Merge pull request #11191 from Azure/v-prasadboke-GSA_new

Detections title changed

Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml

@@ -1,5 +1,5 @@
 id: 4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac
-name: Accessed files shared by temporary external user
+name: Office 365 - Accessed files shared by temporary external user
 description: |
   'This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.'
 severity: Low
@@ -82,5 +82,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.1.1
+version: 2.1.2
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml

@@ -1,5 +1,5 @@
 id: 1a8f1297-23a4-4f09-a20b-90af8fc3641a
-name: External User Added and Removed in Short Timeframe
+name: Office 365 - External User Added and Removed in Short Timeframe
 description: |
   This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.
 severity: Low
@@ -67,5 +67,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIp
-version: 2.1.2
+version: 2.1.3
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml

@@ -1,5 +1,5 @@
 id: edcfc2e0-3134-434c-8074-9101c530d419
-name: Mail redirect via ExO transport rule
+name: Office 365 - Mail redirect via ExO transport rule
 description: |
   'Identifies when Exchange Online transport rule configured to forward emails.
   This could be an adversary mailbox configured to collect mail from multiple user accounts.'
@@ -51,5 +51,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml

@@ -1,5 +1,5 @@
 id: a9c76c8d-f60d-49ec-9b1f-bdfee6db3807
-name: Malicious Inbox Rule
+name: Office 365 - Malicious Inbox Rule
 description: |
   'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
    This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
@@ -52,5 +52,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIPAddress
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml

@@ -1,5 +1,5 @@
 id: db60e4b6-a845-4f28-a18c-94ebbaad6c6c
-name: Multiple Teams deleted by a single user
+name: Office 365 - Multiple Teams deleted by a single user
 description: |
   'This detection flags the occurrences of deleting multiple teams within an hour.
   This data is a part of Office 365 Connector in Microsoft Sentinel.'
@@ -35,5 +35,5 @@ entityMappings:
         columnName: AccountName
       - identifier: UPNSuffix
         columnName: AccountUPNSuffix
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_MailForwarding.yaml

@@ -1,5 +1,5 @@
 id: d75e8289-d1cb-44d4-bd59-2f44a9172478
-name: Multiple Users Email Forwarded to Same Destination
+name: Office 365 - Multiple Users Email Forwarded to Same Destination
 description: |
   Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. 
   This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.
@@ -57,5 +57,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml

@@ -1,5 +1,5 @@
 id: 178c62b4-d5e5-40f5-8eab-7fccd0051e7a
-name: New Executable via Office FileUploaded Operation
+name: Office 365 - New Executable via Office FileUploaded Operation
 description: |
   Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.
   List currently includes exe, inf, gzip, cmd, bat file extensions.
@@ -76,5 +76,5 @@ entityMappings:
     fieldMappings:
       - identifier: Name
         columnName: FileNames
-version: 2.0.5
+version: 2.0.6
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml

@@ -1,5 +1,5 @@
 id: 433c254d-4b84-46f7-99ec-9dfefb5f6a7b
-name: Rare and Potentially High-Risk Office Operations
+name: Office 365 - Rare and Potentially High-Risk Office Operations
 description: |
   Identifies Office operations that are typically rare and can provide capabilities useful to attackers.
 severity: Low
@@ -41,5 +41,5 @@ entityMappings:
     fieldMappings:
       - identifier: AppId
         columnName: AppId
-version: 2.0.5
+version: 2.0.6
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml

@@ -1,5 +1,5 @@
 id: 7460e34e-4c99-47b2-b7c0-c42e339fc586
-name: SharePoint File Operation via Previously Unseen IPs
+name: Office 365 - SharePoint File Operation via Previously Unseen IPs
 description: |
   Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.
 severity: Medium
@@ -68,5 +68,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Site_Url
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml

@@ -1,5 +1,5 @@
 id: efd17c5f-5167-40f8-a1e9-0818940785d9
-name: SharePointFileOperation via devices with previously unseen user agents
+name: Office 365 - SharePointFileOperation via devices with previously unseen user agents
 description: |
   Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%).
 severity: Medium
@@ -81,5 +81,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Site_Url
-version: 2.2.4
+version: 2.2.5
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml

@@ -1,5 +1,5 @@
 id: dc451755-8ab3-4059-b805-e454c45d1d44
-name: Exchange AuditLog Disabled
+name: Office 365 - Exchange AuditLog Disabled
 description: |
   'Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.'
 severity: Medium
@@ -45,5 +45,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.6
+version: 2.0.7
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - office_policytampering.yaml

@@ -1,5 +1,5 @@
 id: 0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb
-name: Office Policy Tampering
+name: Office 365 - Office Policy Tampering
 description: |
   Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. 
   An adversary may use this technique to evade detection or avoid other policy-based defenses.
@@ -55,5 +55,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: ClientIP
-version: 2.0.3
+version: 2.0.4
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml

@@ -1,5 +1,5 @@
 id: 30375d00-68cc-4f95-b89a-68064d566358
-name: Office365 Sharepoint File Transfer Above Threshold
+name: Office 365 - Sharepoint File Transfer Above Threshold
 description: |
   Identifies Office365 Sharepoint File Transfers above a certain threshold in a 15-minute time period.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.
@@ -55,5 +55,5 @@ incidentConfiguration:
       - Account
     groupByAlertDetails: []
     groupByCustomDetails: []
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled

Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml

@@ -1,5 +1,5 @@
 id: abd6976d-8f71-4851-98c4-4d086201319c
-name: Office365 Sharepoint File Transfer Above Threshold
+name: Office 365 - Sharepoint File Transfer Above Threshold
 description: |
   Identifies Office365 Sharepoint File Transfers with a distinct folder count above a certain threshold in a 15-minute time period.
   Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.
@@ -57,5 +57,5 @@ incidentConfiguration:
       - Account
     groupByAlertDetails: []
     groupByCustomDetails: []
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled

Solutions/Global Secure Access/Package/createUiDefinition.json

@@ -164,7 +164,7 @@
           {
             "name": "analytic3",
             "type": "Microsoft.Common.Section",
-            "label": "Exchange AuditLog Disabled",
+            "label": "Office 365 - Exchange AuditLog Disabled",
             "elements": [
               {
                 "name": "analytic3-text",
@@ -178,7 +178,7 @@
           {
             "name": "analytic4",
             "type": "Microsoft.Common.Section",
-            "label": "Accessed files shared by temporary external user",
+            "label": "Office 365 - Accessed files shared by temporary external user",
             "elements": [
               {
                 "name": "analytic4-text",
@@ -192,7 +192,7 @@
           {
             "name": "analytic5",
             "type": "Microsoft.Common.Section",
-            "label": "External User Added and Removed in Short Timeframe",
+            "label": "Office 365 - External User Added and Removed in Short Timeframe",
             "elements": [
               {
                 "name": "analytic5-text",
@@ -206,7 +206,7 @@
           {
             "name": "analytic6",
             "type": "Microsoft.Common.Section",
-            "label": "Mail redirect via ExO transport rule",
+            "label": "Office 365 - Mail redirect via ExO transport rule",
             "elements": [
               {
                 "name": "analytic6-text",
@@ -220,7 +220,7 @@
           {
             "name": "analytic7",
             "type": "Microsoft.Common.Section",
-            "label": "Malicious Inbox Rule",
+            "label": "Office 365 - Malicious Inbox Rule",
             "elements": [
               {
                 "name": "analytic7-text",
@@ -234,7 +234,7 @@
           {
             "name": "analytic8",
             "type": "Microsoft.Common.Section",
-            "label": "Multiple Teams deleted by a single user",
+            "label": "Office 365 - Multiple Teams deleted by a single user",
             "elements": [
               {
                 "name": "analytic8-text",
@@ -248,7 +248,7 @@
           {
             "name": "analytic9",
             "type": "Microsoft.Common.Section",
-            "label": "Multiple Users Email Forwarded to Same Destination",
+            "label": "Office 365 - Multiple Users Email Forwarded to Same Destination",
             "elements": [
               {
                 "name": "analytic9-text",
@@ -262,7 +262,7 @@
           {
             "name": "analytic10",
             "type": "Microsoft.Common.Section",
-            "label": "Office Policy Tampering",
+            "label": "Office 365 - Office Policy Tampering",
             "elements": [
               {
                 "name": "analytic10-text",
@@ -276,7 +276,7 @@
           {
             "name": "analytic11",
             "type": "Microsoft.Common.Section",
-            "label": "New Executable via Office FileUploaded Operation",
+            "label": "Office 365 - New Executable via Office FileUploaded Operation",
             "elements": [
               {
                 "name": "analytic11-text",
@@ -290,7 +290,7 @@
           {
             "name": "analytic12",
             "type": "Microsoft.Common.Section",
-            "label": "Rare and Potentially High-Risk Office Operations",
+            "label": "Office 365 - Rare and Potentially High-Risk Office Operations",
             "elements": [
               {
                 "name": "analytic12-text",
@@ -304,7 +304,7 @@
           {
             "name": "analytic13",
             "type": "Microsoft.Common.Section",
-            "label": "SharePoint File Operation via Previously Unseen IPs",
+            "label": "Office 365 - SharePoint File Operation via Previously Unseen IPs",
             "elements": [
               {
                 "name": "analytic13-text",
@@ -318,7 +318,7 @@
           {
             "name": "analytic14",
             "type": "Microsoft.Common.Section",
-            "label": "SharePointFileOperation via devices with previously unseen user agents",
+            "label": "Office 365 - SharePointFileOperation via devices with previously unseen user agents",
             "elements": [
               {
                 "name": "analytic14-text",
@@ -332,7 +332,7 @@
           {
             "name": "analytic15",
             "type": "Microsoft.Common.Section",
-            "label": "Office365 Sharepoint File Transfer Above Threshold",
+            "label": "Office 365 - Sharepoint File Transfer Above Threshold",
             "elements": [
               {
                 "name": "analytic15-text",
@@ -346,7 +346,7 @@
           {
             "name": "analytic16",
             "type": "Microsoft.Common.Section",
-            "label": "Office365 Sharepoint File Transfer Above Threshold",
+            "label": "Office 365 - Sharepoint File Transfer Above Threshold",
             "elements": [
               {
                 "name": "analytic16-text",