diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
index 1bb2b19434b..ddb86d116c5 100644
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -3348,5 +3348,10 @@
 "id": "42CrunchAPIProtection",
 "templateName": "42CrunchAPIProtection.json",
 "validationFailReason": "References parser function FortyTwoCrunchAPIProtection which only exists after solution deployment"
+ },
+ {
+ "id": "ad76e484-f159-4d23-99ee-e734f0b8b60b",
+ "templateName": "Possible device code phishing attempts.yaml",
+ "validationFailReason": "References AADSignInEventsBeta, a Microsoft Defender XDR advanced hunting beta table not present in the KQL validator schema"
 }
 ]
diff --git a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
index b85b044ca0f..cf61dce8f5f 100644
--- a/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
+++ b/Solutions/Microsoft Defender XDR/Analytic Rules/PossibleWebpBufferOverflow.yaml
@@ -76,12 +76,10 @@ incidentConfiguration:
 matchingMethod: Selected
 groupByEntities:
 - Account
- groupByAlertDetails: []
- groupByCustomDetails: []
 suppressionDuration: PT5H
 alertDetailsOverride:
 alertDisplayNameFormat: Possible exploitation of CVE-2023-4863
 alertDynamicProperties: []
 eventGroupingSettings:
 aggregationKind: SingleAlert
-version: 1.1.2
+version: 1.1.3
diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
index ae2cf8a115a..767cba68c29 100644
--- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
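Review bot: The new skip entry appears to exempt the whole template from KQL validation, not just the AADSignInEventsBeta table lookup, so any other syntax or schema error in `Possible device code phishing attempts.yaml` would now ship unchecked; confirm the query has actually been run in an advanced hunting workspace before merging, and double-check that the `id` GUID matches the `id:` field of that YAML exactly, because a mismatch leaves the real template failing or silently exempts a different one. The reason string is the only record of why the exemption exists, so it should state the exit condition as well: `"validationFailReason": "References AADSignInEventsBeta, a Microsoft Defender XDR advanced hunting beta table not present in the KQL validator schema; remove this entry once the table is added to the validator schema"`. Note that the same file name appears on a removed line in the Solution manifest hunk further down, which is cut off in this view, so whether the hunting query is still packaged after this change cannot be confirmed from here.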
@@ -9,385 +9,384 @@ "Analytic Rules": [ "Analytic Rules/PossiblePhishingwithCSL&NetworkSession.yaml", "Analytic Rules/SUNSPOTHashes.yaml", - "Analytic Rules/PotentialBuildProcessCompromiseMDE.yaml", - "Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml", - "Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml", - "Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml", - "Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml", - "Analytic Rules/AVTarrask.yaml", - "Analytic Rules/AVSpringShell.yaml", - "Analytic Rules/PossibleWebpBufferOverflow.yaml", - "Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml", - "Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml", - "Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml", - "Analytic Rules/Command and Control/C2-NamedPipe.yaml", - "Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml", - "Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml", - "Analytic Rules/Defense Evasion/DoppelpaymerStopService.yaml", - "Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml", - "Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml", - "Analytic Rules/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml", - "Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml", - "Analytic Rules/Execution/BITSAdminActivity.yaml", - "Analytic Rules/Execution/OfficeAppsLaunchingWscript.yaml", - "Analytic Rules/Execution/PotentialKerberoastActivities.yaml", - "Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml", - "Analytic Rules/Exploits/MosaicLoader.yaml", - "Analytic Rules/Impact/AnomalousVoulmeOfFileDeletion.yaml", - "Analytic Rules/Lateral Movement/RemoteFileCreationWithPsExec.yaml", - "Analytic Rules/Lateral Movement/ServiceAccountsPerformingRemotePS.yaml", - "Analytic Rules/Persistence/AccountCreation.yaml", - "Analytic Rules/Persistence/LocalAdminGroupChanges.yaml", - "Analytic 
Rules/Persistence/RareProcessAsService.yaml", - "Analytic Rules/Ransomware/DEV-0270/DisableSecurityServiceViaRegistry.yaml", - "Analytic Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml", - "Analytic Rules/Ransomware/LaZagneCredTheft.yaml", - "Analytic Rules/Ransomware/LogDeletionUsingWevtutil.yaml", - "Analytic Rules/Ransomware/MultiProcessKillWithTaskKill.yaml", - "Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml", - "Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml", - "Analytic Rules/Ransomware/ShadowCopyDeletion.yaml" - - ], -"Hunting Queries" : [ - "Hunting Queries/Appspot Phishing Abuse.yaml", - "Hunting Queries/Campaigns/Bazacall/PayloadDropUsingCertUtil.yaml", - "Hunting Queries/Campaigns/JudgementPandaExfilActivity.yaml", - "Hunting Queries/Campaigns/Jupyter-Solarmaker/DeimosComponentExecution.yaml", - "Hunting Queries/Campaigns/LemonDuck/LemonDuckRegistrationFunction.yaml", - "Hunting Queries/Campaigns/Log4j/DeviceWithLog4jAlerts.yaml", - "Hunting Queries/Campaigns/Log4j/Log4jVulnRelatedAlerts.yaml", - "Hunting Queries/Campaigns/Macaw Ransomware/ImminentRansomware.yaml", - "Hunting Queries/Campaigns/Macaw Ransomware/MaliciousUseOfMSBuildAsLoLBin.yaml", - "Hunting Queries/Campaigns/Qakbot/QakbotReconActivities.yaml", - "Hunting Queries/Campaigns/RobbinhoodDriver.yaml", - "Hunting Queries/Campaigns/Snip3MaliciousNetworkConnectivity.yaml", - "Hunting Queries/Campaigns/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml", - "Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml", - "Hunting Queries/Command and Control/C2-NamedPipe.yaml", - "Hunting Queries/Command and Control/ReconWithRundll.yaml", - "Hunting Queries/Credential Access/DoppelPaymerProcdump.yaml", - "Hunting Queries/Credential Access/LaZagne.yaml", - "Hunting Queries/Credential Access/LSASSCredDumpProcdump.yaml", - "Hunting Queries/Defense Evasion/ClearSystemLogs.yaml", - "Hunting Queries/Defense 
Evasion/DoppelpaymerStopServices.yaml", - "Hunting Queries/Defense Evasion/QakbotCampaignSelfDeletion.yaml", - "Hunting Queries/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml", - "Hunting Queries/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml", - "Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml", - "Hunting Queries/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml", - "Hunting Queries/Discovery/User&GroupEnumWithNetCommand.yaml", - "Hunting Queries/Email and Collaboration Queries/Attachment/ATP policy status check.yaml", - "Hunting Queries/Email and Collaboration Queries/Attachment/JNLP attachment.yaml", - "Hunting Queries/Email and Collaboration Queries/Attachment/Safe attachment detection.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/Authentication failures.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/CompAuth Failure Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/DKIM Failure Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/DMARC Failure Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/SPF Failure Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/Spoof attempts with auth failure.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/Top Spoof detections by Sender Domain.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/Top Spoof DMARC detections by Sender Domain.yaml", - "Hunting Queries/Email and Collaboration Queries/Authentication/Top Spoof Intra-Org detections by SenderDomain.yaml", - "Hunting Queries/Email and Collaboration Queries/Custom Detections/Message from Accepted Domain with DMARC TempError.yaml", - "Hunting Queries/Email and Collaboration Queries/Custom Detections/Message with URL listed on OpenPhish delivered into Inbox.yaml", - "Hunting Queries/Email and Collaboration 
Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml", - "Hunting Queries/Email and Collaboration Queries/Custom Detections/Potentially malicious SVG file delivered into Inbox.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Audit Email Preview-Download action.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Bad email percentage - Inbound emails.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Calculate MDO Efficacy.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Email sender IP address Geo location information.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Hunt for Admin email access.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Hunt for TABL changes.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Local time to UTC time conversion.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Mail item accessed.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Malicious email senders.yaml", - "Hunting Queries/Email and Collaboration Queries/General/MDO daily detection summary report.yaml", - "Hunting Queries/Email and Collaboration Queries/General/New TABL Items.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 Domains sending Malicious Emails (Malware+Phish+Spam).yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders (Malware).yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders (Phish).yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders (Spam).yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 Targeted Users (Malware+Phish+Spam).yaml", - "Hunting Queries/Email and Collaboration Queries/General/Top 10 Users clicking on Malicious URLs 
(Malware+Phish+Spam).yaml", - "Hunting Queries/Email and Collaboration Queries/General/Total number of detections by MDO over time.yaml", - "Hunting Queries/Email and Collaboration Queries/General/Total number of detections by MDO.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Email bombing.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Emails containing links to IP addresses.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Files share contents and suspicious sign-in activity.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Good emails from senders with bad patterns.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for email bombing attacks.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for email conversation take over attempts.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/Inbox rule change which forward-redirect email.yaml", - "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML", - "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML", - "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML", - "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_SummaryOfSenders.YAML", - "Hunting 
Queries/Email and Collaboration Queries/Hunting/MDO_URLClickedinEmail.YAML", - "Hunting Queries/Email and Collaboration Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Detections by detection methods.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Mail reply to new domain.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Mailflow by directionality.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Malicious emails detected per day.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Sender recipient contact establishment.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Spam Detections by Delivery Location - High.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Spam Detections by Delivery Location - Medium.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Top 100 malicious email senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Top 100 senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Mailflow/Zero day threats.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Email containing malware accessed on a unmanaged device.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Email containing malware sent by an internal sender.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Email malware detection report.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/File Malware Detection Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/File Malware Top Families by AV.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/File Malware Top Families by Safe Attachments.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Malware Detection Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Malware 
Detections by Delivery Location.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Malware Detections by Detection Technology Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Malware Detections by Detection Technology.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Malware detections by Workload Locations.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Malware detections by Workload Type.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Top Domains sending Malware.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Top Email Malware Families.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Top Users receiving Malware.yaml", - "Hunting Queries/Email and Collaboration Queries/Malware/Zero-day Malware Detections Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Communication from suspicious external users.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Communication to suspicious external users.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Expanding recipients into separate rows.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/External malicious Teams messages sent from internal senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Hunt for malicious messages using External Threat Intelligence.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Inbound Teams messages by sender domains.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Malicious Teams messages by URL detection methods.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Malicious Teams messages received from external senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams 
protection/Microsoft Teams chat initiated by a suspicious external user.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Number of unique accounts performing Teams message Admin submissions.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Number of unique accounts performing Teams message User submissions.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Possible partner impersonation in external Team messages.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Possible Teams phishing activity.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Potentially malicious URL click in Teams.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Rare Domains in External Teams Messages.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Suspicious Teams Display Name.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin submission of Malware and Phish daily trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin submission of No Threats daily trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin-User Submissions Grading Verdicts.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams blocked URL clicks daily trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Malware ZAP .yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Message with URL listed on OpenPhish.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams message ZAPed with the same URL in Email.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams messages 
from a specific sender by ThreadType.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams messages with suspicious URL domains.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Phish ZAP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams post delivery events daily trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Spam ZAP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams URL clicks actions summarized by URLs clicked on.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams URL clicks through actions on Phish or Malware URLs summarized by URLs.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams User submissions daily trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams users clicking on suspicious URL domains.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 Attacked user by Phish messages.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 external senders sending Teams messages.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 External senders sending Teams phishing messsages.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 sender domains - Admin Teams message submissions FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 sender domains - Teams user submissions FN or FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders - Teams users submissions FN or FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders of Admin Teams message submissions 
FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders of Admin Teams message submissions FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 Users clicking on malicious URLs in Teams.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top accounts performing Teams admin submissions FN or FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top accounts performing Teams user submissions FN or FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top domains outbound sending Malicious Teams messages inbound.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top external malicious senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top External Sender domains - Malware.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top External Sender domains - Phish.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top External Sender domains - Spam.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top malicious URLs clicked by users in Teams.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Total number of MDO Teams protection detections daily.yaml", - "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/URL click on URLs in ZAP-d Teams messages.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Spam and Phish delivered to Inbox due to Admin Overrides.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Spam and Phish delivered to Inbox due to User Overrides.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Top policies performing admin overrides.yaml", - "Hunting Queries/Email and Collaboration 
Queries/Overrides/Top policies performing user overrides.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with Admin Overrides - Allow.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with Admin Overrides - Block.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with User Overrides - Allow.yaml", - "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with User Overrides - Block.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detection Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Delivery Location - High.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Delivery Location - Medium.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Delivery Location Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Detection Technology Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Detection Technology.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Top Domains sending Phish.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Top Users receiving Phish.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Zero-day Phish Detections Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Campaign with randomly named attachments.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Campaign with suspicious keywords.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Emails delivered having URLs from QR codes.yaml", - "Hunting Queries/Email and Collaboration 
Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Emails with QR codes from non-prevalent sender.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Hunting for sender patterns.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Hunting for user signals-clusters.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Inbound emails with QR code URLs.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Personalized campaigns based on the first few keywords.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Personalized campaigns based on the last few keywords.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Risky sign-in attempt from a non-managed device.yaml", - "Hunting Queries/Email and Collaboration Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Group quarantine release.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/High Confidence Phish Released.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Phish reason trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Phish reason.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Release Email Details.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine release trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine releases by Detection types.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Spam reason trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Spam reason.yaml", - "Hunting Queries/Email and Collaboration Queries/Remediation/AIR investigation actions insight.yaml", - "Hunting Queries/Email and Collaboration 
Queries/Remediation/Email remediation action list.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Bulk Detection Top10 Domains.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Delivery Location.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection IP and Geo Position.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Mails with BCL.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Tech.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top10 Domains.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top10 Users.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top15 Domains Details.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top15 Users Details.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detections by Detection technology.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Impersonation Phishing detections by Detection Technology Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Impersonation Phishing detections by Detection Technology.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Impersonation Phishing detections trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Referral phish emails.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml", - "Hunting Queries/Email 
and Collaboration Queries/Spoof and Impersonation/Spoof detections by Detection Technology Trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof detections by Detection Technology.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof detections trend.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Top Domains with BEC Threats inbound.yaml", - "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submission Trend - FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submission Trend - FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Detection Method - Phish FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Detection Method - Spam FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Detection Type.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Grading Verdict - FN-FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission State - FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission State - FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission Type - FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission Type - FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Top accounts performing admin submissions - FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Top accounts performing admin submissions - FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Top accounts 
performing user submissions.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Top Detection Overrides - Admin Submissions.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Top Sender Domains - Admin Submissions FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Top Sender Domains - Admin Submissions FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Total Submissions by Submission Status.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/Total Submissions by Submission Type.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User reported submissions.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submission Accuracy versus Admin Verdicts.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top detection overrides by Admins.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top detection overrides by Users.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top email (P2) senders domains.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top email (P2) senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top Intra-Org P2 senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top Intra-Org Subjects.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions by Admin review status.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions by Grading Verdict - FN-FP.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions by Submission Type.yaml", - "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions from Junk Folder.yaml", - "Hunting Queries/Email and Collaboration 
Queries/Submissions/User Submissions Trend - FN.yaml", - "Hunting Queries/Email and Collaboration Queries/Top Attacks/Attacked more than x times average.yaml", - "Hunting Queries/Email and Collaboration Queries/Top Attacks/Malicious mails by sender IPs.yaml", - "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top 10 percent of most attacked users.yaml", - "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top 10 URL domains attacking organization.yaml", - "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top external malicious senders.yaml", - "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top targeted users.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/End user malicious clicks.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/URL click count by click action.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/URL click on ZAP Email.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/URL clicks actions by URL.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/URLClick details based on malicious URL click alert.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/User clicked through events.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/User clicks on malicious inbound emails.yaml", - "Hunting Queries/Email and Collaboration Queries/URL Click/User clicks on phishing URLs in emails.yaml", - "Hunting Queries/Email and Collaboration Queries/URL/Malicious Clicks allowed (click-through).yaml", - "Hunting Queries/Email and Collaboration Queries/URL/Malicious Emails with QR code Urls.yaml", - "Hunting Queries/Email and Collaboration Queries/URL/Phishing Email Url Redirector.yaml", - "Hunting Queries/Email and Collaboration Queries/URL/SafeLinks URL detections.yaml", - "Hunting Queries/Email and Collaboration Queries/URL/Top 10 Users clicking on Malicious URLs (Malware).yaml", - "Hunting Queries/Email and 
Collaboration Queries/URL/Top 10 Users clicking on Malicious URLs (Phish).yaml", - "Hunting Queries/Email and Collaboration Queries/URL/Top 10 Users clicking on Malicious URLs (Spam).yaml", - "Hunting Queries/Email and Collaboration Queries/URL/URL Click attempts by threat type.yaml", - "Hunting Queries/Email and Collaboration Queries/URL/URL Clicks by Action.yaml", - "Hunting Queries/Email and Collaboration Queries/URL/URLs by location.yaml", - "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events by Admin.yaml", - "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events by Location.yaml", - "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events by ZAP type.yaml", - "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events over time.yaml", - "Hunting Queries/EmailDelivered-ToInbox.yaml", - "Hunting Queries/Execution/AnomalousPayloadDeliveredWithISOFile.yaml", - "Hunting Queries/Execution/BitsadminActivity.yaml", - "Hunting Queries/Execution/MaliciousUseOfMSIExec.yaml", - "Hunting Queries/Execution/MaliciousUseOfMsiExecMimikatz.yaml", - "Hunting Queries/Execution/OfficeAppsLaunchingWscript.yaml", - "Hunting Queries/Execution/PotentialKerberoastActivities.yaml", - "Hunting Queries/Execution/PowerShellDownloads.yaml", - "Hunting Queries/Execution/SuspiciousAppExeutedByWebserver.yaml", - "Hunting Queries/Execution/SuspiciousMshtaUsage.yaml", - "Hunting Queries/Exfiltration/FilesCopiedToUSBDrives.yaml", - "Hunting Queries/Exploits/CVE-2022-26134-Confluence.yaml", - "Hunting Queries/Exploits/MosaicLoader.yaml", - "Hunting Queries/Exploits/Print Spooler RCE/SpoolsvSpawningRundll32.yaml", - "Hunting Queries/Exploits/Print Spooler RCE/SuspiciousDLLInSpoolFolder.yaml", - "Hunting Queries/Exploits/Print Spooler RCE/SuspiciousFilesInSpoolFolder.yaml", - "Hunting Queries/Exploits/Print Spooler RCE/SuspiciousSpoolsvChildProcess.yaml", - "Hunting 
Queries/Exploits/PrintNightmareUsageDetection-CVE-2021-1675.yaml", - "Hunting Queries/Exploits/SuspiciousFileCreationByPrintSpoolerService.yaml", - "Hunting Queries/General Queries/MITRESuspiciousEvents.yaml", - "Hunting Queries/Impact/AnomalousVoulmeOfFileDeletion.yaml", - "Hunting Queries/Initial Access/DetectMailSniper.yaml", - "Hunting Queries/Lateral Movement/AccountBruteForce.yaml", - "Hunting Queries/Lateral Movement/RemoteFileCreationWithPsExec.yaml", - "Hunting Queries/Lateral Movement/ServiceAccountsPerformingRemotePS.yaml", - "Hunting Queries/Persistence/AccountCreation.yaml", - "Hunting Queries/Persistence/LocalAdminGroupChanges.yaml", - "Hunting Queries/Persistence/RareProcessAsService.yaml", - "Hunting Queries/Persistence/ScheduledTaskCreation.yaml", - "Hunting Queries/Privilege Escalation/SAMNameChange_CVE-2021-42278.yaml", - "Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml", - "Hunting Queries/Ransomware/DetectMultipleSignsOfRamsomwareActivity.yaml", - "Hunting Queries/Ransomware/DEV-0270/DisableSecurityServiceViaRegistry.yaml", - "Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml", - "Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml", - "Hunting Queries/Ransomware/IcedIdSuspiciousImageLoad.yaml", - "Hunting Queries/Ransomware/LaZagneCredTheft.yaml", - "Hunting Queries/Ransomware/LogDeletionUsingWevtutil.yaml", - "Hunting Queries/Ransomware/MultiProcessKillWithTaskKill.yaml", - "Hunting Queries/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml", - "Hunting Queries/Ransomware/QakbotDiscoveryActivities.yaml", - "Hunting Queries/Ransomware/ShadowCopyDeletion.yaml", - "Hunting Queries/Ransomware/TurningOffServicesWithSCCommad.yaml", - "Hunting Queries/TVM/Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities.yaml", - "Hunting Queries/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml" + "Analytic 
Rules/PotentialBuildProcessCompromiseMDE.yaml", + "Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml", + "Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml", + "Analytic Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml", + "Analytic Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml", + "Analytic Rules/AVTarrask.yaml", + "Analytic Rules/AVSpringShell.yaml", + "Analytic Rules/PossibleWebpBufferOverflow.yaml", + "Analytic Rules/Campaign/Jupyter-Solarmaker/DeimosComponentExecution.yaml", + "Analytic Rules/Campaign/Macaw Ransomware/ImminentRansomware.yaml", + "Analytic Rules/Campaign/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml", + "Analytic Rules/Command and Control/C2-NamedPipe.yaml", + "Analytic Rules/Credential Access/DoppelPaymerProcDump.yaml", + "Analytic Rules/Credential Access/LSASSCredDumpProcdump.yaml", + "Analytic Rules/Defense Evasion/DoppelpaymerStopService.yaml", + "Analytic Rules/Defense Evasion/QakbotCampaignSelfDeletion.yaml", + "Analytic Rules/Defense Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml", + "Analytic Rules/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml", + "Analytic Rules/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml", + "Analytic Rules/Execution/BITSAdminActivity.yaml", + "Analytic Rules/Execution/OfficeAppsLaunchingWscript.yaml", + "Analytic Rules/Execution/PotentialKerberoastActivities.yaml", + "Analytic Rules/Exfiltration/FilesCopiedToUSBDrives.yaml", + "Analytic Rules/Exploits/MosaicLoader.yaml", + "Analytic Rules/Impact/AnomalousVoulmeOfFileDeletion.yaml", + "Analytic Rules/Lateral Movement/RemoteFileCreationWithPsExec.yaml", + "Analytic Rules/Lateral Movement/ServiceAccountsPerformingRemotePS.yaml", + "Analytic Rules/Persistence/AccountCreation.yaml", + "Analytic Rules/Persistence/LocalAdminGroupChanges.yaml", + "Analytic Rules/Persistence/RareProcessAsService.yaml", + "Analytic Rules/Ransomware/DEV-0270/DisableSecurityServiceViaRegistry.yaml", + "Analytic 
Rules/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml", + "Analytic Rules/Ransomware/LaZagneCredTheft.yaml", + "Analytic Rules/Ransomware/LogDeletionUsingWevtutil.yaml", + "Analytic Rules/Ransomware/MultiProcessKillWithTaskKill.yaml", + "Analytic Rules/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml", + "Analytic Rules/Ransomware/QakbotDiscoveryActivities.yaml", + "Analytic Rules/Ransomware/ShadowCopyDeletion.yaml" + ], + "Hunting Queries": [ + "Hunting Queries/Appspot Phishing Abuse.yaml", + "Hunting Queries/Campaigns/Bazacall/PayloadDropUsingCertUtil.yaml", + "Hunting Queries/Campaigns/JudgementPandaExfilActivity.yaml", + "Hunting Queries/Campaigns/Jupyter-Solarmaker/DeimosComponentExecution.yaml", + "Hunting Queries/Campaigns/LemonDuck/LemonDuckRegistrationFunction.yaml", + "Hunting Queries/Campaigns/Log4j/DeviceWithLog4jAlerts.yaml", + "Hunting Queries/Campaigns/Log4j/Log4jVulnRelatedAlerts.yaml", + "Hunting Queries/Campaigns/Macaw Ransomware/ImminentRansomware.yaml", + "Hunting Queries/Campaigns/Macaw Ransomware/MaliciousUseOfMSBuildAsLoLBin.yaml", + "Hunting Queries/Campaigns/Qakbot/QakbotReconActivities.yaml", + "Hunting Queries/Campaigns/RobbinhoodDriver.yaml", + "Hunting Queries/Campaigns/Snip3MaliciousNetworkConnectivity.yaml", + "Hunting Queries/Campaigns/Sysrv-botnet/MaliciousCMDExecutionByJava.yaml", + "Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml", + "Hunting Queries/Command and Control/C2-NamedPipe.yaml", + "Hunting Queries/Command and Control/ReconWithRundll.yaml", + "Hunting Queries/Credential Access/DoppelPaymerProcdump.yaml", + "Hunting Queries/Credential Access/LaZagne.yaml", + "Hunting Queries/Credential Access/LSASSCredDumpProcdump.yaml", + "Hunting Queries/Defense Evasion/ClearSystemLogs.yaml", + "Hunting Queries/Defense Evasion/DoppelpaymerStopServices.yaml", + "Hunting Queries/Defense Evasion/QakbotCampaignSelfDeletion.yaml", + "Hunting Queries/Defense 
Evasion/Regsvr32Rundll32ImageLoadsAbnormalExtension.yaml", + "Hunting Queries/Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml", + "Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml", + "Hunting Queries/Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml", + "Hunting Queries/Discovery/User&GroupEnumWithNetCommand.yaml", + "Hunting Queries/Email and Collaboration Queries/Attachment/ATP policy status check.yaml", + "Hunting Queries/Email and Collaboration Queries/Attachment/JNLP attachment.yaml", + "Hunting Queries/Email and Collaboration Queries/Attachment/Safe attachment detection.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/Authentication failures.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/CompAuth Failure Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/DKIM Failure Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/DMARC Failure Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/SPF Failure Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/Spoof attempts with auth failure.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/Top Spoof detections by Sender Domain.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/Top Spoof DMARC detections by Sender Domain.yaml", + "Hunting Queries/Email and Collaboration Queries/Authentication/Top Spoof Intra-Org detections by SenderDomain.yaml", + "Hunting Queries/Email and Collaboration Queries/Custom Detections/Message from Accepted Domain with DMARC TempError.yaml", + "Hunting Queries/Email and Collaboration Queries/Custom Detections/Message with URL listed on OpenPhish delivered into Inbox.yaml", + "Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml", + "Hunting Queries/Email and Collaboration 
Queries/Custom Detections/Potentially malicious SVG file delivered into Inbox.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Audit Email Preview-Download action.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Bad email percentage - Inbound emails.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Calculate MDO Efficacy.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Email sender IP address Geo location information.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Hunt for Admin email access.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Hunt for TABL changes.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Local time to UTC time conversion.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Mail item accessed.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Malicious email senders.yaml", + "Hunting Queries/Email and Collaboration Queries/General/MDO daily detection summary report.yaml", + "Hunting Queries/Email and Collaboration Queries/General/New TABL Items.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 Domains sending Malicious Emails (Malware+Phish+Spam).yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders (Malware).yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders (Phish).yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders (Spam).yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 External Senders.yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 Targeted Users (Malware+Phish+Spam).yaml", + "Hunting Queries/Email and Collaboration Queries/General/Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam).yaml", + "Hunting Queries/Email and Collaboration Queries/General/Total number of detections by MDO over time.yaml", + 
"Hunting Queries/Email and Collaboration Queries/General/Total number of detections by MDO.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Email bombing.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Emails containing links to IP addresses.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Files share contents and suspicious sign-in activity.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Good emails from senders with bad patterns.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for email bombing attacks.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for email conversation take over attempts.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/Inbox rule change which forward-redirect email.yaml", + "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML", + "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML", + "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML", + "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_SummaryOfSenders.YAML", + "Hunting Queries/Email and Collaboration Queries/Hunting/MDO_URLClickedinEmail.YAML", + "Hunting Queries/Email and Collaboration Queries/Hunting/Top outbound 
recipient domains sending inbound emails with threats.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Detections by detection methods.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Mail reply to new domain.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Mailflow by directionality.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Malicious emails detected per day.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Sender recipient contact establishment.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Spam Detections by Delivery Location - High.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Spam Detections by Delivery Location - Medium.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Top 100 malicious email senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Top 100 senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Mailflow/Zero day threats.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Email containing malware accessed on a unmanaged device.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Email containing malware sent by an internal sender.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Email malware detection report.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/File Malware Detection Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/File Malware Top Families by AV.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/File Malware Top Families by Safe Attachments.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Malware Detection Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Malware Detections by Delivery Location.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Malware Detections by Detection Technology Trend.yaml", + 
"Hunting Queries/Email and Collaboration Queries/Malware/Malware Detections by Detection Technology.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Malware detections by Workload Locations.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Malware detections by Workload Type.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Top Domains sending Malware.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Top Email Malware Families.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Top Users receiving Malware.yaml", + "Hunting Queries/Email and Collaboration Queries/Malware/Zero-day Malware Detections Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Communication from suspicious external users.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Communication to suspicious external users.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Expanding recipients into separate rows.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/External malicious Teams messages sent from internal senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Hunt for malicious messages using External Threat Intelligence.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Inbound Teams messages by sender domains.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Malicious Teams messages by URL detection methods.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Malicious Teams messages received from external senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Microsoft Teams chat initiated by a suspicious external user.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams 
protection/Number of unique accounts performing Teams message Admin submissions.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Number of unique accounts performing Teams message User submissions.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Possible partner impersonation in external Team messages.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Possible Teams phishing activity.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Potentially malicious URL click in Teams.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Rare Domains in External Teams Messages.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Suspicious Teams Display Name.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin submission of Malware and Phish daily trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin submission of No Threats daily trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Admin-User Submissions Grading Verdicts.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams blocked URL clicks daily trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Malware ZAP .yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Message with URL listed on OpenPhish.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams message ZAPed with the same URL in Email.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams messages from a specific sender by ThreadType.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams messages with 
suspicious URL domains.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Phish ZAP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams post delivery events daily trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams Spam ZAP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams URL clicks actions summarized by URLs clicked on.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams URL clicks through actions on Phish or Malware URLs summarized by URLs.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams User submissions daily trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Teams users clicking on suspicious URL domains.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 Attacked user by Phish messages.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 external senders sending Teams messages.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 External senders sending Teams phishing messsages.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 sender domains - Admin Teams message submissions FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 sender domains - Teams user submissions FN or FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders - Teams users submissions FN or FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders of Admin Teams message submissions FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 senders of Admin Teams message submissions 
FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top 10 Users clicking on malicious URLs in Teams.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top accounts performing Teams admin submissions FN or FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top accounts performing Teams user submissions FN or FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top domains outbound sending Malicious Teams messages inbound.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top external malicious senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top External Sender domains - Malware.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top External Sender domains - Phish.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top External Sender domains - Spam.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Top malicious URLs clicked by users in Teams.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/Total number of MDO Teams protection detections daily.yaml", + "Hunting Queries/Email and Collaboration Queries/Microsoft Teams protection/URL click on URLs in ZAP-d Teams messages.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Spam and Phish delivered to Inbox due to Admin Overrides.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Spam and Phish delivered to Inbox due to User Overrides.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Top policies performing admin overrides.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Top policies performing user overrides.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with Admin 
Overrides - Allow.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with Admin Overrides - Block.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with User Overrides - Allow.yaml", + "Hunting Queries/Email and Collaboration Queries/Overrides/Total Emails with User Overrides - Block.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detection Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Delivery Location - High.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Delivery Location - Medium.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Delivery Location Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Detection Technology Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Phish Detections by Detection Technology.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Top Domains sending Phish.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Top Users receiving Phish.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Zero-day Phish Detections Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Campaign with randomly named attachments.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Campaign with suspicious keywords.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Emails delivered having URLs from QR codes.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Emails with QR 
codes from non-prevalent sender.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Hunting for sender patterns.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Hunting for user signals-clusters.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Inbound emails with QR code URLs.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Personalized campaigns based on the first few keywords.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Personalized campaigns based on the last few keywords.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Risky sign-in attempt from a non-managed device.yaml", + "Hunting Queries/Email and Collaboration Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Group quarantine release.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/High Confidence Phish Released.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Phish reason trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Phish reason.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Release Email Details.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine release trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine releases by Detection types.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Spam reason trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Quarantine/Quarantine Spam reason.yaml", + "Hunting Queries/Email and Collaboration Queries/Remediation/AIR investigation actions insight.yaml", + "Hunting Queries/Email and Collaboration Queries/Remediation/Email remediation action list.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Bulk Detection Top10 Domains.yaml", + "Hunting 
Queries/Email and Collaboration Queries/Spam/Spam Detection Delivery Location.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection IP and Geo Position.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Mails with BCL.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Tech.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top10 Domains.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top10 Users.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top15 Domains Details.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Top15 Users Details.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detection Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Spam/Spam Detections by Detection technology.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Impersonation Phishing detections by Detection Technology Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Impersonation Phishing detections by Detection Technology.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Impersonation Phishing detections trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Referral phish emails.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof detections by Detection Technology Trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof 
and Impersonation/Spoof detections by Detection Technology.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Spoof detections trend.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/Top Domains with BEC Threats inbound.yaml", + "Hunting Queries/Email and Collaboration Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submission Trend - FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submission Trend - FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Detection Method - Phish FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Detection Method - Spam FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Detection Type.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Grading Verdict - FN-FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission State - FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission State - FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission Type - FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Admin Submissions by Submission Type - FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Top accounts performing admin submissions - FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Top accounts performing admin submissions - FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Top accounts performing user submissions.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Top Detection Overrides - Admin Submissions.yaml", + "Hunting 
Queries/Email and Collaboration Queries/Submissions/Top Sender Domains - Admin Submissions FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Top Sender Domains - Admin Submissions FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Total Submissions by Submission Status.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/Total Submissions by Submission Type.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User reported submissions.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submission Accuracy versus Admin Verdicts.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top detection overrides by Admins.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top detection overrides by Users.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top email (P2) senders domains.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top email (P2) senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top Intra-Org P2 senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions - Top Intra-Org Subjects.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions by Admin review status.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions by Grading Verdict - FN-FP.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions by Submission Type.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions from Junk Folder.yaml", + "Hunting Queries/Email and Collaboration Queries/Submissions/User Submissions Trend - FN.yaml", + "Hunting Queries/Email and Collaboration Queries/Top Attacks/Attacked more than x times average.yaml", + "Hunting 
Queries/Email and Collaboration Queries/Top Attacks/Malicious mails by sender IPs.yaml", + "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top 10 percent of most attacked users.yaml", + "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top 10 URL domains attacking organization.yaml", + "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top external malicious senders.yaml", + "Hunting Queries/Email and Collaboration Queries/Top Attacks/Top targeted users.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/End user malicious clicks.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/URL click count by click action.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/URL click on ZAP Email.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/URL clicks actions by URL.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/URLClick details based on malicious URL click alert.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/User clicked through events.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/User clicks on malicious inbound emails.yaml", + "Hunting Queries/Email and Collaboration Queries/URL Click/User clicks on phishing URLs in emails.yaml", + "Hunting Queries/Email and Collaboration Queries/URL/Malicious Clicks allowed (click-through).yaml", + "Hunting Queries/Email and Collaboration Queries/URL/Malicious Emails with QR code Urls.yaml", + "Hunting Queries/Email and Collaboration Queries/URL/Phishing Email Url Redirector.yaml", + "Hunting Queries/Email and Collaboration Queries/URL/SafeLinks URL detections.yaml", + "Hunting Queries/Email and Collaboration Queries/URL/Top 10 Users clicking on Malicious URLs (Malware).yaml", + "Hunting Queries/Email and Collaboration Queries/URL/Top 10 Users clicking on Malicious URLs (Phish).yaml", + "Hunting Queries/Email and Collaboration Queries/URL/Top 10 Users clicking on Malicious 
URLs (Spam).yaml", + "Hunting Queries/Email and Collaboration Queries/URL/URL Click attempts by threat type.yaml", + "Hunting Queries/Email and Collaboration Queries/URL/URL Clicks by Action.yaml", + "Hunting Queries/Email and Collaboration Queries/URL/URLs by location.yaml", + "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events by Admin.yaml", + "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events by Location.yaml", + "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events by ZAP type.yaml", + "Hunting Queries/Email and Collaboration Queries/ZAP/Post Delivery Events over time.yaml", + "Hunting Queries/EmailDelivered-ToInbox.yaml", + "Hunting Queries/Execution/AnomalousPayloadDeliveredWithISOFile.yaml", + "Hunting Queries/Execution/BitsadminActivity.yaml", + "Hunting Queries/Execution/MaliciousUseOfMSIExec.yaml", + "Hunting Queries/Execution/MaliciousUseOfMsiExecMimikatz.yaml", + "Hunting Queries/Execution/OfficeAppsLaunchingWscript.yaml", + "Hunting Queries/Execution/PotentialKerberoastActivities.yaml", + "Hunting Queries/Execution/PowerShellDownloads.yaml", + "Hunting Queries/Execution/SuspiciousAppExeutedByWebserver.yaml", + "Hunting Queries/Execution/SuspiciousMshtaUsage.yaml", + "Hunting Queries/Exfiltration/FilesCopiedToUSBDrives.yaml", + "Hunting Queries/Exploits/CVE-2022-26134-Confluence.yaml", + "Hunting Queries/Exploits/MosaicLoader.yaml", + "Hunting Queries/Exploits/Print Spooler RCE/SpoolsvSpawningRundll32.yaml", + "Hunting Queries/Exploits/Print Spooler RCE/SuspiciousDLLInSpoolFolder.yaml", + "Hunting Queries/Exploits/Print Spooler RCE/SuspiciousFilesInSpoolFolder.yaml", + "Hunting Queries/Exploits/Print Spooler RCE/SuspiciousSpoolsvChildProcess.yaml", + "Hunting Queries/Exploits/PrintNightmareUsageDetection-CVE-2021-1675.yaml", + "Hunting Queries/Exploits/SuspiciousFileCreationByPrintSpoolerService.yaml", + "Hunting Queries/General Queries/MITRESuspiciousEvents.yaml", + "Hunting 
Queries/Impact/AnomalousVoulmeOfFileDeletion.yaml", + "Hunting Queries/Initial Access/DetectMailSniper.yaml", + "Hunting Queries/Lateral Movement/AccountBruteForce.yaml", + "Hunting Queries/Lateral Movement/RemoteFileCreationWithPsExec.yaml", + "Hunting Queries/Lateral Movement/ServiceAccountsPerformingRemotePS.yaml", + "Hunting Queries/Persistence/AccountCreation.yaml", + "Hunting Queries/Persistence/LocalAdminGroupChanges.yaml", + "Hunting Queries/Persistence/RareProcessAsService.yaml", + "Hunting Queries/Persistence/ScheduledTaskCreation.yaml", + "Hunting Queries/Privilege Escalation/SAMNameChange_CVE-2021-42278.yaml", + "Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml", + "Hunting Queries/Ransomware/DetectMultipleSignsOfRamsomwareActivity.yaml", + "Hunting Queries/Ransomware/DEV-0270/DisableSecurityServiceViaRegistry.yaml", + "Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml", + "Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml", + "Hunting Queries/Ransomware/IcedIdSuspiciousImageLoad.yaml", + "Hunting Queries/Ransomware/LaZagneCredTheft.yaml", + "Hunting Queries/Ransomware/LogDeletionUsingWevtutil.yaml", + "Hunting Queries/Ransomware/MultiProcessKillWithTaskKill.yaml", + "Hunting Queries/Ransomware/PotentialCobaltStrikeRansomwareActivity.yaml", + "Hunting Queries/Ransomware/QakbotDiscoveryActivities.yaml", + "Hunting Queries/Ransomware/ShadowCopyDeletion.yaml", + "Hunting Queries/Ransomware/TurningOffServicesWithSCCommad.yaml", + "Hunting Queries/TVM/Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities.yaml", + "Hunting Queries/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml" + ], + "Workbooks": [ + "Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json", + "Workbooks/MicrosoftDefenderForEndPoint.json", + "Workbooks/MicrosoftDefenderForIdentity.json" ], - "Workbooks" : [ - 
"Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json", - "Workbooks/MicrosoftDefenderForEndPoint.json", - "Workbooks/MicrosoftDefenderForIdentity.json" - ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR", - "Version": "3.0.14", + "Version": "3.0.15", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "StaticDataConnectorIds": [ "MicrosoftThreatProtection" ] -} \ No newline at end of file +} diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml index 2d295bb54cd..e8aba64ddfa 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Custom Detections/Potential OAuth phishing email delivered into Inbox.yaml 
@@ -13,9 +13,11 @@ tactics: relevantTechniques: - T1566 query: | - let ConsentUrls = pack_array("://login.microsoftonline.com/common/oauth2", "://login.microsoftonline.com/consumers/oauth2", "://login.microsoftonline.com/organizations/oauth2", "://login.microsoftonline.us/common/oauth2", "://login.microsoftonline.us/consumers/oauth2", "://login.microsoftonline.us/organizations/oauth2"); + let LoginCom = strcat("login.", "microsoftonline.com"); + let LoginUs = strcat("login.", "microsoftonline.us"); + let ConsentUrls = pack_array(strcat("://", LoginCom, "/common/oauth2"), strcat("://", LoginCom, "/consumers/oauth2"), strcat("://", LoginCom, "/organizations/oauth2"), strcat("://", LoginUs, "/common/oauth2"), strcat("://", LoginUs, "/consumers/oauth2"), strcat("://", LoginUs, "/organizations/oauth2")); EmailUrlInfo | where Url has_any (ConsentUrls) | join EmailEvents on NetworkMessageId | where EmailDirection == "Inbound" and LatestDeliveryAction == "Delivered" -version: 1.0.0 \ No newline at end of file +version: 1.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml index 69a826e0864..7ffa678c750 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Possible device code phishing attempts.yaml 
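Review bot: The `ConsentUrls` list (both before and after this change) only covers the `common`, `consumers` and `organizations` authority paths, so a consent lure that points at a tenant-specific authorize URL (`login.microsoftonline.com/<tenant-id>/oauth2/...`) falls through the `has_any` filter; if the query is meant to catch any Entra consent prompt, widen it to `| where Url has_any (ConsentUrls) or (Url has LoginCom and Url has "oauth2")` and keep `ConsentUrls` for the exact paths. The hunk also gives no reason for assembling the hostnames with `strcat` — presumably to keep the literal sign-in URLs out of the source for an automated URL/credential scanner, which should be confirmed — so add a comment above the `let LoginCom` line such as `// Hostnames are built with strcat so the literal sign-in URLs do not appear verbatim in the source; do not collapse them back into string literals.` or the next cleanup will undo it. Since `has_any` is a term match, the filter matches legitimate first-party consent links as well, and the `Inbound`/`Delivered` conditions do not separate them; that caveat belongs in the query's description, which is outside this hunk.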
@@ -14,9 +14,10 @@ tactics: relevantTechniques: - T1566 query: | + let DeviceLoginUrls = pack_array(strcat("microsoft.", "com/devicelogin"), strcat("login.", "microsoftonline.com/common/oauth2/deviceauth")); let suspiciousUserClicks = materialize(UrlClickEvents | where ActionType in ("ClickAllowed", "UrlScanInProgress", "UrlErrorPage") or IsClickedThrough != "0" - | where UrlChain has_any ("microsoft.com/devicelogin", "login.microsoftonline.com/common/oauth2/deviceauth") + | where UrlChain has_any (DeviceLoginUrls) | extend AccountUpn = tolower(AccountUpn) | project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn); //Check for Risky Sign-In in the short time window @@ -44,4 +45,4 @@ query: | | distinct AccountUpn); suspiciousSignIns | where AccountUpn in (shortIntervalSignInAttemptUsers) -version: 1.0.0 \ No newline at end of file +version: 1.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.15.zip b/Solutions/Microsoft Defender XDR/Package/3.0.15.zip new file mode 100644 index 00000000000..519a19e106d Binary files /dev/null and b/Solutions/Microsoft Defender XDR/Package/3.0.15.zip differ diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json index 05175bf8aa8..1ff1a1e2b4c 100644 --- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json +++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json @@ -57,7 +57,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Defender XDR", - "_solutionVersion": "3.0.14", + "_solutionVersion": "3.0.15", "solutionId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "MicrosoftThreatProtection", 
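Review bot: The new `DeviceLoginUrls` array splits the device-login hostnames with `strcat` but nothing in the hunk says why, so the next maintainer will likely fold them back into the plain literals the old line had; add a comment above the `let DeviceLoginUrls` line, e.g. `// Hostnames are split with strcat so the literal device-login URLs do not appear verbatim in the source; keep them split.` — the motivation is inferred from the change itself, so check the wording against the actual tooling. The array also only matches the `common` authority for `oauth2/deviceauth`, so a tenant-specific `login.microsoftonline.com/<tenant-id>/oauth2/deviceauth` link in the click chain would be missed; if that is not intended, `| where UrlChain has_any (DeviceLoginUrls) or UrlChain has "deviceauth"` closes the gap while keeping the exact paths. The `query:` block continues past the `//Check for Risky Sign-In` comment outside this hunk, so the sign-in correlation that consumes `suspiciousUserClicks` was not reviewed here.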
@@ -133,7 +133,7 @@ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3bd33158-3f0b-47e3-a50f-7c20a1b88038','-', '1.0.3')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.1.2", + "analyticRuleVersion10": "1.1.3", "_analyticRulecontentId10": "26e81021-2de6-4442-a74a-a77885e96911", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '26e81021-2de6-4442-a74a-a77885e96911')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('26e81021-2de6-4442-a74a-a77885e96911')))]", @@ -555,7 +555,7 @@ "huntingQueryTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a8c66aec-2000-45d8-8481-36aaa17f1033')))]" }, "huntingQueryObject42": { - "huntingQueryVersion42": "1.0.0", + "huntingQueryVersion42": "1.0.1", "_huntingQuerycontentId42": "08113d6f-3c95-45ba-94df-4fdd7f35d944", "huntingQueryTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('08113d6f-3c95-45ba-94df-4fdd7f35d944')))]" }, @@ -1210,7 +1210,7 @@ "huntingQueryTemplateSpecName172": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4c30fab1-db4f-4a64-b66b-51478e43a477')))]" }, "huntingQueryObject173": { - "huntingQueryVersion173": "1.0.0", + "huntingQueryVersion173": "1.0.1", "_huntingQuerycontentId173": "ad76e484-f159-4d23-99ee-e734f0b8b60b", "huntingQueryTemplateSpecName173": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ad76e484-f159-4d23-99ee-e734f0b8b60b')))]" }, 
@@ -2015,7 +2015,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Defender XDR data connector with template version 3.0.14", + "description": "Microsoft Defender XDR data connector with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2516,7 +2516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -2544,86 +2544,86 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertEvidence", "EmailEvents", "IdentityInfo", "DeviceEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AWSS3", "datatypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream_CL" - ] + ], + "connectorId": "AIVectraStream" } ], "tactics": [ 
@@ -2636,73 +2636,73 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "RecipientEmailName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RecipientEmailName" }, { - "columnName": "RecipientEmailUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "RecipientEmailUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "DestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "DestinationIP" } - ], - "entityType": "IP" + ] } ] } 
@@ -2758,7 +2758,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2786,11 +2786,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceImageLoadEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2801,38 +2801,38 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] } ] } 
@@ -2888,7 +2888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2916,11 +2916,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2931,34 +2931,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "FileEditUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "FileEditUpn" }, { - "columnName": "FileEditAccount", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileEditAccount" }, { - "columnName": "FileEditDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "FileEditDomain" } - ], - "entityType": "Account" + ] } ] } 
@@ -3014,7 +3014,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -3042,10 +3042,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3060,51 +3060,51 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "HashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "HashAlgorithm" }, { - "columnName": "InitiatingProcessSHA1", - "identifier": "Value" + "identifier": "Value", + "columnName": "InitiatingProcessSHA1" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -3160,7 +3160,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -3188,10 +3188,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3206,69 +3206,69 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "HashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "HashAlgorithm" }, { - "columnName": "InitiatingProcessMD5", - "identifier": "Value" + "identifier": "Value", + "columnName": "InitiatingProcessMD5" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -3324,7 +3324,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -3352,10 +3352,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3370,51 +3370,51 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "HashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "HashAlgorithm" }, { - "columnName": "MD5", - "identifier": "Value" + "identifier": "Value", + "columnName": "MD5" } - ], - "entityType": "FileHash" + ] } ] } @@ -3470,7 +3470,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -3498,10 +3498,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3512,21 +3512,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "CompromisedEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "CompromisedEntity" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3582,7 +3582,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -3610,10 +3610,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3624,30 +3624,30 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "CompromisedEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "CompromisedEntity" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "PublicIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } @@ -3703,7 +3703,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -3731,10 +3731,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3745,30 +3745,30 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "CompromisedEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "CompromisedEntity" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "PublicIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } @@ -3824,7 +3824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3852,13 +3852,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceEvents", "DeviceTvmSoftwareVulnerabilities" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3869,74 +3869,74 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "LocalIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "InitiatingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "InitiatingProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ], "eventGroupingSettings": { 
@@ -3948,13 +3948,13 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", "groupByEntities": [ "Account" ], - "lookbackDuration": "PT5H", - "enabled": false, - "reopenClosedIncident": false, - "matchingMethod": "Selected" + "matchingMethod": "Selected", + "enabled": false }, "createIncident": false } @@ -4011,7 +4011,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -4039,10 +4039,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4057,21 +4057,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -4127,7 +4127,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -4164,21 +4164,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4234,7 +4234,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -4262,10 +4262,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -4276,21 +4276,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4346,7 +4346,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -4374,10 +4374,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4388,21 +4388,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -4458,7 +4458,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -4486,10 +4486,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4500,21 +4500,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4570,7 +4570,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", 
@@ -4598,10 +4598,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4612,21 +4612,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4682,7 +4682,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -4710,10 +4710,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -4726,21 +4726,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4796,7 +4796,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4824,10 +4824,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4838,21 +4838,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -4908,7 +4908,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4936,11 +4936,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4956,48 +4956,48 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "LocalIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -5053,7 +5053,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -5081,11 +5081,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5101,48 +5101,48 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "LocalIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -5198,7 +5198,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -5226,10 +5226,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5245,21 +5245,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -5315,7 +5315,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", 
@@ -5343,10 +5343,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5361,34 +5361,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -5444,7 +5444,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -5472,10 +5472,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -5490,34 +5490,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -5573,7 +5573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -5601,10 +5601,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -5618,38 +5618,38 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "AccountDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "AccountDomain" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -5705,7 +5705,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -5733,11 +5733,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -5748,47 +5748,47 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { - "columnName": "FileName", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileName" }, { - "columnName": "FolderPath", - "identifier": "Directory" + "identifier": "Directory", + "columnName": "FolderPath" } - ], - "entityType": "File" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { - "columnName": "FileHashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashAlgorithm" }, { - "columnName": "SHA256", - "identifier": "Value" + "identifier": "Value", + "columnName": "SHA256" } - ], - "entityType": "FileHash" + ] } ] } @@ -5844,7 +5844,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5872,10 +5872,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceRegistryEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -5886,34 +5886,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "RegistryValue", "fieldMappings": [ { - "columnName": "RegistryValueName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValueName" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" } - ], - "entityType": "RegistryValue" + ] } ] } @@ -5969,7 +5969,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5997,11 +5997,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents", "AADSignInEventsBeta" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6012,35 +6012,35 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { - "columnName": "ApplicationId", - "identifier": "AppId" + "identifier": "AppId", + "columnName": "ApplicationId" } - ], - "entityType": "CloudApplication" + ] } ], "customDetails": { @@ -6099,7 +6099,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -6127,10 +6127,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6141,21 +6141,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6211,7 +6211,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -6239,11 +6239,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceLogonEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6254,38 +6254,38 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountName" }, { - "columnName": "AccountDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "AccountDomain" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -6341,7 +6341,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -6369,10 +6369,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6383,34 +6383,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6466,7 +6466,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -6494,11 +6494,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityInfo", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6509,38 +6509,38 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "UserAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserAdded" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "laccountdomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "laccountdomain" } - ], - "entityType": "Account" + ] } ] } @@ -6596,7 +6596,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -6624,13 +6624,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceFileEvents", "DeviceImageLoadEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6645,34 +6645,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ServiceProcessID", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ServiceProcessID" }, { - "columnName": "ServiceProcessCmdline", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ServiceProcessCmdline" } - ], - "entityType": "Process" + ] } ] } @@ -6728,7 +6728,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6756,10 +6756,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6770,51 +6770,51 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6870,7 +6870,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", 
@@ -6898,10 +6898,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6912,21 +6912,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6982,7 +6982,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -7010,10 +7010,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -7024,34 +7024,34 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -7107,7 +7107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", @@ -7135,10 +7135,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -7149,21 +7149,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -7219,7 +7219,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", @@ -7247,10 +7247,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -7261,21 +7261,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -7331,7 +7331,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -7359,12 +7359,12 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertInfo", "AlertEvidence", "DeviceLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -7381,47 +7381,47 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountFullName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountFullName" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] } ] } @@ -7477,7 +7477,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -7505,10 +7505,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -7523,21 +7523,21 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -7593,7 +7593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.14", + "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -7621,10 +7621,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -7635,51 +7635,51 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -7735,7 +7735,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -7744,7 +7744,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { @@ -7820,7 +7820,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.14", + "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -7829,7 +7829,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { @@ -7901,7 +7901,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.14", + "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -7910,7 +7910,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { @@ -7986,7 +7986,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.14", + "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -7995,7 +7995,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { @@ -8067,7 +8067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.14", + "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -8076,7 +8076,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { @@ -8148,7 +8148,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.14", + "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -8157,7 +8157,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { @@ -8229,7 +8229,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -8238,7 +8238,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { @@ -8310,7 +8310,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.14", + "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -8319,7 +8319,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { @@ -8391,7 +8391,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -8400,7 +8400,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { @@ -8472,7 +8472,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.14", + "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -8481,7 +8481,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { @@ -8553,7 +8553,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.14", + "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -8562,7 +8562,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_11", "location": "[parameters('workspace-location')]", "properties": { @@ -8634,7 +8634,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -8643,7 +8643,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_12", "location": "[parameters('workspace-location')]", "properties": { @@ -8715,7 +8715,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", 
@@ -8724,7 +8724,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_13", "location": "[parameters('workspace-location')]", "properties": { @@ -8796,7 +8796,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", @@ -8805,7 +8805,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_14", "location": "[parameters('workspace-location')]", "properties": { @@ -8881,7 +8881,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.14", + "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", 
@@ -8890,7 +8890,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_15", "location": "[parameters('workspace-location')]", "properties": { @@ -8962,7 +8962,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.14", + "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]", @@ -8971,7 +8971,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_16", "location": "[parameters('workspace-location')]", "properties": { @@ -9043,7 +9043,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.14", + "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]", 
@@ -9052,7 +9052,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_17", "location": "[parameters('workspace-location')]", "properties": { @@ -9124,7 +9124,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.14", + "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]", @@ -9133,7 +9133,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_18", "location": "[parameters('workspace-location')]", "properties": { @@ -9205,7 +9205,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.14", + "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]", 
@@ -9214,7 +9214,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_19", "location": "[parameters('workspace-location')]", "properties": { @@ -9286,7 +9286,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.14", + "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]", @@ -9295,7 +9295,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_20", "location": "[parameters('workspace-location')]", "properties": { @@ -9367,7 +9367,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.14", + "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]", 
@@ -9376,7 +9376,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_21", "location": "[parameters('workspace-location')]", "properties": { @@ -9448,7 +9448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.14", + "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]", @@ -9457,7 +9457,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_22", "location": "[parameters('workspace-location')]", "properties": { @@ -9529,7 +9529,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]", 
@@ -9538,7 +9538,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_23", "location": "[parameters('workspace-location')]", "properties": { @@ -9614,7 +9614,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]", @@ -9623,7 +9623,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_24", "location": "[parameters('workspace-location')]", "properties": { @@ -9699,7 +9699,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]", 
@@ -9708,7 +9708,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_25", "location": "[parameters('workspace-location')]", "properties": { @@ -9784,7 +9784,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]", @@ -9793,7 +9793,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_26", "location": "[parameters('workspace-location')]", "properties": { @@ -9865,7 +9865,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]", 
@@ -9874,7 +9874,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_27", "location": "[parameters('workspace-location')]", "properties": { @@ -9942,7 +9942,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.14", + "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]", @@ -9951,7 +9951,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_28", "location": "[parameters('workspace-location')]", "properties": { @@ -10027,7 +10027,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.14", + "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]", 
@@ -10036,7 +10036,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_29", "location": "[parameters('workspace-location')]", "properties": { @@ -10112,7 +10112,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]", @@ -10121,7 +10121,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_30", "location": "[parameters('workspace-location')]", "properties": { @@ -10197,7 +10197,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]", 
@@ -10206,7 +10206,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_31", "location": "[parameters('workspace-location')]", "properties": { @@ -10282,7 +10282,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CompAuth Failure Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "CompAuth Failure Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]", @@ -10291,7 +10291,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_32", "location": "[parameters('workspace-location')]", "properties": { @@ -10367,7 +10367,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DKIM Failure Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "DKIM Failure Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]", 
@@ -10376,7 +10376,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_33", "location": "[parameters('workspace-location')]", "properties": { @@ -10452,7 +10452,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DMARC Failure Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "DMARC Failure Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]", @@ -10461,7 +10461,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_34", "location": "[parameters('workspace-location')]", "properties": { @@ -10537,7 +10537,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SPF Failure Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SPF Failure Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]", 
@@ -10546,7 +10546,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_35", "location": "[parameters('workspace-location')]", "properties": { @@ -10622,7 +10622,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]", @@ -10631,7 +10631,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_36", "location": "[parameters('workspace-location')]", "properties": { @@ -10707,7 +10707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Spoof detections by Sender Domain_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Spoof detections by Sender Domain_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject37').huntingQueryVersion37]", 
@@ -10716,7 +10716,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_37", "location": "[parameters('workspace-location')]", "properties": { @@ -10792,7 +10792,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Spoof DMARC detections by Sender Domain_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Spoof DMARC detections by Sender Domain_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject38').huntingQueryVersion38]", @@ -10801,7 +10801,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_38", "location": "[parameters('workspace-location')]", "properties": { @@ -10877,7 +10877,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Spoof Intra-Org detections by SenderDomain_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Spoof Intra-Org detections by SenderDomain_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject39').huntingQueryVersion39]", 
@@ -10886,7 +10886,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_39", "location": "[parameters('workspace-location')]", "properties": { @@ -10962,7 +10962,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Message from Accepted Domain with DMARC TempError_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Message from Accepted Domain with DMARC TempError_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject40').huntingQueryVersion40]", @@ -10971,7 +10971,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_40", "location": "[parameters('workspace-location')]", "properties": { @@ -11047,7 +11047,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Message with URL listed on OpenPhish delivered into Inbox_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Message with URL listed on OpenPhish delivered into Inbox_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject41').huntingQueryVersion41]", 
@@ -11056,7 +11056,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_41", "location": "[parameters('workspace-location')]", "properties": { @@ -11132,7 +11132,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Potential OAuth phishing email delivered into Inbox_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Potential OAuth phishing email delivered into Inbox_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject42').huntingQueryVersion42]", 
@@ -11141,14 +11141,14 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_42", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Potential OAuth phishing email delivered into Inbox", "category": "Hunting Queries", - "query": "let ConsentUrls = pack_array(\"://login.microsoftonline.com/common/oauth2\", \"://login.microsoftonline.com/consumers/oauth2\", \"://login.microsoftonline.com/organizations/oauth2\", \"://login.microsoftonline.us/common/oauth2\", \"://login.microsoftonline.us/consumers/oauth2\", \"://login.microsoftonline.us/organizations/oauth2\");\nEmailUrlInfo\n| where Url has_any (ConsentUrls)\n| join EmailEvents on NetworkMessageId\n| where EmailDirection == \"Inbound\" and LatestDeliveryAction == \"Delivered\"\n", + "query": "let LoginCom = strcat(\"login.\", \"microsoftonline.com\");\nlet LoginUs = strcat(\"login.\", \"microsoftonline.us\");\nlet ConsentUrls = pack_array(strcat(\"://\", LoginCom, \"/common/oauth2\"), strcat(\"://\", LoginCom, \"/consumers/oauth2\"), strcat(\"://\", LoginCom, \"/organizations/oauth2\"), strcat(\"://\", LoginUs, \"/common/oauth2\"), strcat(\"://\", LoginUs, \"/consumers/oauth2\"), strcat(\"://\", LoginUs, \"/organizations/oauth2\"));\nEmailUrlInfo\n| where Url has_any (ConsentUrls)\n| join EmailEvents on NetworkMessageId\n| where EmailDirection == \"Inbound\" and LatestDeliveryAction == \"Delivered\"\n", "version": 2, "tags": [ { 
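Review bot: The rewritten `query` on the `+` line builds `login.microsoftonline.com` / `login.microsoftonline.us` with `strcat` yet the resulting `ConsentUrls` array is byte-for-byte the same six strings as the removed literal list, so without an explanation the indirection reads as accidental obfuscation of what the hunt matches. Presumably the aim is to keep a literal login URL out of the packaged template (a link/secret scanner or the KQL validator), but that reason is not recorded anywhere in the hunk. Put it in the KQL itself, as the first line of the `query` string (escaped `\n` so it survives in the saved search), e.g. `// Consent-endpoint hosts are assembled with strcat() so the packaged template carries no literal login URL; the match set is unchanged.` Since `has_any` matching is unaffected by how the strings are produced, the `contentProductId`/`version` bump to 1.0.1 in the following hunk is consistent with a no-behaviour-change revision, and the comment keeps a future maintainer from "simplifying" it back.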
@@ -11203,9 +11203,9 @@ "contentId": "[variables('huntingQueryObject42')._huntingQuerycontentId42]", "contentKind": "HuntingQuery", "displayName": "Potential OAuth phishing email delivered into Inbox", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject42')._huntingQuerycontentId42,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject42')._huntingQuerycontentId42,'-', '1.0.0')))]", - "version": "1.0.0" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject42')._huntingQuerycontentId42,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject42')._huntingQuerycontentId42,'-', '1.0.1')))]", + "version": "1.0.1" } }, { @@ -11217,7 +11217,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Potentially malicious SVG file delivered into Inbox_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Potentially malicious SVG file delivered into Inbox_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject43').huntingQueryVersion43]", 
@@ -11226,7 +11226,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_43", "location": "[parameters('workspace-location')]", "properties": { @@ -11302,7 +11302,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject44').huntingQueryVersion44]", @@ -11311,7 +11311,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_44", "location": "[parameters('workspace-location')]", "properties": { @@ -11387,7 +11387,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Bad email percentage - Inbound emails_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Bad email percentage - Inbound emails_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject45').huntingQueryVersion45]", 
@@ -11396,7 +11396,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_45", "location": "[parameters('workspace-location')]", "properties": { @@ -11472,7 +11472,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Calculate MDO Efficacy_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Calculate MDO Efficacy_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject46').huntingQueryVersion46]", @@ -11481,7 +11481,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_46", "location": "[parameters('workspace-location')]", "properties": { @@ -11557,7 +11557,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email sender IP address Geo location information_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Email sender IP address Geo location information_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject47').huntingQueryVersion47]", 
@@ -11566,7 +11566,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_47", "location": "[parameters('workspace-location')]", "properties": { @@ -11642,7 +11642,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for Admin email access_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunt for Admin email access_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject48').huntingQueryVersion48]", @@ -11651,7 +11651,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_48", "location": "[parameters('workspace-location')]", "properties": { @@ -11727,7 +11727,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject49').huntingQueryVersion49]", 
@@ -11736,7 +11736,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_49", "location": "[parameters('workspace-location')]", "properties": { @@ -11812,7 +11812,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject50').huntingQueryVersion50]", @@ -11821,7 +11821,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_50", "location": "[parameters('workspace-location')]", "properties": { @@ -11897,7 +11897,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject51').huntingQueryVersion51]", 
@@ -11906,7 +11906,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_51", "location": "[parameters('workspace-location')]", "properties": { @@ -11982,7 +11982,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject52').huntingQueryVersion52]", @@ -11991,7 +11991,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_52", "location": "[parameters('workspace-location')]", "properties": { @@ -12067,7 +12067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject53').huntingQueryVersion53]", 
@@ -12076,7 +12076,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_53", "location": "[parameters('workspace-location')]", "properties": { @@ -12152,7 +12152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.14", + "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject54').huntingQueryVersion54]", @@ -12161,7 +12161,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_54", "location": "[parameters('workspace-location')]", "properties": { @@ -12237,7 +12237,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Domains sending Malicious Emails (Malware+Phish+Spam)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Domains sending Malicious Emails (Malware+Phish+Spam)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject55').huntingQueryVersion55]", 
@@ -12246,7 +12246,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_55", "location": "[parameters('workspace-location')]", "properties": { @@ -12322,7 +12322,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 External Senders (Malware)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 External Senders (Malware)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject56').huntingQueryVersion56]", @@ -12331,7 +12331,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_56", "location": "[parameters('workspace-location')]", "properties": { @@ -12407,7 +12407,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 External Senders (Phish)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 External Senders (Phish)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject57').huntingQueryVersion57]", 
@@ -12416,7 +12416,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_57", "location": "[parameters('workspace-location')]", "properties": { @@ -12492,7 +12492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 External Senders (Spam)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 External Senders (Spam)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject58').huntingQueryVersion58]", @@ -12501,7 +12501,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_58", "location": "[parameters('workspace-location')]", "properties": { @@ -12577,7 +12577,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 External Senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 External Senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject59').huntingQueryVersion59]", 
@@ -12586,7 +12586,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_59", "location": "[parameters('workspace-location')]", "properties": { @@ -12662,7 +12662,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Targeted Users (Malware+Phish+Spam)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Targeted Users (Malware+Phish+Spam)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject60').huntingQueryVersion60]", @@ -12671,7 +12671,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_60", "location": "[parameters('workspace-location')]", "properties": { @@ -12747,7 +12747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Users clicking on Malicious URLs (Malware+Phish+Spam)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject61').huntingQueryVersion61]", 
@@ -12756,7 +12756,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_61", "location": "[parameters('workspace-location')]", "properties": { @@ -12832,7 +12832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total number of detections by MDO over time_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total number of detections by MDO over time_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject62').huntingQueryVersion62]", @@ -12841,7 +12841,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_62", "location": "[parameters('workspace-location')]", "properties": { @@ -12917,7 +12917,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total number of detections by MDO_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total number of detections by MDO_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject63').huntingQueryVersion63]", 
@@ -12926,7 +12926,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_63", "location": "[parameters('workspace-location')]", "properties": { @@ -13002,7 +13002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Automated email notifications and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Automated email notifications and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject64').huntingQueryVersion64]", @@ -13011,7 +13011,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_64", "location": "[parameters('workspace-location')]", "properties": { @@ -13087,7 +13087,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BEC - File sharing tactics - Dropbox_HuntingQueries Hunting Query with template version 3.0.14", + "description": "BEC - File sharing tactics - Dropbox_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject65').huntingQueryVersion65]", 
@@ -13096,7 +13096,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_65", "location": "[parameters('workspace-location')]", "properties": { @@ -13172,7 +13172,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BEC - File sharing tactics - OneDrive or SharePoint_HuntingQueries Hunting Query with template version 3.0.14", + "description": "BEC - File sharing tactics - OneDrive or SharePoint_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject66').huntingQueryVersion66]", @@ -13181,7 +13181,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_66", "location": "[parameters('workspace-location')]", "properties": { @@ -13257,7 +13257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email bombing_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Email bombing_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject67').huntingQueryVersion67]", 
@@ -13266,7 +13266,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_67", "location": "[parameters('workspace-location')]", "properties": { @@ -13338,7 +13338,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject68').huntingQueryVersion68]", @@ -13347,7 +13347,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_68", "location": "[parameters('workspace-location')]", "properties": { @@ -13423,7 +13423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Files share contents and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Files share contents and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject69').huntingQueryVersion69]", 
@@ -13432,7 +13432,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_69", "location": "[parameters('workspace-location')]", "properties": { @@ -13508,7 +13508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject70').huntingQueryVersion70]", @@ -13517,7 +13517,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_70", "location": "[parameters('workspace-location')]", "properties": { @@ -13593,7 +13593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for email bombing attacks_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunt for email bombing attacks_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject71').huntingQueryVersion71]", 
@@ -13602,7 +13602,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_71", "location": "[parameters('workspace-location')]", "properties": { @@ -13678,7 +13678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject72').huntingQueryVersion72]", @@ -13687,7 +13687,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_72", "location": "[parameters('workspace-location')]", "properties": { @@ -13763,7 +13763,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject73').huntingQueryVersion73]", 
@@ -13772,7 +13772,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_73", "location": "[parameters('workspace-location')]", "properties": { @@ -13848,7 +13848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject74').huntingQueryVersion74]", @@ -13857,7 +13857,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_74", "location": "[parameters('workspace-location')]", "properties": { @@ -13933,7 +13933,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject75').huntingQueryVersion75]", 
@@ -13942,7 +13942,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_75", "location": "[parameters('workspace-location')]", "properties": { @@ -14018,7 +14018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject76').huntingQueryVersion76]", @@ -14027,7 +14027,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_76", "location": "[parameters('workspace-location')]", "properties": { @@ -14103,7 +14103,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject77').huntingQueryVersion77]", 
@@ -14112,7 +14112,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_77", "location": "[parameters('workspace-location')]", "properties": { @@ -14188,7 +14188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject78').huntingQueryVersion78]", @@ -14197,7 +14197,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_78", "location": "[parameters('workspace-location')]", "properties": { @@ -14273,7 +14273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject79').huntingQueryVersion79]", 
@@ -14282,7 +14282,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_79", "location": "[parameters('workspace-location')]", "properties": { @@ -14358,7 +14358,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject80').huntingQueryVersion80]", @@ -14367,7 +14367,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_80", "location": "[parameters('workspace-location')]", "properties": { @@ -14443,7 +14443,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top outbound recipient domains sending inbound emails with threats_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top outbound recipient domains sending inbound emails with threats_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject81').huntingQueryVersion81]", 
@@ -14452,7 +14452,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_81", "location": "[parameters('workspace-location')]", "properties": { @@ -14528,7 +14528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject82').huntingQueryVersion82]", @@ -14537,7 +14537,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_82", "location": "[parameters('workspace-location')]", "properties": { @@ -14613,7 +14613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject83').huntingQueryVersion83]", 
@@ -14622,7 +14622,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_83", "location": "[parameters('workspace-location')]", "properties": { @@ -14698,7 +14698,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject84').huntingQueryVersion84]", @@ -14707,7 +14707,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_84", "location": "[parameters('workspace-location')]", "properties": { @@ -14783,7 +14783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject85').huntingQueryVersion85]", 
@@ -14792,7 +14792,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_85", "location": "[parameters('workspace-location')]", "properties": { @@ -14868,7 +14868,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject86').huntingQueryVersion86]", @@ -14877,7 +14877,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_86", "location": "[parameters('workspace-location')]", "properties": { @@ -14953,7 +14953,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detections by Delivery Location - High_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detections by Delivery Location - High_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject87').huntingQueryVersion87]", 
@@ -14962,7 +14962,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_87",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15038,7 +15038,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Spam Detections by Delivery Location - Medium_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Spam Detections by Delivery Location - Medium_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject88').huntingQueryVersion88]",
@@ -15047,7 +15047,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_88",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15123,7 +15123,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject89').huntingQueryVersion89]",
@@ -15132,7 +15132,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_89",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15208,7 +15208,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject90').huntingQueryVersion90]",
@@ -15217,7 +15217,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_90",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15293,7 +15293,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject91').huntingQueryVersion91]",
@@ -15302,7 +15302,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_91",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15378,7 +15378,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject92').huntingQueryVersion92]",
@@ -15387,7 +15387,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_92",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15463,7 +15463,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject93').huntingQueryVersion93]",
@@ -15472,7 +15472,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_93",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15548,7 +15548,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject94').huntingQueryVersion94]",
@@ -15557,7 +15557,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_94",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15633,7 +15633,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "File Malware Detection Trend_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "File Malware Detection Trend_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject95').huntingQueryVersion95]",
@@ -15642,7 +15642,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_95",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15718,7 +15718,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "File Malware Top Families by AV_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "File Malware Top Families by AV_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject96').huntingQueryVersion96]",
@@ -15727,7 +15727,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_96",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15803,7 +15803,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "File Malware Top Families by Safe Attachments_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "File Malware Top Families by Safe Attachments_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject97').huntingQueryVersion97]",
@@ -15812,7 +15812,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_97",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15888,7 +15888,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malware Detection Trend_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malware Detection Trend_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject98').huntingQueryVersion98]",
@@ -15897,7 +15897,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_98",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -15973,7 +15973,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malware Detections by Delivery Location_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malware Detections by Delivery Location_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject99').huntingQueryVersion99]",
@@ -15982,7 +15982,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_99",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16058,7 +16058,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malware Detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malware Detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject100').huntingQueryVersion100]",
@@ -16067,7 +16067,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_100",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16143,7 +16143,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malware Detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malware Detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject101').huntingQueryVersion101]",
@@ -16152,7 +16152,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_101",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16228,7 +16228,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malware detections by Workload Locations_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malware detections by Workload Locations_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject102').huntingQueryVersion102]",
@@ -16237,7 +16237,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_102",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16313,7 +16313,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malware detections by Workload Type_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malware detections by Workload Type_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject103').huntingQueryVersion103]",
@@ -16322,7 +16322,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_103",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16398,7 +16398,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Top Domains sending Malware_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Top Domains sending Malware_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject104').huntingQueryVersion104]",
@@ -16407,7 +16407,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_104",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16483,7 +16483,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Top Email Malware Families_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Top Email Malware Families_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject105').huntingQueryVersion105]",
@@ -16492,7 +16492,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_105",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16568,7 +16568,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Top Users receiving Malware_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Top Users receiving Malware_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject106').huntingQueryVersion106]",
@@ -16577,7 +16577,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_106",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16653,7 +16653,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Zero-day Malware Detections Trend_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Zero-day Malware Detections Trend_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject107').huntingQueryVersion107]",
@@ -16662,7 +16662,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_107",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16738,7 +16738,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Communication from suspicious external users_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Communication from suspicious external users_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject108').huntingQueryVersion108]",
@@ -16747,7 +16747,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_108",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16823,7 +16823,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Communication to suspicious external users_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Communication to suspicious external users_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject109').huntingQueryVersion109]",
@@ -16832,7 +16832,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_109",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16908,7 +16908,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Expanding recipients into separate rows_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Expanding recipients into separate rows_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject110').huntingQueryVersion110]",
@@ -16917,7 +16917,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_110",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -16993,7 +16993,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "External malicious Teams messages sent from internal senders_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "External malicious Teams messages sent from internal senders_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject111').huntingQueryVersion111]",
@@ -17002,7 +17002,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_111",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17078,7 +17078,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Hunt for malicious messages using External Threat Intelligence_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Hunt for malicious messages using External Threat Intelligence_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject112').huntingQueryVersion112]",
@@ -17087,7 +17087,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_112",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17163,7 +17163,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Inbound Teams messages by sender domains_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Inbound Teams messages by sender domains_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject113').huntingQueryVersion113]",
@@ -17172,7 +17172,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_113",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17248,7 +17248,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malicious Teams messages by URL detection methods_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malicious Teams messages by URL detection methods_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject114').huntingQueryVersion114]",
@@ -17257,7 +17257,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_114",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17333,7 +17333,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Malicious Teams messages received from external senders_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Malicious Teams messages received from external senders_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject115').huntingQueryVersion115]",
@@ -17342,7 +17342,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_115",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17418,7 +17418,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Teams chat initiated by a suspicious external user_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Microsoft Teams chat initiated by a suspicious external user_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject116').huntingQueryVersion116]",
@@ -17427,7 +17427,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_116",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17503,7 +17503,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Number of unique accounts performing Teams message Admin submissions_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Number of unique accounts performing Teams message Admin submissions_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject117').huntingQueryVersion117]",
@@ -17512,7 +17512,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_117",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17588,7 +17588,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Number of unique accounts performing Teams message User submissions_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Number of unique accounts performing Teams message User submissions_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject118').huntingQueryVersion118]",
@@ -17597,7 +17597,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_118",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17673,7 +17673,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Possible partner impersonation in external Team messages_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Possible partner impersonation in external Team messages_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject119').huntingQueryVersion119]",
@@ -17682,7 +17682,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_119",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17758,7 +17758,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Possible Teams phishing activity_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Possible Teams phishing activity_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject120').huntingQueryVersion120]",
@@ -17767,7 +17767,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_120",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17843,7 +17843,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Potentially malicious URL click in Teams_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Potentially malicious URL click in Teams_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject121').huntingQueryVersion121]",
@@ -17852,7 +17852,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_121",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -17928,7 +17928,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Rare Domains in External Teams Messages_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Rare Domains in External Teams Messages_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject122').huntingQueryVersion122]",
@@ -17937,7 +17937,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_122",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -18013,7 +18013,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Suspicious Teams Display Name_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Suspicious Teams Display Name_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject123').huntingQueryVersion123]",
@@ -18022,7 +18022,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_123", "location": "[parameters('workspace-location')]", "properties": { @@ -18098,7 +18098,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Admin submission of Malware and Phish daily trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Admin submission of Malware and Phish daily trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject124').huntingQueryVersion124]", @@ -18107,7 +18107,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_124", "location": "[parameters('workspace-location')]", "properties": { @@ -18183,7 +18183,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Admin submission of No Threats daily trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Admin submission of No Threats daily trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject125').huntingQueryVersion125]", 
@@ -18192,7 +18192,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_125", "location": "[parameters('workspace-location')]", "properties": { @@ -18268,7 +18268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Admin-User Submissions Grading Verdicts_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Admin-User Submissions Grading Verdicts_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject126').huntingQueryVersion126]", @@ -18277,7 +18277,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_126", "location": "[parameters('workspace-location')]", "properties": { @@ -18353,7 +18353,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams blocked URL clicks daily trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams blocked URL clicks daily trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject127').huntingQueryVersion127]", 
@@ -18362,7 +18362,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_127", "location": "[parameters('workspace-location')]", "properties": { @@ -18438,7 +18438,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Malware ZAP _HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Malware ZAP _HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject128').huntingQueryVersion128]", @@ -18447,7 +18447,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_128", "location": "[parameters('workspace-location')]", "properties": { @@ -18523,7 +18523,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Message with URL listed on OpenPhish_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Message with URL listed on OpenPhish_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject129').huntingQueryVersion129]", 
@@ -18532,7 +18532,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_129", "location": "[parameters('workspace-location')]", "properties": { @@ -18608,7 +18608,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams message ZAPed with the same URL in Email_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams message ZAPed with the same URL in Email_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject130').huntingQueryVersion130]", @@ -18617,7 +18617,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_130", "location": "[parameters('workspace-location')]", "properties": { @@ -18693,7 +18693,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams messages from a specific sender by ThreadType_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams messages from a specific sender by ThreadType_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject131').huntingQueryVersion131]", 
@@ -18702,7 +18702,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_131", "location": "[parameters('workspace-location')]", "properties": { @@ -18778,7 +18778,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams messages with suspicious URL domains_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams messages with suspicious URL domains_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject132').huntingQueryVersion132]", @@ -18787,7 +18787,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_132", "location": "[parameters('workspace-location')]", "properties": { @@ -18863,7 +18863,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Phish ZAP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Phish ZAP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject133').huntingQueryVersion133]", 
@@ -18872,7 +18872,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_133", "location": "[parameters('workspace-location')]", "properties": { @@ -18948,7 +18948,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams post delivery events daily trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams post delivery events daily trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject134').huntingQueryVersion134]", @@ -18957,7 +18957,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_134", "location": "[parameters('workspace-location')]", "properties": { @@ -19033,7 +19033,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams Spam ZAP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams Spam ZAP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject135').huntingQueryVersion135]", 
@@ -19042,7 +19042,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_135", "location": "[parameters('workspace-location')]", "properties": { @@ -19118,7 +19118,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams URL clicks actions summarized by URLs clicked on_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams URL clicks actions summarized by URLs clicked on_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject136').huntingQueryVersion136]", @@ -19127,7 +19127,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_136", "location": "[parameters('workspace-location')]", "properties": { @@ -19203,7 +19203,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams URL clicks through actions on Phish or Malware URLs summarized by URLs_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams URL clicks through actions on Phish or Malware URLs summarized by URLs_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject137').huntingQueryVersion137]", 
@@ -19212,7 +19212,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_137", "location": "[parameters('workspace-location')]", "properties": { @@ -19288,7 +19288,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams User submissions daily trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams User submissions daily trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject138').huntingQueryVersion138]", @@ -19297,7 +19297,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_138", "location": "[parameters('workspace-location')]", "properties": { @@ -19373,7 +19373,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Teams users clicking on suspicious URL domains_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Teams users clicking on suspicious URL domains_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject139').huntingQueryVersion139]", 
@@ -19382,7 +19382,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_139", "location": "[parameters('workspace-location')]", "properties": { @@ -19458,7 +19458,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Attacked user by Phish messages_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Attacked user by Phish messages_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject140').huntingQueryVersion140]", @@ -19467,7 +19467,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_140", "location": "[parameters('workspace-location')]", "properties": { @@ -19543,7 +19543,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 external senders sending Teams messages_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 external senders sending Teams messages_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject141').huntingQueryVersion141]", 
@@ -19552,7 +19552,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_141", "location": "[parameters('workspace-location')]", "properties": { @@ -19628,7 +19628,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 External senders sending Teams phishing messsages_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 External senders sending Teams phishing messsages_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject142').huntingQueryVersion142]", @@ -19637,7 +19637,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_142", "location": "[parameters('workspace-location')]", "properties": { @@ -19713,7 +19713,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 sender domains - Admin Teams message submissions FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 sender domains - Admin Teams message submissions FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject143').huntingQueryVersion143]", 
@@ -19722,7 +19722,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_143", "location": "[parameters('workspace-location')]", "properties": { @@ -19798,7 +19798,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 sender domains - Teams user submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 sender domains - Teams user submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject144').huntingQueryVersion144]", @@ -19807,7 +19807,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_144", "location": "[parameters('workspace-location')]", "properties": { @@ -19883,7 +19883,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 senders - Teams users submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 senders - Teams users submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject145').huntingQueryVersion145]", 
@@ -19892,7 +19892,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_145", "location": "[parameters('workspace-location')]", "properties": { @@ -19968,7 +19968,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 senders of Admin Teams message submissions FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 senders of Admin Teams message submissions FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject146').huntingQueryVersion146]", @@ -19977,7 +19977,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_146", "location": "[parameters('workspace-location')]", "properties": { @@ -20053,7 +20053,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 senders of Admin Teams message submissions FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 senders of Admin Teams message submissions FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject147').huntingQueryVersion147]", 
@@ -20062,7 +20062,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_147", "location": "[parameters('workspace-location')]", "properties": { @@ -20138,7 +20138,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Users clicking on malicious URLs in Teams_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Users clicking on malicious URLs in Teams_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject148').huntingQueryVersion148]", @@ -20147,7 +20147,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_148", "location": "[parameters('workspace-location')]", "properties": { @@ -20223,7 +20223,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top accounts performing Teams admin submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top accounts performing Teams admin submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject149').huntingQueryVersion149]", 
@@ -20232,7 +20232,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_149", "location": "[parameters('workspace-location')]", "properties": { @@ -20308,7 +20308,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top accounts performing Teams user submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top accounts performing Teams user submissions FN or FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject150').huntingQueryVersion150]", @@ -20317,7 +20317,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_150", "location": "[parameters('workspace-location')]", "properties": { @@ -20393,7 +20393,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top domains outbound sending Malicious Teams messages inbound_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top domains outbound sending Malicious Teams messages inbound_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject151').huntingQueryVersion151]", 
@@ -20402,7 +20402,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_151", "location": "[parameters('workspace-location')]", "properties": { @@ -20478,7 +20478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject152').huntingQueryVersion152]", @@ -20487,7 +20487,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_152", "location": "[parameters('workspace-location')]", "properties": { @@ -20563,7 +20563,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top External Sender domains - Malware_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top External Sender domains - Malware_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject153').huntingQueryVersion153]", 
@@ -20572,7 +20572,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_153", "location": "[parameters('workspace-location')]", "properties": { @@ -20648,7 +20648,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top External Sender domains - Phish_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top External Sender domains - Phish_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject154').huntingQueryVersion154]", @@ -20657,7 +20657,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_154", "location": "[parameters('workspace-location')]", "properties": { @@ -20733,7 +20733,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top External Sender domains - Spam_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top External Sender domains - Spam_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject155').huntingQueryVersion155]", 
@@ -20742,7 +20742,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_155", "location": "[parameters('workspace-location')]", "properties": { @@ -20818,7 +20818,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top malicious URLs clicked by users in Teams_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top malicious URLs clicked by users in Teams_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject156').huntingQueryVersion156]", @@ -20827,7 +20827,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_156", "location": "[parameters('workspace-location')]", "properties": { @@ -20903,7 +20903,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total number of MDO Teams protection detections daily_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total number of MDO Teams protection detections daily_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject157').huntingQueryVersion157]", 
@@ -20912,7 +20912,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_157", "location": "[parameters('workspace-location')]", "properties": { @@ -20988,7 +20988,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click on URLs in ZAP-d Teams messages_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URL click on URLs in ZAP-d Teams messages_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject158').huntingQueryVersion158]", @@ -20997,7 +20997,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_158", "location": "[parameters('workspace-location')]", "properties": { @@ -21073,7 +21073,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam and Phish delivered to Inbox due to Admin Overrides_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam and Phish delivered to Inbox due to Admin Overrides_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject159').huntingQueryVersion159]", 
@@ -21082,7 +21082,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_159", "location": "[parameters('workspace-location')]", "properties": { @@ -21158,7 +21158,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam and Phish delivered to Inbox due to User Overrides_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam and Phish delivered to Inbox due to User Overrides_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject160').huntingQueryVersion160]", @@ -21167,7 +21167,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_160", "location": "[parameters('workspace-location')]", "properties": { @@ -21243,7 +21243,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject161').huntingQueryVersion161]", 
@@ -21252,7 +21252,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_161", "location": "[parameters('workspace-location')]", "properties": { @@ -21328,7 +21328,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject162').huntingQueryVersion162]", @@ -21337,7 +21337,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_162", "location": "[parameters('workspace-location')]", "properties": { @@ -21413,7 +21413,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total Emails with Admin Overrides - Allow_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total Emails with Admin Overrides - Allow_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject163').huntingQueryVersion163]", 
@@ -21422,7 +21422,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_163", "location": "[parameters('workspace-location')]", "properties": { @@ -21498,7 +21498,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total Emails with Admin Overrides - Block_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total Emails with Admin Overrides - Block_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject164').huntingQueryVersion164]", @@ -21507,7 +21507,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_164", "location": "[parameters('workspace-location')]", "properties": { @@ -21583,7 +21583,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total Emails with User Overrides - Allow_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total Emails with User Overrides - Allow_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject165').huntingQueryVersion165]", 
@@ -21592,7 +21592,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_165", "location": "[parameters('workspace-location')]", "properties": { @@ -21668,7 +21668,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total Emails with User Overrides - Block_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total Emails with User Overrides - Block_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject166').huntingQueryVersion166]", @@ -21677,7 +21677,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_166", "location": "[parameters('workspace-location')]", "properties": { @@ -21753,7 +21753,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phish Detection Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phish Detection Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject167').huntingQueryVersion167]", 
@@ -21762,7 +21762,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_167", "location": "[parameters('workspace-location')]", "properties": { @@ -21838,7 +21838,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phish Detections by Delivery Location - High_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phish Detections by Delivery Location - High_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject168').huntingQueryVersion168]", @@ -21847,7 +21847,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_168", "location": "[parameters('workspace-location')]", "properties": { @@ -21923,7 +21923,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phish Detections by Delivery Location - Medium_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phish Detections by Delivery Location - Medium_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject169').huntingQueryVersion169]", 
@@ -21932,7 +21932,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_169", "location": "[parameters('workspace-location')]", "properties": { @@ -22008,7 +22008,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phish Detections by Delivery Location Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phish Detections by Delivery Location Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject170').huntingQueryVersion170]", @@ -22017,7 +22017,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_170", "location": "[parameters('workspace-location')]", "properties": { @@ -22093,7 +22093,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phish Detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phish Detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject171').huntingQueryVersion171]", 
@@ -22102,7 +22102,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_171", "location": "[parameters('workspace-location')]", "properties": { @@ -22178,7 +22178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phish Detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phish Detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject172').huntingQueryVersion172]", @@ -22187,7 +22187,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_172", "location": "[parameters('workspace-location')]", "properties": { @@ -22263,7 +22263,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Possible device code phishing attempts_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Possible device code phishing attempts_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject173').huntingQueryVersion173]", 
@@ -22272,14 +22272,14 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_173", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Possible device code phishing attempts", "category": "Hunting Queries", - "query": "let suspiciousUserClicks = materialize(UrlClickEvents\n | where ActionType in (\"ClickAllowed\", \"UrlScanInProgress\", \"UrlErrorPage\") or IsClickedThrough != \"0\"\n | where UrlChain has_any (\"microsoft.com/devicelogin\", \"login.microsoftonline.com/common/oauth2/deviceauth\")\n | extend AccountUpn = tolower(AccountUpn)\n | project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn);\n//Check for Risky Sign-In in the short time window\nlet interestedUsersUpn = suspiciousUserClicks\n | where isnotempty(AccountUpn)\n | distinct AccountUpn;\nlet suspiciousSignIns = materialize(AADSignInEventsBeta\n | where ErrorCode == 0\n | where AccountUpn in~ (interestedUsersUpn)\n | where RiskLevelDuringSignIn in (10, 50, 100)\n | extend AccountUpn = tolower(AccountUpn)\n | join kind=inner suspiciousUserClicks on AccountUpn\n | where (Timestamp - ClickTime) between (-2min .. 
7min)\n | project Timestamp, ReportId, ClickTime, AccountUpn, RiskLevelDuringSignIn, SessionId, IPAddress, Url\n);\n//Validate errorCode 50199 followed by success in 5 minute time interval for the interested user, which suggests a pause to input the code from the phishing email\nlet interestedSessionUsers = suspiciousSignIns\n | where isnotempty(AccountUpn)\n | distinct AccountUpn;\nlet shortIntervalSignInAttemptUsers = materialize(AADSignInEventsBeta\n | where AccountUpn in~ (interestedSessionUsers)\n | where ErrorCode in (0, 50199)\n | summarize ErrorCodes = make_set(ErrorCode) by AccountUpn, CorrelationId, SessionId\n | where ErrorCodes has_all (0, 50199)\n | distinct AccountUpn);\nsuspiciousSignIns\n| where AccountUpn in (shortIntervalSignInAttemptUsers)\n", + "query": "let DeviceLoginUrls = pack_array(strcat(\"microsoft.\", \"com/devicelogin\"), strcat(\"login.\", \"microsoftonline.com/common/oauth2/deviceauth\"));\nlet suspiciousUserClicks = materialize(UrlClickEvents\n | where ActionType in (\"ClickAllowed\", \"UrlScanInProgress\", \"UrlErrorPage\") or IsClickedThrough != \"0\"\n | where UrlChain has_any (DeviceLoginUrls)\n | extend AccountUpn = tolower(AccountUpn)\n | project ClickTime = Timestamp, ActionType, UrlChain, NetworkMessageId, Url, AccountUpn);\n//Check for Risky Sign-In in the short time window\nlet interestedUsersUpn = suspiciousUserClicks\n | where isnotempty(AccountUpn)\n | distinct AccountUpn;\nlet suspiciousSignIns = materialize(AADSignInEventsBeta\n | where ErrorCode == 0\n | where AccountUpn in~ (interestedUsersUpn)\n | where RiskLevelDuringSignIn in (10, 50, 100)\n | extend AccountUpn = tolower(AccountUpn)\n | join kind=inner suspiciousUserClicks on AccountUpn\n | where (Timestamp - ClickTime) between (-2min .. 
7min)\n | project Timestamp, ReportId, ClickTime, AccountUpn, RiskLevelDuringSignIn, SessionId, IPAddress, Url\n);\n//Validate errorCode 50199 followed by success in 5 minute time interval for the interested user, which suggests a pause to input the code from the phishing email\nlet interestedSessionUsers = suspiciousSignIns\n | where isnotempty(AccountUpn)\n | distinct AccountUpn;\nlet shortIntervalSignInAttemptUsers = materialize(AADSignInEventsBeta\n | where AccountUpn in~ (interestedSessionUsers)\n | where ErrorCode in (0, 50199)\n | summarize ErrorCodes = make_set(ErrorCode) by AccountUpn, CorrelationId, SessionId\n | where ErrorCodes has_all (0, 50199)\n | distinct AccountUpn);\nsuspiciousSignIns\n| where AccountUpn in (shortIntervalSignInAttemptUsers)\n", "version": 2, "tags": [ { @@ -22334,9 +22334,9 @@ "contentId": "[variables('huntingQueryObject173')._huntingQuerycontentId173]", "contentKind": "HuntingQuery", "displayName": "Possible device code phishing attempts", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject173')._huntingQuerycontentId173,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject173')._huntingQuerycontentId173,'-', '1.0.0')))]", - "version": "1.0.0" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject173')._huntingQuerycontentId173,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject173')._huntingQuerycontentId173,'-', '1.0.1')))]", + "version": "1.0.1" } }, { 
@@ -22348,7 +22348,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Domains sending Phish_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Domains sending Phish_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject174').huntingQueryVersion174]", @@ -22357,7 +22357,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_174", "location": "[parameters('workspace-location')]", "properties": { @@ -22433,7 +22433,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Users receiving Phish_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Users receiving Phish_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject175').huntingQueryVersion175]", @@ -22442,7 +22442,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_175", "location": "[parameters('workspace-location')]", "properties": { 
@@ -22518,7 +22518,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Zero-day Phish Detections Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Zero-day Phish Detections Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject176').huntingQueryVersion176]", @@ -22527,7 +22527,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_176", "location": "[parameters('workspace-location')]", "properties": { @@ -22603,7 +22603,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject177').huntingQueryVersion177]", @@ -22612,7 +22612,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_177", "location": "[parameters('workspace-location')]", "properties": { 
@@ -22688,7 +22688,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject178').huntingQueryVersion178]", @@ -22697,7 +22697,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_178", "location": "[parameters('workspace-location')]", "properties": { @@ -22773,7 +22773,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject179').huntingQueryVersion179]", @@ -22782,7 +22782,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_179", "location": "[parameters('workspace-location')]", "properties": { 
@@ -22858,7 +22858,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject180').huntingQueryVersion180]", @@ -22867,7 +22867,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_180", "location": "[parameters('workspace-location')]", "properties": { @@ -22943,7 +22943,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject181').huntingQueryVersion181]", @@ -22952,7 +22952,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_181", "location": "[parameters('workspace-location')]", "properties": { 
@@ -23028,7 +23028,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject182').huntingQueryVersion182]", @@ -23037,7 +23037,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_182", "location": "[parameters('workspace-location')]", "properties": { @@ -23113,7 +23113,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject183').huntingQueryVersion183]", @@ -23122,7 +23122,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_183", "location": "[parameters('workspace-location')]", "properties": { 
@@ -23198,7 +23198,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject184').huntingQueryVersion184]", @@ -23207,7 +23207,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_184", "location": "[parameters('workspace-location')]", "properties": { @@ -23283,7 +23283,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject185').huntingQueryVersion185]", @@ -23292,7 +23292,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_185", "location": "[parameters('workspace-location')]", "properties": { 
@@ -23368,7 +23368,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject186').huntingQueryVersion186]", @@ -23377,7 +23377,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_186", "location": "[parameters('workspace-location')]", "properties": { @@ -23453,7 +23453,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject187').huntingQueryVersion187]", @@ -23462,7 +23462,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_187", "location": "[parameters('workspace-location')]", "properties": { 
@@ -23538,7 +23538,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject188').huntingQueryVersion188]", @@ -23547,7 +23547,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_188", "location": "[parameters('workspace-location')]", "properties": { @@ -23623,7 +23623,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject189').huntingQueryVersion189]", @@ -23632,7 +23632,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_189", "location": "[parameters('workspace-location')]", "properties": { 
@@ -23708,7 +23708,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject190').huntingQueryVersion190]", @@ -23717,7 +23717,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_190", "location": "[parameters('workspace-location')]", "properties": { @@ -23793,7 +23793,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.14", + "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject191').huntingQueryVersion191]", @@ -23802,7 +23802,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_191", "location": "[parameters('workspace-location')]", "properties": { 
@@ -23878,7 +23878,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Phish reason trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine Phish reason trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject192').huntingQueryVersion192]", @@ -23887,7 +23887,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_192", "location": "[parameters('workspace-location')]", "properties": { @@ -23963,7 +23963,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Phish reason_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine Phish reason_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject193').huntingQueryVersion193]", @@ -23972,7 +23972,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_193", "location": "[parameters('workspace-location')]", "properties": { 
@@ -24048,7 +24048,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject194').huntingQueryVersion194]", @@ -24057,7 +24057,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_194", "location": "[parameters('workspace-location')]", "properties": { @@ -24133,7 +24133,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject195').huntingQueryVersion195]", @@ -24142,7 +24142,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_195", "location": "[parameters('workspace-location')]", "properties": { 
@@ -24218,7 +24218,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine releases by Detection types_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine releases by Detection types_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject196').huntingQueryVersion196]", @@ -24227,7 +24227,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_196", "location": "[parameters('workspace-location')]", "properties": { @@ -24303,7 +24303,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Spam reason trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine Spam reason trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject197').huntingQueryVersion197]", @@ -24312,7 +24312,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_197", "location": "[parameters('workspace-location')]", "properties": { 
@@ -24388,7 +24388,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Spam reason_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Quarantine Spam reason_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject198').huntingQueryVersion198]", @@ -24397,7 +24397,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_198", "location": "[parameters('workspace-location')]", "properties": { @@ -24473,7 +24473,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AIR investigation actions insight_HuntingQueries Hunting Query with template version 3.0.14", + "description": "AIR investigation actions insight_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject199').huntingQueryVersion199]", @@ -24482,7 +24482,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_199", "location": "[parameters('workspace-location')]", "properties": { 
@@ -24558,7 +24558,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject200').huntingQueryVersion200]", @@ -24567,7 +24567,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_200", "location": "[parameters('workspace-location')]", "properties": { @@ -24643,7 +24643,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Bulk Detection Top10 Domains_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Bulk Detection Top10 Domains_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject201').huntingQueryVersion201]", @@ -24652,7 +24652,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_201", "location": "[parameters('workspace-location')]", "properties": { 
@@ -24728,7 +24728,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Delivery Location_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Delivery Location_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject202').huntingQueryVersion202]", @@ -24737,7 +24737,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_202", "location": "[parameters('workspace-location')]", "properties": { @@ -24813,7 +24813,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection IP and Geo Position_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection IP and Geo Position_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject203').huntingQueryVersion203]", @@ -24822,7 +24822,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_203", "location": "[parameters('workspace-location')]", "properties": { 
@@ -24898,7 +24898,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Mails with BCL_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Mails with BCL_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject204').huntingQueryVersion204]", @@ -24907,7 +24907,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_204", "location": "[parameters('workspace-location')]", "properties": { @@ -24983,7 +24983,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Tech_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Tech_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject205').huntingQueryVersion205]", @@ -24992,7 +24992,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_205", "location": "[parameters('workspace-location')]", "properties": { 
@@ -25068,7 +25068,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Top10 Domains_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Top10 Domains_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject206').huntingQueryVersion206]", @@ -25077,7 +25077,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_206", "location": "[parameters('workspace-location')]", "properties": { @@ -25153,7 +25153,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Top10 Users_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Top10 Users_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject207').huntingQueryVersion207]", @@ -25162,7 +25162,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_207", "location": "[parameters('workspace-location')]", "properties": { 
@@ -25238,7 +25238,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Top15 Domains Details_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Top15 Domains Details_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject208').huntingQueryVersion208]", @@ -25247,7 +25247,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_208", "location": "[parameters('workspace-location')]", "properties": { @@ -25323,7 +25323,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Top15 Users Details_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Top15 Users Details_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject209').huntingQueryVersion209]", @@ -25332,7 +25332,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_209", "location": "[parameters('workspace-location')]", "properties": { 
@@ -25408,7 +25408,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detection Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detection Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject210').huntingQueryVersion210]", @@ -25417,7 +25417,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_210", "location": "[parameters('workspace-location')]", "properties": { @@ -25493,7 +25493,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spam Detections by Detection technology_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spam Detections by Detection technology_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject211').huntingQueryVersion211]", @@ -25502,7 +25502,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_211", "location": "[parameters('workspace-location')]", "properties": { 
@@ -25578,7 +25578,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject212').huntingQueryVersion212]", @@ -25587,7 +25587,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_212", "location": "[parameters('workspace-location')]", "properties": { @@ -25663,7 +25663,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Impersonation Phishing detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Impersonation Phishing detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject213').huntingQueryVersion213]", @@ -25672,7 +25672,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_213", "location": "[parameters('workspace-location')]", "properties": { 
@@ -25748,7 +25748,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Impersonation Phishing detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Impersonation Phishing detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject214').huntingQueryVersion214]", @@ -25757,7 +25757,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_214", "location": "[parameters('workspace-location')]", "properties": { @@ -25833,7 +25833,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Impersonation Phishing detections trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Impersonation Phishing detections trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject215').huntingQueryVersion215]", @@ -25842,7 +25842,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_215", "location": "[parameters('workspace-location')]", "properties": { 
@@ -25918,7 +25918,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject216').huntingQueryVersion216]", @@ -25927,7 +25927,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_216", "location": "[parameters('workspace-location')]", "properties": { @@ -26003,7 +26003,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject217').huntingQueryVersion217]", @@ -26012,7 +26012,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_217", "location": "[parameters('workspace-location')]", "properties": { 
@@ -26088,7 +26088,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject218').huntingQueryVersion218]", @@ -26097,7 +26097,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_218", "location": "[parameters('workspace-location')]", "properties": { @@ -26173,7 +26173,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spoof detections by Detection Technology Trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject219').huntingQueryVersion219]", @@ -26182,7 +26182,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_219", "location": "[parameters('workspace-location')]", "properties": { 
@@ -26258,7 +26258,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spoof detections by Detection Technology_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject220').huntingQueryVersion220]", @@ -26267,7 +26267,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_220", "location": "[parameters('workspace-location')]", "properties": { @@ -26343,7 +26343,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof detections trend_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Spoof detections trend_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject221').huntingQueryVersion221]", @@ -26352,7 +26352,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_221", "location": "[parameters('workspace-location')]", "properties": { 
@@ -26428,7 +26428,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Domains with BEC Threats inbound_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Domains with BEC Threats inbound_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject222').huntingQueryVersion222]", @@ -26437,7 +26437,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_222", "location": "[parameters('workspace-location')]", "properties": { @@ -26513,7 +26513,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject223').huntingQueryVersion223]", @@ -26522,7 +26522,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_223", "location": "[parameters('workspace-location')]", "properties": { 
@@ -26598,7 +26598,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submission Trend - FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submission Trend - FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject224').huntingQueryVersion224]", @@ -26607,7 +26607,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_224", "location": "[parameters('workspace-location')]", "properties": { @@ -26683,7 +26683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submission Trend - FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submission Trend - FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject225').huntingQueryVersion225]", @@ -26692,7 +26692,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_225", "location": "[parameters('workspace-location')]", "properties": { 
@@ -26768,7 +26768,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Detection Method - Phish FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Detection Method - Phish FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject226').huntingQueryVersion226]", @@ -26777,7 +26777,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_226", "location": "[parameters('workspace-location')]", "properties": { @@ -26853,7 +26853,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Detection Method - Spam FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Detection Method - Spam FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject227').huntingQueryVersion227]", @@ -26862,7 +26862,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_227", "location": "[parameters('workspace-location')]", "properties": { 
@@ -26938,7 +26938,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Detection Type_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Detection Type_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject228').huntingQueryVersion228]", @@ -26947,7 +26947,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_228", "location": "[parameters('workspace-location')]", "properties": { @@ -27023,7 +27023,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Grading Verdict - FN-FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Grading Verdict - FN-FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject229').huntingQueryVersion229]", @@ -27032,7 +27032,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_229", "location": "[parameters('workspace-location')]", "properties": { 
@@ -27108,7 +27108,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Submission State - FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Submission State - FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject230').huntingQueryVersion230]", @@ -27117,7 +27117,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_230", "location": "[parameters('workspace-location')]", "properties": { @@ -27193,7 +27193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Submission State - FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Submission State - FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject231').huntingQueryVersion231]", @@ -27202,7 +27202,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_231", "location": "[parameters('workspace-location')]", "properties": { 
@@ -27278,7 +27278,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Submission Type - FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Submission Type - FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject232').huntingQueryVersion232]", @@ -27287,7 +27287,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_232", "location": "[parameters('workspace-location')]", "properties": { @@ -27363,7 +27363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin Submissions by Submission Type - FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Admin Submissions by Submission Type - FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject233').huntingQueryVersion233]", @@ -27372,7 +27372,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_233", "location": "[parameters('workspace-location')]", "properties": { 
@@ -27448,7 +27448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top accounts performing admin submissions - FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top accounts performing admin submissions - FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject234').huntingQueryVersion234]", @@ -27457,7 +27457,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_234", "location": "[parameters('workspace-location')]", "properties": { @@ -27533,7 +27533,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top accounts performing admin submissions - FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top accounts performing admin submissions - FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject235').huntingQueryVersion235]", @@ -27542,7 +27542,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_235", "location": "[parameters('workspace-location')]", "properties": { 
@@ -27618,7 +27618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top accounts performing user submissions_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top accounts performing user submissions_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject236').huntingQueryVersion236]", @@ -27627,7 +27627,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_236", "location": "[parameters('workspace-location')]", "properties": { @@ -27703,7 +27703,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Detection Overrides - Admin Submissions_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Detection Overrides - Admin Submissions_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject237').huntingQueryVersion237]", @@ -27712,7 +27712,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_237", "location": "[parameters('workspace-location')]", "properties": { 
@@ -27788,7 +27788,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Sender Domains - Admin Submissions FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Sender Domains - Admin Submissions FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject238').huntingQueryVersion238]", @@ -27797,7 +27797,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_238", "location": "[parameters('workspace-location')]", "properties": { @@ -27873,7 +27873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top Sender Domains - Admin Submissions FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top Sender Domains - Admin Submissions FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject239').huntingQueryVersion239]", @@ -27882,7 +27882,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_239", "location": "[parameters('workspace-location')]", "properties": { 
@@ -27958,7 +27958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total Submissions by Submission Status_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total Submissions by Submission Status_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject240').huntingQueryVersion240]", @@ -27967,7 +27967,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_240", "location": "[parameters('workspace-location')]", "properties": { @@ -28043,7 +28043,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total Submissions by Submission Type_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Total Submissions by Submission Type_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject241').huntingQueryVersion241]", @@ -28052,7 +28052,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_241", "location": "[parameters('workspace-location')]", "properties": { 
@@ -28128,7 +28128,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject242').huntingQueryVersion242]", @@ -28137,7 +28137,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_242", "location": "[parameters('workspace-location')]", "properties": { @@ -28213,7 +28213,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submission Accuracy versus Admin Verdicts_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submission Accuracy versus Admin Verdicts_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject243').huntingQueryVersion243]", @@ -28222,7 +28222,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_243", "location": "[parameters('workspace-location')]", "properties": { 
@@ -28298,7 +28298,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions - Top detection overrides by Admins_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions - Top detection overrides by Admins_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject244').huntingQueryVersion244]", @@ -28307,7 +28307,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_244", "location": "[parameters('workspace-location')]", "properties": { @@ -28383,7 +28383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions - Top detection overrides by Users_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions - Top detection overrides by Users_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject245').huntingQueryVersion245]", @@ -28392,7 +28392,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_245", "location": "[parameters('workspace-location')]", "properties": { 
@@ -28468,7 +28468,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions - Top email (P2) senders domains_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions - Top email (P2) senders domains_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject246').huntingQueryVersion246]", @@ -28477,7 +28477,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_246", "location": "[parameters('workspace-location')]", "properties": { @@ -28553,7 +28553,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions - Top email (P2) senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions - Top email (P2) senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject247').huntingQueryVersion247]", @@ -28562,7 +28562,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_247", "location": "[parameters('workspace-location')]", "properties": { 
@@ -28638,7 +28638,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions - Top Intra-Org P2 senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions - Top Intra-Org P2 senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject248').huntingQueryVersion248]", @@ -28647,7 +28647,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_248", "location": "[parameters('workspace-location')]", "properties": { @@ -28723,7 +28723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions - Top Intra-Org Subjects_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions - Top Intra-Org Subjects_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject249').huntingQueryVersion249]", @@ -28732,7 +28732,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_249", "location": "[parameters('workspace-location')]", "properties": { 
@@ -28808,7 +28808,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions by Admin review status_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions by Admin review status_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject250').huntingQueryVersion250]", @@ -28817,7 +28817,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_250", "location": "[parameters('workspace-location')]", "properties": { @@ -28893,7 +28893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions by Grading Verdict - FN-FP_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions by Grading Verdict - FN-FP_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject251').huntingQueryVersion251]", @@ -28902,7 +28902,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_251", "location": "[parameters('workspace-location')]", "properties": { 
@@ -28978,7 +28978,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions by Submission Type_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions by Submission Type_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject252').huntingQueryVersion252]", @@ -28987,7 +28987,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_252", "location": "[parameters('workspace-location')]", "properties": { @@ -29063,7 +29063,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions from Junk Folder_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions from Junk Folder_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject253').huntingQueryVersion253]", @@ -29072,7 +29072,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_253", "location": "[parameters('workspace-location')]", "properties": { 
@@ -29148,7 +29148,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User Submissions Trend - FN_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User Submissions Trend - FN_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject254').huntingQueryVersion254]", @@ -29157,7 +29157,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_254", "location": "[parameters('workspace-location')]", "properties": { @@ -29233,7 +29233,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject255').huntingQueryVersion255]", @@ -29242,7 +29242,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_255", "location": "[parameters('workspace-location')]", "properties": { 
@@ -29318,7 +29318,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject256').huntingQueryVersion256]", @@ -29327,7 +29327,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_256", "location": "[parameters('workspace-location')]", "properties": { @@ -29403,7 +29403,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject257').huntingQueryVersion257]", @@ -29412,7 +29412,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_257", "location": "[parameters('workspace-location')]", "properties": { 
@@ -29488,7 +29488,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject258').huntingQueryVersion258]", @@ -29497,7 +29497,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_258", "location": "[parameters('workspace-location')]", "properties": { @@ -29573,7 +29573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject259').huntingQueryVersion259]", @@ -29582,7 +29582,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_259", "location": "[parameters('workspace-location')]", "properties": { 
@@ -29658,7 +29658,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject260').huntingQueryVersion260]", @@ -29667,7 +29667,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_260", "location": "[parameters('workspace-location')]", "properties": { @@ -29743,7 +29743,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.14", + "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject261').huntingQueryVersion261]", @@ -29752,7 +29752,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_261", "location": "[parameters('workspace-location')]", "properties": { 
@@ -29828,7 +29828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject262').huntingQueryVersion262]", @@ -29837,7 +29837,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_262", "location": "[parameters('workspace-location')]", "properties": { @@ -29913,7 +29913,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject263').huntingQueryVersion263]", @@ -29922,7 +29922,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_263", "location": "[parameters('workspace-location')]", "properties": { 
@@ -29998,7 +29998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject264').huntingQueryVersion264]", @@ -30007,7 +30007,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_264", "location": "[parameters('workspace-location')]", "properties": { @@ -30083,7 +30083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject265').huntingQueryVersion265]", @@ -30092,7 +30092,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_265", "location": "[parameters('workspace-location')]", "properties": { 
@@ -30168,7 +30168,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject266').huntingQueryVersion266]", @@ -30177,7 +30177,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_266", "location": "[parameters('workspace-location')]", "properties": { @@ -30253,7 +30253,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject267').huntingQueryVersion267]", @@ -30262,7 +30262,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_267", "location": "[parameters('workspace-location')]", "properties": { 
@@ -30338,7 +30338,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.14", + "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject268').huntingQueryVersion268]", @@ -30347,7 +30347,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_268", "location": "[parameters('workspace-location')]", "properties": { @@ -30423,7 +30423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious Clicks allowed (click-through)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Malicious Clicks allowed (click-through)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject269').huntingQueryVersion269]", @@ -30432,7 +30432,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_269", "location": "[parameters('workspace-location')]", "properties": { 
@@ -30508,7 +30508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious Emails with QR code Urls_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Malicious Emails with QR code Urls_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject270').huntingQueryVersion270]", @@ -30517,7 +30517,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_270", "location": "[parameters('workspace-location')]", "properties": { @@ -30593,7 +30593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject271').huntingQueryVersion271]", @@ -30602,7 +30602,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_271", "location": "[parameters('workspace-location')]", "properties": { 
@@ -30678,7 +30678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject272').huntingQueryVersion272]", @@ -30687,7 +30687,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_272", "location": "[parameters('workspace-location')]", "properties": { @@ -30763,7 +30763,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Users clicking on Malicious URLs (Malware)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Users clicking on Malicious URLs (Malware)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject273').huntingQueryVersion273]", @@ -30772,7 +30772,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_273", "location": "[parameters('workspace-location')]", "properties": { 
@@ -30848,7 +30848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Users clicking on Malicious URLs (Phish)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Users clicking on Malicious URLs (Phish)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject274').huntingQueryVersion274]", @@ -30857,7 +30857,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_274", "location": "[parameters('workspace-location')]", "properties": { @@ -30933,7 +30933,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 Users clicking on Malicious URLs (Spam)_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Top 10 Users clicking on Malicious URLs (Spam)_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject275').huntingQueryVersion275]", @@ -30942,7 +30942,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_275", "location": "[parameters('workspace-location')]", "properties": { 
@@ -31018,7 +31018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL Click attempts by threat type_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URL Click attempts by threat type_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject276').huntingQueryVersion276]", @@ -31027,7 +31027,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_276", "location": "[parameters('workspace-location')]", "properties": { @@ -31103,7 +31103,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL Clicks by Action_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URL Clicks by Action_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject277').huntingQueryVersion277]", @@ -31112,7 +31112,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_277", "location": "[parameters('workspace-location')]", "properties": { 
@@ -31188,7 +31188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLs by location_HuntingQueries Hunting Query with template version 3.0.14", + "description": "URLs by location_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject278').huntingQueryVersion278]", @@ -31197,7 +31197,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_278", "location": "[parameters('workspace-location')]", "properties": { @@ -31273,7 +31273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Post Delivery Events by Admin_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Post Delivery Events by Admin_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject279').huntingQueryVersion279]", @@ -31282,7 +31282,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_279", "location": "[parameters('workspace-location')]", "properties": { 
@@ -31358,7 +31358,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Post Delivery Events by Location_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Post Delivery Events by Location_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject280').huntingQueryVersion280]", @@ -31367,7 +31367,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_280", "location": "[parameters('workspace-location')]", "properties": { @@ -31443,7 +31443,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Post Delivery Events by ZAP type_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Post Delivery Events by ZAP type_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject281').huntingQueryVersion281]", @@ -31452,7 +31452,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_281", "location": "[parameters('workspace-location')]", "properties": { 
@@ -31528,7 +31528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Post Delivery Events over time_HuntingQueries Hunting Query with template version 3.0.14", + "description": "Post Delivery Events over time_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject282').huntingQueryVersion282]", @@ -31537,7 +31537,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_282", "location": "[parameters('workspace-location')]", "properties": { @@ -31613,7 +31613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.14", + "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject283').huntingQueryVersion283]", @@ -31622,7 +31622,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_283", "location": "[parameters('workspace-location')]", "properties": { 
@@ -31698,7 +31698,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.14", + "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject284').huntingQueryVersion284]", @@ -31707,7 +31707,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_284", "location": "[parameters('workspace-location')]", "properties": { @@ -31783,7 +31783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.14", + "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject285').huntingQueryVersion285]", @@ -31792,7 +31792,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_285", "location": "[parameters('workspace-location')]", "properties": { 
@@ -31864,7 +31864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject286').huntingQueryVersion286]", @@ -31873,7 +31873,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_286", "location": "[parameters('workspace-location')]", "properties": { @@ -31945,7 +31945,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject287').huntingQueryVersion287]", @@ -31954,7 +31954,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_287", "location": "[parameters('workspace-location')]", "properties": { 
@@ -32026,7 +32026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.14", + "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject288').huntingQueryVersion288]", @@ -32035,7 +32035,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_288", "location": "[parameters('workspace-location')]", "properties": { @@ -32107,7 +32107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.14", + "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject289').huntingQueryVersion289]", @@ -32116,7 +32116,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_289", "location": "[parameters('workspace-location')]", "properties": { 
@@ -32192,7 +32192,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.14", + "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject290').huntingQueryVersion290]", @@ -32201,7 +32201,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_290", "location": "[parameters('workspace-location')]", "properties": { @@ -32273,7 +32273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject291').huntingQueryVersion291]", @@ -32282,7 +32282,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_291", "location": "[parameters('workspace-location')]", "properties": { 
@@ -32354,7 +32354,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject292').huntingQueryVersion292]", @@ -32363,7 +32363,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_292", "location": "[parameters('workspace-location')]", "properties": { @@ -32435,7 +32435,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.14", + "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject293').huntingQueryVersion293]", @@ -32444,7 +32444,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_293", "location": "[parameters('workspace-location')]", "properties": { 
@@ -32516,7 +32516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.14", + "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject294').huntingQueryVersion294]", @@ -32525,7 +32525,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_294", "location": "[parameters('workspace-location')]", "properties": { @@ -32601,7 +32601,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.14", + "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject295').huntingQueryVersion295]", @@ -32610,7 +32610,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_295", "location": "[parameters('workspace-location')]", "properties": { 
@@ -32682,7 +32682,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject296').huntingQueryVersion296]", @@ -32691,7 +32691,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_296", "location": "[parameters('workspace-location')]", "properties": { @@ -32763,7 +32763,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.14", + "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.15", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject297').huntingQueryVersion297]", @@ -32772,7 +32772,7 @@ "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "Microsoft_Defender_XDR_Hunting_Query_297", "location": "[parameters('workspace-location')]", "properties": { 
@@ -32844,7 +32844,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject298').huntingQueryVersion298]",
@@ -32853,7 +32853,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_298",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -32925,7 +32925,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject299').huntingQueryVersion299]",
@@ -32934,7 +32934,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_299",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33006,7 +33006,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject300').huntingQueryVersion300]",
@@ -33015,7 +33015,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_300",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33087,7 +33087,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject301').huntingQueryVersion301]",
@@ -33096,7 +33096,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_301",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33172,7 +33172,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject302').huntingQueryVersion302]",
@@ -33181,7 +33181,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_302",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33249,7 +33249,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject303').huntingQueryVersion303]",
@@ -33258,7 +33258,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_303",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33330,7 +33330,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject304').huntingQueryVersion304]",
@@ -33339,7 +33339,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_304",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33411,7 +33411,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject305').huntingQueryVersion305]",
@@ -33420,7 +33420,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_305",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33488,7 +33488,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject306').huntingQueryVersion306]",
@@ -33497,7 +33497,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_306",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33569,7 +33569,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject307').huntingQueryVersion307]",
@@ -33578,7 +33578,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_307",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33650,7 +33650,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject308').huntingQueryVersion308]",
@@ -33659,7 +33659,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_308",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33727,7 +33727,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject309').huntingQueryVersion309]",
@@ -33736,7 +33736,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_309",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33808,7 +33808,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject310').huntingQueryVersion310]",
@@ -33817,7 +33817,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_310",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33893,7 +33893,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject311').huntingQueryVersion311]",
@@ -33902,7 +33902,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_311",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -33974,7 +33974,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject312').huntingQueryVersion312]",
@@ -33983,7 +33983,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_312",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34055,7 +34055,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject313').huntingQueryVersion313]",
@@ -34064,7 +34064,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_313",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34136,7 +34136,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject314').huntingQueryVersion314]",
@@ -34145,7 +34145,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_314",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34217,7 +34217,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject315').huntingQueryVersion315]",
@@ -34226,7 +34226,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_315",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34298,7 +34298,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject316').huntingQueryVersion316]",
@@ -34307,7 +34307,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_316",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34379,7 +34379,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject317').huntingQueryVersion317]",
@@ -34388,7 +34388,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_317",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34460,7 +34460,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject318').huntingQueryVersion318]",
@@ -34469,7 +34469,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_318",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34541,7 +34541,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject319').huntingQueryVersion319]",
@@ -34550,7 +34550,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_319",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34622,7 +34622,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject320').huntingQueryVersion320]",
@@ -34631,7 +34631,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_320",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34703,7 +34703,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject321').huntingQueryVersion321]",
@@ -34712,7 +34712,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_321",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34784,7 +34784,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject322').huntingQueryVersion322]",
@@ -34793,7 +34793,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_322",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34865,7 +34865,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject323').huntingQueryVersion323]",
@@ -34874,7 +34874,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_323",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -34946,7 +34946,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject324').huntingQueryVersion324]",
@@ -34955,7 +34955,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_324",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -35031,7 +35031,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject325').huntingQueryVersion325]",
@@ -35040,7 +35040,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_325",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -35112,7 +35112,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject326').huntingQueryVersion326]",
@@ -35121,7 +35121,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_326",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -35193,7 +35193,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Punycode chars lookalike domains_HuntingQueries Hunting Query with template version 3.0.14",
+ "description": "Punycode chars lookalike domains_HuntingQueries Hunting Query with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject327').huntingQueryVersion327]",
@@ -35202,7 +35202,7 @@
 "resources": [
 {
 "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "Microsoft_Defender_XDR_Hunting_Query_327",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -35278,7 +35278,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.14",
+ "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -35382,7 +35382,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.14",
+ "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -35457,7 +35457,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.14",
+ "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.15",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -35549,7 +35549,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.14",
+ "version": "3.0.15",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Microsoft Defender XDR",
diff --git a/Solutions/Microsoft Defender XDR/ReleaseNotes.md b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
index 05db2083e3f..62168be3575 100644
--- a/Solutions/Microsoft Defender XDR/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------------------------------------------------|
+| 3.0.15 | 15-06-2026 | Refactor OAuth and device-code phishing hunting queries to construct login.microsoftonline.com and login.microsoftonline.us URLs via strcat() (resolves ARM-TTK 'DeploymentTemplate Must Not Contain Hardcoded Uri'); remove empty groupByAlertDetails/groupByCustomDetails arrays from PossibleWebpBufferOverflow analytic rule (resolves ARM-TTK 'Template Should Not Contain Blanks'). |
 | 3.0.14 | 09-02-2026 | Added new **Hunting Query** Punycode chars lookalike domains.yaml. |
 | 3.0.13 | 22-01-2026 | Updated Defender XDR solution with new **Hunting Queries**. |
 | 3.0.12 | 07-04-2025 | Updated ConnectivityCriteria Type in **Data Connector**. |