From a58510fdbe27dd731bc6b5ecc0a515fdd3328eb0 Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Fri, 20 Sep 2024 10:30:56 +0200 Subject: [PATCH 01/12] chore: sort JSON in RecordedFuture-Alert-Importer --- .../azuredeploy.json | 344 +++++++++--------- 1 file changed, 177 insertions(+), 167 deletions(-) diff --git a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json index 70b1d3e6f7c..9f6f82edac4 100644 --- a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json 
@@ -2,46 +2,56 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "RecordedFuture-Alert-Importer", + "author": { + "name": "Recorded Future" + }, "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], + "entities": [], + "lastUpdateTime": "2024-08-23T00:00:00.000Z", "postDeployment": [ "After deployment, open the playbook to configure all connections and press save." ], - "lastUpdateTime": "2024-08-23T00:00:00.000Z", - "entities": [], - "tags": [ "Alert" ], - "support": { - "tier": "Partner", - "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" - }, - "author": { - "name": "Recorded Future" - }, + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], "releaseNotes": [ { - "version": "1.0", + "notes": [ + "Initial version" + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "Initial version" ] + "version": "1.0" }, - { - "version": "1.1", + { + "notes": [ + "Fixed ARM encoding" + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "Fixed ARM encoding" ] + "version": "1.1" }, - { - "version": "1.2", + { + "notes": [ + "API connector renaming." + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "API connector renaming." 
] + "version": "1.2" }, - { - "version": "1.3", + { + "notes": [ + "Encoding and latest_event_date fix." + ], "title": "RecordedFuture-Alert-Importer", - "notes": [ "Encoding and latest_event_date fix." ] + "version": "1.3" } - ] + ], + "support": { + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator", + "tier": "Partner" + }, + "tags": [ + "Alert" + ], + "title": "RecordedFuture-Alert-Importer" }, "parameters": { "PlaybookName": { 
@@ -49,69 +59,42 @@ "type": "string" }, "create_incident": { - "type": "string", "metadata": { "description": "Create Microsoft Sentinel incidents (possible values true/false)" - } + }, + "type": "string" }, "workspace_name": { - "type": "string", "defaultValue": "", "metadata": { - "description" : "Microsoft Sentinel Workspace name" - } + "description": "Microsoft Sentinel Workspace name" + }, + "type": "string" } }, - "variables": { - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2" - }, "resources": [ { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[resourceGroup().location]", + "name": "[parameters('PlaybookName')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - }, - "create_incident": { - "type": "string", - "defaultValue": "[parameters('create_incident')]" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 1 - }, - "type": "Recurrence" - } - 
}, "actions": { "For_each_triggered_alert": { - "foreach": "@body('Search_Triggered_Alerts')?['data']", "actions": { "Create_incident_if_parameter_is_set": { "actions": { "Add_comment_to_incident_(V3)": { - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": { "incidentArmId": "@body('Create_incident')?['id']", @@ -124,11 +107,15 @@ }, "method": "post", "path": "/Incidents/Comment" - } + }, + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection" }, "Create_incident": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "body": { "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", @@ -150,15 +137,11 @@ }, "method": "put", "path": "[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "Parse_JSON_2": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ParseJson", "inputs": { "content": "@items('For_each_triggered_alert')?['hits']", "schema": { @@ -183,7 +166,7 @@ } }, "type": [ - "object", + "object", "null" ] }, @@ -243,14 +226,15 @@ }, "type": "array" } - } + }, + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ParseJson" } }, - "runAfter": { - "For_each_hit": [ - "Succeeded" - ] - }, "expression": { "and": [ { 
@@ -261,14 +245,16 @@ } ] }, + "runAfter": { + "For_each_hit": [ + "Succeeded" + ] + }, "type": "If" }, "For_each_hit": { - "foreach": "@items('For_each_triggered_alert')['hits']", "actions": { "Parse_JSON": { - "runAfter": {}, - "type": "ParseJson", "inputs": { "content": "@items('For_each_hit')", "schema": { @@ -360,15 +346,11 @@ }, "type": "object" } - } + }, + "runAfter": {}, + "type": "ParseJson" }, "Send_Data_2": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}", "headers": { @@ -381,13 +363,21 @@ }, "method": "post", "path": "/api/logs" - } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection" } }, + "foreach": "@items('For_each_triggered_alert')['hits']", "runAfter": {}, "type": "Foreach" } }, + "foreach": "@body('Search_Triggered_Alerts')?['data']", "runAfter": { "Search_Triggered_Alerts": [ "Succeeded" @@ -396,8 +386,6 @@ "type": "Foreach" }, "Initialize_variable": { - "runAfter": {}, - "type": "InitializeVariable", "inputs": { "variables": [ { 
@@ -406,15 +394,11 @@ "value": "@{addHours(utcNow(), -24)}" } ] - } + }, + "runAfter": {}, + "type": "InitializeVariable" }, "Run_query_and_list_results": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))", "host": { @@ -431,16 +415,15 @@ "subscriptions": "[subscription().subscriptionId]", "timerange": "Last 7 days" } - } - }, - "Search_Triggered_Alerts": { + }, "runAfter": { - "Set_variable": [ - "Succeeded", - "Skipped" + "Initialize_variable": [ + "Succeeded" ] }, - "type": "ApiConnection", + "type": "ApiConnection" + }, + "Search_Triggered_Alerts": { "inputs": { "host": { "connection": { @@ -452,22 +435,53 @@ "queries": { "triggered": "[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" } - } + }, + "runAfter": { + "Set_variable": [ + "Succeeded", + "Skipped" + ] + }, + "type": "ApiConnection" }, "Set_variable": { + "inputs": { + "name": "latest_event_date", + "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" + }, "runAfter": { "Run_query_and_list_results": [ "Succeeded" ] }, - "type": "SetVariable", - "inputs": { - "name": "latest_event_date", - "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" - } + "type": "SetVariable" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "create_incident": { + "defaultValue": "[parameters('create_incident')]", + "type": "string" } }, - "outputs": {} + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + } }, "parameters": { "$connections": { 
@@ -485,12 +499,12 @@ "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "connectionName": "[variables('MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } - } + }, + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" }, "recordedfuturev2": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]", 
@@ -499,82 +513,78 @@ } } } - } + }, + "provisioningState": "Succeeded", + "state": "Enabled" }, - "name": "[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[resourceGroup().location]", "tags": { "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", "hidden-SentinelTemplateVersion": "1.3" }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" - ] + "type": "Microsoft.Logic/workflows" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", "properties": { - "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('AzuremonitorlogsConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('AzuremonitorlogsConnectionName')]", "properties": { - "displayName": 
"[variables('AzuremonitorlogsConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('AzuremonitorlogsConnectionName')]" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('MicrosoftSentinelConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('MicrosoftSentinelConnectionName')]", "properties": { - "displayName": "[variables('MicrosoftSentinelConnectionName')]", - "customParameterValues": {}, - "parameterValueType": "Alternative", "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('Recordedfuturev2ConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('Recordedfuturev2ConnectionName')]", "properties": { - "displayName": "[variables('Recordedfuturev2ConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('Recordedfuturev2ConnectionName')]" + }, + "type": "Microsoft.Web/connections" } - ] + ], + "variables": { + 
"AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2" + } } From 7fe9d4ca14c4fc937e2f8404021d034caf7b0b5a Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Fri, 20 Sep 2024 11:33:51 +0200 Subject: [PATCH 02/12] feat: add ?utm_source=microsoft_sentinel param to links --- .../Alerts/RecordedFuture-Alert-Importer/azuredeploy.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json index 9f6f82edac4..5785e4b3987 100644 --- a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json @@ -98,7 +98,7 @@ "inputs": { "body": { "incidentArmId": "@body('Create_incident')?['id']", - "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" + "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'], '&utm_source=microsoft_sentinel')})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" }, "host": { "connection": { @@ -118,7 +118,7 @@ "Create_incident": { "inputs": { "body": { - "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", + "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'],'&utm_source=microsoft_sentinel')})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", "severity": "Medium", "status": "New", "tagsToAdd": { From d470fe9aaeda409fe6c79f4be6ae081ad7035fdf Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Fri, 20 Sep 2024 11:35:10 +0200 Subject: [PATCH 03/12] fix: remove unnecessary ParseJSON blocks and fix JSON serialization in Send Data blocks --- .../azuredeploy.json | 203 +----------------- 1 file changed, 5 insertions(+), 198 deletions(-) diff --git a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json index 5785e4b3987..4cd57591041 100644 --- a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json @@ -109,7 +109,7 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Parse_JSON_2": [ + "Create_incident": [ "Succeeded" ] }, 
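Review bot: Appending `'&utm_source=microsoft_sentinel'` with `concat` assumes the portal URL returned by the API already carries a query string. If `['url']?['portal']` ever arrives without a `?`, the suffix becomes part of the path and the link breaks; if it is null, the link target is probably just the suffix. The same expression is added to the `description` of `Create_incident` in the `@@ -118,7 +118,7 @@` hunk, and the commit subject says `?utm_source=` while the code appends `&`. Choosing the separator at run time would cover both cases, e.g. `concat(url, if(contains(url, '?'), '&', '?'), 'utm_source=microsoft_sentinel')`, where `url` is shorthand for `coalesce(items('For_each_triggered_alert')?['url']?['portal'], '')`. Both action definitions continue outside the hunks shown.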
@@ -138,103 +138,12 @@ "method": "put", "path": "[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" }, - "runAfter": {}, "type": "ApiConnection" - }, - "Parse_JSON_2": { - "inputs": { - "content": "@items('For_each_triggered_alert')?['hits']", - "schema": { - "items": { - "properties": { - "analyst_note": {}, - "document": { - "properties": { - "authors": { - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - }, - "url": {} - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - }, - "primary_entity": {} - }, - "required": [ - "entities", - "document", - "fragment", - "id", - "language", - "primary_entity", - "analyst_note" - ], - "type": "object" - }, - "type": "array" - } - }, - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ParseJson" } }, + "else": { + "actions": {} + }, "expression": { "and": [ { 
@@ -254,105 +163,9 @@ }, "For_each_hit": { "actions": { - "Parse_JSON": { - "inputs": { - "content": "@items('For_each_hit')", - "schema": { - "properties": { - "analyst_note": {}, - "document": { - "properties": { - "authors": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - }, - "url": {} - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - }, - "primary_entity": {} - }, - "type": "object" - } - }, - "runAfter": {}, - "type": "ParseJson" - }, "Send_Data_2": { "inputs": { - "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', '\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', 
'\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}", + "body": "{\n\"RuleName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['rule']?['name'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['title'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\ncoalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''),\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Fragment\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_hit')?['fragment'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\"}", "headers": { "Log-Type": "RecordedFuturePortalAlerts" }, @@ -364,16 +177,10 @@ "method": "post", "path": "/api/logs" }, - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, "type": "ApiConnection" } }, "foreach": "@items('For_each_triggered_alert')['hits']", - "runAfter": {}, "type": "Foreach" } }, From 53514dc56d75549acf693f56a42125e2d0e8ef4f Mon Sep 17 00:00:00 2001 
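Review bot: In the new `Send_Data_2` body the last `replace` in each of the four chains is written `'\n', '\\r'`, so it searches for a line feed that the earlier `'\n', '\\n'` step has already rewritten. Carriage returns are therefore never escaped and would still land as raw control characters in the hand-built JSON; the pair presumably should read `'\r', '\\r'`. Separately, `Fragment` lost the `coalesce(..., '')` that the removed line had, so a hit without a `fragment` passes null to `replace`, which likely fails the action; `coalesce(items('For_each_hit')?['fragment'],'')` keeps the old behaviour, and `rule.name` and `title` are exposed the same way. Because these fields carry externally collected text into a SIEM table, letting the runtime serialise an object body would be more robust than escaping by hand, since `URL`, `Document_url` and the remaining control characters are still interpolated unescaped.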
From: Niklas Logren Date: Fri, 20 Sep 2024 11:35:34 +0200 Subject: [PATCH 04/12] build: bump version to 1.4 --- .../RecordedFuture-Alert-Importer/azuredeploy.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json index 4cd57591041..5c10d036756 100644 --- a/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Alerts/RecordedFuture-Alert-Importer/azuredeploy.json @@ -7,7 +7,7 @@ }, "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", "entities": [], - "lastUpdateTime": "2024-08-23T00:00:00.000Z", + "lastUpdateTime": "2024-09-20T00:00:00.000Z", "postDeployment": [ "After deployment, open the playbook to configure all connections and press save." ], @@ -42,6 +42,13 @@ ], "title": "RecordedFuture-Alert-Importer", "version": "1.3" + }, + { + "notes": [ + "More JSON encoding fixes, and add utm parameter to links" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.4" } ], "support": { @@ -326,7 +333,7 @@ }, "tags": { "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", - "hidden-SentinelTemplateVersion": "1.3" + "hidden-SentinelTemplateVersion": "1.4" }, "type": "Microsoft.Logic/workflows" }, From f34aeb76002899f5801900d7a19d26418619ee2c Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Fri, 20 Sep 2024 14:49:45 +0200 Subject: [PATCH 05/12] chore: sort JSON in RecordedFuture-Sandbox_Enrichment-Url --- .../azuredeploy.json | 290 +++++++++--------- 1 file changed, 148 insertions(+), 142 deletions(-) 
diff --git a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json index 6acce089044..9f60ed81d38 100644 --- a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json 
@@ -2,37 +2,43 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "RecordedFuture-Sandbox_Enrichment-Url", + "author": { + "name": "Recorded Future" + }, "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The result will be written as a incident comment.", - "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "entities": [ + "url" + ], + "lastUpdateTime": "2024-01-12T00:00:00.000Z", "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], + "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", "prerequisitesDeployTemplateFile": "", - "lastUpdateTime": "2024-01-12T00:00:00.000Z", - "entities": [ - "url" - ], - "tags": [ "Enrichment" ], - "support": { - "tier": "Partner", - "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" - }, - "author": { - "name": "Recorded Future" - }, "releaseNotes": [ { - "version": "1.0", + "notes": [ + "Initial version" + ], "title": "RecordedFuture-Sandbox_Enrichment-Url", - "notes": [ "Initial version" ] + "version": "1.0" }, { - "version": "1.1", + "notes": [ + "API connection rename." + ], "title": "API Connectors", - "notes": [ "API connection rename." 
] + "version": "1.1" } - ] + ], + "support": { + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator", + "tier": "Partner" + }, + "tags": [ + "Enrichment" + ], + "title": "RecordedFuture-Sandbox_Enrichment-Url" }, "parameters": { "PlaybookName": { 
@@ -40,54 +46,45 @@ "type": "string" }, "Sandbox API Key": { - "type": "string", "metadata": { "description": "Enter value for Sandbox API Key. Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" - } + }, + "type": "string" } }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection" - }, "resources": [ { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[resourceGroup().location]", + "name": "[parameters('PlaybookName')]", "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "defaultValue": {}, - "type": "Object" - }, - "Sandbox API Key": { - "defaultValue": "[parameters('Sandbox API Key')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", + "actions": { + "Define_sandbox_status": { "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "variables": [ + { + "name": "sandbox_status", + "type": "string" } - }, - "path": "/incident-creation" - } - } - }, - "actions": { + ] + }, + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, "Entities_-_Get_URLs": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", "host": { 
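Review bot: The `Sandbox API Key` template parameter is still declared `"type": "string"` on the new side of this hunk, so the key is kept in clear text in the deployment record. The `@@ -205,59 +201,73 @@` hunk then copies it into the workflow parameter through `defaultValue`, where anyone who can view the Logic App definition can read it. Consider `"type": "securestring"` for both the ARM parameter and the workflow parameter, with the value passed through the workflow's `properties.parameters` instead of `defaultValue`. The sort only moves this existing declaration, so the change could go in a follow-up commit.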
@@ -97,18 +94,13 @@ }, "method": "post", "path": "/entities/url" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "For_each": { - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "actions": { "Add_comment_to_incident_(V3)": { - "runAfter": { - "Get_the_full_report": [ - "Succeeded" - ] - }, - "type": "ApiConnection", "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", @@ -121,15 +113,15 @@ }, "method": "post", "path": "/Incidents/Comment" - } - }, - "Get_the_full_report": { + }, "runAfter": { - "Wait_for_sandbox_report": [ + "Get_the_full_report": [ "Succeeded" ] }, - "type": "ApiConnection", + "type": "ApiConnection" + }, + "Get_the_full_report": { "inputs": { "headers": { "SandboxToken": "@parameters('Sandbox API Key')" @@ -141,23 +133,27 @@ }, "method": "get", "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" - } - }, - "Initialize_Sandbox_status": { + }, "runAfter": { - "Submit_url_samples": [ + "Wait_for_sandbox_report": [ "Succeeded" ] }, - "type": "SetVariable", + "type": "ApiConnection" + }, + "Initialize_Sandbox_status": { "inputs": { "name": "sandbox_status", "value": "@body('Submit_url_samples')?['status']" - } + }, + "runAfter": { + "Submit_url_samples": [ + "Succeeded" + ] + }, + "type": "SetVariable" }, "Submit_url_samples": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "body": { "url": "@items('For_each')?['Url']" @@ -173,27 +169,27 @@ }, "method": "post", "path": "/samples/url" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "Wait_for_sandbox_report": { "actions": { "Delay": { - "runAfter": { - "Set_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Wait", "inputs": { "interval": { "count": 2, "unit": "Minute" } - } + }, + "runAfter": { + "Set_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Wait" }, "Get_the_full_summary": { - "runAfter": {}, - "type": "ApiConnection", "inputs": { "headers": { "SandboxToken": "@parameters('Sandbox API Key')" 
@@ -205,59 +201,73 @@ }, "method": "get", "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" - } + }, + "runAfter": {}, + "type": "ApiConnection" }, "Set_sandbox_status": { + "inputs": { + "name": "sandbox_status", + "value": "@body('Get_the_full_summary')?['status']" + }, "runAfter": { "Get_the_full_summary": [ "Succeeded" ] }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Get_the_full_summary')?['status']" - } + "type": "SetVariable" } }, - "runAfter": { - "Initialize_Sandbox_status": [ - "Succeeded" - ] - }, "expression": "@equals(variables('sandbox_status'), 'reported')", "limit": { "count": 60, "timeout": "PT1H" }, + "runAfter": { + "Initialize_Sandbox_status": [ + "Succeeded" + ] + }, "type": "Until" } }, + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", "runAfter": { "Define_sandbox_status": [ "Succeeded" ] }, "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" }, - "Define_sandbox_status": { - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", + "Sandbox API Key": { + "defaultValue": "[parameters('Sandbox API Key')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { "inputs": { - "variables": [ - { - "name": "sandbox_status", - "type": "string" + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } - ] - } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" } - }, - "outputs": {} + } }, "parameters": { "$connections": { 
@@ -265,12 +275,12 @@ "azuresentinel": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", "connectionName": "[variables('MicrosoftSentinelConnectionName')]", - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } - } + }, + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" }, "recordedfuturesandbo": { "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", 
@@ -279,52 +289,48 @@ } } } - } - }, - "name": "[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[resourceGroup().location]", - "identity": { - "type": "SystemAssigned" + }, + "provisioningState": "Succeeded", + "state": "Enabled" }, "tags": { "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", "hidden-SentinelTemplateVersion": "1.0" }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] + "type": "Microsoft.Logic/workflows" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('RecordedfutureConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('RecordedfutureConnectionName')]", "properties": { - "displayName": "[variables('RecordedfutureConnectionName')]", - "customParameterValues": {}, "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/recordedfuturesandbo')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('RecordedfutureConnectionName')]" + }, + "type": "Microsoft.Web/connections" }, { - "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('MicrosoftSentinelConnectionName')]", - "location": "[resourceGroup().location]", "kind": "V1", + "location": "[resourceGroup().location]", + "name": "[variables('MicrosoftSentinelConnectionName')]", "properties": { - "displayName": "[variables('MicrosoftSentinelConnectionName')]", - "customParameterValues": {}, - "parameterValueType": "Alternative", "api": { "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, 
'/managedApis/Azuresentinel')]" - } - } + }, + "customParameterValues": {}, + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" } - ] + ], + "variables": { + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2" + } } From 6e4c94c77db359af870de4fd666a6765baf3f361 Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Fri, 20 Sep 2024 15:27:52 +0200 Subject: [PATCH 06/12] fix: use Sandbox connector instead of regular connector There was a bug where if you had already instantiated something named "RecordedFuture-ConnectorV2" then it would use that, instead of asking you to create a new API connection for sandbox. --- .../azuredeploy.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json index 9f60ed81d38..1b412c5b853 100644 --- a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json @@ -57,7 +57,7 @@ "apiVersion": "2017-07-01", "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]" ], "identity": { "type": "SystemAssigned" 
@@ -283,7 +283,7 @@
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 },
 "recordedfuturesandbo": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]",
 "connectionName": "recordedfuturesandbo",
 "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/recordedfuturesandbo')]"
 }
@@ -303,13 +303,13 @@
 "apiVersion": "2016-06-01",
 "kind": "V1",
 "location": "[resourceGroup().location]",
- "name": "[variables('RecordedfutureConnectionName')]",
+ "name": "[variables('RecordedfutureSandboxConnectionName')]",
 "properties": {
 "api": {
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/recordedfuturesandbo')]"
 },
 "customParameterValues": {},
- "displayName": "[variables('RecordedfutureConnectionName')]"
+ "displayName": "[variables('RecordedfutureSandboxConnectionName')]"
 },
 "type": "Microsoft.Web/connections"
 },
@@ -331,6 +331,6 @@
 ],
 "variables": {
 "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection",
- "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2"
+ "RecordedfutureSandboxConnectionName": "RecordedFuture-SandboxConnector"
 }
 }
From 950c029f4db3b2ce9c7b3fd3da95f3f0d93d58cd Mon Sep 17 00:00:00 2001
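Review bot: `"connectionName": "recordedfuturesandbo"` in the `@@ -283,7 +283,7 @@` hunk stays a literal although the connection resource is now named by `variables('RecordedfutureSandboxConnectionName')`, so the `$connections` entry names a connection this template does not create. The `azuresentinel` entry of the same object, shown in the earlier `@@ -265,12 +275,12 @@` hunk, takes this field from its variable; the matching line here would be `"connectionName": "[variables('RecordedfutureSandboxConnectionName')]",`. Whether the runtime resolves the connection from `connectionId` alone is not visible in the diff, so this may be cosmetic. It still touches the same kind of connection mix-up the commit message describes and is worth aligning. The enclosing `$connections` object starts above the hunk.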
From: ErikMangstenRecFut
Date: Mon, 23 Sep 2024 15:04:41 +0200
Subject: [PATCH 07/12] chore: release bump and tool running
---
 .../Data/Solution_RecordedFuture.json | 4 +-
 Solutions/Recorded Future/Package/3.2.9.zip | Bin 0 -> 43821 bytes
 .../Package/createUiDefinition.json | 654 +-
 .../Recorded Future/Package/mainTemplate.json | 17990 +++++++---------
 Solutions/Recorded Future/ReleaseNotes.md | 1 +
 5 files changed, 8421 insertions(+), 10228 deletions(-)
 create mode 100644 Solutions/Recorded Future/Package/3.2.9.zip
diff --git a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
index a7ed631dc42..765fc265462 100644
--- a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
+++ b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
@@ -41,8 +41,8 @@
 "Workbooks/RecordedFutureThreatActorHunting.json",
 "Workbooks/RecordedFutureMalwareThreatHunting.json"
 ],
- "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future",
- "Version": "3.2.8",
+ "BasePath": "Users\\emangsten\\git\\github\\Azure-Sentinel\\Solutions\\Recorded Future",
+ "Version": "3.2.9",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
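Review bot: The new `"BasePath"` value is a directory from one contributor's workstation, so the committed solution metadata now carries a local account name and a location that other machines and the build pipeline will not have. The value also has no drive or leading separator, so presumably it resolves relative to wherever the packaging tool is run; that is worth confirming. Unless the tool needs the change, keep the previous neutral value `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future",` and commit only the `"Version": "3.2.9",` line.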
diff --git a/Solutions/Recorded Future/Package/3.2.9.zip b/Solutions/Recorded Future/Package/3.2.9.zip new file mode 100644 index 0000000000000000000000000000000000000000..980fa8915ab04487d5a901c9938de7e6c3a8fd44 GIT binary patch literal 43821 zcmV)PK()V6O9KQH000080JU{DSyMtB zX>V>WYIARHP7T?B56_L?xrpS)Ekc~XYCmKVbq!7O~iP^h2tc=gTM`)5BeF&)ats#jZJ93=b8fhP^pHVly6d!)5HfN`>LSN8Z1* zjQ`>cP*h0cKrn@(UU6SZEoa6XS=KcM8SOPw8rUFhLsT}JP(>qVfCdOY!W($!%Xr4; z;GVl+Qm+;z_)-^G|8m!Ojjj6^v>|6q_+cj3g#xWG01>3m(tOl+C1KgvZ)YA@B{3 zYbjDR=zt)v|NZB`C0YWZ)WRy1C3&=u<|@-R$2PD{oTyiVb0!i z_oASWx)4-m95T>3qDxSpTwKL+5fiR;T33Qz0TA_2=RymmwWZF8`y^q?Pyim9jh^9} z6bcPUvg){K)n6WJbx|l!GSw?J7K??a^1)fQhUk|*=xd$1kV*ua2&(2x8$4p zXCT8c5HV-5k1M7Kn8H+|I4Gr=pDJ#a9{FWSfZ;SVB0=zLgcpI3!N+Sr>@_1aH8O%g z2}nQ5kp6UpEb+pf~v@!ft}#x96~%Mr&*RDu&f3q!4Sq2EWU|mB!rkd_Z<~4pR-_BsNKq%&rkAMh;~h14w}ZlI|htsi4bp z^4=30dMBtCi7+bZRHmi|ha%&wWCg2np>Uu4o2+sv6VvUJ%e)duzwZpHvY^vxy)IM* z1IA#wOqI`0^JvG4a#157^*Z;u0GNJN*41GtwkC4jJSvW3jcBf6Ne_!m1NJ~^HD{?{ zw=ipPuq&{h)-ItXoI#P%PL1xe{C!h%m5@H|auXD4is`EL9vcE4KqO4MEU&-5hg1y8 z!JtuTjmuX3f6lXNEeasiT8tQa7Bm(NI~lz#^{;7TmI-UNM`@8$Q?(TDUcW)cCU0u<^`n6kp-m)Fa2(rI-q-1ggjY^$Z&?ys0 z-HCuiz>83dAnTLQ?V=D$y5+W3J^*n6c2Ns11QEE_G8Q!$)KH-B1_NyrbXZ1rh6oFO zrvjGQE?Y#CUIxKl77V@ZCg8XG-ZhdBNKV%$FMcA}PlE*AGx7vDs(cLAyFVbsyH3dU zfuP3?i!2}bG|;SIv?B68K9 zA(O1kwo4E)Ljgqul`U%iWuQy%^x!)Kz8*p*60(#jnFCmn$|f3Yp|ejiW9>9*Sv2R+ zZv)|KGvkrb4Dh|~lWl-4tTNC)7bArtmYr=ODs8dn^_+%fH?^lmS^T8OL6;T(eNm5F z0juxp_^$f67GFyS-%R!W3h3E%tD|l8vIf4J6sMwS$z51M<=UpC#r@`sIC1Z@{db;y zzqRR0N3=iMTv9a8WP}Z$CaRL2GMaOBdlnLQYj{A*W`x*kOc8C|iQBg`*!fh@+QOhnqvu z503*yZ6m)!3_aZ-hK^4+hoGmA13^s_zeD`|xIz59IXl@LfPQ=&0BYIz9U|!21`(7W zpp5X`g1k&)y8-+~Vf5^Az^Kd62VyCri9IU}b8giMQX4WIyCPo;JkK`>o>x>XXyx0D zz~}knfKRun_XSXtbNl8%+G@YO?MR?Jlj_{59d(V~bEmdT(t~ztJC(cJPHm~vH{Ypk z-iRsmA}STQEgQi%K3+ii)V8Z{54kMvn7!!GCIcMKOBK;1EX+BJI5819nvpcw8{?rt$$ z>hvgLxZLwCgSI?);qby5hDR_8l6`i4io8~S$nc0Vi{VjrO{%yTb;fi8>M+tfe?2q@) zYMhH1SK9RMdAbgW>OJ6ueZc;JmQ5Ek>=Ah(eo;wo9mU(@^umVvQM%JGta#|vDXRMp 
zNYWuIzqf(jyxF?h`ae)h0|XQR000O8wRJaH90v1K(VzeTebfg45dZ)HZDDC{RAp^& zY+-a|E^2dcZtQ($d)qp;?)Ur(KAO2>XUDQE$u)Oo&X!xOxW=-b{^(F5Wih5mg``}v z@BZ%>0E<{qDXKVz&Y785LRkRT0v3RGz4+^uqLlvWcKiB3ExlDrea{=ZZz~o5o7I78 zskiz-x4c#L*T~UVyY?XX&8^hdsypSi_3~P^qUl4^euC+)^uf?nJ$?0uYg_*)t-$iT zw&j7JZgj^rYztOXU0s9!=l?v=JylaZSpQ$(Z}5#e^7^&|6JF|F+tGAQIUISQe&xc^ z2Zrt_O;F;kqk5n`S1Bv*XgIVT?@uR4-b1OOw5SRs!vKos!a`fNIf6MAFA!Gg*^ZK` zss!@=jpQ4ujtXQ1(vKxH?JlZ3`UZUGJq>kOyz4oJbsJO++h9{yuPmd?}P2!xkI(9mqQ`{S9$0g-M(VDil#fpJ*cwh*aMXOq@hF^N`csaqyPOo z7@TZ*JpG#PLBW3d3e*x*w!Czy-y&tO6<>`NH`I@CNPvm~9n+yAKxKgq3k3yVn|c@i zYiVVyD9cOX?@O;=e`hp0-d1v(h}y-|){kLbiUlM@>V9J1Dh*3DpFE@Mg3;4~b)6br z$9C z%b@s-BWylY%usrI+iC^2Z9$q;FR)4b_CPf(WzTjT-SlmDPOVxmuvJH@+h2q>Z4}t1 z=EWkkXtTf;U0TV(N#}rbUh%#(Fo4MOjlxB?bM>sqIJ1U{TE+At+fmxDQ9;W~=*y+o-=kEa199eeU%ERo>0+L7eYLi_ z6DA0MZ))(Tq*&F>wT;dC_U3wRV|#No{H^W(*mi^UJE|g6r(b5g8RK7KZ3#v9B`-J6 z_u2=R16)1mO~>1YPY~A1EG8}pHE~R~Vc;nQ-B*R>)K<6BKkxb5kET}TmlvNmE@UD`fIcu!5sHE#Q!TUlCRi#xQH6sxtZx(hLLClynh5`lK&hZx~=sh(YM}0y?!b61RrLW(~Mql%f6Y4~xujOboz7VSQ*Ra-KE6n<9 zJl0=ZKwS~3D8rvFcRBL1!A)oCDnHy8O{H+2!=`~H`R=0pAAdSN)Brz$$lxRg$jEar zHrVF1K{YRUmds&X*klCLA{9w7EL;|{S#7e+YE!fY_!6i_wTU&V&BBaolgFqw7tp9S zIgM&_VU22&ZB(07qiSAom=q=v=|B=&9PLmtlYwkZTP$PR5|bUDpK3~5SX0_6%#^lx zOlfNYO=*kMl(rVul(yKWv_&&p`kTf(Ix7!#pDiZx+!kj-hEWlr0I;^PaT+S4}H zp0*3Kr)?g4+Fn3=+UB&U?S-|cZMHpaQ|+mxT3W|`j9n|0uN@PklZ1o>t0EUmF)Vy0 zvTg0KY->ln9r!Y+=Cy-0ubsloYlp|Yb{5dQb~w#zXJO52hizUvRP)*!xt=`$4PQhH7e zH@mqt9L+C{;m}R%0mp6b8pn0+8pl!isXC2{{^190W^)eize zIZhu~IY^KRc11J{1wA*#AnQzn#KI~#8%ZdQZkBkYMYTAnMU@L{QC&o^MU@wAQC(cP zMU?|@k#1*7|AKWu$S~P?2&TzZ8O1o6`6=efL}gTQunhjD63U|+C?26vEe@hl<-%xG z7ZIdU!7Z;{c<-lpA+ZjeP#1ZZ=cD9;MFs>!5xS@;)wHJn-eGKCyQU%cw>(LO0 z$x}L)6=w<4nz?}1A38LR!wMc(IDAKcWwbq;KclcY^!1^WTVKOr&+02q{EWJ$^^vNr zHMX{5wk4ceO508dYiW%~OJ}m55Y*E2b^_nQR4uLXXlb6^$ZWI}w;4(6AyrH3Y%Rt3 z>OO)j7JEq6RGNn^tf_S#O`VC0EvTt!4;$afR86h(Xlfn@eKwkk^Uu?|NY&JJwx(j- zRtU=C(o>qFDXgdKJbF44Pg77&(~c&-i>Z3L&ZDP!{M6a#Db7tzYa&%oH`scL0p&I? 
zxU`f8sTJ1J4IV9>39435OVg-YdtO8L6ro;xfnQs+l@4 z$jr>CDpgr&2uopQ-R4o&nSd+>l{F2r#P>5*S+{wVH4jL0Hp+?vX{OaN)k$G}=|<*g zqnrQ0IOHD8wlR}d!TlOEE@<1Ukk%$*sspY0iW;2Z>=|n)j#DGjN4GL`?0Z84^;Ckc z3QfWd`VthX4viRTO>M1K_n9EeLq|_Cn*|g?*vpU1LGV~9l?2CP=_}TD%43$jSUyc3 z>Xzo7TTx%2ufOV#pfOP7G4aSUekP%J5QTJPMOmUu1fk}s-8=PGcL^g5$A8Qj_&sVC z7#1LwXT+$Bg61aJkf{7NV{*L*!|RXvFYo=aRO0MIsBn176^>G(T4n0Ap;0|Sx5e}g zr%U4_>F>$x82ZlWx3D|Tk~~+jzQyxe(a3{h*;8~`iJ$+D{q=W3;HYs~d6V_;`5;6L z(Nu^j4N;0WwUltB1{{}=<&jxXq}16Q>4Lk_FJ=GKIO5r?xT8*_s&HA1|GoTrHU4K) z18eGdA{rajN4--Ctsa($}vBfj7+k!Wv0o0hEa)MBHR zg)keFv!I~__DpTM*Bon5QLPiFqfuHC6C|LmNTUYX%!y8$NKY|5zr5*-+y z60?1nUY657CPDEq#dzv%c7j8{^bJkZt#UZkgiAxbRT0S>En_rR;V|Q59jn4pa?CR0 zhN=LD2nzR}@REna)p~Nl(%Nu=(pb92E*0;wL_dEeYH>#>h1Tf^Rsr1ni6WQH5_^L@=&_K(}Ml@rvWq=3~wm!(ravk zW0|8dpjW~k@T~Y6S2~8nh5KYo5mV-!Va>IE!QP5VVRwE2TP#M3pv>v?0wV=eKA{%V zYNOT^)q+g#J(vW@6;TQ*wZPtsIsu?mUDf3n@zNeh#$$6lb4rxBp=s^l!GyMFw+*X{ z*1h)fP5pJd-1fl_yxPDy`9$eEwuWC`iRJs!HJpLJ(Ekb4?)Fx9c0obQum9)klCKp@ z-@!i(Z3(yZ5sDt@t_zkASm?ip|NZkXDBALp-~0q6Ehrh%6r(Eo-oR{wg>(qITVMMA z_rEK{|FUfWemLw9iPg7VPo#&&YqvnIn1lFd+&}zh+!J{HbxBR^A-;c&Z3~*PvpK6{ z%>h9w&K?57_HCpLL)cfGxrQpDpDtCJfl9fRJ>Lp=TEQh-$r)LVo*xCoX%887!#atC z%&k$ki(UZX8;9?OwKJS6!9Fu~R#3=NM4g@1U);3xZ)0$)xK8&!-y-MNQ6E-s4X;1y zj9lFbygKCiqFsUi-_bs)0z6)zk(Kah+O32>{r{=0`EGqB+!eZ&u^v{ar(qRi01r7+ ziB^Z!?YELr`R~6w&VRpIXLkD89R<##ift+3Y#Z})!OC;iYQr5{aE6ZNU1T0;w*lr_ zRO-J~rSIsyScj;?;cD{G2la+&-0Q&S2b&u+c*Ldb=;#gx$mprgt?q$B+8tB1?!J}& zd+GnC>_ZXvqC85|Qm*=XrX?4) z!@t)?S>jB+d!{|oGUJv>!8}fh6@PgcPDX(v5kGy4{U%c8mEP_9a066g06L&}DC1KI z^rxz6hJQ4^AMSg+s7TP={F02dN!&k%HaS!yD z;ohy7hIN-cN+*^BcX;6j50-Z2jC9WBeU6I=#av$cj)LAbQ&~phN3EIZtcK>VxXJO( zUfhSUQ4Znb#US5!b`{E(<9IOqa4tWnjvko9EzNwIseHVPE%!ttdXUR2g_yx{9Cz|o z&OXWQ`sbOYeanp*A^kv?aWMgpNSSveC}oj{q%iL0#hpcjn|9cEc|a<6$KtZ(aBNb_ z_R^gh>bz8caZ}PuIvzbVOdTyeXu|D-e<0+dJQyXXms9_9p8ENGuorwRnq3>^q3FEL zZh}KmIHhwRi4s=>c^H~3QyzxC?8DH=P+t1hf!HhZ2o#r3HE(SP>>~#91XNtUXg!k0 zv$-Ug@9`|09MIe_`N=HLkwl>hD~^O`C9gG-Wy))fmwm0_I~l+4rn|7iOxRJApJVbw 
zo)&kGDGv;O;{$`{5Upxp0tQo%E6)tb>E)ThZ+vFZym;A120Y#KvKE1GwrpO=TP!(8 ziOZH_j!LN7Z|zTW%t-0ZkOwXEHn0f}T8tt0IZN6hl}9bfGUZXr%RXvp4qy7pknIk6 zyM@aaOreW-u_a^XCzfEopiE$P^kYoQuXN^9{c#AjHlW`oSsrA{W!N15M4Ki!X3eg= zvnp*i<)eQM_*;odN!?5=z0|XvfD@X!b51!8=oLC$JAj1b^x2ND*VCR6t;czKo7B_f zesJLPPXkCI-ZO4Tj>`1u;d;;=ISz0HSqBy+M<42*5gxx+3mm>sF%E-a#HJ%;Pj@=0 z2|O!h;^h$9=rJrW+!!T9V_box763--`|v@PKmWQN8QL<~PteS=Kotw+Y(g$~)ii$T zH$kTnh7I#Awsg!hHRvt0=ry!da>}zbQ5xJ%h^Qc`w`x4#MKgP0*R}~)UnF&n?~iHH zgf*N~mSO(B4JJiOSAFd3RvTUTw8IOZ@quXIbj-wKh$&aXxE`W=o=?CPsv=uSW0|%HloBq|zTFO0*)baejMd@YP5=tLED&%*5OLy)K*m1$jHu=m~+}BGStUgzz zWxphrXhxZhxk7HwmUl8NP^n%i4(6xlHTgYSpm+{fR|>I4&X>)DHo1D zFmy+OCjqy*?S>T`8MDV^5CW5F)`1GG&2M!o1JYmKDN<3UxisqYiUjdOlQ~0sq^efI+eZy5k zvrtSO7!HJ)Djo)p*|=ybo~`JpY^8azqWF&?tSHxxsr*ZUJPisk4!A+E9d||P*&|B> z-zd@arGzVu5^k|UGXIHaP+`wDP5Z&HZWT05JbG`HOT)cWT0jnc#sBx^2q>JQf^tv5 zXh3=5hgS-`99~6eQhodwbuj6GicC}K=n4c2fo7?o93{ZLK`EgK6iF3?3|37DX{99# zO8iz@U=;EAn}bJnFf{dj)w%P*#FhW9rga7^U=Y@8xQ2&4@-1E23TP8nX?nJ!pq44! z@R8^h<;foTgJJ1#9Kfc-G_*j!?sQA(Irbn^5*RLDc{{om4%b)B?v7wH(2VtcIqYjw zR~>70{KPKoW!)-|+)5-xc28CLN8f%Zdv^I&M<+jMqpF(j>!dY*PxlVcrv2!Faa{MH zD-mV<2)P1QS6}|f@<4lZ&G3|gt?5X+yTRRrUhyY%;}`fI^jOTbMd{Fenc}MV`f5x+ z(JP~hIvgtgjq^e)BNDbT9FBERsr;AT=g_^m9)fvMzcT!_0{C0&<+ZKy+RoM5+FSJh zU($N42RB%_F*1f(HwYf1X1>%c*BKLrXMXM(rrysG)}-YR9wp955u3NE`5hf-xT~Mp zc!R{aZ1;)l0-V>AYdt|ZErJ;6$KV1)2?fZcN#Ctx90pcvvOA(Fwq^jg0$>6H+HQ|L zWP+*&XQ}jb6~;H*>q_XWuTG)ywHY@4(0ByxgU~AlUT`QbbQi#0B$%)qFrk8l6dJVx zOsDwP)>i8?Y^^`PfcEODHt;89BRTrhXyN({TX+Q81cq^aZ5=ey9hsiL@QyvFX*6(S zh7H_RyTF}*LuhI65>6R_B}TI!tO~>eLgx{9ZSXQc0oz^RsSH%;L#il;HtIs3#RaQ% zZ^~V=Im0e#0bc^F^$Of$CH*XH`Q_$C@a!98)<86ks~`u=?K^DoqqgFEW^0B$a~TeK zg!F(4Qso)&SEOIZzr>ne8UnQhljJe^AR$b0gFnZJ&IN+sljj&==IFc+mot077iMD~ zL&UNKj$;csnK5DODLldi=RRT9WAd?2`hb&HFT$cP92*QhO}KQzw2VgntO7?>ui{D- zC{$=clbmS=B3|iWC#XUT3B}8vY1YeY>$o$`@mVIO4Pn8pq27gKl(@Z09*|>?K%)cl zL_V;e0@J#Co_tlT^i_WZje#Oxj<3A%w_o%QT3S&E2ePkMlqJfEY&hb+Ii)Vu61FrR z)5yUmoxP?HZc;iPo&7dUkhu)pR5;B$O89+n$Px@h=!`4%)!OP#TpQs`9}ZXQ$f@+t 
z2)!I_BmHky{hLa(Jfhomw2}0Gb1SvA>W;59mGKrhtYh_uYg_+F%+(lx6U8txH=#5% zL^OF2pvP%!6K5}HcY!pRa%vGQA&iM0frxNoMTk&5=q)35Pc_}_Q8W20F(@RVV0%a` z>d~FDJhWZc0OO({=!lEJU=>vR>-4foKJZL*NCI1!8a;F}9T;Q=>=Eo<1yy8jimlO9BNliOZ?kBd&OuyYmw5winZsz3>$4CcXcQ-Mp7;3^ap6 zhchUAcm{PTw<=d!_z-F&>FNsMGqOPVa;Dh1U!+Kr7J+ z>$FZ-$7CkT5xao!DU%kGad%MtT>80rRGoWWw%@_bJs2IR+G2!^Q+EGRlQ4Orw1%b-BdL>&~I z3Zt{=xa$&tLy%wCGwp}56d2bfl4J@P?Lq<31kg3x70FaXa7m(cY1iay!Y)!35}{v3 zBDgR0V1G}Ax;i|m;CVkHyz#?AN=LwgXs9?Czv=*2sYH$oAp;q8=wrbXNv;OWRJ2eT zVvU8_<&>L$bKi;K8U~>^^mEP%Is?2uhsomVC z=28eCae7=EXCNytxq&FDK^`&#;K>Nn8PJ0jSv+YXv;||-f4H+Ot8fJIoCOBhLW2f} z+UExXha->jwIT0J-Z&##bi!V8u525~+`-T(Xn$dX9}!9^44ss}O6;Y*5)n43 z6qD2+e`H`(aF+PvkBE_vw0NLu(Ot*V_rDcLF9nK=&ht=0rMdr>uN){osSpU^g~j0J zHn8i_Z*Av^ocqEt;Nw(Jq!Na~@8lBT7GdOu`B5;ki@u_WjJO5ew|sr*Cytf&^&A3l z(gQO@e1qSY|NJZ526ECLda8R@`5#03&(aF_`taJ9rQ<+(4&XinUOl!(gMsQiaSo~; zWNW*Awy1@EslIcqwc#~3aeVzWvA!Ak*WT1zK^kt>GaggV&&oBKuaI4Lm8`R8N4l_12&pldl@Ge&suaW)^C{a~&$OxOT6OX~2RxaxefgqEFe)A5SOb6!7q(0n9e0{TSt;?pG6na;4*< z5}TIWki5*;sMdBm^U@BEpK67)_C$yJNTZaG{j{pUzE zSxhxi>OZN+)0}e^7qKAoIAThJ5HZvA@^OL0Rf2^V9h&?Gz7b12?tw7gz^< zKlB^;^IM6qZbn{NX$595G(WX~Kjvo)JuQ$O=4Lr#ekMd|W2zn946=1?uza{(eVL>7 zaptA(Sbt_*-|MhK-$x6Zh|4tg;z}zD%o2Kmv`leNG3bt%k3-8Db94NRabJg)G3M|1 z83VsD=twa~(=Q?It_f%Y&eQV?h4GDHK{Ieyzm>jOEPmfoUspBSbzUs#iG5qX8s9|4 z@G@av_}4v?y}>fqixrg)nwi@*3&-i~*i%!7Mg_EiIu3<0z;KZg;;#l7E6{Z42`A$D zBesKimCv`p6~%tFiyB@5kz9#RZ(kVa%jyT zTS!HniZ3rIqor$xq!?RpiZL=0h@bqhkiKC6&?oF3X6et}$b}gme-k3aNtWBxHyK-q zF`|)!8!&uQ+1NB6XB&cQF)VEb(WV7N3mA}c-_XDSL=+dH>lhkKV#^pr`ruH>gkloN zUu@KRDr4$B6?~J&2yx5|mK`l4)G%xZLzJaznkO$7NZl}>aA*RQ|nunM?n-P<9@cNUafSWM|Tn%4GehN6Yg5>9d zOA9N&1((h$;J?3$Yu7X8f=dw9NG>=udqmC3#|4LU{N*sfWvGs($pDw=+o|)u&6luk zqSi$w(zZBzdP2TBOuM5yHNs9zOZ(cBAE`5g*gug{aaZ+mVR5Ef* zREeK?={s1h|26UkZGTSuPqc`($6nUouY_Bm8 z#Yy5O;F@BU{$f}Uskx>=x;3pSScExAWFpNui54`0PIvO;m^;zD=@v3?E*#m`v*98V zqafl+$HnZ!*NYMFnt)l!^)u1dqSsG8cD-=nueiNs+Ti;2+|582$2)$1tDH z3|9C#bfSN$zc12-A)OYYojO1#oG^PfGcYKhbt!mz9Arav?g!vnm!2)e;D*_*FHc0o 
zj1)BO!iP-{#b|>Bq=K`ugat+&*lZm|)S;u^!mgUG6@>%S z3u>FS@$l@-1PHuPatetTQe7SjFZg+0+kgToy-?%leXhns@x>*^Y~AqqgF(zW=j#%% zKbLVP&&TCOlbTFOLVVsRatfmNjo|DJ)QTdk7)x5Z28I*7fHY}Akb?0`Z->{1v>PoR z(z7@ajMf{ROkoIq>$UZJxIDv<6BfZ<3ckij9r9m+)k)Pf_&k`qJo36{_QUe)6{TET z&-;c^{(&5i$xS#ULSuS4vf4jKy7SZqd*rrhfZhYU>XAvOzZ2lIqpV2ny_0X&{|in$ zK?{@*SQE%<#s`i?;!JZFSotnmGEhbkT z(uaLq)EOvJ(a6CO<6qLZp56eoUI#aI%;EO_)m`ZSBPu+WBp|D-gcxWfqkLoXz8 zX6K7UJ+))4dB#9@V6YStNOe7BOVQLPiZ?JVQcwIWKfk4l!;4|?dSX`IiDtGJ$a6`5 z6L36r+}A38AaDUwN8~;F*7X%Fx-HNRmgdH(3Nnj6*mqT5|Go0(U*X#PH;vGAN@mp3 zy&U#Kog-Rz#&EcRM&=df4(9RWVqTf=#RcT*WX}fq_9z!HqBUSgG4EmNdnTxZ(E;2V zL3Op}H@|}MW4Ml(Z}BhCW@C_kwyw{~CdcryL zog{9S#LWv&+??LQ&Pp>x0|kV1fl~N$AN^DySibR=1kS0#pBe4(^H$+_3|}6nL4at! zP=0nw1W@@y2MJnSaTS`8!@czw!T z;26Rglv98QkyJ!+T;QY{Bp0}EQ&?Fg7x;p3fzO-FTWNYqSG9biSUs%Cr?ycoPq70c z>TptftE6t#R+Tj84~b!Vr(9bjGfXcUPqt(=r}d6FsrQ6@+nD)>M5WATP)-qyvm6)E z)*Kp-V6+;Sr;2WMZ4G;$JjDi83vUoVXZG}3RV%zz2f^T=c_9OFQF_MXY+G0_yoIM= zSy0}$&d(x6gssxu71U%^)0B}n7|-o+_Jpe=2IV-#X0Ks8n+O- zzIPko-DbDbvjIjNf`V?iI^%|@zoOiZz^(&qPzI`}EbEUd7)Sl> z)`q&#>2|y2Ep?+?Uf1irvZ`%tmFt@wy;fWAu4^^@^=iBzv}x?Xt5P0BMU0WlgrJ`E6Q0Gzl1p55cutv-nWRxw2L$5JX(}@bGf&9eZs6k-17DO7O zNtlpO0Fs4OVRdcCWo>55OckFkHR8d{cYfUcT@* zVl)P4?f|!-or@A0I?;f0(4T^G!mdT58}diMZeXyv1y^-0qHM?A@8z=0`Ngn@zF)h# zm?7+u;|v_vn_4Bi4NK7>#`YQLhTFHLu_;v;$XZADoTm%hG`dVB>PCwXRbgTaLh0hF zw$`HS*Fb$V2BSeUk*j*d$OQbPY$jG!q4DXDL)-E%Z*oM}@-G*e@8%yUHCBJ76ZCtB zL@YL;A=#fiKZaL=!#GlR+GxL4Q zh-acqRh4u-#qob>I3c@7h{(~xK*0rB3=PT3e9UJKm|z^Ht?1YY`f;*Ek227s>r+OL zVqWS)IR);LNktTg9wpTv(W4SQic7Ru=ur})h0`yhqfZf7@d2LaD&wOT2tw?@^JoYb z!c-F`OaV?ks3fZy%qI(DiMh=5>r~>ED)6*29fy*^b1oRZl!TJ4ma8=~N|uCv!t_ef z0M2`+qdcKDqB16giL!iRR=cv^)hyZ-07i#KOr1Cy_loqZgsmkL=5RG8hplmFM}7ob zT3P`FTRN+NpY$rOUe6f8wjmL0MI+euZ3sOpN9+Gf!LMbW;hrXb4d2O=q1WOfA)o=w zF$-v23nyHB5#z;xB_mUr0ILhnsf!37J(YF6y0u7Uy z$%jU065X53!g7vR-b(q$2@``%tRPedo8sVQKis1mm9ILE%Gm@SCF6W{T(EIGFXa(V zB&hZCP6j;nL#Ifzer`+W5x@Zg2+iH%-M~n}|B@ijz!x8RkUB>Z3=t7{n>yjevZl`2 
zy-W=sgTAuq!8j-bud|HqQKM6;Y|IVAT^{?|On({OS!%)d4S4337re?c?rQW33$#M` zkR{|->btQG{hr6D^L1)vS zse~m8pV4u?#KnC;#+V8h@R44jwlUAE3yiQ^fL9Y2^UcKG2+q@$o?%jF8{TIVqjHC% z4)74hmXE?=D*i&%?$+9x<)Yh?7ZkmfR0q1gPT?_-DLw`A8-;Dn>LHNSH@`uY)4Zd4 zii)!0gq@JfU5FT~X~Z}&=aW=Diyq)4I*BcMbd&g`ETfbbEJ|r(%27%g0AG+(06I)6 zqPQp}QVlXnNk%E*54Jj54%k@;#1b_eW2XM?s;NMSw z`~iM}P^0iy$nEUKYZec-Iy4;D3(HIJ+Os4k)v3I2mV6m=mdG&6m^1!8%R)z-LB)>% z>$r7}o46m&Q;4}gtt8l1ydwQ7L(7s0bNGjohn6vwJAYtVT2_I;vUFAf*Y;Ihxt?)g z*`^FED>|_3NOk)!FRW~HmSJVME|x)MGN?=jmC2woMUg>eGN>$_c(TYX8C8}@Afw7; zRM~W@LRn>08BIzVRaS_cGO7$CBX?RERhG;xqsnAdSt0eys4^K<7N(R@WiL0X?5NQ? z0{?T~alzKmzazeePZr)f==s7M!x_2C6{Z~Lm-*WFc8 zWLd+!wSiC4AHeW38G*);l^%h%E#Ai1s@rRCIitXRDqWkh_*T9K(q|x zFUTnXG$s{MTp${$1{sJZ1JQ7ao<|@WhgZQDh6W3gL1;1vO$MQn<#|CtXuP`>8G
OO*v340}c#w3c!&`MHCmPMyf#us>wh#T%zX@ zsK)du_`=kh7cxjq2C2xIP-lK$UR?$CtJ*+c z9cZtWL^A@t3z6|?u$+jnHb?bKunB&_s$#6LtE;r6Hjc~cGqQm8=ik&}L zE-j}(uv|K;fLr}4u2|1FSZ-Se%M~3gcYS&C@}lLoXBjPr>0uczC*Nw5@oX}lO;Kb# zn~Y~mCyob=5mL!`Hors}&qhoxe zo-J2x@~O7uN5-)&OdQ+wjbwu0VWlOb#}gbn{a@w7^Yu*ncM8Nx;jVFL?P+dv+T3}7SowG3cepeyESC}Qdx z8Nf#9hS>+O@gPmeg~|xF;3Fg0WCYuUD)7=G*tVw}!IlB+1vv!}!lWXKi(n(wAS2jh z1RE~V^N3($I~9B(Z19*^#<0m4Hu=yRQJxp{&>H7fMFx(^z_D?bX#|dK7acf8*X;a} zV`)JJBFEBM1>D(Jam{+hkz+eDa;)gcu@+d{I`(7xz;cXkAFht&YsdWkgU5De89avX zp4+5#~_3#VdNz8BvT!5KUHOHQy z>lcID52@X*J+i#l?DIrwzq}&kq=l|UMi_23n9*yL9BEfBc@h@%BeQ~Jx(xc@*~G{t z2ihP0qT}RZKi3zzFVM!z4HSma33Xa0)Mc>XRDuQhZ+E6~rNNkm2v?*2(u3}Um?$F1gsD+U zh@6lz@x=9V#osnG4fs+6ILo#@yKPuqv`n>^Z|bjEL(d&G;HxPUO&eC;a0b5rL(^+R z<3T|OSX@}xzlZ+~QPt4?yuRM63=09Hbm+|gj5I!|c!gfsH%zbp2=?!bd;21vL#`~9dIUb_bt#L)NsJ#BdG zf3{n^I}ntS*OK#XAwuwU$Q{xebp~KOAXq$5CZrsGVGQ@JAce?^uu!_t(mnbPf>9K{ zeKYmcpxgTvN07~Vb{nudSeQTf3li9sdERcZ14!f;ul zY`2)T7daP`mmI1Y^6bb^!hNty=iD-J8Fr91BCq0N3qW^FAaRXlLMZhJEKmMrxHa-9 z6I=M1oLhiP1a1q*FvT2PlKc27%xK`r8BM^1^K)oYOc*q4>F>P(#V(Tcez5 z|C+e{;_?u)DH(JVG-w5{yo?9;9h#RSX}?_sEnCuGqHm<$m71|5SBXuU~5&-K&qnSxinl{GSaPqqF&1QXXHsiS;KtJ&0t{ z=H@57L1_M}ZD;3yX`Sij`* z8ZDGvKJO(%T!!_G2Y?41AxzOkE+9oYx+y285HZY<@{>zytOCxWJgox0+No@H;x(2_ zI?EsxrOH4xwLkEBBFvEX_h(BgLIy*@N{1&qOV9G5EdL@y$w$OjLosHPd>8Y(+%Nvy z4R7Y5{!y6;B8{^S{=~+y@aB-!2O6*;yve6B>oL=c6VTCX;pqb>cLE-&IRtMWSfXa9 zH<$uLDRdXDGSXbGi87)*n1rbm<)M`;Q|ns+zX7)`>4n2|G1OB874|!bQiq(iC*Z$& zDB_GSE$Ts_d*WavsYxI`HM$v>)X_8Zjh#chQ1RkgYrh$K5TN0wv8KAxfTGhw+exC z*lP+oem7!4$l8I9P!PaYY;e`x1}G7XVGxJn2>lAQ>aoyJsda~&Z+95X0rHr_4AR}Q z^+*?oZwkdfp)}+@gPb@Yvmhz$0aj4E`K-}hoI!mND*f7mcn_LzJXLNI`KsczoVP?t ztiHIrASz`_E`>HdMf{(EVBcu!XDAhUGedi0I&H)L+_=qHrFDOfgQd^R-f>Bgnt~!? 
zXu`TRS*I&3&!MTJACetr;k5Dg^DWPV;OX}%?`2>6R5TDEjYD|$wN(oYJvI-Hw;^IF*t5M|0f~2U{ME17 zL5OR(pbi+1AqL!6m8aAB7)FwBr+XvO+s`XBiMO5tfzmtH_BRFHl`HHr6_?SQ6RL@u zWZq)1s0DS@2m1q|YErE4XBBZ}IoNY}G-uFB0yYj0LUkwtaaA`}_2-4QT6NSD<{(KD z+=Aqo#nH z)r<=EkK^(Ae((O=dC8gQG|AZn$&X_D!sk~L?-LutcKZW;SCad^wk%IHP2qq~v3-|X z$LOzyZ4VCKfbX?W2k+K*Akq&5f=fOhyDN5^n?mo-=bfC(=S+ep{wn>e?RE-?j$D3R zog6&^J-zJ<_GbRBjZdFXyB4Ug?z@SvU*lFf!A@5Kp6)B}1e?q^@#kY-&Z?dkEOgJ< za2<6BU$sj%EN^)kBf)_2r|@B?V|tQpPXb3s!tS+^a3OOmBh|u!6gW>QAz=YZN!`lu(@bO>I`@`3*!?(w?9Ipl2N*nn! z+~2vlni!!^d7J)NtJYUzmDXP2{{+>2zt!~zc-X_n*G@hY@Mqu*r}oY46AbLf2k(|J zew^Zd-^uYUcm6guKFGP?&++qmZvEWS<$Q7vuF-cE@kI zreAjR%6`j)v0k_)n595~F#LXzC4ZU$y2$1IW8vR2_xOH1@XjUm?&0ungUe&{vS+*N zEAO!*wRE`Lcb12Tqq~t?yu-VCL4V~rHgjfq>`?Ff9m*FE-`Ixl;i8#B1?>*DaZaEr^4tKMh5-fORL z|Y{_@8nsPojFYtHElghqg!=93!?H(Q)_?mt!X+P}5@hiXlY|Q2J)3b-I z%;o=lxxKOU_-<|S?OfAe>5cHys_c5b`D%PM{RU(X4;;_rHaRn_iko3XygqDwxcba@ z&C%{J?2laHe13i!4mm7eZuwp2yLMms)?9p6zCI z>u=}>B>vovK2O58X6csh_aRzZthv0-`a!$H%Gcd zv(5H=xf<#?+K&^{V*`@Mb%cK2LRR`OcEx?UuZav$J(vx$LtFttQr3pX2#AS#qDI`#ktmpQu0AYcG#7NiJn?t^V~C#&wVr0T8aMv!U(ZKJ7yVT|uNvhn*y{q@JzltY+pDUo?rsln zX7=9t+`h&S@Ezix`tj!HT^&sX1l;^9Ug~-)93Z*?R=M+$t5@ApNAH#{z^SjxR(cQH z^GZ`wX<=pca!NG^Ll~H+jg!mhm%XNNbhC}V*=>ZQSW+|`xHK2 zptv4B$HR}gkl*@T8|!;-z;SPbxA=XjxL>mFz&sE%TgML!5WIJk;!M4rUhVi9=u};I zab8`x)^s5}Zy0#KxV#R%I{JEAbeQ+>WoAn=gy?ViYivAheX`I4o^zk@o^|){Zo$(Q zp00*=x!$mHr=g$=U@h#WQGwl3Vo7e0F zcJ5tgd5ZkFi`?ALh0CwgySu56(QjtzyyXB}p9&jx?3J@)eb>jU+XGQhj_lab5Q-^|uidnEI1X)?M=+UVx9u=Q=O z^d2d7-*|s)7#P@E3oFlQii10DeY3vbE4pX#In&YtcspyZwY?*tw?F6gBl7LZ5xupk zkbtRRtHt9o{~e+Up*xU`Ma&|~eiwDUk^}+QhJ1@F1GR}D<}_lB*o?XIh{P0fLgFD5 zx6xBNp~D*znZyE*O}W8H^EeNB&x~e(P4pOw{9C|n2i=vv9m(Oy=s`IY|5XGkt|sI1 zPm3`uxhH0KyKyeOlX$U=37DEXft=%kjJ%JHc=Y__3Q>cNo3O6Ad066acHYycw-vg- zDyW8mQ)Gy_5MST#%*Gf;gXH8~mlfVNTF(PPPeOuZC<^{7S}F3ZY;lgH_`3cb3X`wB zLRR}t%B#-!!$9q@K6eWy@sO>r!UXE^6l z`m8cMF%MQzJ;6f(&va;H4xsTZ4T(dMo)yP3^^BPO5)*71mB|As5dN&FU@Mn=oJ4n# zJk3qyAn=IvKxHIG>TE+_BHD%Ce}GRfA!rww~|$ 
zlV>!O#>mO6SF0`Jr7CZTmO@z>&=2$AktD7lM-p(J^7c)V_w9p1S6a7`3`e9^{+Jmuozlk zm4UKp_TKWha{P4kk?=ICqE&#DIVVQCyQrI3%&5kPWQ4YG1<_}w;b0{vQzF~>#5>H+ zYBKC~;M=)~Sv|Hq&L43#vz16YkY+uKU;0>q0A9Z!!Y*zb_A32JqQhzN3Qs)o{?SLC zRd=iAdbPQ{vWlX{$ajXZ%JLdPFTX*S#g^~4E=01R7HA0NtwE~jgLn;aE~Lti=0B#O z=KjGO%Cdc;zatLGIW+~KHRjxii+lSz0$d!4!5hyCP*id1+|eRZ(P2BNTsl~Hyv zh0#4ZG4KZvJk;XE8ViZBDM?C*!`oLbX#^un&lD6T54aVtlI+Z+0&;#~D{-uIWf6oK zM9rn@F#G|pQm@O_USjei>bmKQ%mI=_uM>n-?ApW!6`%Dg*y+?0!LWFY2z!T`H^m>A zV6_l^|8W@PTHhT=QZ-x2?uE-BOfd(laQ+jRTq924GIe42P_Og0v5rL}^7Ewiu*|am z&H-~3^?#e17^eDLf$)5yenSwHPQm+!{z#MoGQ6t^?+eEHuhAg%n{G0R#h$X>C*pJu zCiPuj&?99j-qCyCH!2e z*Ml~8d56+?7n!|o78i`)IWMLkj5XU@4Va#)-a4g2%jU$b)4eUQiQIM zl-myQ86Um-yhXl3#q5ylA`i%sS|njl{r!)1jSwfRiMWEt^}oKy^RBj)w@npVV9%Zw zCi3jC7V(xSgWHv569oY}n*X!I)1(RlUgBZT;!>%C+kZ^N!R@y}aztg`ZXl$_?Tp1^ zX;(rO$&3J|l1#0jnA4*%TH|(88TTg=<91KdeThdV<91*C3m->7dZ%*S<&g&@v*Jy` zp!<8O6Ft-LhCLT+cV?~od|!Fs)!2)jl@-=DZ*orREr6+;`}H?S4iI_nxc*KLDT6RD zv(tF+okZF%&e{+t2CF27K$QhjnE;x~5GaW>0gbj0s2zS}azuLNeo#^wfdmGi&b+_x zx_h9b1d%9zIDodG$>ap~KpE2ir|N%ta#%zTmuWKy_`h<; z{UTR?m0__M{Cd%SkU~MHA_7`mL`Ehg0#c-df*SQP1A{uLwClOU_^^k9{*xDwb(hEU zx4LhJW(~XF=O?XPHzvf8fk_%utUwHE0CDuUA*K!i)W9DGSg3*CBqBphXT97(crVu%tSCV1@8#x@|B*`Ln#7x67{5cx(`x&nAE;V0LAq>>? 
zAPM3yArF?n7SuH46&*9l5heGNlwn^phkkBEC5V}$UfN+8Sm#C3Aq>%Zc{l|(A+W=st<5!H=L-YFbclKDPyHc^ATWt$!-c-wyQ7D3 zQ)6D~G4J*1#BkcO-1FPyN*mnua&F3RJs_fB(JxJtb->VE_zB&REh7YCgLp!pJQE4f zQPtv4Z;t$cy0Xvna=-t0yqSacW!=%T?Ozl~>w23w$|o>qwFMfRowgBr6^tae#Zxy_ zAVL0y--cAG54+*E&l!xKZcg1IDLXhU+^A2C%5<9e5X~>!%1Fwvd%WBWF0Ub$|($<$4~c8IL%eM z!AB$me_=q>cl=BU!+A_ob_Um`@-rJ`MBJ}p)RmQFz9gYoz{G@MaPUd=yYMJ)XX_%8 zEW}-InKL&Mlf#0=iBfuN=iC*SEcp|J0I}!aMPJGx-#Q ze{dKGjNTd-=#;xe4W1IG%>Y(c8V;sAj9pTWn^tj-1u!5wUk@h2OpJ@P!*(5VPtp|y zyPD{-!d|a9fpr_&5a$G}5v#GVR%x{3)g92!T~h8X zuhv1#Si~?wQmyptHhA-@A2XL3u>rNN-@iumzw2ZvD-;!SCcfC5ngu;I1TF5GSJ;)% z{}L+%mD6`hP8d*rJU8^Hpht@jbyeI8X2eh@i~q&BqufTGa2ibLMS{`TG0$uk7{nox zOch>MkHJtGrF#dXa}~WEAGsZuJpFMRdQbkF70tn9uS2XAb=PIo!#XsI2-BXqiH>s= zYd;48`Y!_bU+vM5yaL0QwxAmdsJ>j%Uj(6#kjLZ2>ih8qn8qwIZ37|Z)R$Wab9>Cm z&sM-W0X)vSevre` zE6i7qZY^w%lD!9_dtSAawE8Q*NbKpsAW5;h;JY#SR-~Z)Ayv z&pIzS@Um^%EvGus*E{qU^2#tfQ9c6++b+B;nMjh{>dxt{NSH)kiDV^dqKSgmyBwqo{}hN6O%_6R`(XNQdEqYJl*2)gF! z#?@fuTqa%S`}5B@79!=;*1K_3#TqK;pnlADDvV1xd?R00y!QKDsXB*@?`*2nA+WA4 z9a(Hnuj81$f?wDsE2BwRu97^v-u{mLZR~7i4pQwy&I1uS#XP>%^OS_{LjFSR?1_!D%`;hEhtapJ$XO4Q<^C6Eo|E-*U7sRZx>2q_coqK-n?1>C+|Wg4 ztH0m6MUJd(`e3%eR9ynI23^CkiL(v84&T#^7LTEk(Nr|S)>NHu>Kwju+YQ23$%4*2 z&^}KlJ{^6xb&*fZ6ZbeDa{DTLFF`1s(0ge|rxCpE@#@K}^*VQt>+7Q7J+O=LfvZdd;NDHBKy79aDH2b1vb+3;L(rgEr0kA*Z$+h()Av*T zu<-HZ;umame(QHpU%V=&WbbmsmbAZ-7ZlFoJH^scmpv7f*$tPe?o4m9A`rJ!?tf6T z`J!$$)P(G<&R%;oZQ{7gWt<~LGMCt=S^7%dxheDS6x&NA`E`!r6*3`>M6O#VTiZSh z0;BF<-AYOccS~=~Z`n4+UJokuugj`=CZ1UWslcv)o?kiI>>=P=R@s!^h_11FZZ3z2 z5hdKhBL>8cBG|cY6*<}+=0E z_3rfB+N6grA`~(IU?Mw0gDMA4P z^iNPK!A0t2^Dv3yF^}e>NjOqMErxtybH}~Io_rQb=D3R6;#G#Qt)<_dBhik@=dxj{ z1SJKJ+Zc-^XW9fUv~uh+hJP1*0hlin+z!hC-0)9>r~HHSb+*dpz`{oHmktafW?R%v zI=Uacfhje?<1W(ooMODIrcs8jM8WmP)IW&~lsSyE$w7X_yX~xg>_u?#h&PLZHZZ?av+lMTwI2G-{5i2pqtf8S zVniuc?z;4mWS>dk-=qB8?n_qIfYr3@uZr4)3C~bP?GYdQ1i2BEOF%mv_)9tU-#qPl zK{bCxaDI=M->UcQg>?;UE#fgmnDOR%TrUj@^Yvi*<4`cP%xXx|LOp$uI^)KPU%_v` zEAqPxZ<+5F_7XzhxZna&Wd7~)Vd5sjnQrgyyFzoNjb3Ml$>x&Gob{^>lG{*nbCQao 
z7@#}Rb>G=2w|RYZtKeQGbp27eMSbcRSCQKZDFTlI==R)PpWGoA;=5esx?h<_EKiY9uwFC$NKX*tgwKT%;o-4{AM=8Aigv=F&ix>9oF7T@0*U9;<(n;!)50ysz+ed*`=niR z*p(~qtyy2~avmO@Dz3g*F9hAPTDMD}ZVhl$?^ zifzfKkUi{MH#aa_7GK-G9KD-f!P)uJb(X;#$4P`#kdJb?&QiGh5i%;ojJnwH;42oR z4M#nG)gdzmG#%6jaJ=~#DKupP?#pzZUM==SN+82~wSbZycYWj7c&yFz} zz&H$^AYDp|y%Cz7Aru*JJ`o8t_pq;`khAm$yBVu;3V~Ct7e&)jZy-V{uvTH^qCXH? zqpC7{NmTH5l!Dlzs&=yc4m>y%Sl_8lxnk~2Hc`*z1lQ1FX}%wHL{}QZ8&0UbIV9!R z2HM&;(rX|y-*QjzYt?vrp3e2v3k=xmILFBTD zmtEIAvZLmO!=g*8UR#U04%_*gf~J%#Pf*bBd;+S!m4&A?O1c~{NBsMz{OtvI*s+TC zU^|K<;v-A1K)S8BpK=n6bov_v+spn0;lus(WeD4Hv{)ZioYM!$=|g?mrOlw%(@+S? z@m0awTBLLs6@{ji2HgO^Xv_^QSuHI9_``~2EaM&QNt3}FV^+VcXb%*{P_A$s3}z20 zI^Ar}Zlm>tzqFOhVZkQ~$*R6NtBUmfnFvFWji3z0q-rH9)9r$YhZ0khxM&h)1#+R= zHdyfwvnZ@_?h1qR9~gO|-&yfG-o)4zf@d3@jq8bHlz+4WhSUt4W<(e1nj$n-CKid+ zdsecc9wcl+p_q;}%s=8KCKknoUv7gnIZU%!Zdux#+}NtxU?t1Y*DEuh9MSia%(M)k zb`8_M`{Zcxv-eHHuSy&_%s#A9zNJ9h+CgyXN7~|Mv(V$)*7IYNdz*+$19Z4B;zgyD zr;?L3TwY%2Sypc>*Y6j^?qUD7QKYe__==UU?1a~X%EetTdf;2hJ9t38auY)L(x;v` zolVQBu8do$>(bPoH^tsPfxoD?v}*!Ru57AotDng&L^Tv~#>bu0DF03DZUG=?;~OSqT0Zy3Pr$hiYmRIA-ja2&$Nlw5ou zyY1eMITmvWLewms9X4e<*yHz;qfZu&K-d3Q9Y=syKk=VL_V7T@@# zagp}=4(}CGzGIE`XqJ7vk!0$Z-yr%HfN^>xl7qE9wc$a-@knreHr7TtKc`S zLIFR^l9bSgf$|6GWY>Fw zk{wAI)%-Za+N8|>rqTG6go-OkOePQNNKT^F8AP^4-Te&iN#>Yve;zUNDMEMjAw8l_ z5I3q(`Y{j}dlRM61Qy~!wfFnyAe~Sb`Na0s{9BweY&ZQ51r6yhaF*fsW>`)EHI`&R zXZu9$)9Ci()n`~1aODMHX@+%Jox1ovf(;pxX%iA@3_(&6X`n#=h*c?4P-z7}s6Oa< zX~<=tjD$b~Fzx7;mss)EU5^?<+AWO39A?Pqj@ZQP{R3|N1VUQTpnv@;Js^-Uw+-2= zPk@LpvA60Q^-Yz;#J@7=l8drPq4C)nWU$*#3`jj>_f%|rauZ{#wCRg(z_2M`4(j!T zyH3B!4J%BbdWRe$l;k$d(O1!mNcW5gLI~(;<4B0xFls$E>GVt-U0n* zRxzF3my;FE{by8ij-q;18k6V72(%i&=J`6(=0A0;EFk4aqB@8#KDJj4>|bDq={c>3 z&-f+Zgq?^PbOdoVi_VK1fsjd@L_Zl(kvKD?XEMb_$bnAiKmEz1%owLIj;EMietv1~7#Oc&<)bNw9 zWF38}MECskmH}H7$W?ry?)8bTZag>xAjQ1*4>rA% z-#2d!jEX^F`c%T3P5tU#p=xPac*W1!9(TFUYyXHl>0fbe-AgfU|HI7o{Flw`UgqZ7 z0!%*Y4H6TmjdhX}bv3ruG97!!N-jjV-q{PkI?a+Wlz( ziY_uGjGeof{CTph!M*_G%AzYnl0dCyPU34M?|YXG*_;1K|_GUhQV08F-OM; 
zpMiWJc+xx-a^;C;ph=Y(Xr}?|?Py7sQh4nGBdTSR}i=J`F`4xeWDEZ4OZKQ@j* z-quIsUnJdkEeSwi&J9h(pgYFOXmD6dtH7B+mVvIeBZyIxS$#WOKf@+B%vmFu^q%DR zOkx=bJ$A~RONSe>#eq?6rr>5o|)2K5v@>Qr~EhH0d2{J~Jn35?FtW6lt+ znKtU_X^;Fa+&@HFi1@d&tZ?1$SfRF`t-y3ygWcWziB_de7z#lhOW$GmSLFXE;X=)n zJ)rG@|E9bz#-E;@n10EX?&JkUx2$3@kknI5p@bLUIO$I4bCN)3!(Y5sY=ETkKAL(e zDiD8gJS6uDz@>%85PYUV2wPF_G(b!e*iU-1vUR1XiDEFI!L3-t)qg9EzTnFeBl27O zHgnC>%1gMRvsL{>lPmhNw<~T|1KhHf0Ev7xyCwnnUOG;Ljv)HIjmA27~>Mp;|&P3`o z?@ts!`KJXynuC+t;;zDJSQ8C`Z{db|z+3+>Uv)`uVDBdbhI-iT6!m0g%prTezp-PCML{@elpUJUUWTaDc&Ts{4K~Ibi&ey(2EB|(Mn+Bmo9kKkk4IA z4a|F|btZY?L*C=V#p!svqT`{Kk$eMaXRaJefkS1%V2_4h7xs5Ud7x(vvRrmVD~740 z56E3_8$k(fE#>~$ZQ)kAi{c7P82C6|t}-Lrza+rb4}%GO$Sm|Feyv)tllctA9lShp z7dTX^?+SMS)pP(Do@!GhXzyc8Sy)$?z({7`2idgiUHrrAMTJE}eVSc)P=JUOBuV`b z*-H{0@GtCdLtLtDkK%2Uw}5U3|L}_4_!n>6uB05Ip{?CfCmAy<^Ye~^=8g~;`Butt zZAI~N*~XG99FA<@tT*LSAeiV#36?RPBo1TW5O(Rp=zSdhe&%75Y-`Lw%|-gtfCls= z6TakM-RVk)jz6mmgWNHlUhz2WYBqGFn{ED^e7i(C0l}rCu25Y9;exTijnO2@z_*fb zGe{C)@YitxLi4{o5Qi={3n@;l&x;1^_X3OI2ks3K5!GSLXtX&Z80W}wC6eNmJh+U1Li?zgQ53K)iYCWq|sR55@&8 zw*$LsZ$K)Kj1+Ff`uDEfp^&Ri*Jrn@pV$HyJ}dN*{^Bd1wzrlZaoO{{wN`N9V@L%u zv7$LHl6`?`*x@vq4Dp~@oD*b_$$g*h&`GoND4IzI*r7i1)p&Y50a#ja7|!9ul0Gt` zc54i9dFc88&RpEs7^LLLfdDVXpTiCXX(frIV~gUTaemi>ZbC*cA@VCi5ykvF#L&VR z=G+OV*@*(5hO8+kg{f(sVI7ub%45*N@VjHJScPfHHwZt_cgUr5XHy|hiWGH*aEEuN znQKm~32D#lKgtfklN1(PrN9bimUx|>{?6wb0@ujZ*`CYwKGxD(uYz6;2YaD#c4uEU zIpI#oL6KZdI;S2aMNXK?4kCY#(*#Twh}-i=56`1db?LHq#s@4%IBC_{E&(t(YN~l^6936fQWCcoZdYpy#MM zQcE$w&(98#d6z25uAEr`9tmRe8RR%U7 zeji#;`)A`K`+O(YqBycvwtyn)Y|pX)s9Sb!1B)|>UNQrm4}WPUPRR65TH#`mbP|%w z!GnkomI=F^%oCw3Ro`L1d|Nfo+}y&<%{Xfbn6a=IpUHYP?hzGI?XCjl6XhkKLuze0 zX(pwI3dXQwwrN@{s^qEEZT-5?|7&k%5=#SgGCV?10%zNYW-^cFJjZI{6mI~GRz4#l zdW7SK{~`|B$YVd~c|z|CLjr*!tU)m+b6V%wh-a7+aIAu0)QxsT8u^*rT1*%& zEGFXGubtw8c!&n;jvE*3EUU~2-Ypc4FanQ8Da-`VwCJ}qk2(w3(GM%dOevuL+J%4} z)sa<)TgG$2I>N>$FM!IC<_^20%&CsqcmDh}lNLjBsv#ru&v6l78loWRj>}7-sHV7B z$$;P_e|7&vv0aVI_fbzixhf_Az(I+-6q;Xt+W?|d-OS|Vn#2RBylJ96*pE5XRLr?Z 
z;O8q-tO&}fQ6#L6gGl#<+~24E3UKdrH}EmA)fX1BWGVF1haaey(RHm_a#X;{V($HN zIZz{}+LUtAYpYfLnrk5#&(ZB(>T+6{V{Og+A?H8FtvokUuhz5>z%j{T%(9BfAgQ75 z0KLFPgke1Jd)1$!v!c1kPL_*RK(S1__E~J6SGsuSc{}ljNQBS~@-)wLz2lm_)Or1uzKA2&|)kdBhEBDwQq3o>nQW zhPnx4Y6thmM6~O}g%(-Kv{4&l*SX{i^%DH>zKJDG?yeB$Ntx2%fP-1WtZGnhhKs<^ zc4H-v(bm>Gqi9x~k76Z5o~5@i{|~x^gVKrkMto|_WP`L&6i?*VXp)dX%ajE|q-jDL z9rM4*Us198QCdvpXp;m<(ousVi0=21LhB)8m(xGX9J@fgI{nz`i}j$||qF+GVaRkQ4^tl0?&EkCSW$(tc|@%UncZ|Hmfp_j3T|g0;kf zxg3zf%rv;;lEEPKm>`Z6W=tx7^@Hw9JqMix8hz$klMtJswxOob#1}!1Yi=Y_1%*s+ zYSMB6J(T-Wt+_-v(J^FBQ+@iG0nrbVmcwhSNLG+Yx{{X1kuJU3O1Ls8Z_;nf)4ST5 zSX%vJfktwy#Y`syk#D__ml+I>P09p9iqBV^-YpEY;%&>}vuLexw7xwFEqYFP;G2o- z6rF#U@FI}BzMntwwOS~7?i(D-t0L~}C}M&xdL~jOI`t*(LZD0d-{X7lL}Pa(ntr4c z2<#K`O*++|X0-etNMBK;?|sdCXs7C9(TOr?BTYG37~$f56nP_(6Es5ciPJRotR849 zb;mOCi4n7@4;&WAkr_jh@e2XUIkmguBoj33zu}l-SL15W=>yOx2JRIoY2XX}$*`vT z|L#`(f$+m9Xg5@kaBr@Kb_|azhO8#``rHK0Mst=G6i;q$F=in{UG^L6S^f9T5?e7w}a)wD$dbrKKSyLnrdkdUSBAe62 zX0u_Fw)&L(O=X~zu-|m_75VIPGfawjSM}PgAcQ9y`$@o=NKN=Kt`#Kc@M zJlS?f630w?K~~=OIdHj+C0R?Lmu|n`kP)Z@C^QynO_0n3GSy_<*kP-nVA!Eog=NrRfts8+((jBbBNlH;gExhb zg5k1B$CWK?J^w{P-l*ZF?`w-nm0MihTG#;f0`6poB^Me)+3(WkqZL)CRF@W}Fh8{u zIAD?zD-d7Tye>6lkoZQ}=2@)Q9DWe8j|+u~Cfu?^5`Sb(++HUe_+$rDD0Q=!o`o=) z6^byL`*%>3yrc!As2|}e>LyjYSMivoIDU>?%)=c|i zikN2dT|0Bhlr)Kx$&@&yh!V!5M5ymsU=CA$a#Vq_$Ek}*QWQ*u@S#+{KJ&*z`Pwyk z)UfOek*j28==#QytFk`)q6|#;n5gH*k*ljD8t-&w$1yLHNmp+$7%duJPU+jAq3p=@ zRz&#aSu}5_2$45w`=*dLd2Ai--x~X-(zSaCD-dpXQOA3ZwT+P z3HhI2$fS^85r22f>d6Sd?+?ZjDQ2FDx~7flh1nKiOA`y26Tq{sOD22x`akwqur~v& zWFR(*S3Fc}8qv78V0r&Jd>&PU%cU&ulHx2IS>&Ck1hWG6DC`j(C zMLxzG*;SD6RQ7KT-e22z~Mfk*eJ!QnQPJY3WmVFCE28bH#dv_1uU`X~+c{~0jTkCVuO`EE~zj5ZiLr&lE z<#Vs3DIg7$b34*W#Evn;XfvSQXCZ4gpTpkr1>{^V_|IMV!;wAl@ilxcHhC{T=pi<< z*9gE(IIVU@+>djkrv+yu$&W{4gu!Hg2WT(Gx_b}*(fDIv&>G0=AF7TlsrS0Yfa`Y% zPZZom8Mqm@B$Y!eEmo{+zl?*{W%X?M-C!eZzfxVISBpI*wq(<6Ej|TY9}Gs^ZV;>4z{4~9v4kyF>E@%eR5=B011UbtXagrJd`*DmHedyJVb&Az$s~5n zhg+A->_OMFIg1+w&U;dkGMV&S4?tk#_J|4Z+IL2#kdi#xD2H<{{!>Dd_E0{!0|vL) 
z)i^PMjbGd6)-8quFW*H&h7p}hX4(^Jl95D*%#fn=fltGPDn4=s_Fh-=1CVd;{pa=K zZeLFyO?w1aGLXN!&l#(xIPy?ZI5tg}GxIiWL6P3!)sRUUgqN20i_iZcMm@ulhZuj7 z?wWbag;SW@@?;WY4K0)FBgracIVg>F!Qmaea=w%CL()f6-?-6QhAbbvRUF6!sHTT= z`5+9L1(_>`D}Wg4JJ)N!*2uyq653L&>_I8WJ27POFGiWTQl%@4q?a){#u3&# zeh|qa?)&D>brBp(v53CcPiNhF68ca9`&`U;yv)HAs-aD$bZN}^ZZty~YJTL9MxUs0 z)1lT{!!qPA>;1#=(GVZfh6g*NmzAfG`ZNzwvZX*60d)0jfRNP%{`wi|hD)UFS;%jc z@B+Ec$jSCgk>6;;O5%2RRMyfIYbDaln{kU5+qW-o%-7goANhr6l+sUNYCsaTPvBu8 z#c06`yyrLYGnp(z3nd zIqpEmV6x82-W4r6U(s=^87c;(3VjcGkq|18)Nb+G?wH4gQ$3EZPTpxj+0MUfFJGkQ z!6;b!75G)rkzb22*5cR!fMAhSE#c7>%kd3460D9e3n0(D&=8W`wLC184=wy>d z+6L&8%SBMWZg&%!;6qA=v|={A(`_r`VG0psj>Ai5VGhWqsFt*bK*brb#HuHY{kJ^# zBod-mDySzPzveqNF;*dSq+TqlVF`2{UryN3*)j^Ed^QaWp^qj?QP|q^6BmO)BbS?L zBwSusXH~;PYS@vJeCkbcPgJoWw1xwZVnN^*cnmO4I!|VF5;8mpn#AkU?yBou;(sE) zyT5ZrcY(Uj6Tam$(e}rLc?zSCuM6d>xMb{wf$|(>+YV`FGBCc8pnFeHVysQ9yCp>b!@i!Y!^3e*Nx(aFHe37OOyg8#?jQI!X{{vS<9ws{1Ym%=>~kq^{y82mSjR;wz<|Ny``9~=)Gt>rNG`u z3FOYP61v(23%O$nw3F^dA_PwzhsKlt`uD6yoPv^GqW%o2S#$8*%$T^iZMjHP+}xb0?YX-46F{g7v<}n6U!_HG&y{jy zp1<;qYgA$#@dJhS(xT`{TA3b1>WyMxqSs-lFf9AAua<#!xd}A@6|Z z#o#dtAf{qzfc7=#FV$U)xu&|Wov-Wg*G)+h1(APt`PrXy-;e>V}ZjS}sLvn8g8PX!IU*ar7jrf_ZRJn2Io#B{J| zPTb#|dJO^?Pr=n~m6k%h$S9CET^_y5F6_fLDEQcrtXaY1ta_e1amKHxU{)f3#1uv4 zp41;h5qTrw`1!jNIDN+@WFzKLj5W8uO>YP<9dWhe1V8@+PAivQ%BdGx*fG5qKG**4 z*teTDjkB+)_V$FDVk>A5R*es<=Btpgd-cuCQKAboDiD$o7A-A@d-f>yH`RyEwsQxI zAV-_rf=IFwdkc*Tw5=}QJnTdZ6vcw^-(}o)8TY;7xbNDg;=b1r@BJ{r36CMVyGT&? 
z!v%9IBWMNSE@lft$BNqte zPG((T8+aJ;=Zo&z7!VYgnzcg)5NzjHWc-JwDzd) z)y5)QP17_RrlFfH+tllg)<8G<6-#d%*NvtwmVKl_Fdd~x7uH)jui{( ztX47t^iXf$C{ftH^zuUF4e{Uq@qdF^`bN6}38a8f&4M1A z6Kx11WIEn7&@9RphNnRqU$aM_9p4*~KbpdUd6A=Q_MTJ=>6{Fuhv5p^8z-0q2du%^ zsn;O#po2sMMPhz0f9Zww*rHMU+Q4&N%yxqWNH+8VWY4>O!Ln2j;8;xW(0@)9zrmJK zsPx{RW`PQ`yxY;fKt>q!wJH|KOxO&Z0qQ-gkUGX%JlWH_1IPeUGI7kQYxq)L(A^_% zqPb3}TA>Y5ZD5JvSU80Ju-PYeHO1IsO*N?x80JmaPi$=YAgDTm>D@3jb>+r$@smq8 z;o$MlFNK3@g&n(uMB(0J8l&{Ui$1X%q8Hjn_8gV{!N{I`#G;N4v}X zF@OC4M|fnL7&qzP?Q4eh@6&+wjZ{O}3L2S!zRd-Lfp8a?Z`}X*6EQs0v z9;HiRtg&$b4I9}^ctYgQcPN{0!nviPx4#%*vEl9QAZ#|h4F{b|?H^3o*p>!^tNo!- zT!{7uz0{*W{H^?ir8)cM;^)uUL{`Wj6bB=ANtUG79rn&fL0AR+{6FaipHk$7@l*<3 z$b_3$&KsG3ODS4$AynOXEZS@(%hivzLmz#^rN5gmxKRy@nq66Pg@j9Ep(+#ieXF&8 z`t54J)o=9mYQ-Gr^=joNn;0EMNw|9PD4 zj4y>oElr@scyQ3V0A3d`kXG;9_rBcqFb*_{>KfDs%_bc4^?thv;$yUGdb?h$>a~gi z2SAV>yLP;!_>f7E)_B}hAd5rT!gFNkBC`LO?Z+)xG|llL7fLcA$SkA}o*H1s$7IgP zEo)y>%Rr9tL#|8~4G{^1xNQ&tfBatcV&Y@ydNSbelmeERwXsGa;Jw%&OZU7TJ$C%8 ztaD#)H|%Dsag1LYIBx6pBare|t#+(8`;|eTK>)HEzXs(z0`;*<@ z7u&UM*p}^@ZRmqW|46SlDh<7VTsQT8wPhM0uGQ*stAJF#f7K(bgzIqi7RjJwa?e(> zzuh?IP5KOLc}r{4ncHKiL7f1<;W`{o?sm??bGOU|eHJx1a$zVy5TUkJ+6J>1@LU@~ zYD7$)Jw7xyLwe6AY)FZD^LK2>bZa-S%E^}9Ac~g?JRjpLGTV$io z6v>yfJaEIcnG>@&LEm9V%cq_Ss*%G(VqHN?b&AY2?p?|$(tUUOJYaS!VyEf;X=F2X zixMymKrjsWYlnaSSUat8S%S`HX-Kd`zslP}8l*B;;YtZEjcX465O59y!~a0tQRHWo zAC%m|^H@q4WrBV{`rmg9-#6}hEE*Q1oxO2--rW@I%qrRSkWY@34HgYnnTFWtxcQ!(gO1Do)dw8W*wxM-&Zvy^H1=Y z_wexNFB9K@&6gW3V}f~%m`hCy?gI2%4>>_WygsSrUsGpR30}+cC}ln~U$_KVBQG#D z+6Oe;mv7FJ#pYZftTZ?YILHF85jsn3CFH5VuO8rpI|ES@-o)@}M)AN+1fJ3}yeZ%} z>;oGwL}SB)O>##6OWO(cWNI+Ze!1wyXRQ;TMTAx%4(xl^2GbxCpibv|A5DXU%mGX+ zbLnocM;ISFNU{*58ndrexw=5KFYJ(gbRHQ3n64rx$lRUPWEc1;3X#K-+!$*%m&69F z1T}uhl_NBi>W{@xiVURGB=HL>v|_?*JX-!J^wBLKGl$rfp#jRfkCqZ$n%UN3ce;Cf z%$vzvIKduA`t50ZdzAJ9im_kpvHM2l{RgF>yTRz*QriLbyt}XYpyqH5Qx~eZJG9&T ztby$|v|4z)Za`XWSkbQi*>-VV2k--irXBFMu;z<)BqTLV#2<@fM9^}JqWzzSwLL?LV+)=pg`2%G`O5QW8|Z_OJBodroe 
z(}~)Y9LX6L?SojZtAQLZWVtSH@%S6EZTv;en>=oVj5OR%@fWdWV~O+a)_!h_HkmSI z)cW)6+SN>SmUX+;La>aPn_q~8MeENuYDJQQcCE<1plO?|HK%nOWh-XjMy*xYxT(VP zFPt@7y2;T}8oR0H=dgGEWlUZ_=1yefE}^x+2whIS(SUK`(8GN`Bpq2}i7mauf|%%2 zZ@3ljB+TRIckoAl`&PFs?e*&y!{Lh{c)rV7Wu)z#)toF$VQmjIcRAx_LUo{KuCCk1Z;8A6C*# zZlAXzqLQWM6bvi(Z5QBxz|l+bKU7=$N&*Pf4*|szMvtjT&*zuZVS>N@xl|3c z%o^@&3|GxtLr7z)F04=WDU13Ll4vB3xXp|+@lk1YmsWRabw5t4d$tgjHhF22Z`dZs z#gJu#GsP9zviNOfFjeA8Ong>ZW>zDi{=E_^uiI99MchyajK*&OB4yCBjQZ5Vk0tlrA0c)O8wwgB^*X@y_2uUGTr>FZw z_>$s|HRAmJ`ODa0QV*-jrfiLIwsP+U*g2|3l+-~Z~T-^qplIUSdxm483g)M(}?LVfDJUv*XRJ^m zHCCdKX2+5j#4oUHnWjrF4YS6Du^}mpM?I>AGQ1a0-G8^_pvU+c9^>a(M%NeN{oyTP z*0GrUWQr-Kj*?KZBvf3UQ1NI}go>H+yCkXNR#SvL2JXf50Oq1!OwH#;DHxTkH;eIw zWfieH3dXD&N(#o3g7I6VV4QK7E(sW=%#W0S@n}5+j4A@G;slJzMlL|Wn9RDsCh$}U z80#eg%c#k)u?$j7>f^{O}*S$h_sT%Cn z6$vecCySFIEt{o?8=n~SBH94(&%1tL`=6PY=2s*o!UN^V(*ExFQ!wW2fLvY|aFz^8 zO2(3sak~g?RztnGRz#(?I!vnyuNqTtpl&9f>)qOZO6_If6SM5v+33XCN2v&yhcsu# zkgRe9fiTDcoTRva*mU9W7J76icoS%%$xc>M8dpb^<^k5Re?oL!Vu(7LfY>EYCW+x+ zi0UofHqQ0N%37T64I3@|arr6VZldGUx^9c+N3d6`Td!ANOZP4^{^B*eK#j}&1#A=FY zhoG6OqO$6Bs6LPDfLFdH>huxNhP$ePM1}Fx~J-yu1v$$ds+jmJ9L#wHzi+S<*=wg_~ zu_RjzS|e#{2JVabCaGc;RM259DRmWRe+Uhm#i8}N|%z-rKEHzDP5izrAvK1lrAb*eQ`>cWFr@#bV+7iU=w&MlrD{u(q+Yz zF5UBQiqNI;vXzF zWQkcbOU&^iw{txBHlZ`J8C)`y%Pjtu?)j?7TcGlM)Gbh@g17~qF2LFXl@;Y|fvj7_ z*a972n63q9tq55Q=1VfQG!7ca2glWe9>Q+i z9Sd?9s^!cvu18(~ODRy-avrPYx1-Z;_W~y>Ys5?tIV~D7?c}$MQ`ehXm%ib+>E!Gl zGSQb_ci8*Ip5T(WfQP9bK{nrHc|fg^YOF8V>tq@8YdH%h@mgk& znCUtoX7`mfsQZ$p2AV%&7tZy_872B1%N9*!u3F9r3`u%IOepmKE~^OENl@T2vsV~UCD5?R)(YQdC70|&66Q4&u=7^xB-5nP-qqGMlnOZAh!`(tqb!S z?akmbO0TlKY(`n3v2taLaT>+q;Wk5S1ZK*G>D%_G_X-B_7A&((F&c@1&%tMer^F@6 zj6n8Q!(kK?@VSv+v!(0NkRE}#+UuTwu9w6|CGknVLlEU8k z8N7SGo2{W&67!!;c!Ux6xhRh;2am=01@cGBg#`1h^RL~zcjN|`j_6Phd+_PMoNDMt zvHg<&Xwy6$Xfv;c`-r>GGkA~0@-I1$wh%3v0)DFP+BvY#8RqS}K%Y=$0mx^#6UcDS z*a>7A-lAlimSioG*Xw-Pzc?I~R7JB@;8mKah_22gnj-vtB_u_v`_ENV6rlrl#r#Cw 
z^AtN#_xx#c6N%9)_oZ@QdQAJ$V#Gq-^G;Yp#BI}AC81ENu=HlQEo4GC1{^Lf-k-Sd(-s3Z;&HEfVLXkRhYCt*lrcf{tF%1TUqMLqM(i@+>5 z@+ELFqmrwY%AWti?u7doHn_jpY)AecHq%}tA8dDIQ;vDwfw716*O-aDqGC$w zq|)eErO}~gK9VeqC(n9RG9Be*I@$nF5g05>k`#5%(=;NXQ{Y?UCt`VG$|24>!tJ?| zXK1}VLl3_G6CGTwk#t|2QAR#bJOqzXM(D?U3M1Sam)1Kg;x1Zc{0iqSQkf2OwZ~R+ z7A+@X?b#mkby60^P_89mQAt>|JYi8|Q-noI*s3_UU1&E50Sr^y@o(fUX zaY3M21R7J;+jH<|Lnx@$>4c%a;hQz*H*vq^=r^uR1uA;_~TS|O}H zAFmKrsvs7^#|tnEVSPoZg)r|{aSLJJ7bX{?$t%JxL>ZIxLc;g}`xNHWJ;3XOgONR% zOEwgn_$SLYq@oRq@e5@!1;w6ak+2|552&DEf`eJIo6OdXI7TJC$y(`6V2De8lW!jL z{Mh(SBB@mnoW$*gf($3Lb1qDAg0|~kL?WWR%vY?qyj&-0qLX4QC!3}?xq!j5dgs3P z<*tWAupxevaI|v}oRGP?B*O^`-)bmM;xaDBh&&p?66`|BRZ?=5l>7FExk@s2tqZvrakd!eL>Z1%Ozfuw@8V{KT*f zAxWw|OEQwgR_uHvad@05IZ5WIK?NxZbGb{bB=le)DK*whsgc$a z=|NnJx4#ezLClhU2%?Lu0D$>S7jzI=ff`s5*+q6FLy-U(PIsZ))#tD6tt7lyQq+#K z{jZfZGhW2uQYGa@NqMn6<;C%)C@<8)yCmnu_JXt?1L;L#^m4IY#HVqiv=>Ua;bJK5 ztRhxNdy!Q`NqbS!UX-*KCGEu%qrEs@5AB5td|aINBH73VXfKjk7uW=z3hhO+q`g=% z?FG|`Cus1!o{k6w{N$-Gnoo=RBGsK`7Dt$WOQpoUBa~UNj#W;YGVZa8^subaFIpzMsq$JDgEtW=t%tRh_)!zNq7$c^V zU-O3FvE>d*P(!^SeH$&^F3AaZQ^h!V^&Vb8$!QN93(OhpU}g$@xhvf-E7s4AcN>O; zycig6U@rzsUa1>jk^-wfX!RR)y>$c|TirZr>TR>x(wlAgvDGx%R;5-z3VuUpzX~mt z*s0>_mK6opyY7L~%OMM~l)IT>Cb47(x1zE0q$eYrT9C35Gnsk>(zK0;rrdXvKi*Vd z#&i>i){lqqP(;kjW)}{75VO<*zLkPR)0O7$2?77GBTfUxc&u_TVP?ZUWELAp$K=L# zd~%8t9`M%it$-23(5=}BDQ89&Pv()|YC6IQcFv~MWjS~5bmNN??7~n`G&qj}rykxI zfyU#}pq+F~MgAnL)5qxe9at{#LjW%!H5^}@0ojVX0+OhKEkOJ<3={xnv*yF2&m6*N zj3D1NWcw$(AK0-Et`GLn`hXck&YZCglZ0J$e2Xy^+3>6V1x|_R0EeIZV98kftVtt# zq7Muc4OjyjH3@b_U*ARD*LJ>y9X^SnxCCTtk{E{P7??FS=>8Jwr%_F`oT#WiPhGsX z73mIWJj0xK81rQ$3l{HSFhH;|;6^jSQbypXfuAjBH6pvv9pcW6$pj9<(Cr=Pz&;Q% zK%`^d_y$!>6g|89L$XC^>$y|QPPQJ}fw8Q}=>$bz8)Ntzp%b=wGx9*`-09*nJ=H}v zyaca??hR}P^&kOP95tpiwrJ|pBKi37V_aqHq0ZJ_wpe^f!%-pOg|!NOP>7VK;2r*~ zZ6-64N0{yD+k4qOz!lenrMvU|tFV0TpYO^98nHbHVR{~Q1InNe$FvUD6g}%N zk}l|3v8b6ubh=~p0=5g`zasy>7As(16ICR_@7@|;lJSZdoF02d!Ff5Wk!!*6_gUy3 zJ!Iq`vA!g$&)FR*5UEm`9R!%z3uc6sQyhyo9a-zZ9P_h%6fhi^6vP)H>8^cad=obd 
zCQMu+xV4Wl(o)yUR6W9c(jq&-%hTidazsnu? zu+L*jC=(MS7NkN4=XZD!{a5}T#}!S0w>GR)GZ2;+fBMG0wnx$#`b)fJLubT`fNtTT zxQ$)7o15sKei_Hpxt`f2H3@BgV@%$7{Od_5(o)LAOyS#;>ucY>j>PI>%GfhpYCY>& zIwyOZl^4A(rwAfYO5@eD8yLxlgBNrzg{wkA_UJwOF7B1# zs>wY=L=;uv|5I;#SMD8a*gH0|bu74ZP^gP2lUd1~sA$QQ>?ArvnlkT}k&Q136>b*5 zNV=fdju>*~7SYHE3(s6<54FH%t}yIc7)dD&d=ww8j9QKs=85kccbysDrC7f3P*2(7 zG0#a)L~O~#pmZ_cnZvk=KhPrjWK$UUPNIFxg|N?@ECj`t68G@Zt2dg$X?-W&zN8NV z*VP+m^r^!cSg_tXr&#?=S#z?>j)VABXYeQ8Lvu^Bg%p-{7XZ(p^&*N7b0*P?25z8-P z11PYFapF>oxT%JLU|7th;a}SfkoK$ZvdteJzX?5fKYzh9x#4Q8Wc5d|yJ^!fU!Amm z9aEmbc=hkbaF*w(v}Cewz`b8Txdul1GWHr}3$xZ#ve|{cLD{HaE$WIFTRC65*8NJS zFRNLb90KLW@__R3LAa=;wH2);9v&Vpq)cbFh*6(7$v|{G9{l9-Z>Ebg11YVU$1KGv zq7xcI0B2|9?~<8o>M@q#U&eGIg77zUj?3g**&w2I7Sd@RZgod#L+qx3i(%b@MMo-) z_SjhQ+2-a6dJyH}=)#vr3~XdW8asC6hDb~Me8HBv-ik`N=>4OR^8E}Qfbg*QG>%uyV!hro++j zVjooW`v=d$!}-ykCb4jrN$P?$B!S`4{0C{KLLnPJ6%w- z>Tniyg*PW}-tKv^e6Nk*rdUqId8adm{gnsQMACWQ+Ds*{NXmeAj&};!-5*fN}G0cwv52_loT%geO zEN&DSstm?o49ApJ#Oi>dSv8cv&=MG00z*q+=o15mHrE3TRe^Mh14EOITmTrF%(}oP z@Kk`Itr8fzVqoZ7!@V_xIrYszLt9S^8k*|PGRq^(za`L6E}=;uP{D)MkeBv&K%%V@ zBwB(*OOWU{0}>Vbt}slL7w{O+q9tZ@gP747a#2D@OXz3;=xD+;%MBhC`BsV^MM&L` zh3SU~Q2L6KFTPa>4+I(zEWI?o6H%H-!JEW(noMLE#&a&jlfyc@ z=YjSw{JNE+Ie$DHzhtd1g6kCh5?v?;?EL%Mah1H61%Z`&ds(*4s$}EVJ$&Y;*hl?y5|AK-3QZnr?3Q*z<nHg|1cQ;rT zF)0`G;9;T}m`N21MhxOsBP^FR&=fdJUg8|2<${RGq7cmtq-DYZmBd;Gc7CWOrhPi_ zN-;2n0G8sE7Kd1hB1??rQ^i;+R#SA}!a6v=siEg`t*x8W>{{t!AR;}d)@mgfr!jK%2R|Nf8v0=pDvD3(C`(a=D74m!$1-U(tS z+26XbKo2LrZHoh)81LXvbp6k@3hO*Pp@w5`f`cI(MPKqK8a?{)(0CbZ-6gpXhsGWB zNzp9hlW{N%4#g==bRhUN@@_{?5D+TrCHdKgx2kQFIvbM(YK#-m;KKrNtpE;EK3e;sHH%^3j^&xpO$iroV%-G~@=8@aX9mPFdH`AdpVh^FT z{nQ!8vhixy58^E(UmEtx8QLy>LCG``-C(nCDKXzRYOiPre+9e2cki&_(dp(=gm`0g z_%yJs7d*y46jP3?*5Jpfs)UJD!U4?i(8ke(!47OqwpKLT!QeC@nl zV9M-oedvuGFkKGO{}`!f9khmXJp$2s<6UbfV*1!Rg4&AKiGyb9#&{e^KY}`UOuCN4 z+8k5Ehf7x_7VqJ7?0SZ!M<-vX)PcJAi7~o{k*hpp0~;yI(8(le%htXoUZ0W!S|jzP zv0j`&FSO`XEaj_4`Gn^%_WEds65y(d`Y5`H1Baub4N;jGeQ!EZ9Op?Z{E@BgVnv23 
z&+<%F@u4z~RO<|@X~tHWZTyHPBoofJee&is+2;JCGrZOU-;{>LH*OEu-UJ%L=jCK? zQ+$VldH15-Df0hZJp;XGO>UrqW@G#Xe!a1A;fKG!%xA1-8p2twhU^^5)BEgGd#=;^ z!l!ikWTHHk7e9^XK84F|P@lRNKW#63%AR?;E_ABCk6D44r|6ld=j>B+${Q_&N2s*4 zKQ>#kXWo4%SsgOYEdpo7ZSQKz+cM9mzQSIJBJ>j%48suDwM2Jn580iS_2TFud!caO zP>+`APyHeL!!8B&(27~QH;sqv4c=?6urJ3C*_ZD53VYIg$e#TA{>=)z(t60QT)F<_+#5w;I(&+Me+J7hgUrX?ksmrWao)D{1=C z5=}3@6jsvo`VvilU|DZ0(e&cR?@F3}yhPKB+qx@hx{{>30JrM{G+j+Qx%kB>Z@ToG z`T~C7_`&3yUF)4Os!>KeS*^xtC!b;XTRP#9UTN#q*qvl}nVN9ZqP)h*< z6ay3h000O8wRJaHSmWkNUI_pI%q#!^7XSbN0000000000q=5hc003ihWnpw>RcS<|XVQFquWo>Y5VRU6KYIARHP)h{{000000ssO4ga7~lld1p!00510u>Jr5 literal 0 HcmV?d00001 diff --git a/Solutions/Recorded Future/Package/createUiDefinition.json b/Solutions/Recorded Future/Package/createUiDefinition.json index 0fce911f174..027f8b54d22 100644 --- a/Solutions/Recorded Future/Package/createUiDefinition.json +++ b/Solutions/Recorded Future/Package/createUiDefinition.json 
@@ -1,397 +1,257 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nUnderlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. 
Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n* [Threat Indicators](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api)\n\n\n**Workbooks:** 8, **Analytic Rules:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - 
], - "steps": [ - { - "name": "workbooks", - "label": "Workbooks", - "subLabel": { - "preValidation": "Configure the workbooks", - "postValidation": "Done" - }, - "bladeTitle": "Workbooks", - "elements": [ - { - "name": "workbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." - } - }, - { - "name": "workbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" - } - } - }, - { - "name": "workbook1", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Playbook Alerts Overview", - "elements": [ - { - "name": "workbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." - } - } - ] - }, - { - "name": "workbook2", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Alerts Overview", - "elements": [ - { - "name": "workbook2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." - } - } - ] - }, - { - "name": "workbook3", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Domain Correlation", - "elements": [ - { - "name": "workbook3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." 
- } - } - ] - }, - { - "name": "workbook4", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Hash Correlation", - "elements": [ - { - "name": "workbook4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook5", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - IP Correlation", - "elements": [ - { - "name": "workbook5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook6", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - URL Correlation", - "elements": [ - { - "name": "workbook6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - } - } - ] - }, - { - "name": "workbook7", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Threat Actor Hunting", - "elements": [ - { - "name": "workbook7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." - } - } - ] - }, - { - "name": "workbook8", - "type": "Microsoft.Common.Section", - "label": "Recorded Future - Malware Threat Hunting", - "elements": [ - { - "name": "workbook8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Malware Threat Hunting Workbook. 
This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." - } - } - ] - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." - } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 Domains in DNS Events", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist." - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 Domains in Syslog Events", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "Detection of Specific Hashes in CommonSecurityLog", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList." 
- } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 IPs in Azure Act. Events", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist." - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "Detection of Malware C2 IPs in DNS Events", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist." - } - } - ] - }, - { - "name": "analytic6", - "type": "Microsoft.Common.Section", - "label": "Detection of Malicious URLs in Syslog Events", - "elements": [ - { - "name": "analytic6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group." - } - } - ] - }, - { - "name": "analytic7", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting Hash All Actors", - "elements": [ - { - "name": "analytic7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting hash correlation for all actors." - } - } - ] - }, - { - "name": "analytic8", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting IP All Actors", - "elements": [ - { - "name": "analytic8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting IP correlation for all actors." 
- } - } - ] - }, - { - "name": "analytic9", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting Domain All Actors", - "elements": [ - { - "name": "analytic9-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting domain correlation for all actors." - } - } - ] - }, - { - "name": "analytic10", - "type": "Microsoft.Common.Section", - "label": "RecordedFuture Threat Hunting Url All Actors", - "elements": [ - { - "name": "analytic10-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Recorded Future Threat Hunting Url correlation for all actors." - } - } - ] - } - ] - }, - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
- } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nUnderlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. 
Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n* [Threat Indicators](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api)\n\n\n**Workbooks:** 8, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + 
"name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Playbook Alerts Overview", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." + } + } + ] + }, + { + "name": "workbook2", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Alerts Overview", + "elements": [ + { + "name": "workbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." + } + } + ] + }, + { + "name": "workbook3", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Domain Correlation", + "elements": [ + { + "name": "workbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." 
+ } + } + ] + }, + { + "name": "workbook4", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Hash Correlation", + "elements": [ + { + "name": "workbook4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook5", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - IP Correlation", + "elements": [ + { + "name": "workbook5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook6", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - URL Correlation", + "elements": [ + { + "name": "workbook6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook7", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Threat Actor Hunting", + "elements": [ + { + "name": "workbook7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." + } + } + ] + }, + { + "name": "workbook8", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Malware Threat Hunting", + "elements": [ + { + "name": "workbook8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Malware Threat Hunting Workbook. 
This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
+ } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json index 8d44f8cbec4..495914d9d55 100644 --- a/Solutions/Recorded Future/Package/mainTemplate.json +++ b/Solutions/Recorded Future/Package/mainTemplate.json 
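Review bot: The `analytics` step on the new side still shows "This solution installs the following analytic rule templates.", but the `analytic1` to `analytic10` sections that followed it are removed and the description no longer has the `**Analytic Rules:** 10` count, so the install wizard announces detections that the package apparently no longer ships. The part of the following mainTemplate.json hunk visible here also drops the `analyticRuleObject` variables, which supports that reading. Either remove the whole `"name": "analytics"` step, and the `Microsoft.OperationalInsights/workspaces/providers/alertRules` entry under `resourceProviders` if nothing else deploys alert rules, or keep the rule sections. Dropping the C2 domain/IP, hash and URL correlation rules reduces detection coverage for workspaces that relied on them, so the release notes should say so and tell operators whether their existing rules remain in place. If this file is produced by the solution packaging tool, make the change in the tool's input rather than by hand here.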
@@ -1,9829 +1,8161 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Recorded Future Premier Integrations - support@recordedfuture.com", - "comments": "Solution template for Recorded Future" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "Recorded Future - Playbook Alerts Overview", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook2-name": { - "type": "string", - "defaultValue": "Recorded Future - Alerts Overview", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook3-name": { - "type": "string", - "defaultValue": "Recorded Future - Domain Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook4-name": { - "type": "string", - "defaultValue": "Recorded Future - Hash Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook5-name": { - "type": "string", - "defaultValue": "Recorded Future - IP Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook6-name": { - "type": "string", - "defaultValue": 
"Recorded Future - URL Correlation", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook7-name": { - "type": "string", - "defaultValue": "Recorded Future - Threat Actor Hunting", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "workbook8-name": { - "type": "string", - "defaultValue": "Recorded Future - Malware Threat Hunting", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - } - }, - "variables": { - "email": "support@recordedfuture.com", - "_email": "[variables('email')]", - "_solutionName": "Recorded Future", - "_solutionVersion": "3.2.8", - "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", - "_solutionId": "[variables('solutionId')]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.4", - "_analyticRulecontentId1": "a1c02815-4248-4728-a9ae-dac73c67db23", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1c02815-4248-4728-a9ae-dac73c67db23')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1c02815-4248-4728-a9ae-dac73c67db23')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1c02815-4248-4728-a9ae-dac73c67db23','-', '1.0.4')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", - "_analyticRulecontentId2": "dffd068f-fdab-440e-bbc0-34c14b623c89", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dffd068f-fdab-440e-bbc0-34c14b623c89')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dffd068f-fdab-440e-bbc0-34c14b623c89')))]", - "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dffd068f-fdab-440e-bbc0-34c14b623c89','-', '1.0.3')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", - "_analyticRulecontentId3": "388e197d-ec9e-46b6-addb-947d74d2a5c4", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '388e197d-ec9e-46b6-addb-947d74d2a5c4')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('388e197d-ec9e-46b6-addb-947d74d2a5c4')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','388e197d-ec9e-46b6-addb-947d74d2a5c4','-', '1.0.2')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", - "_analyticRulecontentId4": "588dc717-7583-452c-a743-dee96705898e", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '588dc717-7583-452c-a743-dee96705898e')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('588dc717-7583-452c-a743-dee96705898e')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','588dc717-7583-452c-a743-dee96705898e','-', '1.0.2')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", - "_analyticRulecontentId5": "22cc1dff-14ad-481d-97e1-0602895e429e", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '22cc1dff-14ad-481d-97e1-0602895e429e')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('22cc1dff-14ad-481d-97e1-0602895e429e')))]", - 
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','22cc1dff-14ad-481d-97e1-0602895e429e','-', '1.0.3')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.2", - "_analyticRulecontentId6": "9acb3664-72c4-4676-80fa-9f81912e347e", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9acb3664-72c4-4676-80fa-9f81912e347e')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9acb3664-72c4-4676-80fa-9f81912e347e')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9acb3664-72c4-4676-80fa-9f81912e347e','-', '1.0.2')))]" - }, - "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.4", - "_analyticRulecontentId7": "6db6a8e6-2959-440b-ba57-a505875fcb37", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6db6a8e6-2959-440b-ba57-a505875fcb37')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6db6a8e6-2959-440b-ba57-a505875fcb37')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6db6a8e6-2959-440b-ba57-a505875fcb37','-', '1.0.4')))]" - }, - "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.3", - "_analyticRulecontentId8": "e31bc14e-2b4c-42a4-af34-5bfd7d768aea", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e31bc14e-2b4c-42a4-af34-5bfd7d768aea')]", - "analyticRuleTemplateSpecName8": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e31bc14e-2b4c-42a4-af34-5bfd7d768aea')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e31bc14e-2b4c-42a4-af34-5bfd7d768aea','-', '1.0.3')))]" - }, - "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.4", - "_analyticRulecontentId9": "acbf7ef6-f964-44c3-9031-7834ec68175f", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acbf7ef6-f964-44c3-9031-7834ec68175f')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acbf7ef6-f964-44c3-9031-7834ec68175f')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acbf7ef6-f964-44c3-9031-7834ec68175f','-', '1.0.4')))]" - }, - "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.4", - "_analyticRulecontentId10": "3f6f0d1a-f2f9-4e01-881a-c55a4a71905b", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3f6f0d1a-f2f9-4e01-881a-c55a4a71905b','-', '1.0.4')))]" - }, - "RecordedFuture-IOC_Enrichment": "RecordedFuture-IOC_Enrichment", - "_RecordedFuture-IOC_Enrichment": "[variables('RecordedFuture-IOC_Enrichment')]", - "playbookVersion1": "2.7", - "playbookContentId1": "RecordedFuture-IOC_Enrichment", - 
"_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "RecordedFuture-Playbook-Alert-Importer": "RecordedFuture-Playbook-Alert-Importer", - "_RecordedFuture-Playbook-Alert-Importer": "[variables('RecordedFuture-Playbook-Alert-Importer')]", - "TemplateEmptyArray": "[json('[]')]", - "playbookVersion2": "1.3", - "playbookContentId2": "RecordedFuture-Playbook-Alert-Importer", - "_playbookContentId2": "[variables('playbookContentId2')]", - "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", - "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer", - "_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]", - "playbookVersion3": "1.3", - "playbookContentId3": "RecordedFuture-Alert-Importer", - "_playbookContentId3": "[variables('playbookContentId3')]", - "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", - "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", - "RecordedFuture-ThreatIntelligenceImport": "RecordedFuture-ThreatIntelligenceImport", - "_RecordedFuture-ThreatIntelligenceImport": "[variables('RecordedFuture-ThreatIntelligenceImport')]", - "playbookVersion4": "1.0", - "playbookContentId4": "RecordedFuture-ThreatIntelligenceImport", - "_playbookContentId4": "[variables('playbookContentId4')]", - "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", - "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", - "RecordedFuture-Domain-IndicatorImport": "RecordedFuture-Domain-IndicatorImport", - "_RecordedFuture-Domain-IndicatorImport": "[variables('RecordedFuture-Domain-IndicatorImport')]", - "playbookVersion5": "1.0", - "playbookContentId5": "RecordedFuture-Domain-IndicatorImport", - "_playbookContentId5": "[variables('playbookContentId5')]", - "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", - "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", - "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", - "RecordedFuture-Hash-IndicatorImport": "RecordedFuture-Hash-IndicatorImport", - "_RecordedFuture-Hash-IndicatorImport": "[variables('RecordedFuture-Hash-IndicatorImport')]", - "playbookVersion6": "1.0", - "playbookContentId6": "RecordedFuture-Hash-IndicatorImport", - "_playbookContentId6": "[variables('playbookContentId6')]", - "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", - "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", - "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", - "RecordedFuture-IP-IndicatorImport": "RecordedFuture-IP-IndicatorImport", - "_RecordedFuture-IP-IndicatorImport": "[variables('RecordedFuture-IP-IndicatorImport')]", - "playbookVersion7": "1.0", - "playbookContentId7": "RecordedFuture-IP-IndicatorImport", - "_playbookContentId7": "[variables('playbookContentId7')]", - "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", - "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", - "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", - "RecordedFuture-URL-IndicatorImport": "RecordedFuture-URL-IndicatorImport", - "_RecordedFuture-URL-IndicatorImport": "[variables('RecordedFuture-URL-IndicatorImport')]", - "playbookVersion8": 
"1.0", - "playbookContentId8": "RecordedFuture-URL-IndicatorImport", - "_playbookContentId8": "[variables('playbookContentId8')]", - "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", - "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", - "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", - "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url", - "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]", - "playbookVersion9": "1.0", - "playbookContentId9": "RecordedFuture-Sandbox_Enrichment-Url", - "_playbookContentId9": "[variables('playbookContentId9')]", - "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", - "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", - "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", - "RecordedFuture-CustomConnector": "RecordedFuture-CustomConnector", - "_RecordedFuture-CustomConnector": "[variables('RecordedFuture-CustomConnector')]", - "playbookVersion10": "1.0", - "playbookContentId10": "RecordedFuture-CustomConnector", - "_playbookContentId10": "[variables('playbookContentId10')]", - "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId10'))))]", - 
"_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", - "RecordedFuture-ThreatMap-Importer": "RecordedFuture-ThreatMap-Importer", - "_RecordedFuture-ThreatMap-Importer": "[variables('RecordedFuture-ThreatMap-Importer')]", - "playbookVersion11": "1.2", - "playbookContentId11": "RecordedFuture-ThreatMap-Importer", - "_playbookContentId11": "[variables('playbookContentId11')]", - "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", - "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", - "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", - "RecordedFuture-ThreatMapMalware-Importer": "RecordedFuture-ThreatMapMalware-Importer", - "_RecordedFuture-ThreatMapMalware-Importer": "[variables('RecordedFuture-ThreatMapMalware-Importer')]", - "playbookVersion12": "1.0", - "playbookContentId12": "RecordedFuture-ThreatMapMalware-Importer", - "_playbookContentId12": "[variables('playbookContentId12')]", - "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", - "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", - "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", - 
"RecordedFuture-ActorThreatHunt-IndicatorImport": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "_RecordedFuture-ActorThreatHunt-IndicatorImport": "[variables('RecordedFuture-ActorThreatHunt-IndicatorImport')]", - "playbookVersion13": "1.0", - "playbookContentId13": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "_playbookContentId13": "[variables('playbookContentId13')]", - "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", - "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", - "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", - "RecordedFuture-MalwareThreatHunt-IndicatorImport": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "_RecordedFuture-MalwareThreatHunt-IndicatorImport": "[variables('RecordedFuture-MalwareThreatHunt-IndicatorImport')]", - "playbookVersion14": "1.0", - "playbookContentId14": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "_playbookContentId14": "[variables('playbookContentId14')]", - "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", - "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", - "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", - "workbookVersion1": "1.0.1", - "workbookContentId1": "RecordedFuturePlaybookAlertOverviewWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', 
variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "workbookVersion2": "1.0.1", - "workbookContentId2": "RecordedFutureAlertOverviewWorkbook", - "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", - "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", - "_workbookContentId2": "[variables('workbookContentId2')]", - "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "workbookVersion3": "1.0.1", - "workbookContentId3": "RecordedFutureDomainCorrelationWorkbook", - "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", - "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", - "_workbookContentId3": "[variables('workbookContentId3')]", - "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", - "workbookVersion4": "1.0.1", - "workbookContentId4": "RecordedFutureHashCorrelationWorkbook", - "workbookId4": 
"[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", - "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", - "_workbookContentId4": "[variables('workbookContentId4')]", - "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", - "workbookVersion5": "1.0.1", - "workbookContentId5": "RecordedFutureIPCorrelationWorkbook", - "workbookId5": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId5'))]", - "workbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId5'))))]", - "_workbookContentId5": "[variables('workbookContentId5')]", - "_workbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId5'),'-', variables('workbookVersion5'))))]", - "workbookVersion6": "1.0.1", - "workbookContentId6": "RecordedFutureURLCorrelationWorkbook", - "workbookId6": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId6'))]", - "workbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId6'))))]", - "_workbookContentId6": "[variables('workbookContentId6')]", - "_workbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId6'),'-', variables('workbookVersion6'))))]", - "workbookVersion7": "1.0.1", - "workbookContentId7": "RecordedFutureThreatActorHuntingWorkbook", - 
"workbookId7": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId7'))]", - "workbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId7'))))]", - "_workbookContentId7": "[variables('workbookContentId7')]", - "_workbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId7'),'-', variables('workbookVersion7'))))]", - "workbookVersion8": "1.0.0", - "workbookContentId8": "RecordedFutureMalwareThreatHuntingWorkbook", - "workbookId8": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId8'))]", - "workbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId8'))))]", - "_workbookContentId8": "[variables('workbookContentId8')]", - "_workbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId8'),'-', variables('workbookVersion8'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": 
"RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist.", - "displayName": "Detection of Malware C2 Domains in DNS Events", - "enabled": false, - "query": "// Identifies a match in DnsEvent from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract Domain patterns from syslog message\n | 
where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.Name\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, DomainName, Description, ConfidenceScore, AdditionalInformation, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "ASimDnsActivityLogs", - "dataTypes": [ - "DnsEvents" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "subTechniques": [ - "T1071.004" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Computer", - "identifier": "FullName" - }, - { - "columnName": "HostName", - "identifier": "HostName" - }, - { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "DomainName", - "identifier": "DomainName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 Domains in DNS Events", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist.", - "displayName": "Detection of Malware C2 Domains in Syslog Events", - "enabled": false, - "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where 
isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Syslog", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "SyslogAma", - "dataTypes": [ - "Syslog" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "subTechniques": [ - "T1071.004" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "HostCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "URLCustomEntity", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - 
"fieldMappings": [ - { - "columnName": "domain", - "identifier": "DomainName" - } - ], - "entityType": "DNS" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 Domains in Syslog Events", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": 
"[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.", - "displayName": "Detection of Specific Hashes in CommonSecurityLog", - "enabled": false, - "query": "// Identifies a match in CommonSecurityLog from the Recorded Future Hashes Observed in Underground Virus Testing Sites\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n// Picking up only Recorded Future IOC's that have been observed in undersground testing sites\n| where Description == \"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n| join (\n CommonSecurityLog | where TimeGenerated >= 
ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation\n| extend AccountName = tostring(split(SourceUserName, \"@\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \"@\")[1])\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "CEF", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CefAma", - "dataTypes": [ - "CommonSecurityLog" - ] - } - ], - "tactics": [ - "ResourceDevelopment" - ], - "subTechniques": [ - "T1587.001" - ], - "techniques": [ - "T1587" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "SourceUserName", - "identifier": "FullName" - }, - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "DeviceName", - "identifier": "FullName" - }, - { - 
"columnName": "HostName", - "identifier": "HostName" - }, - { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "SourceIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Specific Hashes in CommonSecurityLog", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": 
"[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist.", - "displayName": "Detection of Malware C2 IPs in Azure Act. 
Events", - "enabled": false, - "query": "// Identifies a match in AzureActivity from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| extend TI_ipEntity = NetworkIP\n| join (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n )\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated >= TimeGenerated and AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, Description, AdditionalInformation\n| extend AccountName = tostring(split(Caller, \"@\")[0]), AccountUPNSuffix = tostring(split(Caller, \"@\")[1])\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActivity", - "dataTypes": [ - "AzureActivity" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Caller", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - 
"columnName": "CallerIpAddress", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "TI_ipEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 IPs in Azure Act. 
Events", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist.", - "displayName": "Detection of Malware C2 IPs in DNS Events", - "enabled": false, - "query": "// Identifies a match in DnsEvent from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= 
ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| join (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n )\non $left.NetworkIP == $right.SingleIP\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, Description, AdditionalInformation\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "DNS", - "dataTypes": [ - "DnsEvents" - ] - }, - { - "connectorId": "ASimDnsActivityLogs", - "dataTypes": [ - "DnsEvents" - ] - } - ], - "tactics": [ - "CommandAndControl" - ], - "techniques": [ - "T1071" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Computer", - "identifier": "FullName" - }, - { - "columnName": "HostName", - "identifier": "HostName" - }, - { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - 
"columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "NetworkIP", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malware C2 IPs in DNS Events", - "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": 
"[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.", - "displayName": "Detection of Malicious URLs in Syslog Events", - "enabled": false, - "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = 
extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Syslog", - "dataTypes": [ - "Syslog" - ] - }, - { - "connectorId": "SyslogAma", - "dataTypes": [ - "Syslog" - ] - } - ], - "tactics": [ - "LateralMovement", - "Execution" - ], - "techniques": [ - "T1072" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "HostCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Host" - }, - { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "URLCustomEntity", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 6", - "parentId": 
"[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "contentKind": "AnalyticsRule", - "displayName": "Detection of Malicious URLs in Syslog Events", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('analyticRuleObject7').analyticRuleVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting hash correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting Hash All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing Hash data.\n// The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns \nimFileEvent\n| where isnotempty(Hash)\n| extend lowerHash=tolower(Hash)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(FileHashValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerHash=tolower(FileHashValue)\n) on lowerHash\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": 
"ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "InitialAccess", - "Execution", - "Persistence" - ], - "techniques": [ - "T1189", - "T1059", - "T1554" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Hash", - "identifier": "Value" - }, - { - "columnName": "HashType", - "identifier": "Algorithm" - } - ], - "entityType": "FileHash" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 7", - "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": 
"support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting Hash All Actors", - "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting IP correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting IP 
All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (ASimNetworkSessionLogs) can be replaced by any infrastructure table containing ip data.\n// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns \nimNetworkSession\n| where isnotempty(DstIpAddr)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(NetworkIP)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n) on $left.DstIpAddr == $right.NetworkIP\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.DstIpAddr\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project NetworkIP, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "Exfiltration", - "CommandAndControl" - ], - "techniques": [ - "T1041", - "T1568" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "NetworkIP", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": 
"**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 8", - "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting IP All Actors", - "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "id": 
"[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting domain correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting Domain All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.\n// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns \nimDns\n| where isnotempty(Domain)\n| extend lowerDomain=tolower(Domain)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look at Domain IOCs\n| where isnotempty(DomainName)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - 
Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerDomain=tolower(DomainName)\n) on lowerDomain \n// select column from the source table to match with Recorded Future $left.Domain\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "InitialAccess", - "CommandAndControl" - ], - "techniques": [ - "T1566", - "T1568" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Domain", - "identifier": "DomainName" - } - ], - "entityType": "DNS" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 9", - "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting Domain All Actors", - "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - 
"description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Recorded Future Threat Hunting Url correlation for all actors.", - "displayName": "RecordedFuture Threat Hunting Url All Actors", - "enabled": false, - "query": "let ioc_lookBack = 1d;\n// The source table (imWebSession) can be replaced by any infrastructure table containing Url data.\n// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns \nimWebSession\n| where isnotempty(Url)\n| extend lowerUrl=tolower(Url)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(Url)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerUrl=tolower(Url)\n) on lowerUrl\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": 
"Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "ThreatIntelligenceUploadIndicatorsAPI", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - } - ], - "tactics": [ - "Persistence", - "PrivilegeEscalation", - "DefenseEvasion" - ], - "techniques": [ - "T1098", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - } - ], - "customDetails": { - "ActorInformation": "RecordedFuturePortalLink" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n", - "alertDynamicProperties": [ - { - "alertProperty": "AlertLink", - "value": "RecordedFuturePortalLink" - } - ], - "alertDisplayNameFormat": "{{Description}}" - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "enabled": true, - "lookbackDuration": "1h" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", - "properties": { - "description": "Recorded Future Analytics Rule 10", - "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - 
"support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "contentKind": "AnalyticsRule", - "displayName": "RecordedFuture Threat Hunting Url All Actors", - "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-IOC_Enrichment", - "type": "string" - } - }, - "variables": { - "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", - "AzureSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "connection-2": 
"[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateVersion": "2.7", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ], - "properties": { - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "For_each": { - "actions": { - "Parse_JSON_2": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "id": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "properties": { - "type": "object" - }, - "type": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "Switch": { - "cases": { - "Case": { - "actions": { - "Add_comment_to_incident_(V3)_-_Domain": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Domain_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Domain_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_4": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_Domain": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Domain_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_DNS_Resolution": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_DNS_Resolution": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "domainName": { - "type": "string" - }, - "friendlyName": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "case": "DnsResolution" - }, - "Case_2": { - "actions": { - "Add_comment_to_incident_(V3)_-_Hash": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Hash_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Hash_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_3": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_Hash": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Hash_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_File_Hash": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_File_Hash": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "algorithm": { - "type": "string" - }, - "friendlyName": { - "type": "string" - }, - "hashValue": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "case": "FileHash" - }, - "Case_3": { - "actions": { - "Add_comment_to_incident_(V3)_-_URL": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('URL_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "URL_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_2": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Url')?['url']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_URL": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_Url": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "friendlyName": { - "type": "string" - }, - "url": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "URL_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/url/@{encodeURIComponent(body('Parse_JSON_-_Url')?['url'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_Url": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "case": "Url" - }, - "Case_4": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Ip')?['address']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_IP": [ - "Skipped" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_-_IP": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('IP_Enrichment')?['data']?['html_response']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "IP_Enrichment": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "IP_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links", - "htmlresponse": "True" - } - }, - "runAfter": { - "Parse_JSON_-_Ip": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Parse_JSON_-_Ip": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "address": { - "type": "string" - }, - "friendlyName": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "case": "Ip" - } - }, - "expression": "@body('Parse_JSON_2')?['kind']", - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "Switch" - } - }, - "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "runAfter": { - "RFIncidentId": [ - "Succeeded" - ] - }, - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - }, - "type": "Foreach" - }, - "RFIncidentId": { - "inputs": { - "variables": [ - { - "name": "RFIncidentId", - "type": "string", - "value": "@{guid()}" - } - ] - }, - "type": "InitializeVariable" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "IntelligenceCloud": { - "defaultValue": true, - "type": "Bool" - }, - "$connections": { - "type": "Object" - } - }, - "triggers": { 
- "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "recordedfuture": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - "connectionName": "[[variables('RecordedFutureConnectionName')]" - } - } - } - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-IOC_Enrichment", - "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Microsoft Sentinel incident \"Microsoft.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment open the playbook in edit mode and configure/authorize all connections and press save.\"Logic" - ], - "lastUpdateTime": "2024-07-09T00:00:00Z", - "entities": [ - "ip", - "url", - "dnsresolution", - "filehash" - ], - "tags": [ - "Enrichment" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Improved layout and added Recorded Future Collective Insights." 
- ] - }, - { - "version": "1.2", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Fixed risk rule severity and correct image url." - ] - }, - { - "version": "2.3", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Updated readme and improved layout." - ] - }, - { - "version": "2.4", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Handle 404 result from enrichment." - ] - }, - { - "version": "2.5", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Backend rendered markdown/html to increse performance and reduce cost of enrichment." - ] - }, - { - "version": "2.6", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Shorten name from RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash. Renamed API connections" - ] - }, - { - "version": "2.7", - "title": "RecordedFuture-IOC_Enrichment", - "notes": [ - "Reduce concurrency to 1." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-IOC_Enrichment", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.8", - "mainTemplate": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Playbook-Alert-Importer", - "type": "string" - }, - "create_incident": { - "type": "String", - "defaultValue": "false", - "metadata": { - "description": "Create Microsoft Sentinel incidents (possible values true/false)" - } - } - }, - "variables": { - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - 
"parameters": { - "$connections": { - "type": "Object" - }, - "create_incident": { - "type": "String", - "defaultValue": "[[parameters('create_incident')]" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 1 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Search_Playbook_Alerts')", - "actions": { - "Get_Playbook_Alert_by_ID": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" - } - }, - "method": "get", - "path": "/playbook-alert/@{encodeURIComponent(items('For_each')?['playbook_alert_id'])}" - } - }, - "Create_incident_if_parameter_is_set-copy": { - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@body('Create_incident')?['id']", - "message": "

**Recorded Future Alert** @{body('Get_Playbook_Alert_by_ID')?['title']}

Playbook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}

Playbook Alert Type: @{items('For_each')?['category']}

Playbook Alert Priority: @{items('For_each')?['priority']}

Playbook Alert Status: @{item()?['status']}

Playbook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}

[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})


Evidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}


created_date: @{items('For_each')?['created']}

updated_date: @{items('For_each')?['updated']}

" - }, - "path": "/Incidents/Comment" - } - }, - "Create_incident": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "body": { - "title": "@body('Get_Playbook_Alert_by_ID')?['title']", - "severity": "Medium", - "status": "New", - "description": "**Recorded Future Alert**\n@{body('Get_Playbook_Alert_by_ID')?['title']}\nPlaybook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}\nPlaybook Alert Type: @{items('For_each')?['category']}\nPlaybook Alert Priority: @{items('For_each')?['priority']}\nPlaybook Alert Status: @{item()?['status']}\nPlaybook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}\n[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})\n\nEvidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\n\ncreated_date: @{items('For_each')?['created']}\nupdated_date: @{items('For_each')?['updated']}\n\n", - "tagsToAdd": { - "TagsToAdd": [ - { - "Tag": "Recorded Future Playbook Alert" - }, - { - "Tag": "RFPAID:@{item()?['playbook_alert_id']}" - } - ] - } - }, - "path": "/Incidents/subscriptions/5129b3ff-c0c6-4e86-bd1c-70e5fcd579cf/resourceGroups/RF-SaaS-V3.2.2/workspaces/RF-SaaS-V3-2-2" - } - } - }, - "runAfter": { - "Send_Data": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "equals": [ - "@parameters('create_incident')", - "true" - ] - } - ] - }, - "type": "If" - }, - "Send_Data": { - "runAfter": { - "Get_Playbook_Alert_by_ID": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "{\n\"title\": \" @{items('For_each')?['title']}\",\n\"id\": \"@{body('Get_Playbook_Alert_by_ID')?['id']}\",\n\"category\":\"@{items('For_each')?['category']}\",\n\"rule_label\":\"@{coalesce(body('Get_Playbook_Alert_by_ID')?['rule_label'],items('For_each')?['category'])}\",\n\"status\": 
\"@{items('For_each')?['status']}\", \n\"priority\": \"@{items('For_each')?['priority']}\",\n\"created_date\": \"@{items('For_each')?['created']}\",\n\"updated_date\": \"@{items('For_each')?['updated']}\",\n\"targets\":\"@{body('Get_Playbook_Alert_by_ID')?['targets']}\",\n\"evidence_summary\": \"@{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\",\n\"link\": \"@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])}\"\n}", - "headers": { - "Log-Type": "RecordedFuturePlaybookAlerts" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - }, - "runAfter": { - "Search_Playbook_Alerts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Search_Playbook_Alerts": { - "type": "ApiConnection", - "inputs": { - "body": { - "updated_from_relative": "-1", - "categories": "[variables('TemplateEmptyArray')]" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" - } - }, - "method": "post", - "path": "/playbook-alert/search" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - }, - "recordedfuturev2": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - 
"connectionName": "[[variables('RecordedFutureConnectionName')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "PlaybookAlert-Import", - "hidden-SentinelTemplateVersion": "1.3", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - 
"apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Playbook-Alert-Importer", - "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." 
- ], - "lastUpdateTime": "2024-07-09T00:00:00Z", - "tags": [ - "Alert" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "Changed default search parameters for playbook alert serach." - ] - }, - { - "version": "1.2", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "API connector renaming." - ] - }, - { - "version": "1.3", - "title": "RecordedFuture-Playbook-Alert-Importer", - "notes": [ - "Added Incident creation." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Playbook-Alert-Importer", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-AlertImporter Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-AlertImporter", - "type": "string" - }, - 
"create_incident": { - "type": "string", - "metadata": { - "description": "Create Microsoft Sentinel incidents (possible values true/false)" - } - }, - "workspace_name": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Microsoft Sentinel Workspace name" - } - } - }, - "variables": { - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-4": "[[variables('connection-4')]", - "connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-5": "[[variables('connection-5')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - 
"definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "create_incident": { - "type": "string", - "defaultValue": "[[parameters('create_incident')]" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 1 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each_triggered_alert": { - "foreach": "@body('Search_Triggered_Alerts')?['data']", - "actions": { - "Create_incident_if_parameter_is_set": { - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Create_incident')?['id']", - "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Create_incident": { - "type": "ApiConnection", - "inputs": { - "body": { - "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", - "severity": "Medium", - "status": "New", - "tagsToAdd": { - "TagsToAdd": [ - { - "Tag": "Recorded Future Alert" - } - ] - }, - "title": "@items('For_each_triggered_alert')?['title']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "[[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" - } - }, - "Parse_JSON_2": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_triggered_alert')?['hits']", - "schema": { - "items": { - "properties": { - "document": { - "properties": { - "authors": { - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - } - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": 
{ - "type": "string" - }, - "language": { - "type": "string" - } - }, - "required": [ - "entities", - "document", - "fragment", - "id", - "language", - "primary_entity", - "analyst_note" - ], - "type": "object" - }, - "type": "array" - } - } - } - }, - "runAfter": { - "For_each_hit": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "equals": [ - "@parameters('create_incident')", - "true" - ] - } - ] - }, - "type": "If" - }, - "For_each_hit": { - "foreach": "@items('For_each_triggered_alert')['hits']", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_hit')", - "schema": { - "properties": { - "document": { - "properties": { - "authors": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "source": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": [ - "object", - "null" - ] - }, - "title": { - "type": [ - "string", - "null" - ] - } - }, - "type": "object" - }, - "entities": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "name", - "type" - ], - "type": "object" - }, - "type": "array" - }, - "fragment": { - "type": "string" - }, - "id": { - "type": "string" - }, - "language": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "Send_Data_2": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{replace(replace(items('For_each_triggered_alert')?['title'], '\\', '\\\\'), '\"', 
'\\\"')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(replace(coalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''), '\\', '\\\\'), '\"', '\\\"')}\",\n\"Fragment\": \"@{replace(replace(coalesce(body('Parse_JSON')?['fragment'],''), '\\', '\\\\'), '\"', '\\\"')}\"}", - "headers": { - "Log-Type": "RecordedFuturePortalAlerts" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - }, - "type": "Foreach" - } - }, - "runAfter": { - "Search_Triggered_Alerts": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "latest_event_date", - "type": "string", - "value": "@{addHours(utcNow(), -24)}" - } - ] - } - }, - "Run_query_and_list_results": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))", - "host": { - "connection": { - "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" - } - }, - "method": "post", - "path": "/queryData", - "queries": { - "resourcegroups": "[[resourceGroup().name]", - "resourcename": "[[parameters('workspace_name')]", - "resourcetype": "Log Analytics Workspace", - "subscriptions": "[[subscription().subscriptionId]", - "timerange": "Last 7 days" - } - } - }, - "Search_Triggered_Alerts": { - "runAfter": { - "Set_variable": [ - "Succeeded", - "Skipped" - ] - }, - "type": "ApiConnection", - "inputs": 
{ - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" - } - }, - "method": "get", - "path": "/v2/alerts", - "queries": { - "triggered": "[[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" - } - } - }, - "Set_variable": { - "runAfter": { - "Run_query_and_list_results": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "latest_event_date", - "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - }, - "azuremonitorlogs": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", - "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" - }, - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "recordedfuturev2": { - "connectionId": "[[resourceId('Microsoft.Web/connections', 
variables('Recordedfuturev2ConnectionName'))]", - "connectionName": "[[variables('Recordedfuturev2ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", - "hidden-SentinelTemplateVersion": "1.3", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzuremonitorlogsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzuremonitorlogsConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": 
"[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Recordedfuturev2ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Recordedfuturev2ConnectionName')]", - "api": { - "id": "[[variables('_connection-5')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Alert-Importer", - "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. 
", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-08-23T00:00:00Z", - "tags": [ - "Alert" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "Fixed ARM encoding" - ] - }, - { - "version": "1.2", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "API connector renaming." - ] - }, - { - "version": "1.3", - "title": "RecordedFuture-Alert-Importer", - "notes": [ - "Encoding and latest_event_date fix." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-AlertImporter", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 
3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "string" - }, - "WorkspaceID": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Microsoft Sentinel WorkspaceID, guid format (example:75a5bccc-7a5c-4e3f-ad57-36be224c4d2e). WorkspaceID can be found under Log Analytics Workspaces blade. " - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Batch_messages": { - "type": "Batch", - "inputs": { - "configurations": { - "RFImportToSentinel": { - "releaseCriteria": { - "messageCount": 100, - "recurrence": { - "frequency": "Minute", - "interval": 2 - } - } - } - }, - "mode": "Inline" - } - } - }, - "actions": { - "Select": { - "type": "Select", - "inputs": { - "from": "@triggerBody()['items']", - "select": "@item()['content']" - } - }, - "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": { - "runAfter": { - 
"Select": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "indicators": "@body('Select')", - "sourcesystem": "Recorded Future" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" - } - }, - "method": "post", - "path": "[[concat( '/V2/ThreatIntelligence/',parameters('WorkspaceID'),'/UploadIndicators/')]", - "retryPolicy": { - "count": 10, - "interval": "PT20S", - "maximumInterval": "PT1H", - "minimumInterval": "PT10S", - "type": "exponential" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ThreatIntelligenceImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - 
"id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ThreatIntelligenceImport", - "description": "This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.", - "prerequisites": [ - "Microsoft Sentinel Threat Intelligence active" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." 
- ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-ThreatIntelligenceImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "RecordedFuture-ThreatIntelligenceImport", - "notes": [ - "Fixed Api connection" - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId4')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-ThreatIntelligenceImport", - "contentProductId": "[variables('_playbookcontentProductId4')]", - "id": "[variables('_playbookcontentProductId4')]", - "version": "[variables('playbookVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Domain-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 2 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - 
"batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - Domains - Command and Control Activity", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[domain-name:value = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),2)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/domain_c2_dns.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - 
"identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", - "kind": "Playbook", - "version": "[variables('playbookVersion5')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Domain-IndicatorImport", - "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - 
"First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Domain-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId5')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Domain-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId5')]", - "id": "[variables('_playbookcontentProductId5')]", - "version": "[variables('playbookVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion6')]", - 
"parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Hash-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - 
"type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),24)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/hash_observed_testing.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - 
"connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId6')]", - "contentId": "[variables('_playbookContentId6')]", - "kind": "Playbook", - "version": "[variables('playbookVersion6')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], 
- "metadata": { - "title": "RecordedFuture-Hash-IndicatorImport", - "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Hash-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." 
- ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId6')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Hash-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId6')]", - "id": "[variables('_playbookcontentProductId6')]", - "version": "[variables('playbookVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion7')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-IP-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "RecordedFutureThreatIntelligenceImport": "[[parameters('PlaybookNameBatching')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": 
"[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ThreatIntelligenceImport": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - IP - Actively Communicating C&C Server", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], 
- "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[ipv4-addr:value = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),1)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/ip_active_c2.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - 
"[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId7')]", - "contentId": "[variables('_playbookContentId7')]", - "kind": "Playbook", - "version": "[variables('playbookVersion7')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-IP-IndicatorImport", - "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - 
"Refer to [Recorded Future Logic App - Threat Intelligence Import](../readme.md) documentation for deployment instructions." - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T17:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-IP-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId7')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-IP-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId7')]", - "id": "[variables('_playbookcontentProductId7')]", - "version": "[variables('playbookVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-URL-IndicatorImport", - "type": "string" - }, - "PlaybookNameBatching": { - "defaultValue": 
"RecordedFuture-ThreatIntelligenceImport", - "type": "String" - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 2 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "actions": { - "Parse_JSON": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - 
"type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture-ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "created": "@{utcNow()}", - "description": "Recorded Future - URL - Recently Reported by Insikt Group", - "id": "indicator--@{guid()}", - "indicator_types": [ - "malicious-activity" - ], - "labels": [ - "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" - ], - "modified": "@{utcNow()}", - "name": "@{body('Parse_JSON')?['Name']}", - "pattern": "[[[url:value = '@{body('Parse_JSON')?['Name']}']", - "pattern_type": "stix", - "spec_version": "2.1", - "type": "indicator", - "valid_from": "@{utcNow()}", - "valid_until": "@{addHours(utcNow(),2)}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/url_insikt.json" - } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "[[variables('RecordedfutureConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Recordedfuturev2')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", - "kind": "Playbook", - "version": "[variables('playbookVersion8')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-URL-IndicatorImport", - "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, 
for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", - "prerequisites": [ - "First install the RecordedFuture-ThreatIntelligenceImport playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-URL-IndicatorImport", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId8')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-URL-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId8')]", - "id": "[variables('_playbookcontentProductId8')]", - "version": "[variables('playbookVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 
3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion9')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-Sandbox_Enrichment-Url", - "type": "string" - }, - "Sandbox API Key": { - "type": "string", - "metadata": { - "description": "Enter value for Sandbox API Key. Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" - } - } - }, - "variables": { - "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", - "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "Sandbox API Key": { - "defaultValue": "[[parameters('Sandbox API Key')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" 
- }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_URLs": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/url" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", - "actions": { - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Get_the_full_report": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_the_full_report')?['html_report']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - }, - "Get_the_full_report": { - "runAfter": { - "Wait_for_sandbox_report": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "headers": { - "SandboxToken": "@parameters('Sandbox API Key')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } - }, - "method": "get", - "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" - } - }, - "Initialize_Sandbox_status": { - "runAfter": { - "Submit_url_samples": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Submit_url_samples')?['status']" - } - }, - "Submit_url_samples": { - "type": "ApiConnection", - "inputs": { - "body": { - "url": "@items('For_each')?['Url']" - }, - "headers": { - "Content-Type": "application/json", - "SandboxToken": "@parameters('Sandbox API Key')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } - }, - "method": "post", - "path": "/samples/url" - } - }, - "Wait_for_sandbox_report": { - "actions": { - "Delay": { - "runAfter": { - "Set_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": { - "count": 2, - "unit": "Minute" - } - } - }, - "Get_the_full_summary": { - "type": "ApiConnection", - "inputs": { - "headers": { - "SandboxToken": "@parameters('Sandbox API Key')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } - }, - "method": "get", - "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" - } - }, - "Set_sandbox_status": { - "runAfter": { - "Get_the_full_summary": [ - "Succeeded" - ] - }, - "type": "SetVariable", - "inputs": { - "name": 
"sandbox_status", - "value": "@body('Get_the_full_summary')?['status']" - } - } - }, - "runAfter": { - "Initialize_Sandbox_status": [ - "Succeeded" - ] - }, - "expression": "@equals(variables('sandbox_status'), 'reported')", - "limit": { - "count": 60, - "timeout": "PT1H" - }, - "type": "Until" - } - }, - "runAfter": { - "Define_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Define_sandbox_status": { - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "sandbox_status", - "type": "string" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "recordedfuturesandbo": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", - "connectionName": "recordedfuturesandbo", - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - 
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId9')]", - "contentId": "[variables('_playbookContentId9')]", - "kind": "Playbook", - "version": "[variables('playbookVersion9')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-Sandbox_Enrichment-Url", - "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. 
The result will be written as a incident comment.", - "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "postDeployment": [ - "After deployment you have to open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "entities": [ - "url" - ], - "tags": [ - "Enrichment" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-Sandbox_Enrichment-Url", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId9')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-Sandbox_Enrichment-Url", - "contentProductId": "[variables('_playbookcontentProductId9')]", - "id": "[variables('_playbookcontentProductId9')]", - "version": "[variables('playbookVersion9')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-CustomConnector Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('playbookVersion10')]", - "parameters": { - "ConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "String", - "metadata": { - "description": "Recorded Future Custom Connector" - } - }, - "ServiceEndpoint": { - "defaultValue": "https://api.recordedfuture.com/gw/azure", - "type": "String", - "metadata": { - "description": "Recorded Future API" - } - } - }, - "variables": { - "operationId-IP_Enrichment": "IP_Enrichment", - "_operationId-IP_Enrichment": "[[variables('operationId-IP_Enrichment')]", - "operationId-Threat_Map_Actors": "Threat_Map_Actors", - "_operationId-Threat_Map_Actors": "[[variables('operationId-Threat_Map_Actors')]", - "operationId-Threat_Map_Malware": "Threat_Map_Malware", - "_operationId-Threat_Map_Malware": "[[variables('operationId-Threat_Map_Malware')]", - "operationId-Domain_Enrichment": "Domain_Enrichment", - "_operationId-Domain_Enrichment": "[[variables('operationId-Domain_Enrichment')]", - "operationId-Url_Enrichment": "Url_Enrichment", - "_operationId-Url_Enrichment": "[[variables('operationId-Url_Enrichment')]", - "operationId-Hash_Enrichment": "Hash_Enrichment", - "_operationId-Hash_Enrichment": "[[variables('operationId-Hash_Enrichment')]", - "operationId-Vuln_Enrichment": "Vuln_Enrichment", - "_operationId-Vuln_Enrichment": "[[variables('operationId-Vuln_Enrichment')]", - "operationId-Alert_Rules_Search": "Alert_Rules_Search", - "_operationId-Alert_Rules_Search": "[[variables('operationId-Alert_Rules_Search')]", - "operationId-Alert_Not_Search": "Alert_Not_Search", - "_operationId-Alert_Not_Search": "[[variables('operationId-Alert_Not_Search')]", - "operationId-Alert_Not_Lookup": "Alert_Not_Lookup", - "_operationId-Alert_Not_Lookup": "[[variables('operationId-Alert_Not_Lookup')]", - "operationId-Rislk_List_Download": "Rislk_List_Download", - "_operationId-Rislk_List_Download": "[[variables('operationId-Rislk_List_Download')]", - "operationId-Soar_Bulk_Lookup": "Soar_Bulk_Lookup", - 
"_operationId-Soar_Bulk_Lookup": "[[variables('operationId-Soar_Bulk_Lookup')]", - "operationId-STIX_Indicators": "STIX_Indicators", - "_operationId-STIX_Indicators": "[[variables('operationId-STIX_Indicators')]", - "operationId-STIX_MalwareIndicators": "STIX_MalwareIndicators", - "_operationId-STIX_MalwareIndicators": "[[variables('operationId-STIX_MalwareIndicators')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "playbookContentId10": "RecordedFuture-CustomConnector", - "playbookId10": "[[resourceId('Microsoft.Web/customApis', parameters('ConnectorName'))]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/customApis", - "apiVersion": "2016-06-01", - "name": "[[parameters('ConnectorName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "connectionParameters": { - "api_key": { - "type": "securestring" - } - }, - "backendService": { - "serviceUrl": "[[parameters('ServiceEndPoint')]" - }, - "capabilities": "[variables('TemplateEmptyArray')]", - "brandColor": "#FFFFFF", - "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files.", - "displayName": "[[parameters('ConnectorName')]", - "iconUri": "", - "swagger": { - "swagger": "2.0", - "info": { - "title": "Recorded Future V2", - "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. 
The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files", - "contact": { - "name": "Recorded Future Support", - "url": "https://support.recordedfuture.com", - "email": "support@recordedfuture.com" - }, - "version": "1.0" - }, - "host": "api.recordedfuture.com", - "basePath": "/gw/azure", - "schemes": [ - "https" - ], - "paths": { - "/lookup/ip/{ip}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": 
"string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "IP Enrichment", - "description": "IP Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-IP_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "ip", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The IP address to lookup. Must be a single IP address", - "x-ms-summary": "IP input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
- } - ] - } - }, - "/threat/map/actors": { - "post": { - "tags": [ - "Threat Hunt" - ], - "summary": "Fetch Threat Map actors", - "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", - "operationId": "[[variables('_operationId-Threat_Map_Actors')]", - "x-ms-visibility": "important", - "consumes": [ - "application/json" - ], - "parameters": [ - { - "name": "body", - "in": "body", - "required": true, - "x-ms-visibility": "important", - "schema": { - "type": "object", - "x-ms-visibility": "important", - "properties": { - "actors": { - "description": "List of actors", - "type": "array", - "items": { - "type": "string", - "description": "Description actor1", - "title": "Title actor1", - "x-ms-visibility": "important" - } - }, - "categories": { - "description": "List of categories", - "type": "array", - "items": { - "type": "string", - "description": "Description category1", - "title": "Title category1", - "x-ms-visibility": "important" - } - }, - "watchlists": { - "description": "List of watchlists", - "type": "array", - "items": { - "type": "string", - "description": "Description watchlist1", - "title": "Title watchlist1", - "x-ms-visibility": "important" - } - } - }, - "required": [ - "actors", - "categories", - "watchlists" - ] - } - } - ], - "responses": { - "200": { - "description": "Returns Threat Map", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatMapActors" - } - } - } - } - } - } - }, - "/threat/map/malware": { - "post": { - "tags": [ - "Threat Hunt" - ], - "summary": "Fetch Threat Map malware", - "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", - "operationId": "[[variables('_operationId-Threat_Map_Malware')]", - "x-ms-visibility": "important", - "consumes": [ - "application/json" - ], - "parameters": [ - { - "name": "body", - "in": "body", - "required": true, - "x-ms-visibility": "important", - "schema": { - "type": 
"object", - "x-ms-visibility": "important", - "properties": { - "malware": { - "description": "List of malware", - "type": "array", - "items": { - "type": "string", - "description": "Description malware1", - "title": "Title malware1", - "x-ms-visibility": "important" - } - }, - "categories": { - "description": "List of categories", - "type": "array", - "items": { - "type": "string", - "description": "Description category1", - "title": "Title category1", - "x-ms-visibility": "important" - } - }, - "watchlists": { - "description": "List of watchlists", - "type": "array", - "items": { - "type": "string", - "description": "Description watchlist1", - "title": "Title watchlist1", - "x-ms-visibility": "important" - } - } - }, - "required": [ - "malware", - "categories", - "watchlists" - ] - } - } - ], - "responses": { - "200": { - "description": "Returns Threat Map", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatMapMalware" - } - } - } - } - } - } - }, - "/lookup/domain/{domain}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" 
- }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "advanced" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "Domain Enrichment", - "description": "Domain Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-Domain_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "domain", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The domain to lookup. 
Must be a single domain", - "x-ms-summary": "Domain input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/lookup/url/{url}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": 
"rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "URL Enrichment", - "description": "URL Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-Url_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "url", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The URL to lookup. Must be a single URL", - "x-ms-summary": "URL input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
- } - ] - } - }, - "/lookup/hash/{hash}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Indicator Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Indicator Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Indicator Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - "type": "integer", - 
"format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "Hash Enrichment", - "description": "Hash Enrichment with Recorded Future data", - "operationId": "[[variables('_operationId-Hash_Enrichment')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "hash", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The HASH to lookup. Must be a single HASH", - "x-ms-summary": "HASH input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
- } - ] - } - }, - "/lookup/vulnerability/{id}": { - "get": { - "tags": [ - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "intelCard": { - "type": "string", - "description": "Recorded Future Intelligence Card Link", - "title": "intelCard", - "x-ms-visibility": "important" - }, - "risk": { - "type": "object", - "properties": { - "criticalityLabel": { - "type": "string", - "description": "Recorded Future Vulnerability Criticality Level", - "title": "criticalityLabel", - "x-ms-visibility": "important" - }, - "score": { - "type": "integer", - "format": "int32", - "description": "Recorded Future Vulnerability Risk Score", - "title": "score", - "x-ms-visibility": "important" - }, - "evidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "mitigationString": { - "type": "string", - "description": "Mitigating string", - "x-ms-visibility": "internal" - }, - "timestamp": { - "type": "string", - "description": "Timestamp", - "x-ms-visibility": "internal" - }, - "criticalityLabel": { - "type": "string", - "description": "Criticality label", - "x-ms-visibility": "internal" - }, - "evidenceString": { - "type": "string", - "description": "Recorded Future Risk Rules Evidence Details", - "title": "evidenceString", - "x-ms-visibility": "advanced" - }, - "rule": { - "type": "string", - "description": "Recorded Future Vulnerability Risk Rules", - "title": "rule", - "x-ms-visibility": "important" - }, - "criticality": { - "type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - } - } - }, - "description": "Evidence details" - }, - "riskString": { - "type": "string", - "description": "Risk string", - "x-ms-visibility": "internal" - }, - "rules": { - "type": "integer", - "format": "int32", - "description": "Rules", - "x-ms-visibility": "internal" - }, - "criticality": { - 
"type": "integer", - "format": "int32", - "description": "Criticality", - "x-ms-visibility": "internal" - }, - "riskSummary": { - "type": "string", - "description": "Recorded Future Risk Rules Summary", - "title": "riskSummary", - "x-ms-visibility": "advanced" - } - }, - "description": "Risk" - }, - "links": { - "$ref": "#/definitions/Links" - } - }, - "description": "Data" - } - } - } - } - }, - "summary": "Vulnerability Enrichment", - "description": "Vulnerability Enrichment with Recorded Future data", - "parameters": [ - { - "name": "id", - "in": "path", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "description": "The Vulnerability ID (CVE, name) to lookup. Must be a single Vulnerability ID (CVE, name)", - "x-ms-summary": "Vulnerability ID (CVE, name) input", - "x-ms-url-encoding": "single" - }, - { - "name": "fields", - "in": "query", - "required": true, - "type": "string", - "default": "intelCard,risk,links", - "x-ms-visibility": "internal" - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
- } - ], - "operationId": "[[variables('_operationId-Vuln_Enrichment')]", - "x-ms-visibility": "advanced" - } - }, - "/alert/rules": { - "get": { - "tags": [ - "Alerts" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "results": { - "type": "array", - "items": { - "type": "object", - "properties": { - "title": { - "type": "string", - "description": "Title", - "title": "Alert Rule Title", - "x-ms-visibility": "advanced" - }, - "id": { - "type": "string", - "description": "Id", - "title": "Alert Rule ID", - "x-ms-visibility": "important" - } - } - }, - "description": "Results" - } - }, - "description": "Data" - }, - "counts": { - "type": "object", - "properties": { - "returned": { - "type": "integer", - "format": "int32", - "description": "Returned", - "title": "Returned Number of Alert Rules", - "x-ms-visibility": "advanced" - }, - "total": { - "type": "integer", - "format": "int32", - "description": "Total", - "title": "Total Number of Alert Rules", - "x-ms-visibility": "advanced" - } - }, - "description": "Counts" - } - } - } - } - }, - "summary": "Search Alert Rules", - "description": "Search Recorded Future UI Alert Rules", - "operationId": "[[variables('_operationId-Alert_Rules_Search')]", - "x-ms-visibility": "advanced", - "parameters": [ - { - "name": "freetext", - "in": "query", - "required": false, - "type": "string", - "description": "Freetext search for Alert Rule Name", - "x-ms-visibility": "advanced", - "x-ms-summary": "Freetext search" - }, - { - "name": "limit", - "in": "query", - "required": false, - "type": "integer", - "default": 10, - "x-ms-visibility": "advanced", - "description": "Maximum number of records", - "x-ms-summary": "Maximum number of records" - } - ] - } - }, - "/alert/search": { - "get": { - "tags": [ - "Alerts" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "$ref": 
"#/definitions/AlertSearch" - } - } - }, - "summary": "Search Alert Notifications", - "operationId": "[[variables('_operationId-Alert_Not_Search')]", - "x-ms-visibility": "advanced", - "parameters": [ - { - "name": "triggered", - "in": "query", - "required": false, - "type": "string", - "description": "All Elasticsearch compatible date formats are valid.", - "x-ms-summary": "Triggered", - "x-ms-visibility": "advanced" - }, - { - "name": "alertRule", - "in": "query", - "required": true, - "type": "string", - "description": "Alert Rule ID", - "x-ms-visibility": "important", - "x-ms-summary": "Alert Rule ID" - }, - { - "name": "limit", - "in": "query", - "required": false, - "type": "integer", - "default": 10, - "x-ms-visibility": "advanced", - "description": "Maximum number of records", - "x-ms-summary": "Maximum number of records" - }, - { - "name": "from", - "in": "query", - "required": false, - "type": "integer", - "description": "Records from offset", - "x-ms-visibility": "advanced", - "x-ms-summary": "Records from offset" - } - ], - "description": "Search Alert Notifications" - } - }, - "/alert/{id}": { - "get": { - "tags": [ - "Alerts" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "$ref": "#/definitions/AlertLookup" - } - } - }, - "summary": "Lookup Alert Notification", - "description": "Lookup Alert Notification", - "operationId": "[[variables('_operationId-Alert_Not_Lookup')]", - "parameters": [ - { - "name": "id", - "in": "path", - "required": true, - "type": "string", - "description": "Alert Notification ID", - "x-ms-visibility": "important", - "x-ms-summary": "Alert Notification ID", - "x-ms-url-encoding": "single" - } - ], - "x-ms-visibility": "advanced" - } - }, - "/fusion/files": { - "get": { - "tags": [ - "Fusion Files" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "array", - "items": { - "type": "object", - "properties": { - "Name": { - "type": "string" - }, - "Risk": { - "type": 
"integer" - }, - "RiskString": { - "type": "string" - }, - "EvidenceDetails": { - "type": "object", - "properties": { - "EvidenceDetails": { - "type": "array", - "items": { - "type": "object", - "properties": { - "Rule": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "CriticalityLabel": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - }, - "MitigationString": { - "type": "string" - }, - "Criticality": { - "type": "integer" - } - } - } - } - } - } - } - } - } - } - }, - "summary": "Recorded Future RiskLists and SCF Download", - "description": "Recorded Future RiskList & Security Control Feeds Download", - "operationId": "[[variables('_operationId-Rislk_List_Download')]", - "x-ms-visibility": "important", - "parameters": [ - { - "name": "path", - "in": "query", - "required": true, - "type": "string", - "x-ms-visibility": "important", - "enum": [ - "/public/MicrosoftAzure/ip_default.json", - "/public/MicrosoftAzure/ip_gt_90.json", - "/public/MicrosoftAzure/ip_active_c2.json", - "/public/MicrosoftAzure/ip_current_c2.json", - "/public/MicrosoftAzure/ip_botnet.json", - "/public/MicrosoftAzure/ip_insikt.json", - "/public/MicrosoftAzure/ip_phishing.json", - "/public/MicrosoftAzure/domain_default.json", - "/public/MicrosoftAzure/domain_gt_90.json", - "/public/MicrosoftAzure/domain_c2_dns.json", - "/public/MicrosoftAzure/domain_ransomware_payment.json", - "/public/MicrosoftAzure/domain_recent_weaponized.json", - "/public/MicrosoftAzure/domain_insikt.json", - "/public/MicrosoftAzure/domain_covid_lure.json", - "/public/MicrosoftAzure/domain_phishing.json", - "/public/MicrosoftAzure/url_gt_90.json", - "/public/MicrosoftAzure/url_c2.json", - "/public/MicrosoftAzure/url_ransomware_distribution.json", - "/public/MicrosoftAzure/url_compromised.json", - "/public/MicrosoftAzure/url_insikt.json", - "/public/MicrosoftAzure/url_malware_verdict.json", - "/public/MicrosoftAzure/hash_targeting_vulns.json", - 
"/public/MicrosoftAzure/hash_observed_testing.json", - "/public/MicrosoftAzure/hash_malware_ssl.json", - "/public/MicrosoftAzure/vuln_default.json", - "/public/MicrosoftAzure/vuln_gt_90.json", - "/public/MicrosoftAzure/vuln_recent_active_malware.json", - "/public/MicrosoftAzure/vuln_recent_exploit_kit.json", - "/public/MicrosoftAzure/vuln_recent_ransomware.json", - "/public/MicrosoftAzure/vuln_recent_rat.json", - "/public/MicrosoftAzure/vuln_recent_poc_remote.json", - "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json", - "/public/MicrosoftAzure/vuln_exploited_itw_malware.json", - "/public/MicrosoftAzure/vuln_critical_cyber_signal.json", - "/public/prevent/c2_communicating_ips.json", - "/public/prevent/weaponized_domains.json", - "/public/prevent/weaponized_urls.json", - "/public/ukraine/ukraine_russia_ip.csv", - "/public/ukraine/ukraine_russia_domain.csv", - "/public/ukraine/ukraine_russia_hash.csv", - "/public/ukraine/ukraine_russia_url.csv" - ], - "x-ms-editor-options": { - "items": [ - { - "title": "IP - Default RiskList", - "value": "/public/MicrosoftAzure/ip_default.json" - }, - { - "title": "IP - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/ip_gt_90.json" - }, - { - "title": "IP - Actively Communicating C&C Server", - "value": "/public/MicrosoftAzure/ip_active_c2.json" - }, - { - "title": "IP - Current C&C Server", - "value": "/public/MicrosoftAzure/ip_current_c2.json" - }, - { - "title": "IP - Recent Botnet Traffic", - "value": "/public/MicrosoftAzure/ip_botnet.json" - }, - { - "title": "IP - Recently Reported by Insikt Group", - "value": "/public/MicrosoftAzure/ip_insikt.json" - }, - { - "title": "IP - Phishing Host", - "value": "/public/MicrosoftAzure/ip_phishing.json" - }, - { - "title": "IP - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_ip.csv" - }, - { - "title": "DOMAIN - Default RiskList", - "value": "/public/MicrosoftAzure/domain_default.json" - }, - { - "title": "DOMAIN - 90+ (Very Malicious) 
RiskList", - "value": "/public/MicrosoftAzure/domain_gt_90.json" - }, - { - "title": "DOMAIN - C&C DNS Name", - "value": "/public/MicrosoftAzure/domain_c2_dns.json" - }, - { - "title": "DOMAIN - Ransomware Payment DNS Name", - "value": "/public/MicrosoftAzure/domain_ransomware_payment.json" - }, - { - "title": "DOMAIN - Recently Active Weaponized Domain", - "value": "/public/MicrosoftAzure/domain_recent_weaponized.json" - }, - { - "title": "DOMAIN - Recently Reported by Insikt Group", - "value": "/public/MicrosoftAzure/domain_insikt.json" - }, - { - "title": "DOMAIN - Recent COVID-19-Related Domain Lure: Malicious", - "value": "/public/MicrosoftAzure/domain_covid_lure.json" - }, - { - "title": "DOMAIN - Recent Phishing Lure: Malicious", - "value": "/public/MicrosoftAzure/domain_phishing.json" - }, - { - "title": "DOMAIN - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_domain.csv" - }, - { - "title": "URL - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/url_gt_90.json" - }, - { - "title": "URL - C&C URL", - "value": "/public/MicrosoftAzure/url_c2.json" - }, - { - "title": "URL - Ransomware Distribution URL", - "value": "/public/MicrosoftAzure/url_ransomware_distribution.json" - }, - { - "title": "URL - Compromised URL", - "value": "/public/MicrosoftAzure/url_compromised.json" - }, - { - "title": "URL - Recently Reported by Insikt Group", - "value": "/public/MicrosoftAzure/url_insikt.json" - }, - { - "title": "URL - Positive Malware Verdict", - "value": "/public/MicrosoftAzure/url_malware_verdict.json" - }, - { - "title": "URL - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_url.csv" - }, - { - "title": "HASH - Recently Active Targeting Vulnerabilities in the Wild", - "value": "/public/MicrosoftAzure/hash_targeting_vulns.json" - }, - { - "title": "HASH - Observed in Underground Virus Testing Sites ", - "value": "/public/MicrosoftAzure/hash_observed_testing.json" - }, - { - "title": "HASH - Malware SSL 
Certificate Fingerprint", - "value": "/public/MicrosoftAzure/hash_malware_ssl.json" - }, - { - "title": "HASH - Ukraine Russia Conflict", - "value": "/public/ukraine/ukraine_russia_hash.csv" - }, - { - "title": "(SCF) Security Control Feed: Command and Control IPs", - "value": "/public/prevent/c2_communicating_ips.json" - }, - { - "title": "(SCF) Security Control Feed: Weaponized Domains", - "value": "/public/prevent/weaponized_domains.json" - }, - { - "title": "(SCF) Security Control Feed: Weaponized URLs", - "value": "/public/prevent/weaponized_urls.json" - }, - { - "title": "VULNERABILITY - Default RiskList", - "value": "/public/MicrosoftAzure/vuln_default.json" - }, - { - "title": "VULNERABILITY - 90+ (Very Malicious) RiskList", - "value": "/public/MicrosoftAzure/vuln_gt_90.json" - }, - { - "title": "VULNERABILITY - Exploited in the Wild by Recently Active Malware", - "value": "/public/MicrosoftAzure/vuln_recent_active_malware.json" - }, - { - "title": "VULNERABILITY - Recently Linked to Exploit Kit", - "value": "/public/MicrosoftAzure/vuln_recent_exploit_kit.json" - }, - { - "title": "VULNERABILITY - Recently Linked to Ransomware", - "value": "/public/MicrosoftAzure/vuln_recent_ransomware.json" - }, - { - "title": "VULNERABILITY - Recently Linked to Remote Access Trojan", - "value": "/public/MicrosoftAzure/vuln_recent_rat.json" - }, - { - "title": "VULNERABILITY - Recent Verified Proof of Concept Available Using Remote Execution", - "value": "/public/MicrosoftAzure/vuln_recent_poc_remote.json" - }, - { - "title": "VULNERABILITY - Recently Observed Exploit/Tool Development in the Wild", - "value": "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json" - }, - { - "title": "VULNERABILITY - Exploited in the Wild by Malware", - "value": "/public/MicrosoftAzure/vuln_exploited_itw_malware.json" - }, - { - "title": "VULNERABILITY - Cyber Exploit Signal: Critical", - "value": "/public/MicrosoftAzure/vuln_critical_cyber_signal.json" - } - ] - }, - "description": 
"Path to file", - "x-ms-summary": "Path to file" - } - ] - } - }, - "/soar/lookup": { - "post": { - "tags": [ - "SOAR", - "Lookup" - ], - "responses": { - "200": { - "description": "Default", - "schema": { - "type": "object", - "properties": { - "counts": { - "type": "object", - "properties": { - "returned": { - "type": "integer" - }, - "total": { - "type": "integer" - } - } - }, - "data": { - "type": "object", - "properties": { - "results": { - "type": "array", - "items": { - "type": "object", - "properties": { - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - }, - "risk": { - "type": "object", - "properties": { - "context": { - "type": "object" - }, - "level": { - "type": "number" - }, - "rule": { - "type": "object" - }, - "score": { - "type": "number" - } - } - } - } - } - } - } - } - } - } - } - }, - "summary": "SOAR API - Look up multiple entities", - "description": "SOAR API - Look up multiple entities (Specific Access is Required)", - "operationId": "[[variables('_operationId-Soar_Bulk_Lookup')]", - "x-ms-visibility": "important", - "consumes": [ - "application/json" - ], - "parameters": [ - { - "name": "body", - "in": "body", - "required": false, - "schema": { - "type": "object", - "properties": { - "ip": { - "type": "array", - "items": { - "type": "string", - "description": "An IP or array of IPs: array[string]", - "title": "IP", - "x-ms-visibility": "important" - }, - "description": "Ip" - }, - "url": { - "type": "array", - "items": { - "type": "string", - "description": "An URL or array of URLs: array[string]", - "title": "URL", - "x-ms-visibility": "important" - }, - "description": "Url" - }, - "domain": { - "type": "array", - "items": { - "type": "string", - "description": "A domain or array of domains: array[string]", - "title": "Domain", - "x-ms-visibility": "important" - }, - "description": "Domain" - }, - "hash": { - "type": "array", - 
"items": { - "type": "string", - "description": "A hash or array of hashes: array[string]", - "title": "HASH", - "x-ms-visibility": "advanced" - }, - "description": "Hash" - }, - "vulnerability": { - "type": "array", - "items": { - "type": "string", - "description": "A vulnerability ID or an array of vulnerability IDs: array[string]", - "title": "Vulnerability", - "x-ms-visibility": "advanced" - }, - "description": "Vulnerability" - } - } - } - }, - { - "name": "IntelligenceCloudTracking", - "in": "query", - "required": false, - "type": "boolean", - "default": true, - "description": "Consent", - "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." - } - ] - } - }, - "/threat/indicators/actors": { - "post": { - "tags": [ - "Threat Hunt", - "STIX" - ], - "summary": "Fetch Threat Indicators for Actors in STIX format.", - "parameters": [ - { - "name": "body", - "in": "body", - "schema": { - "type": "object", - "properties": { - "actors": { - "type": "array", - "items": { - "type": "string", - "example": "QCwdoU" - } - }, - "categories": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchlists": { - "type": "array", - "items": { - "type": "string" - } - }, - "trigger_score_ip": { - "type": "integer", - "example": 85 - }, - "trigger_score_url": { - "type": "integer", - "example": 85 - }, - "trigger_score_domain": { - "type": "integer", - "example": 85 - }, - "trigger_score_hash": { - "type": "integer", - "example": 85 - }, - "valid_until_delta_hours": { - "type": "integer", - "example": 1 - }, - "threat_hunt_description": { - "type": "string", - "example": "Lazarus Group high risk" - } - }, - "x-ms-visibility": "important" - }, - "required": true, - "x-ms-visibility": "important" - } - ], - "responses": { - "200": { - "description": "List of Threat Indicator 
in STIX format.", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatHuntActors" - } - } - } - } - }, - "operationId": "[[variables('_operationId-STIX_Indicators')]", - "description": "Fetch Threat Indicators for Actors in STIX format.", - "x-ms-visibility": "important" - } - }, - "/threat/indicators/malware": { - "post": { - "tags": [ - "Threat Hunt", - "STIX" - ], - "summary": "Fetch Threat Indicators for Malware in STIX format.", - "parameters": [ - { - "name": "body", - "in": "body", - "schema": { - "type": "object", - "properties": { - "malware": { - "type": "array", - "items": { - "type": "string", - "example": "LnK3Q6" - } - }, - "categories": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchlists": { - "type": "array", - "items": { - "type": "string" - } - }, - "trigger_score_ip": { - "type": "integer", - "example": 85 - }, - "trigger_score_url": { - "type": "integer", - "example": 85 - }, - "trigger_score_domain": { - "type": "integer", - "example": 85 - }, - "trigger_score_hash": { - "type": "integer", - "example": 85 - }, - "valid_until_delta_hours": { - "type": "integer", - "example": 1 - }, - "threat_hunt_description": { - "type": "string", - "example": "Cobalt Strike Beacon high risk" - } - }, - "x-ms-visibility": "important" - }, - "required": true, - "x-ms-visibility": "important" - } - ], - "responses": { - "200": { - "description": "List of Threat Indicator in STIX format.", - "schema": { - "type": "object", - "properties": { - "data": { - "$ref": "#/definitions/ThreatHuntMalware" - } - } - } - } - }, - "operationId": "[[variables('_operationId-STIX_MalwareIndicators')]", - "description": "Fetch Threat Indicators for Malware in STIX format.", - "x-ms-visibility": "important" - } - } - }, - "x-ms-connector-metadata": [ - { - "propertyName": "Website", - "propertyValue": "https://www.recordedfuture.com" - }, - { - "propertyName": "Privacy Policy", - "propertyValue": 
"https://www.recordedfuture.com/privacy-policy/" - }, - { - "propertyName": "Categories", - "propertyValue": "AI;Data" - } - ], - "definitions": { - "Links": { - "type": "object", - "title": "links", - "description": "High Confidence Evidence Based Links", - "x-ms-visibility": "important", - "properties": { - "technical": { - "type": "object", - "title": "technical", - "description": "Technical links generated through network traffic analysis, malware analysis, infrastructure analysis and more", - "x-ms-visibility": "important", - "properties": { - "start_date": { - "type": "string", - "title": "startDate", - "description": "Link start date", - "x-ms-visibility": "important" - }, - "stop_date": { - "type": "string", - "title": "stopDate", - "description": "Link stop date", - "x-ms-visibility": "important" - }, - "entities": { - "type": "array", - "title": "entities", - "description": "Related entities", - "x-ms-visibility": "important", - "items": { - "$ref": "#/definitions/LinkEntities" - } - } - } - }, - "research": { - "type": "object", - "title": "research", - "description": "Research links discovered by Insikt Group", - "x-ms-visibility": "important", - "properties": { - "start_date": { - "type": "string", - "title": "startDate", - "description": "Link start date", - "x-ms-visibility": "important" - }, - "stop_date": { - "type": "string", - "title": "stopDate", - "description": "Link stop date", - "x-ms-visibility": "important" - }, - "entities": { - "type": "array", - "title": "entities", - "description": "Related entities", - "x-ms-visibility": "important", - "items": { - "$ref": "#/definitions/LinkEntities" - } - } - } - } - } - }, - "LinkEntities": { - "type": "object", - "properties": { - "type": { - "type": "string", - "title": "type", - "description": "Enitity type", - "x-ms-visibility": "important" - }, - "name": { - "type": "string", - "title": "name", - "description": "Entity name", - "x-ms-visibility": "important" - }, - "score": { - "type": 
"integer", - "title": "score", - "description": "Risk score", - "x-ms-visibility": "important" - }, - "category": { - "type": "string", - "title": "category", - "description": "Entity category", - "x-ms-visibility": "important" - } - } - }, - "AlertSearch": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "results": { - "type": "array", - "items": { - "type": "object", - "properties": { - "review": { - "$ref": "#/definitions/AlertReview" - }, - "url": { - "$ref": "#/definitions/AlertURL" - }, - "rule": { - "$ref": "#/definitions/AlertRule" - }, - "triggered": { - "$ref": "#/definitions/AlertTriggered" - }, - "id": { - "$ref": "#/definitions/AlertID" - }, - "title": { - "$ref": "#/definitions/AlertTitle" - }, - "type": { - "$ref": "#/definitions/AlertType" - } - } - } - } - } - }, - "counts": { - "type": "object", - "properties": { - "returned": { - "type": "integer" - }, - "total": { - "type": "integer" - } - } - } - } - }, - "ThreatMapActors": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "threat_map": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "alias": { - "type": "array", - "items": { - "type": "string" - } - }, - "categories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - } - }, - "intent": { - "type": "integer", - "format": "int32" - }, - "opportunity": { - "type": "integer", - "format": "int32" - }, - "log_entries": { - "type": "array", - "items": { - "type": "object", - "properties": { - "watchlist": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "severity": { - "type": 
"integer", - "format": "int32" - }, - "axis": { - "type": "string" - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - } - } - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - }, - "ThreatHuntActors": { - "type": "array", - "items": { - "type": "object", - "properties": { - "confidence": { - "type": "integer", - "example": 89 - }, - "description": { - "type": "string", - "example": "Recorded Future - Threat Hunt - Threat Actor - DOMAIN - Lazarus Group (QCwdoU) - [Lazarus Group high risk]" - }, - "id": { - "type": "string", - "example": "indicator--321991ed-aca0-4e25-85a0-c1615c95074f" - }, - "indicator_types": { - "type": "array", - "items": { - "type": "string", - "example": "malicious-activity" - } - }, - "labels": { - "type": "array", - "items": { - "type": "string", - "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/QCwdoU\"}" - } - }, - "name": { - "type": "string", - "example": "akamaicontainer.com" - }, - "pattern": { - "type": "string", - "example": "[[[domain-name:value = 'akamaicontainer.com']" - }, - "pattern_type": { - "type": "string", - "example": "stix" - }, - "spec_version": { - "type": "string", - "example": "2.1" - }, - "type": { - "type": "string", - "example": "indicator" - }, - "created": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "modified": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_from": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_until": { - "type": "string", - "example": "2023-09-20T16:39:35.993568+02:00" - }, - "external_references": { - "type": "array", - "items": { - "type": "object", - "properties": { - "source_name": { - "type": "string", - "example": "Recorded Future" - }, - "description": { - "type": "string", - "example": "Recorded Future Entity card for Threat Actor: Lazarus Group (QCwdoU)" - }, - "external_id": { - 
"type": "string", - "example": "QCwdoU" - }, - "url": { - "type": "string", - "example": "https://app.recordedfuture.com/live/sc/entity/QCwdoU" - } - } - } - } - }, - "required": [ - "confidence", - "description", - "id", - "indicator_types", - "labels", - "name", - "pattern", - "pattern_type", - "spec_version", - "type", - "created", - "modified", - "valid_from", - "valid_until", - "external_references" - ] - } - }, - "ThreatMapMalware": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "threat_map": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "alias": { - "type": "array", - "items": { - "type": "string" - } - }, - "categories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - } - }, - "intent": { - "type": "integer", - "format": "int32" - }, - "opportunity": { - "type": "integer", - "format": "int32" - }, - "log_entries": { - "type": "array", - "items": { - "type": "object", - "properties": { - "watchlist": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - } - }, - "severity": { - "type": "integer", - "format": "int32" - }, - "axis": { - "type": "string" - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - } - } - }, - "date": { - "type": "string", - "format": "date-time" - } - } - } - } - }, - "ThreatHuntMalware": { - "type": "array", - "items": { - "type": "object", - "properties": { - "confidence": { - "type": "integer", - "example": 89 - }, - "description": { - "type": "string", - "example": "Recorded Future - Threat Hunt - Threat Malware - DOMAIN - Cobalt Strike Beacon Malware (LnK3Q6) - [Cobalt Strike Beacon 
high risk]" - }, - "id": { - "type": "string", - "example": "indicator--321991ed-aca0-4e25-85a0-c1615c75074f" - }, - "indicator_types": { - "type": "array", - "items": { - "type": "string", - "example": "malicious-activity" - } - }, - "labels": { - "type": "array", - "items": { - "type": "string", - "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/LnK3Q6\"}" - } - }, - "name": { - "type": "string", - "example": "masterunis.net" - }, - "pattern": { - "type": "string", - "example": "[[[domain-name:value = 'masterunis.net']" - }, - "pattern_type": { - "type": "string", - "example": "stix" - }, - "spec_version": { - "type": "string", - "example": "2.1" - }, - "type": { - "type": "string", - "example": "indicator" - }, - "created": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "modified": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_from": { - "type": "string", - "example": "2023-09-20T15:39:35.993568+02:00" - }, - "valid_until": { - "type": "string", - "example": "2023-09-20T16:39:35.993568+02:00" - }, - "external_references": { - "type": "array", - "items": { - "type": "object", - "properties": { - "source_name": { - "type": "string", - "example": "Recorded Future" - }, - "description": { - "type": "string", - "example": "Recorded Future Entity card for Malware: Cobalt Strike Beacon (LnK3Q6)" - }, - "external_id": { - "type": "string", - "example": "LnK3Q6" - }, - "url": { - "type": "string", - "example": "https://app.recordedfuture.com/live/sc/entity/LnK3Q6" - } - } - } - } - }, - "required": [ - "confidence", - "description", - "id", - "indicator_types", - "labels", - "name", - "pattern", - "pattern_type", - "spec_version", - "type", - "created", - "modified", - "valid_from", - "valid_until", - "external_references" - ] - } - }, - "AlertLookup": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "review": { - 
"$ref": "#/definitions/AlertReview" - }, - "entities": { - "$ref": "#/definitions/AlertEntities" - }, - "url": { - "$ref": "#/definitions/AlertURL" - }, - "rule": { - "$ref": "#/definitions/AlertRule" - }, - "triggered": { - "$ref": "#/definitions/AlertTriggered" - }, - "id": { - "$ref": "#/definitions/AlertID" - }, - "counts": { - "type": "object", - "properties": { - "references": { - "type": "integer" - }, - "entities": { - "type": "integer" - }, - "documents": { - "type": "integer" - } - } - }, - "title": { - "$ref": "#/definitions/AlertTitle" - }, - "type": { - "$ref": "#/definitions/AlertType" - } - } - } - } - }, - "AlertReview": { - "type": "object", - "properties": { - "assignee": { - "type": "string" - }, - "status": { - "type": "string" - }, - "noteDate": { - "type": "string" - }, - "noteAuthor": { - "type": "string" - }, - "note": { - "type": "string" - } - } - }, - "AlertEntities": { - "type": "array", - "items": { - "type": "object", - "properties": { - "trend": { - "type": "object", - "additionalProperties": true - }, - "documents": { - "type": "array", - "items": { - "type": "object", - "properties": { - "references": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fragment": { - "type": "string" - }, - "entities": { - "type": "array", - "items": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - } - }, - "language": { - "type": "string" - } - } - } - }, - "source": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } - }, - "title": { - "type": "string" - }, - "url": { - "type": "string" - } - } - } - }, - "risk": { - "type": "object", - "additionalProperties": true - }, - "entity": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - } - } 
- } - } - } - }, - "AlertURL": { - "type": "string" - }, - "AlertRule": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "id": { - "type": "string" - }, - "url": { - "type": "string" - } - } - }, - "AlertTriggered": { - "type": "string" - }, - "AlertID": { - "type": "string" - }, - "AlertTitle": { - "type": "string" - }, - "AlertType": { - "type": "string" - } - }, - "securityDefinitions": { - "API Key": { - "type": "apiKey", - "in": "header", - "name": "X-RFToken" - } - }, - "security": [ - { - "API Key": "[variables('TemplateEmptyArray')]" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId10'),'/'))))]", - "properties": { - "parentId": "[[variables('playbookId10')]", - "contentId": "[variables('_playbookContentId10')]", - "kind": "LogicAppsCustomConnector", - "version": "[variables('playbookVersion10')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId10')]", - "contentKind": "LogicAppsCustomConnector", - "displayName": "RecordedFuture-CustomConnector", - "contentProductId": "[variables('_playbookcontentProductId10')]", - "id": "[variables('_playbookcontentProductId10')]", - "version": 
"[variables('playbookVersion10')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName11')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion11')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-ThreatMap-Importer", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. 
Normaly this dont change from RecordedFuture-CustomConnector" - } - } - }, - "variables": { - "RecordedFutureCustomConnectorConnectionName": "Recordedfuture-CustomConnector", - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Map_actors": { - "type": "ApiConnection", - "inputs": { - "headers": { - "Content-Type": "application/json" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/map/actors" - } - }, - "Parse_JSON": { - "inputs": { - "content": "@body('Fetch_Threat_Map_actors')", - "schema": { - 
"properties": { - "data": { - "properties": { - "date": { - "type": "string" - }, - "threat_map": { - "items": { - "properties": { - "alias": { - "items": { - "type": "string" - }, - "type": "array" - }, - "categories": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "required": [ - "id", - "name" - ], - "type": "object" - }, - "type": "array" - }, - "id": { - "type": "string" - }, - "intent": { - "type": "integer" - }, - "log_entries": { - "items": { - "properties": { - "axis": { - "type": "string" - }, - "date": { - "type": "string" - }, - "entity": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "severity": { - "type": "integer" - }, - "watchlist": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - } - }, - "required": [ - "axis", - "date", - "entity", - "severity" - ], - "type": "object" - }, - "type": "array" - }, - "name": { - "type": "string" - }, - "opportunity": { - "type": "integer" - } - }, - "required": [ - "alias", - "categories", - "id", - "intent", - "log_entries", - "name", - "opportunity" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "runAfter": { - "Fetch_Threat_Map_actors": [ - "Succeeded" - ] - }, - "type": "ParseJson" - }, - "Send_Data_-_Save_full_ThreatMap_response": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@{body('Parse_JSON')?['data']?['threat_map']}", - "headers": { - "Log-Type": "RecordedFutureThreatMap" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - "path": "/api/logs" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFutureCustomConnector": { - "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - }, - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ThreatMap-Importer", - "hidden-SentinelTemplateVersion": "1.2", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": 
"[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId11')]", - "contentId": "[variables('_playbookContentId11')]", - "kind": "Playbook", - "version": "[variables('playbookVersion11')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ThreatMap-Importer", - "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", - "prerequisites": [ - "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", - "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all 
connections and press save." - ], - "lastUpdateTime": "2024-03-08T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-ThreatMap-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - }, - { - "version": "1.2", - "title": "Default Recurrence", - "notes": [ - "Changed Default Recurrence to 24." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId11')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-ThreatMap-Importer", - "contentProductId": "[variables('_playbookcontentProductId11')]", - "id": "[variables('_playbookcontentProductId11')]", - "version": "[variables('playbookVersion11')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName12')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion12')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-MalwareThreatMap-Importer", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of 
the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - } - }, - "variables": { - "RecordedFutureCustomConnectorConnectionName": "RecordedFuture-CustomConnector", - "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Map_malware": { - "type": "ApiConnection", - "inputs": { - "body": { - "categories": [ - null - ], - "malware": [ - null - ], - "watchlists": [ - null - ] - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" - } - }, - "method": "post", - "path": 
"/threat/map/malware" - } - }, - "Parse_JSON": { - "runAfter": { - "Fetch_Threat_Map_malware": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('Fetch_Threat_Map_malware')", - "schema": { - "properties": { - "data": { - "properties": { - "date": { - "type": "string" - }, - "threat_map": { - "items": { - "properties": { - "alias": { - "items": { - "type": "string" - }, - "type": "array" - }, - "categories": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "required": [ - "id", - "name" - ], - "type": "object" - }, - "type": "array" - }, - "id": { - "type": "string" - }, - "log_entries": { - "items": { - "properties": { - "axis": { - "type": "string" - }, - "date": { - "type": "string" - }, - "entity": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - }, - "severity": { - "type": "integer" - }, - "watchlist": { - "properties": { - "id": { - "type": "string" - }, - "name": { - "type": "string" - } - }, - "type": "object" - } - }, - "required": [ - "axis", - "date", - "entity", - "severity" - ], - "type": "object" - }, - "type": "array" - }, - "name": { - "type": "string" - }, - "opportunity": { - "type": "integer" - }, - "prevalence": { - "type": "integer" - } - }, - "required": [ - "alias", - "categories", - "id", - "prevalence", - "log_entries", - "name", - "opportunity" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - } - }, - "type": "object" - } - } - }, - "Send_Data_-_Save_full_ThreatMap_Malware_Response": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": "@{body('Parse_JSON')?['data']?['threat_map']}", - "headers": { - "Log-Type": "RecordedFutureThreatMapMalware" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" - } - }, - "method": "post", - 
"path": "/api/logs" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFutureCustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - }, - "azureloganalyticsdatacollector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", - "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" - } - } - } - }, - "zoneRedundancy": "Enabled" - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ThreatMapMalware-Importer", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", - 
"api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId12')]", - "contentId": "[variables('_playbookContentId12')]", - "kind": "Playbook", - "version": "[variables('playbookVersion12')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ThreatMapMalware-Importer", - "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", - "prerequisites": [ - "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", - "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", - "To use the Recorded Future for Azure connector, you will need a valid API token 
from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-MalwareThreatMap-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId12')]", - "contentKind": "Playbook", - "displayName": "RecordedFuture-MalwareThreatMap-Importer", - "contentProductId": "[variables('_playbookcontentProductId12')]", - "id": "[variables('_playbookcontentProductId12')]", - "version": "[variables('playbookVersion12')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName13')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion13')]", - "parameters": { - "PlaybookName": { - "defaultValue": "ActorThreatHunt-IndicatorImport", - "type": "string" - }, - "CustomConnectorName": { - 
"defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String", - "metadata": { - "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" - } - } - }, - "variables": { - "RecordedFuture-CustomConnectorConnectionName": "Recordedfuture-CustomConnector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Indicators_for_Actors_in_STIX_format": { - "type": "ApiConnection", - "inputs": { - "body": { - "trigger_score_domain": 65, - "trigger_score_hash": 65, - "trigger_score_ip": 65, - "trigger_score_url": 65, - "valid_until_delta_hours": 24 - }, - "host": { - "connection": { - "name": 
"@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/indicators/actors" - } - }, - "For_each": { - "foreach": "@body('Fetch_Threat_Indicators_for_Actors_in_STIX_format')", - "actions": { - "RecordedFuture-ThreatIntelligenceImport": { - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": "@items('For_each')", - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Fetch_Threat_Indicators_for_Actors_in_STIX_format": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFuture-CustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", - "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": 
"[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId13')]", - "contentId": "[variables('_playbookContentId13')]", - "kind": "Playbook", - "version": "[variables('playbookVersion13')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ActorThreatHunt-IndicatorImport", - "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "1. Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", - "2. 
RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:02:00Z", - "tags": [ - "Threat Hunting" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-ActorThreatMap-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId13')]", - "contentKind": "Playbook", - "displayName": "ActorThreatHunt-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId13')]", - "id": "[variables('_playbookcontentProductId13')]", - "version": "[variables('playbookVersion13')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName14')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion14')]", - "parameters": { - 
"PlaybookName": { - "defaultValue": "MalwareThreatHunt-IndicatorImport", - "type": "string" - }, - "CustomConnectorName": { - "defaultValue": "RecordedFuture-CustomConnector", - "type": "string", - "metadata": { - "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" - } - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ThreatIntelligenceImport", - "type": "String", - "metadata": { - "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" - } - } - }, - "variables": { - "Recordedfuture-CustomconnectorConnectionName": "Recordedfuture-CustomConnector", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 24 - }, - "evaluatedRecurrence": { - "frequency": "Hour", - "interval": 24 - }, - "type": "Recurrence" - } - }, - "actions": { - "Fetch_Threat_Indicators_for_Malware_in_STIX_format": { - "type": "ApiConnection", - "inputs": { - "body": { - "trigger_score_domain": 65, - "trigger_score_hash": 65, - "trigger_score_ip": 65, - "trigger_score_url": 65, 
- "valid_until_delta_hours": 24 - }, - "host": { - "connection": { - "name": "@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" - } - }, - "method": "post", - "path": "/threat/indicators/malware" - } - }, - "For_each": { - "foreach": "@body('Fetch_Threat_Indicators_for_Malware_in_STIX_format')", - "actions": { - "RecordedFuture-ThreatIntelligenceImport": { - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": "@items('For_each')", - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Fetch_Threat_Indicators_for_Malware_in_STIX_format": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "RecordedFuture-CustomConnector": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", - "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" - } - } - } - }, - "zoneRedundancy": "Enabled" - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('Recordedfuture-CustomconnectorConnectionName'))]" - ] - }, - 
{ - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId14')]", - "contentId": "[variables('_playbookContentId14')]", - "kind": "Playbook", - "version": "[variables('playbookVersion14')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "criteria": [ - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": "[variables('playbookVersion10')]" - } - ] - } - } - } - ], - "metadata": { - "title": "RecordedFuture-MalwareThreatHunt-IndicatorImport", - "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", - "1. 
Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", - "2. RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." - ], - "postDeployment": [ - "After deployment, open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2024-01-12T00:02:00Z", - "tags": [ - "Threat Hunting" - ], - "releaseNotes": [ - { - "version": "1.0", - "title": "RecordedFuture-MalwareThreatHunt-Importer", - "notes": [ - "Initial version" - ] - }, - { - "version": "1.1", - "title": "API Connectors", - "notes": [ - "API connection rename." - ] - } - ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId14')]", - "contentKind": "Playbook", - "displayName": "MalwareThreatHunt-IndicatorImport", - "contentProductId": "[variables('_playbookcontentProductId14')]", - "id": "[variables('_playbookcontentProductId14')]", - "version": "[variables('playbookVersion14')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook 
Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in 
({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFuturePlaybookAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded 
Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Playbook Alerts Overview; templateRelativePath=RecordedFuturePlaybookAlertOverview.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "RecordedFuturePlaybookAlerts_CL", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureAlertOverview Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId2')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." - }, - "properties": { - "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. 
First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, 
\\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureAlertOverviewWorkbook; 
logoFileName=RecordedFuture.svg; description=Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Alerts Overview; templateRelativePath=RecordedFutureAlertOverview.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId2')]", - "contentId": "[variables('_workbookContentId2')]", - "kind": "Workbook", - "version": "[variables('workbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "RecordedFuturePortalAlerts_CL", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId2')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook2-name')]", - "contentProductId": "[variables('_workbookcontentProductId2')]", - "id": "[variables('_workbookcontentProductId2')]", - "version": "[variables('workbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId3')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### 
How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk 
lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 
1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract 
Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == 
\\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureDomainCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Domain Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Domain Correlation; templateRelativePath=RecordedFutureDomainCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId3')]", - "contentId": "[variables('_workbookContentId3')]", - "kind": "Workbook", - "version": "[variables('workbookVersion3')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId3')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook3-name')]", - "contentProductId": "[variables('_workbookcontentProductId3')]", - "id": "[variables('_workbookcontentProductId3')]", - "version": "[variables('workbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureHashCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId4')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. 
In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk 
lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], 
Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == \\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureHashCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Hash Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Hash Correlation; templateRelativePath=RecordedFutureHashCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId4')]", - "contentId": "[variables('_workbookContentId4')]", - "kind": "Workbook", - "version": "[variables('workbookVersion4')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId4')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook4-name')]", - "contentProductId": "[variables('_workbookcontentProductId4')]", - "id": "[variables('_workbookcontentProductId4')]", - "version": "[variables('workbookVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureIPCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId5')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook5-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. 
In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk 
lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| 
where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) 
desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId5'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureIPCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future IP Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - IP Correlation; templateRelativePath=RecordedFutureIPCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId5')]", - "contentId": "[variables('_workbookContentId5')]", - "kind": "Workbook", - "version": "[variables('workbookVersion5')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId5')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook5-name')]", - "contentProductId": "[variables('_workbookcontentProductId5')]", - "id": "[variables('_workbookcontentProductId5')]", - "version": "[variables('workbookVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureURLCorrelation Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion6')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId6')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook6-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. 
In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend 
IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend 
Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == 
\\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId6'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureURLCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future URL Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - URL Correlation; templateRelativePath=RecordedFutureURLCorrelation.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId6')]", - "contentId": "[variables('_workbookContentId6')]", - "kind": "Workbook", - "version": "[variables('workbookVersion6')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId6')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook6-name')]", - "contentProductId": "[variables('_workbookcontentProductId6')]", - "id": "[variables('_workbookcontentProductId6')]", - "version": "[variables('workbookVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion7')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId7')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook7-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand 
parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data 
found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == 
\\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. 
Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId7'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureThreatActorHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Threat Actor Hunting Workbook. 
This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Threat Actor Hunting; templateRelativePath=RecordedFutureThreatActorHunting.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId7')]", - "contentId": "[variables('_workbookContentId7')]", - "kind": "Workbook", - "version": "[variables('workbookVersion7')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId7')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook7-name')]", - "contentProductId": "[variables('_workbookcontentProductId7')]", - "id": "[variables('_workbookcontentProductId7')]", - "version": "[variables('workbookVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion8')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId8')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." - }, - "properties": { - "displayName": "[parameters('workbook8-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand 
parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s 
has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware 
Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for 
Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. 
\\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId8'),'/'))))]", - "properties": { - "description": "@{workbookKey=RecordedFutureMalwareThreatHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Malware Threat Hunting Workbook. 
This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Malware Threat Hunting; templateRelativePath=RecordedFutureMalwareThreatHunting.json; subtitle=; provider=Recorded Future}.description", - "parentId": "[variables('workbookId8')]", - "contentId": "[variables('_workbookContentId8')]", - "kind": "Workbook", - "version": "[variables('workbookVersion8')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "ThreatIntelligenceIndicator", - "kind": "DataType" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId8')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook8-name')]", - "contentProductId": "[variables('_workbookcontentProductId8')]", - "id": "[variables('_workbookcontentProductId8')]", - "version": "[variables('workbookVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.2.8", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Recorded Future", - "publisherDisplayName": "Recorded 
Future Support Team", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Underlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n\n

Workbooks: 8, Analytic Rules: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - }, - { - 
"kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-IOC_Enrichment')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Playbook-Alert-Importer')]", - "version": "[variables('playbookVersion2')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Alert-Importer')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ThreatIntelligenceImport')]", - "version": "[variables('playbookVersion4')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Domain-IndicatorImport')]", - "version": "[variables('playbookVersion5')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Hash-IndicatorImport')]", - "version": "[variables('playbookVersion6')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-IP-IndicatorImport')]", - "version": "[variables('playbookVersion7')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-URL-IndicatorImport')]", - "version": "[variables('playbookVersion8')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-Sandbox_Enrichment-Url')]", - "version": "[variables('playbookVersion9')]" - }, - { - "kind": "LogicAppsCustomConnector", - "contentId": "[variables('_RecordedFuture-CustomConnector')]", - "version": 
"[variables('playbookVersion10')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ThreatMap-Importer')]", - "version": "[variables('playbookVersion11')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ThreatMapMalware-Importer')]", - "version": "[variables('playbookVersion12')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-ActorThreatHunt-IndicatorImport')]", - "version": "[variables('playbookVersion13')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_RecordedFuture-MalwareThreatHunt-IndicatorImport')]", - "version": "[variables('playbookVersion14')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId2')]", - "version": "[variables('workbookVersion2')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId3')]", - "version": "[variables('workbookVersion3')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId4')]", - "version": "[variables('workbookVersion4')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId5')]", - "version": "[variables('workbookVersion5')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId6')]", - "version": "[variables('workbookVersion6')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId7')]", - "version": "[variables('workbookVersion7')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId8')]", - "version": "[variables('workbookVersion8')]" - } - ] - }, - "firstPublishDate": "2021-11-01", - "lastPublishDate": "2023-09-19", - "providers": [ - "Recorded Future" - ], - "categories": { - "domains": [ - "Security - Threat Intelligence" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 
variables('_solutionId'))]" - } - ], - "outputs": {} -} +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Recorded Future Premier Integrations - support@recordedfuture.com", + "comments": "Solution template for Recorded Future" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Recorded Future - Playbook Alerts Overview", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook2-name": { + "type": "string", + "defaultValue": "Recorded Future - Alerts Overview", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook3-name": { + "type": "string", + "defaultValue": "Recorded Future - Domain Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook4-name": { + "type": "string", + "defaultValue": "Recorded Future - Hash Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook5-name": { + "type": "string", + "defaultValue": "Recorded Future - IP Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook6-name": { + 
"type": "string", + "defaultValue": "Recorded Future - URL Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook7-name": { + "type": "string", + "defaultValue": "Recorded Future - Threat Actor Hunting", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook8-name": { + "type": "string", + "defaultValue": "Recorded Future - Malware Threat Hunting", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@recordedfuture.com", + "_email": "[variables('email')]", + "_solutionName": "Recorded Future", + "_solutionVersion": "3.2.9", + "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", + "_solutionId": "[variables('solutionId')]", + "RecordedFuture-IOC_Enrichment": "RecordedFuture-IOC_Enrichment", + "_RecordedFuture-IOC_Enrichment": "[variables('RecordedFuture-IOC_Enrichment')]", + "playbookVersion1": "2.7", + "playbookContentId1": "RecordedFuture-IOC_Enrichment", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "RecordedFuture-Playbook-Alert-Importer": "RecordedFuture-Playbook-Alert-Importer", + "_RecordedFuture-Playbook-Alert-Importer": "[variables('RecordedFuture-Playbook-Alert-Importer')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion2": "1.3", 
+ "playbookContentId2": "RecordedFuture-Playbook-Alert-Importer", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer", + "_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]", + "playbookVersion3": "1.4", + "playbookContentId3": "RecordedFuture-Alert-Importer", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "RecordedFuture-ThreatIntelligenceImport": "RecordedFuture-ThreatIntelligenceImport", + "_RecordedFuture-ThreatIntelligenceImport": "[variables('RecordedFuture-ThreatIntelligenceImport')]", + "playbookVersion4": "1.0", + "playbookContentId4": "RecordedFuture-ThreatIntelligenceImport", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "RecordedFuture-Domain-IndicatorImport": "RecordedFuture-Domain-IndicatorImport", + "_RecordedFuture-Domain-IndicatorImport": "[variables('RecordedFuture-Domain-IndicatorImport')]", + "playbookVersion5": "1.0", + "playbookContentId5": "RecordedFuture-Domain-IndicatorImport", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "RecordedFuture-Hash-IndicatorImport": "RecordedFuture-Hash-IndicatorImport", + "_RecordedFuture-Hash-IndicatorImport": "[variables('RecordedFuture-Hash-IndicatorImport')]", + "playbookVersion6": "1.0", + "playbookContentId6": "RecordedFuture-Hash-IndicatorImport", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "RecordedFuture-IP-IndicatorImport": "RecordedFuture-IP-IndicatorImport", + "_RecordedFuture-IP-IndicatorImport": "[variables('RecordedFuture-IP-IndicatorImport')]", + "playbookVersion7": "1.0", + "playbookContentId7": "RecordedFuture-IP-IndicatorImport", + "_playbookContentId7": "[variables('playbookContentId7')]", + "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "RecordedFuture-URL-IndicatorImport": "RecordedFuture-URL-IndicatorImport", + "_RecordedFuture-URL-IndicatorImport": "[variables('RecordedFuture-URL-IndicatorImport')]", + "playbookVersion8": "1.0", + "playbookContentId8": "RecordedFuture-URL-IndicatorImport", + "_playbookContentId8": "[variables('playbookContentId8')]", + "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url", + "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]", + 
"playbookVersion9": "1.0", + "playbookContentId9": "RecordedFuture-Sandbox_Enrichment-Url", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "RecordedFuture-CustomConnector": "RecordedFuture-CustomConnector", + "_RecordedFuture-CustomConnector": "[variables('RecordedFuture-CustomConnector')]", + "playbookVersion10": "1.0", + "playbookContentId10": "RecordedFuture-CustomConnector", + "_playbookContentId10": "[variables('playbookContentId10')]", + "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId10'))))]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", + "RecordedFuture-ThreatMap-Importer": "RecordedFuture-ThreatMap-Importer", + "_RecordedFuture-ThreatMap-Importer": "[variables('RecordedFuture-ThreatMap-Importer')]", + "playbookVersion11": "1.2", + "playbookContentId11": "RecordedFuture-ThreatMap-Importer", + "_playbookContentId11": "[variables('playbookContentId11')]", + "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", + "playbookTemplateSpecName11": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", + "RecordedFuture-ThreatMapMalware-Importer": "RecordedFuture-ThreatMapMalware-Importer", + "_RecordedFuture-ThreatMapMalware-Importer": "[variables('RecordedFuture-ThreatMapMalware-Importer')]", + "playbookVersion12": "1.0", + "playbookContentId12": "RecordedFuture-ThreatMapMalware-Importer", + "_playbookContentId12": "[variables('playbookContentId12')]", + "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", + "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", + "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", + "RecordedFuture-ActorThreatHunt-IndicatorImport": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "_RecordedFuture-ActorThreatHunt-IndicatorImport": "[variables('RecordedFuture-ActorThreatHunt-IndicatorImport')]", + "playbookVersion13": "1.0", + "playbookContentId13": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "_playbookContentId13": "[variables('playbookContentId13')]", + "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", + "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", + "_playbookcontentProductId13": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", + "RecordedFuture-MalwareThreatHunt-IndicatorImport": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "_RecordedFuture-MalwareThreatHunt-IndicatorImport": "[variables('RecordedFuture-MalwareThreatHunt-IndicatorImport')]", + "playbookVersion14": "1.0", + "playbookContentId14": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "_playbookContentId14": "[variables('playbookContentId14')]", + "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", + "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", + "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", + "workbookVersion1": "1.0.1", + "workbookContentId1": "RecordedFuturePlaybookAlertOverviewWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "workbookVersion2": "1.0.1", + "workbookContentId2": "RecordedFutureAlertOverviewWorkbook", + "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", + 
"workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", + "_workbookContentId2": "[variables('workbookContentId2')]", + "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", + "workbookVersion3": "1.0.1", + "workbookContentId3": "RecordedFutureDomainCorrelationWorkbook", + "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", + "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", + "_workbookContentId3": "[variables('workbookContentId3')]", + "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", + "workbookVersion4": "1.0.1", + "workbookContentId4": "RecordedFutureHashCorrelationWorkbook", + "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", + "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", + "_workbookContentId4": "[variables('workbookContentId4')]", + "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", + "workbookVersion5": "1.0.1", + "workbookContentId5": "RecordedFutureIPCorrelationWorkbook", + "workbookId5": "[resourceId('Microsoft.Insights/workbooks', 
variables('workbookContentId5'))]", + "workbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId5'))))]", + "_workbookContentId5": "[variables('workbookContentId5')]", + "_workbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId5'),'-', variables('workbookVersion5'))))]", + "workbookVersion6": "1.0.1", + "workbookContentId6": "RecordedFutureURLCorrelationWorkbook", + "workbookId6": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId6'))]", + "workbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId6'))))]", + "_workbookContentId6": "[variables('workbookContentId6')]", + "_workbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId6'),'-', variables('workbookVersion6'))))]", + "workbookVersion7": "1.0.1", + "workbookContentId7": "RecordedFutureThreatActorHuntingWorkbook", + "workbookId7": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId7'))]", + "workbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId7'))))]", + "_workbookContentId7": "[variables('workbookContentId7')]", + "_workbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId7'),'-', variables('workbookVersion7'))))]", + "workbookVersion8": "1.0.0", + "workbookContentId8": "RecordedFutureMalwareThreatHuntingWorkbook", + "workbookId8": 
"[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId8'))]", + "workbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId8'))))]", + "_workbookContentId8": "[variables('workbookContentId8')]", + "_workbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId8'),'-', variables('workbookVersion8'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-IOC_Enrichment", + "type": "string" + } + }, + "variables": { + "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", + "AzureSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "_connection-2": 
"[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateVersion": "2.7", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ], + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "For_each": { + "actions": { + "Parse_JSON_2": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "properties": { + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + }, + "Switch": { + "cases": { + "Case": { + "actions": { + "Add_comment_to_incident_(V3)_-_Domain": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Domain_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Domain_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_4": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_Domain": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Domain_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_DNS_Resolution": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_DNS_Resolution": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "domainName": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "case": "DnsResolution" + }, + "Case_2": { + "actions": { + "Add_comment_to_incident_(V3)_-_Hash": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Hash_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Hash_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_3": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_Hash": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Hash_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_File_Hash": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_File_Hash": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "algorithm": { + "type": "string" + }, + "friendlyName": { + "type": "string" + }, + "hashValue": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "case": "FileHash" + }, + "Case_3": { + "actions": { + "Add_comment_to_incident_(V3)_-_URL": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('URL_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "URL_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Url')?['url']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_URL": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_Url": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "friendlyName": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + }, + "URL_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/url/@{encodeURIComponent(body('Parse_JSON_-_Url')?['url'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_Url": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + } + }, + "case": "Url" + }, + "Case_4": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Ip')?['address']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_IP": [ + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Add_comment_to_incident_(V3)_-_IP": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('IP_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "IP_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "IP_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_Ip": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Parse_JSON_-_Ip": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "address": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "case": "Ip" + } + }, + "expression": "@body('Parse_JSON_2')?['kind']", + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "Switch" + } + }, + "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "runAfter": { + "RFIncidentId": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + }, + "type": "Foreach" + }, + "RFIncidentId": { + "inputs": { + "variables": [ + { + "name": "RFIncidentId", + "type": "string", + "value": "@{guid()}" + } + ] + }, + "type": "InitializeVariable" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "IntelligenceCloud": { + "defaultValue": true, + "type": "Bool" + }, + "$connections": { + "type": "Object" + } + }, + "triggers": { 
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "recordedfuture": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + "connectionName": "[[variables('RecordedFutureConnectionName')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IOC_Enrichment", + "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Microsoft Sentinel incident \"Microsoft.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment open the playbook in edit mode and configure/authorize all connections and press save.\"Logic" + ], + "lastUpdateTime": "2024-07-09T00:00:00Z", + "entities": [ + "ip", + "url", + "dnsresolution", + "filehash" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Improved layout and added Recorded Future Collective Insights." 
+ ] + }, + { + "version": "1.2", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Fixed risk rule severity and correct image url." + ] + }, + { + "version": "2.3", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Updated readme and improved layout." + ] + }, + { + "version": "2.4", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Handle 404 result from enrichment." + ] + }, + { + "version": "2.5", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Backend rendered markdown/html to increse performance and reduce cost of enrichment." + ] + }, + { + "version": "2.6", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Shorten name from RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash. Renamed API connections" + ] + }, + { + "version": "2.7", + "title": "RecordedFuture-IOC_Enrichment", + "notes": [ + "Reduce concurrency to 1." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IOC_Enrichment", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.9", + "mainTemplate": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Playbook-Alert-Importer", + "type": "string" + }, + "create_incident": { + "type": "String", + "defaultValue": "false", + "metadata": { + "description": "Create Microsoft Sentinel incidents (possible values true/false)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "RecordedFutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + 
"parameters": { + "$connections": { + "type": "Object" + }, + "create_incident": { + "type": "String", + "defaultValue": "[[parameters('create_incident')]" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Search_Playbook_Alerts')", + "actions": { + "Get_Playbook_Alert_by_ID": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/playbook-alert/@{encodeURIComponent(items('For_each')?['playbook_alert_id'])}" + } + }, + "Create_incident_if_parameter_is_set-copy": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "message": "

**Recorded Future Alert** @{body('Get_Playbook_Alert_by_ID')?['title']}

Playbook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}

Playbook Alert Type: @{items('For_each')?['category']}

Playbook Alert Priority: @{items('For_each')?['priority']}

Playbook Alert Status: @{item()?['status']}

Playbook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}

[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})


Evidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}


created_date: @{items('For_each')?['created']}

updated_date: @{items('For_each')?['updated']}

" + }, + "path": "/Incidents/Comment" + } + }, + "Create_incident": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "title": "@body('Get_Playbook_Alert_by_ID')?['title']", + "severity": "Medium", + "status": "New", + "description": "**Recorded Future Alert**\n@{body('Get_Playbook_Alert_by_ID')?['title']}\nPlaybook Alert ID: @{body('Get_Playbook_Alert_by_ID')?['id']}\nPlaybook Alert Type: @{items('For_each')?['category']}\nPlaybook Alert Priority: @{items('For_each')?['priority']}\nPlaybook Alert Status: @{item()?['status']}\nPlaybook Alert Targets:@{body('Get_Playbook_Alert_by_ID')?['targets']}\n[Open Recorded Future portal](@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])})\n\nEvidence Summary: @{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\n\ncreated_date: @{items('For_each')?['created']}\nupdated_date: @{items('For_each')?['updated']}\n\n", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "Recorded Future Playbook Alert" + }, + { + "Tag": "RFPAID:@{item()?['playbook_alert_id']}" + } + ] + } + }, + "path": "/Incidents/subscriptions/5129b3ff-c0c6-4e86-bd1c-70e5fcd579cf/resourceGroups/RF-SaaS-V3.2.2/workspaces/RF-SaaS-V3-2-2" + } + } + }, + "runAfter": { + "Send_Data": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('create_incident')", + "true" + ] + } + ] + }, + "type": "If" + }, + "Send_Data": { + "runAfter": { + "Get_Playbook_Alert_by_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "{\n\"title\": \" @{items('For_each')?['title']}\",\n\"id\": \"@{body('Get_Playbook_Alert_by_ID')?['id']}\",\n\"category\":\"@{items('For_each')?['category']}\",\n\"rule_label\":\"@{coalesce(body('Get_Playbook_Alert_by_ID')?['rule_label'],items('For_each')?['category'])}\",\n\"status\": 
\"@{items('For_each')?['status']}\", \n\"priority\": \"@{items('For_each')?['priority']}\",\n\"created_date\": \"@{items('For_each')?['created']}\",\n\"updated_date\": \"@{items('For_each')?['updated']}\",\n\"targets\":\"@{body('Get_Playbook_Alert_by_ID')?['targets']}\",\n\"evidence_summary\": \"@{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\",\n\"link\": \"@{concat('https://app.recordedfuture.com/live/sc/task/?id=',items('For_each')?['playbook_alert_id'])}\"\n}", + "headers": { + "Log-Type": "RecordedFuturePlaybookAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Search_Playbook_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Search_Playbook_Alerts": { + "type": "ApiConnection", + "inputs": { + "body": { + "updated_from_relative": "-1", + "categories": "[variables('TemplateEmptyArray')]" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "post", + "path": "/playbook-alert/search" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "recordedfuturev2": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + 
"connectionName": "[[variables('RecordedFutureConnectionName')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "PlaybookAlert-Import", + "hidden-SentinelTemplateVersion": "1.3", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + 
"apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Playbook-Alert-Importer", + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." 
+ ], + "lastUpdateTime": "2024-07-09T00:00:00Z", + "tags": [ + "Alert" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Changed default search parameters for playbook alert serach." + ] + }, + { + "version": "1.2", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "API connector renaming." + ] + }, + { + "version": "1.3", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Added Incident creation." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Playbook-Alert-Importer", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-AlertImporter Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-AlertImporter", + "type": "string" + }, + 
"create_incident": { + "metadata": { + "description": "Create Microsoft Sentinel incidents (possible values true/false)" + }, + "type": "string" + }, + "workspace_name": { + "defaultValue": "", + "metadata": { + "description": "Microsoft Sentinel Workspace name" + }, + "type": "string" + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "Recordedfuturev2ConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-4": "[[variables('connection-4')]", + "connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-5": "[[variables('connection-5')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "apiVersion": "2017-07-01", + "dependsOn": [ + 
"[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[[variables('workspace-location-inline')]", + "name": "[[parameters('PlaybookName')]", + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "For_each_triggered_alert": { + "actions": { + "Create_incident_if_parameter_is_set": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'], '&utm_source=microsoft_sentinel')})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Create_incident": { + "inputs": { + "body": { + "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{concat(items('For_each_triggered_alert')?['url']?['portal'],'&utm_source=microsoft_sentinel')})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", + "severity": "Medium", + "status": "New", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "Recorded Future Alert" + } + ] + }, + "title": "@items('For_each_triggered_alert')?['title']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "[[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" + }, + "type": "ApiConnection" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('create_incident')", + "true" + ] + } + ] + }, + "runAfter": { + "For_each_hit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "For_each_hit": { + "actions": { + "Send_Data_2": { + "inputs": { + "body": "{\n\"RuleName\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['rule']?['name'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": 
\"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_triggered_alert')?['title'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\ncoalesce(items('For_each_triggered_alert')?['ai_insights']?['text'],''),\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\",\n\"Fragment\": \"@{replace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nreplace(\nitems('For_each_hit')?['fragment'],\n'\\', '\\\\'),\n'\"', '\\\"'),\n'\n', '\\n'),\n'\t', '\\t'),\n'\b', '\\b'),\n'\f', '\\f'),\n'\n', '\\r')}\"}", + "headers": { + "Log-Type": "RecordedFuturePortalAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "type": "ApiConnection" + } + }, + "foreach": "@items('For_each_triggered_alert')['hits']", + "type": "Foreach" + } + }, + "foreach": "@body('Search_Triggered_Alerts')?['data']", + "runAfter": { + "Search_Triggered_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "inputs": { + "variables": [ + { + "name": "latest_event_date", + "type": "string", + "value": "@{addHours(utcNow(), -24)}" + } + ] + }, + "type": "InitializeVariable" + }, + "Run_query_and_list_results": { + "inputs": { + "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)| extend LatestEvent=coalesce(LatestEvent, ago(1d))", + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": "[[parameters('workspace_name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]", + "timerange": "Last 7 days" + } + }, + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Search_Triggered_Alerts": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/v2/alerts", + "queries": { + "triggered": "[[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" + } + }, + "runAfter": { + "Set_variable": [ + "Succeeded", + "Skipped" + ] + }, + "type": "ApiConnection" + }, + "Set_variable": { + "inputs": { + "name": "latest_event_date", + "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" + }, + "runAfter": { + "Run_query_and_list_results": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "create_incident": { + "defaultValue": "[[parameters('create_incident')]", + "type": "string" + } + }, + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + }, + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]" + }, + "recordedfuturev2": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]", + "connectionName": "[[variables('Recordedfuturev2ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + }, + "provisioningState": "Succeeded", + "state": "Enabled" + }, + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", + "hidden-SentinelTemplateVersion": "1.4", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "type": "Microsoft.Logic/workflows" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + }, + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]" + }, + "type": 
"Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + }, + "displayName": "[[variables('AzuremonitorlogsConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-4')]" + }, + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('Recordedfuturev2ConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-5')]" + }, + "displayName": "[[variables('Recordedfuturev2ConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": 
{ + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", + "lastUpdateTime": "2024-09-20T00:00:00Z", + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "releaseNotes": [ + { + "notes": [ + "Initial version" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.0" + }, + { + "notes": [ + "Fixed ARM encoding" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.1" + }, + { + "notes": [ + "API connector renaming." + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.2" + }, + { + "notes": [ + "Encoding and latest_event_date fix." 
+ ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.3" + }, + { + "notes": [ + "More JSON encoding fixes, and add utm parameter to links" + ], + "title": "RecordedFuture-Alert-Importer", + "version": "1.4" + } + ], + "tags": [ + "Alert" + ], + "title": "RecordedFuture-Alert-Importer" + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-AlertImporter", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Microsoft Sentinel WorkspaceID, guid format (example:75a5bccc-7a5c-4e3f-ad57-36be224c4d2e). WorkspaceID can be found under Log Analytics Workspaces blade. 
" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Batch_messages": { + "type": "Batch", + "inputs": { + "configurations": { + "RFImportToSentinel": { + "releaseCriteria": { + "messageCount": 100, + "recurrence": { + "frequency": "Minute", + "interval": 2 + } + } + } + }, + "mode": "Inline" + } + } + }, + "actions": { + "Select": { + "type": "Select", + "inputs": { + "from": "@triggerBody()['items']", + "select": "@item()['content']" + } + }, + "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "indicators": "@body('Select')", + "sourcesystem": "Recorded Future" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "[[concat( '/V2/ThreatIntelligence/',parameters('WorkspaceID'),'/UploadIndicators/')]", + "retryPolicy": { + "count": 10, + "interval": "PT20S", + "maximumInterval": "PT1H", + "minimumInterval": "PT10S", + "type": "exponential" + } + } + } + } + 
}, + "parameters": { + "$connections": { + "value": { + "azuresentinel_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatIntelligenceImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", 
+ "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatIntelligenceImport", + "description": "This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.", + "prerequisites": [ + "Microsoft Sentinel Threat Intelligence active" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ThreatIntelligenceImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-ThreatIntelligenceImport", + "notes": [ + "Fixed Api connection" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-ThreatIntelligenceImport", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Domain-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + 
"Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - Domains - Command and Control Activity", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[domain-name:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + 
"queries": { + "path": "/public/MicrosoftAzure/domain_c2_dns.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { 
+ "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Domain-IndicatorImport", + "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Domain-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." 
+ ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Domain-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Hash-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": 
"[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + 
"@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),24)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/hash_observed_testing.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": 
"[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Hash-IndicatorImport", + "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the 
[documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Hash-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Hash-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-IP-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", 
+ "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "RecordedFutureThreatIntelligenceImport": "[[parameters('PlaybookNameBatching')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + 
"type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ThreatIntelligenceImport": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - IP - Actively Communicating C&C Server", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[ipv4-addr:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),1)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/ip_active_c2.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IP-IndicatorImport", + "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat 
Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "Refer to [Recorded Future Logic App - Threat Intelligence Import](../readme.md) documentation for deployment instructions." + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T17:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IP-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." 
+ ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IP-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-URL-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "RecordedFuture-ConnectorV2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": 
"[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - URL - Recently Reported by Insikt Group", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + 
"@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[url:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/url_insikt.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + 
"[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-URL-IndicatorImport", + "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + 
"postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-URL-IndicatorImport", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-URL-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Sandbox_Enrichment-Url", + "type": "string" + }, + "Sandbox API Key": { + "metadata": { + "description": "Enter value for Sandbox API Key. 
Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" + }, + "type": "string" + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "RecordedFuture-MicrosoftSentinelConnection", + "RecordedfutureSandboxConnectionName": "RecordedFuture-SandboxConnector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "location": "[[variables('workspace-location-inline')]", + "name": "[[parameters('PlaybookName')]", + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Define_sandbox_status": { + "inputs": { + "variables": [ + { + "name": "sandbox_status", + "type": "string" + } + ] + }, + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Entities_-_Get_URLs": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_the_full_report')?['html_report']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Get_the_full_report": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_the_full_report": { + "inputs": { + "headers": { + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "get", + "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" + }, + "runAfter": { + "Wait_for_sandbox_report": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Initialize_Sandbox_status": { + "inputs": { + "name": "sandbox_status", + "value": "@body('Submit_url_samples')?['status']" + }, + "runAfter": { + "Submit_url_samples": [ + "Succeeded" + ] + }, + "type": "SetVariable" + }, + "Submit_url_samples": { + "inputs": { + "body": { + "url": "@items('For_each')?['Url']" + }, + "headers": { + "Content-Type": "application/json", + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "post", + "path": "/samples/url" + }, + "type": "ApiConnection" + }, + "Wait_for_sandbox_report": { + "actions": { + "Delay": { + "inputs": { + "interval": { + "count": 2, + "unit": "Minute" + } + }, + "runAfter": { + "Set_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Wait" + }, + "Get_the_full_summary": { + "inputs": { + "headers": { + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "get", + "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" + }, + "type": "ApiConnection" + }, + "Set_sandbox_status": { + "inputs": { + "name": 
"sandbox_status", + "value": "@body('Get_the_full_summary')?['status']" + }, + "runAfter": { + "Get_the_full_summary": [ + "Succeeded" + ] + }, + "type": "SetVariable" + } + }, + "expression": "@equals(variables('sandbox_status'), 'reported')", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Sandbox_status": [ + "Succeeded" + ] + }, + "type": "Until" + } + }, + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "runAfter": { + "Define_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Sandbox API Key": { + "defaultValue": "[[parameters('Sandbox API Key')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + }, + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]" + }, + "recordedfuturesandbo": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureSandboxConnectionName'))]", + "connectionName": "recordedfuturesandbo", + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]" + } + } + } + }, + 
"provisioningState": "Succeeded", + "state": "Enabled" + }, + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "type": "Microsoft.Logic/workflows" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('RecordedfutureSandboxConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + }, + "displayName": "[[variables('RecordedfutureSandboxConnectionName')]" + }, + "type": "Microsoft.Web/connections" + }, + { + "apiVersion": "2016-06-01", + "kind": "V1", + "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + }, + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative" + }, + "type": "Microsoft.Web/connections" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "description": "This playbook will enrich url entities in an 
incident and send them to Recorded Future Sandbox. The result will be written as a incident comment.", + "entities": [ + "url" + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "postDeployment": [ + "After deployment you have to open the playbook to configure all connections and press save." + ], + "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "releaseNotes": [ + { + "notes": [ + "Initial version" + ], + "title": "RecordedFuture-Sandbox_Enrichment-Url", + "version": "1.0" + }, + { + "notes": [ + "API connection rename." + ], + "title": "API Connectors", + "version": "1.1" + } + ], + "tags": [ + "Enrichment" + ], + "title": "RecordedFuture-Sandbox_Enrichment-Url" + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Sandbox_Enrichment-Url", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName10')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-CustomConnector Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion10')]", + "parameters": { + "ConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "String", + "metadata": { + "description": "Recorded Future Custom Connector" + } + }, + "ServiceEndpoint": { + "defaultValue": "https://api.recordedfuture.com/gw/azure", + "type": "String", + "metadata": { + "description": "Recorded Future API" + } + } + }, + "variables": { + "operationId-IP_Enrichment": "IP_Enrichment", + "_operationId-IP_Enrichment": "[[variables('operationId-IP_Enrichment')]", + "operationId-Threat_Map_Actors": "Threat_Map_Actors", + "_operationId-Threat_Map_Actors": "[[variables('operationId-Threat_Map_Actors')]", + "operationId-Threat_Map_Malware": "Threat_Map_Malware", + "_operationId-Threat_Map_Malware": "[[variables('operationId-Threat_Map_Malware')]", + "operationId-Domain_Enrichment": "Domain_Enrichment", + "_operationId-Domain_Enrichment": "[[variables('operationId-Domain_Enrichment')]", + "operationId-Url_Enrichment": "Url_Enrichment", + "_operationId-Url_Enrichment": "[[variables('operationId-Url_Enrichment')]", + "operationId-Hash_Enrichment": "Hash_Enrichment", + "_operationId-Hash_Enrichment": "[[variables('operationId-Hash_Enrichment')]", + "operationId-Vuln_Enrichment": "Vuln_Enrichment", + "_operationId-Vuln_Enrichment": "[[variables('operationId-Vuln_Enrichment')]", + "operationId-Alert_Rules_Search": "Alert_Rules_Search", + "_operationId-Alert_Rules_Search": "[[variables('operationId-Alert_Rules_Search')]", + "operationId-Alert_Not_Search": "Alert_Not_Search", + "_operationId-Alert_Not_Search": "[[variables('operationId-Alert_Not_Search')]", + "operationId-Alert_Not_Lookup": "Alert_Not_Lookup", + "_operationId-Alert_Not_Lookup": "[[variables('operationId-Alert_Not_Lookup')]", + "operationId-Rislk_List_Download": "Rislk_List_Download", + "_operationId-Rislk_List_Download": 
"[[variables('operationId-Rislk_List_Download')]", + "operationId-Soar_Bulk_Lookup": "Soar_Bulk_Lookup", + "_operationId-Soar_Bulk_Lookup": "[[variables('operationId-Soar_Bulk_Lookup')]", + "operationId-STIX_Indicators": "STIX_Indicators", + "_operationId-STIX_Indicators": "[[variables('operationId-STIX_Indicators')]", + "operationId-STIX_MalwareIndicators": "STIX_MalwareIndicators", + "_operationId-STIX_MalwareIndicators": "[[variables('operationId-STIX_MalwareIndicators')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "playbookContentId10": "RecordedFuture-CustomConnector", + "playbookId10": "[[resourceId('Microsoft.Web/customApis', parameters('ConnectorName'))]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/customApis", + "apiVersion": "2016-06-01", + "name": "[[parameters('ConnectorName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "connectionParameters": { + "api_key": { + "type": "securestring" + } + }, + "backendService": { + "serviceUrl": "[[parameters('ServiceEndPoint')]" + }, + "capabilities": "[variables('TemplateEmptyArray')]", + "brandColor": "#FFFFFF", + "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files.", + "displayName": "[[parameters('ConnectorName')]", + "iconUri": "", + "swagger": { + "swagger": "2.0", + "info": { + "title": "Recorded Future V2", + "description": "Recorded Future Connector enables access to the Recorded Future Intelligence. 
The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files", + "contact": { + "name": "Recorded Future Support", + "url": "https://support.recordedfuture.com", + "email": "support@recordedfuture.com" + }, + "version": "1.0" + }, + "host": "api.recordedfuture.com", + "basePath": "/gw/azure", + "schemes": [ + "https" + ], + "paths": { + "/lookup/ip/{ip}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": 
"string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "IP Enrichment", + "description": "IP Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-IP_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "ip", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The IP address to lookup. Must be a single IP address", + "x-ms-summary": "IP input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
+ } + ] + } + }, + "/threat/map/actors": { + "post": { + "tags": [ + "Threat Hunt" + ], + "summary": "Fetch Threat Map actors", + "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", + "operationId": "[[variables('_operationId-Threat_Map_Actors')]", + "x-ms-visibility": "important", + "consumes": [ + "application/json" + ], + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "x-ms-visibility": "important", + "schema": { + "type": "object", + "x-ms-visibility": "important", + "properties": { + "actors": { + "description": "List of actors", + "type": "array", + "items": { + "type": "string", + "description": "Description actor1", + "title": "Title actor1", + "x-ms-visibility": "important" + } + }, + "categories": { + "description": "List of categories", + "type": "array", + "items": { + "type": "string", + "description": "Description category1", + "title": "Title category1", + "x-ms-visibility": "important" + } + }, + "watchlists": { + "description": "List of watchlists", + "type": "array", + "items": { + "type": "string", + "description": "Description watchlist1", + "title": "Title watchlist1", + "x-ms-visibility": "important" + } + } + }, + "required": [ + "actors", + "categories", + "watchlists" + ] + } + } + ], + "responses": { + "200": { + "description": "Returns Threat Map", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatMapActors" + } + } + } + } + } + } + }, + "/threat/map/malware": { + "post": { + "tags": [ + "Threat Hunt" + ], + "summary": "Fetch Threat Map malware", + "description": "Fetch Threat Map data for the enterprise's primary organization with filters.", + "operationId": "[[variables('_operationId-Threat_Map_Malware')]", + "x-ms-visibility": "important", + "consumes": [ + "application/json" + ], + "parameters": [ + { + "name": "body", + "in": "body", + "required": true, + "x-ms-visibility": "important", + "schema": { + "type": 
"object", + "x-ms-visibility": "important", + "properties": { + "malware": { + "description": "List of malware", + "type": "array", + "items": { + "type": "string", + "description": "Description malware1", + "title": "Title malware1", + "x-ms-visibility": "important" + } + }, + "categories": { + "description": "List of categories", + "type": "array", + "items": { + "type": "string", + "description": "Description category1", + "title": "Title category1", + "x-ms-visibility": "important" + } + }, + "watchlists": { + "description": "List of watchlists", + "type": "array", + "items": { + "type": "string", + "description": "Description watchlist1", + "title": "Title watchlist1", + "x-ms-visibility": "important" + } + } + }, + "required": [ + "malware", + "categories", + "watchlists" + ] + } + } + ], + "responses": { + "200": { + "description": "Returns Threat Map", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatMapMalware" + } + } + } + } + } + } + }, + "/lookup/domain/{domain}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" 
+ }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "advanced" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "Domain Enrichment", + "description": "Domain Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-Domain_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "domain", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The domain to lookup. 
Must be a single domain", + "x-ms-summary": "Domain input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/lookup/url/{url}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": 
"rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "URL Enrichment", + "description": "URL Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-Url_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "url", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The URL to lookup. Must be a single URL", + "x-ms-summary": "URL input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
+ } + ] + } + }, + "/lookup/hash/{hash}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Indicator Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Indicator Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Indicator Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + "type": "integer", + 
"format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "Hash Enrichment", + "description": "Hash Enrichment with Recorded Future data", + "operationId": "[[variables('_operationId-Hash_Enrichment')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "hash", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The HASH to lookup. Must be a single HASH", + "x-ms-summary": "HASH input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
+ } + ] + } + }, + "/lookup/vulnerability/{id}": { + "get": { + "tags": [ + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "intelCard": { + "type": "string", + "description": "Recorded Future Intelligence Card Link", + "title": "intelCard", + "x-ms-visibility": "important" + }, + "risk": { + "type": "object", + "properties": { + "criticalityLabel": { + "type": "string", + "description": "Recorded Future Vulnerability Criticality Level", + "title": "criticalityLabel", + "x-ms-visibility": "important" + }, + "score": { + "type": "integer", + "format": "int32", + "description": "Recorded Future Vulnerability Risk Score", + "title": "score", + "x-ms-visibility": "important" + }, + "evidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "mitigationString": { + "type": "string", + "description": "Mitigating string", + "x-ms-visibility": "internal" + }, + "timestamp": { + "type": "string", + "description": "Timestamp", + "x-ms-visibility": "internal" + }, + "criticalityLabel": { + "type": "string", + "description": "Criticality label", + "x-ms-visibility": "internal" + }, + "evidenceString": { + "type": "string", + "description": "Recorded Future Risk Rules Evidence Details", + "title": "evidenceString", + "x-ms-visibility": "advanced" + }, + "rule": { + "type": "string", + "description": "Recorded Future Vulnerability Risk Rules", + "title": "rule", + "x-ms-visibility": "important" + }, + "criticality": { + "type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + } + } + }, + "description": "Evidence details" + }, + "riskString": { + "type": "string", + "description": "Risk string", + "x-ms-visibility": "internal" + }, + "rules": { + "type": "integer", + "format": "int32", + "description": "Rules", + "x-ms-visibility": "internal" + }, + "criticality": { + 
"type": "integer", + "format": "int32", + "description": "Criticality", + "x-ms-visibility": "internal" + }, + "riskSummary": { + "type": "string", + "description": "Recorded Future Risk Rules Summary", + "title": "riskSummary", + "x-ms-visibility": "advanced" + } + }, + "description": "Risk" + }, + "links": { + "$ref": "#/definitions/Links" + } + }, + "description": "Data" + } + } + } + } + }, + "summary": "Vulnerability Enrichment", + "description": "Vulnerability Enrichment with Recorded Future data", + "parameters": [ + { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "description": "The Vulnerability ID (CVE, name) to lookup. Must be a single Vulnerability ID (CVE, name)", + "x-ms-summary": "Vulnerability ID (CVE, name) input", + "x-ms-url-encoding": "single" + }, + { + "name": "fields", + "in": "query", + "required": true, + "type": "string", + "default": "intelCard,risk,links", + "x-ms-visibility": "internal" + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." 
+ } + ], + "operationId": "[[variables('_operationId-Vuln_Enrichment')]", + "x-ms-visibility": "advanced" + } + }, + "/alert/rules": { + "get": { + "tags": [ + "Alerts" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "title": { + "type": "string", + "description": "Title", + "title": "Alert Rule Title", + "x-ms-visibility": "advanced" + }, + "id": { + "type": "string", + "description": "Id", + "title": "Alert Rule ID", + "x-ms-visibility": "important" + } + } + }, + "description": "Results" + } + }, + "description": "Data" + }, + "counts": { + "type": "object", + "properties": { + "returned": { + "type": "integer", + "format": "int32", + "description": "Returned", + "title": "Returned Number of Alert Rules", + "x-ms-visibility": "advanced" + }, + "total": { + "type": "integer", + "format": "int32", + "description": "Total", + "title": "Total Number of Alert Rules", + "x-ms-visibility": "advanced" + } + }, + "description": "Counts" + } + } + } + } + }, + "summary": "Search Alert Rules", + "description": "Search Recorded Future UI Alert Rules", + "operationId": "[[variables('_operationId-Alert_Rules_Search')]", + "x-ms-visibility": "advanced", + "parameters": [ + { + "name": "freetext", + "in": "query", + "required": false, + "type": "string", + "description": "Freetext search for Alert Rule Name", + "x-ms-visibility": "advanced", + "x-ms-summary": "Freetext search" + }, + { + "name": "limit", + "in": "query", + "required": false, + "type": "integer", + "default": 10, + "x-ms-visibility": "advanced", + "description": "Maximum number of records", + "x-ms-summary": "Maximum number of records" + } + ] + } + }, + "/alert/search": { + "get": { + "tags": [ + "Alerts" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "$ref": 
"#/definitions/AlertSearch" + } + } + }, + "summary": "Search Alert Notifications", + "operationId": "[[variables('_operationId-Alert_Not_Search')]", + "x-ms-visibility": "advanced", + "parameters": [ + { + "name": "triggered", + "in": "query", + "required": false, + "type": "string", + "description": "All Elasticsearch compatible date formats are valid.", + "x-ms-summary": "Triggered", + "x-ms-visibility": "advanced" + }, + { + "name": "alertRule", + "in": "query", + "required": true, + "type": "string", + "description": "Alert Rule ID", + "x-ms-visibility": "important", + "x-ms-summary": "Alert Rule ID" + }, + { + "name": "limit", + "in": "query", + "required": false, + "type": "integer", + "default": 10, + "x-ms-visibility": "advanced", + "description": "Maximum number of records", + "x-ms-summary": "Maximum number of records" + }, + { + "name": "from", + "in": "query", + "required": false, + "type": "integer", + "description": "Records from offset", + "x-ms-visibility": "advanced", + "x-ms-summary": "Records from offset" + } + ], + "description": "Search Alert Notifications" + } + }, + "/alert/{id}": { + "get": { + "tags": [ + "Alerts" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "$ref": "#/definitions/AlertLookup" + } + } + }, + "summary": "Lookup Alert Notification", + "description": "Lookup Alert Notification", + "operationId": "[[variables('_operationId-Alert_Not_Lookup')]", + "parameters": [ + { + "name": "id", + "in": "path", + "required": true, + "type": "string", + "description": "Alert Notification ID", + "x-ms-visibility": "important", + "x-ms-summary": "Alert Notification ID", + "x-ms-url-encoding": "single" + } + ], + "x-ms-visibility": "advanced" + } + }, + "/fusion/files": { + "get": { + "tags": [ + "Fusion Files" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "Name": { + "type": "string" + }, + "Risk": { + "type": 
"integer" + }, + "RiskString": { + "type": "string" + }, + "EvidenceDetails": { + "type": "object", + "properties": { + "EvidenceDetails": { + "type": "array", + "items": { + "type": "object", + "properties": { + "Rule": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "CriticalityLabel": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + }, + "MitigationString": { + "type": "string" + }, + "Criticality": { + "type": "integer" + } + } + } + } + } + } + } + } + } + } + }, + "summary": "Recorded Future RiskLists and SCF Download", + "description": "Recorded Future RiskList & Security Control Feeds Download", + "operationId": "[[variables('_operationId-Rislk_List_Download')]", + "x-ms-visibility": "important", + "parameters": [ + { + "name": "path", + "in": "query", + "required": true, + "type": "string", + "x-ms-visibility": "important", + "enum": [ + "/public/MicrosoftAzure/ip_default.json", + "/public/MicrosoftAzure/ip_gt_90.json", + "/public/MicrosoftAzure/ip_active_c2.json", + "/public/MicrosoftAzure/ip_current_c2.json", + "/public/MicrosoftAzure/ip_botnet.json", + "/public/MicrosoftAzure/ip_insikt.json", + "/public/MicrosoftAzure/ip_phishing.json", + "/public/MicrosoftAzure/domain_default.json", + "/public/MicrosoftAzure/domain_gt_90.json", + "/public/MicrosoftAzure/domain_c2_dns.json", + "/public/MicrosoftAzure/domain_ransomware_payment.json", + "/public/MicrosoftAzure/domain_recent_weaponized.json", + "/public/MicrosoftAzure/domain_insikt.json", + "/public/MicrosoftAzure/domain_covid_lure.json", + "/public/MicrosoftAzure/domain_phishing.json", + "/public/MicrosoftAzure/url_gt_90.json", + "/public/MicrosoftAzure/url_c2.json", + "/public/MicrosoftAzure/url_ransomware_distribution.json", + "/public/MicrosoftAzure/url_compromised.json", + "/public/MicrosoftAzure/url_insikt.json", + "/public/MicrosoftAzure/url_malware_verdict.json", + "/public/MicrosoftAzure/hash_targeting_vulns.json", + 
"/public/MicrosoftAzure/hash_observed_testing.json", + "/public/MicrosoftAzure/hash_malware_ssl.json", + "/public/MicrosoftAzure/vuln_default.json", + "/public/MicrosoftAzure/vuln_gt_90.json", + "/public/MicrosoftAzure/vuln_recent_active_malware.json", + "/public/MicrosoftAzure/vuln_recent_exploit_kit.json", + "/public/MicrosoftAzure/vuln_recent_ransomware.json", + "/public/MicrosoftAzure/vuln_recent_rat.json", + "/public/MicrosoftAzure/vuln_recent_poc_remote.json", + "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json", + "/public/MicrosoftAzure/vuln_exploited_itw_malware.json", + "/public/MicrosoftAzure/vuln_critical_cyber_signal.json", + "/public/prevent/c2_communicating_ips.json", + "/public/prevent/weaponized_domains.json", + "/public/prevent/weaponized_urls.json", + "/public/ukraine/ukraine_russia_ip.csv", + "/public/ukraine/ukraine_russia_domain.csv", + "/public/ukraine/ukraine_russia_hash.csv", + "/public/ukraine/ukraine_russia_url.csv" + ], + "x-ms-editor-options": { + "items": [ + { + "title": "IP - Default RiskList", + "value": "/public/MicrosoftAzure/ip_default.json" + }, + { + "title": "IP - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/ip_gt_90.json" + }, + { + "title": "IP - Actively Communicating C&C Server", + "value": "/public/MicrosoftAzure/ip_active_c2.json" + }, + { + "title": "IP - Current C&C Server", + "value": "/public/MicrosoftAzure/ip_current_c2.json" + }, + { + "title": "IP - Recent Botnet Traffic", + "value": "/public/MicrosoftAzure/ip_botnet.json" + }, + { + "title": "IP - Recently Reported by Insikt Group", + "value": "/public/MicrosoftAzure/ip_insikt.json" + }, + { + "title": "IP - Phishing Host", + "value": "/public/MicrosoftAzure/ip_phishing.json" + }, + { + "title": "IP - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_ip.csv" + }, + { + "title": "DOMAIN - Default RiskList", + "value": "/public/MicrosoftAzure/domain_default.json" + }, + { + "title": "DOMAIN - 90+ (Very Malicious) 
RiskList", + "value": "/public/MicrosoftAzure/domain_gt_90.json" + }, + { + "title": "DOMAIN - C&C DNS Name", + "value": "/public/MicrosoftAzure/domain_c2_dns.json" + }, + { + "title": "DOMAIN - Ransomware Payment DNS Name", + "value": "/public/MicrosoftAzure/domain_ransomware_payment.json" + }, + { + "title": "DOMAIN - Recently Active Weaponized Domain", + "value": "/public/MicrosoftAzure/domain_recent_weaponized.json" + }, + { + "title": "DOMAIN - Recently Reported by Insikt Group", + "value": "/public/MicrosoftAzure/domain_insikt.json" + }, + { + "title": "DOMAIN - Recent COVID-19-Related Domain Lure: Malicious", + "value": "/public/MicrosoftAzure/domain_covid_lure.json" + }, + { + "title": "DOMAIN - Recent Phishing Lure: Malicious", + "value": "/public/MicrosoftAzure/domain_phishing.json" + }, + { + "title": "DOMAIN - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_domain.csv" + }, + { + "title": "URL - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/url_gt_90.json" + }, + { + "title": "URL - C&C URL", + "value": "/public/MicrosoftAzure/url_c2.json" + }, + { + "title": "URL - Ransomware Distribution URL", + "value": "/public/MicrosoftAzure/url_ransomware_distribution.json" + }, + { + "title": "URL - Compromised URL", + "value": "/public/MicrosoftAzure/url_compromised.json" + }, + { + "title": "URL - Recently Reported by Insikt Group", + "value": "/public/MicrosoftAzure/url_insikt.json" + }, + { + "title": "URL - Positive Malware Verdict", + "value": "/public/MicrosoftAzure/url_malware_verdict.json" + }, + { + "title": "URL - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_url.csv" + }, + { + "title": "HASH - Recently Active Targeting Vulnerabilities in the Wild", + "value": "/public/MicrosoftAzure/hash_targeting_vulns.json" + }, + { + "title": "HASH - Observed in Underground Virus Testing Sites ", + "value": "/public/MicrosoftAzure/hash_observed_testing.json" + }, + { + "title": "HASH - Malware SSL 
Certificate Fingerprint", + "value": "/public/MicrosoftAzure/hash_malware_ssl.json" + }, + { + "title": "HASH - Ukraine Russia Conflict", + "value": "/public/ukraine/ukraine_russia_hash.csv" + }, + { + "title": "(SCF) Security Control Feed: Command and Control IPs", + "value": "/public/prevent/c2_communicating_ips.json" + }, + { + "title": "(SCF) Security Control Feed: Weaponized Domains", + "value": "/public/prevent/weaponized_domains.json" + }, + { + "title": "(SCF) Security Control Feed: Weaponized URLs", + "value": "/public/prevent/weaponized_urls.json" + }, + { + "title": "VULNERABILITY - Default RiskList", + "value": "/public/MicrosoftAzure/vuln_default.json" + }, + { + "title": "VULNERABILITY - 90+ (Very Malicious) RiskList", + "value": "/public/MicrosoftAzure/vuln_gt_90.json" + }, + { + "title": "VULNERABILITY - Exploited in the Wild by Recently Active Malware", + "value": "/public/MicrosoftAzure/vuln_recent_active_malware.json" + }, + { + "title": "VULNERABILITY - Recently Linked to Exploit Kit", + "value": "/public/MicrosoftAzure/vuln_recent_exploit_kit.json" + }, + { + "title": "VULNERABILITY - Recently Linked to Ransomware", + "value": "/public/MicrosoftAzure/vuln_recent_ransomware.json" + }, + { + "title": "VULNERABILITY - Recently Linked to Remote Access Trojan", + "value": "/public/MicrosoftAzure/vuln_recent_rat.json" + }, + { + "title": "VULNERABILITY - Recent Verified Proof of Concept Available Using Remote Execution", + "value": "/public/MicrosoftAzure/vuln_recent_poc_remote.json" + }, + { + "title": "VULNERABILITY - Recently Observed Exploit/Tool Development in the Wild", + "value": "/public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json" + }, + { + "title": "VULNERABILITY - Exploited in the Wild by Malware", + "value": "/public/MicrosoftAzure/vuln_exploited_itw_malware.json" + }, + { + "title": "VULNERABILITY - Cyber Exploit Signal: Critical", + "value": "/public/MicrosoftAzure/vuln_critical_cyber_signal.json" + } + ] + }, + "description": 
"Path to file", + "x-ms-summary": "Path to file" + } + ] + } + }, + "/soar/lookup": { + "post": { + "tags": [ + "SOAR", + "Lookup" + ], + "responses": { + "200": { + "description": "Default", + "schema": { + "type": "object", + "properties": { + "counts": { + "type": "object", + "properties": { + "returned": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + }, + "data": { + "type": "object", + "properties": { + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "risk": { + "type": "object", + "properties": { + "context": { + "type": "object" + }, + "level": { + "type": "number" + }, + "rule": { + "type": "object" + }, + "score": { + "type": "number" + } + } + } + } + } + } + } + } + } + } + } + }, + "summary": "SOAR API - Look up multiple entities", + "description": "SOAR API - Look up multiple entities (Specific Access is Required)", + "operationId": "[[variables('_operationId-Soar_Bulk_Lookup')]", + "x-ms-visibility": "important", + "consumes": [ + "application/json" + ], + "parameters": [ + { + "name": "body", + "in": "body", + "required": false, + "schema": { + "type": "object", + "properties": { + "ip": { + "type": "array", + "items": { + "type": "string", + "description": "An IP or array of IPs: array[string]", + "title": "IP", + "x-ms-visibility": "important" + }, + "description": "Ip" + }, + "url": { + "type": "array", + "items": { + "type": "string", + "description": "An URL or array of URLs: array[string]", + "title": "URL", + "x-ms-visibility": "important" + }, + "description": "Url" + }, + "domain": { + "type": "array", + "items": { + "type": "string", + "description": "A domain or array of domains: array[string]", + "title": "Domain", + "x-ms-visibility": "important" + }, + "description": "Domain" + }, + "hash": { + "type": "array", + 
"items": { + "type": "string", + "description": "A hash or array of hashes: array[string]", + "title": "HASH", + "x-ms-visibility": "advanced" + }, + "description": "Hash" + }, + "vulnerability": { + "type": "array", + "items": { + "type": "string", + "description": "A vulnerability ID or an array of vulnerability IDs: array[string]", + "title": "Vulnerability", + "x-ms-visibility": "advanced" + }, + "description": "Vulnerability" + } + } + } + }, + { + "name": "IntelligenceCloudTracking", + "in": "query", + "required": false, + "type": "boolean", + "default": true, + "description": "Consent", + "x-ms-summary": "See trends and track incidents over time using the Recorded Future Intelligence Cloud. This feature stores alerts generated from correlations in the Intelligence Cloud for additional intelligence to provide new analytical insights." + } + ] + } + }, + "/threat/indicators/actors": { + "post": { + "tags": [ + "Threat Hunt", + "STIX" + ], + "summary": "Fetch Threat Indicators for Actors in STIX format.", + "parameters": [ + { + "name": "body", + "in": "body", + "schema": { + "type": "object", + "properties": { + "actors": { + "type": "array", + "items": { + "type": "string", + "example": "QCwdoU" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + } + }, + "watchlists": { + "type": "array", + "items": { + "type": "string" + } + }, + "trigger_score_ip": { + "type": "integer", + "example": 85 + }, + "trigger_score_url": { + "type": "integer", + "example": 85 + }, + "trigger_score_domain": { + "type": "integer", + "example": 85 + }, + "trigger_score_hash": { + "type": "integer", + "example": 85 + }, + "valid_until_delta_hours": { + "type": "integer", + "example": 1 + }, + "threat_hunt_description": { + "type": "string", + "example": "Lazarus Group high risk" + } + }, + "x-ms-visibility": "important" + }, + "required": true, + "x-ms-visibility": "important" + } + ], + "responses": { + "200": { + "description": "List of Threat Indicator 
in STIX format.", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatHuntActors" + } + } + } + } + }, + "operationId": "[[variables('_operationId-STIX_Indicators')]", + "description": "Fetch Threat Indicators for Actors in STIX format.", + "x-ms-visibility": "important" + } + }, + "/threat/indicators/malware": { + "post": { + "tags": [ + "Threat Hunt", + "STIX" + ], + "summary": "Fetch Threat Indicators for Malware in STIX format.", + "parameters": [ + { + "name": "body", + "in": "body", + "schema": { + "type": "object", + "properties": { + "malware": { + "type": "array", + "items": { + "type": "string", + "example": "LnK3Q6" + } + }, + "categories": { + "type": "array", + "items": { + "type": "string" + } + }, + "watchlists": { + "type": "array", + "items": { + "type": "string" + } + }, + "trigger_score_ip": { + "type": "integer", + "example": 85 + }, + "trigger_score_url": { + "type": "integer", + "example": 85 + }, + "trigger_score_domain": { + "type": "integer", + "example": 85 + }, + "trigger_score_hash": { + "type": "integer", + "example": 85 + }, + "valid_until_delta_hours": { + "type": "integer", + "example": 1 + }, + "threat_hunt_description": { + "type": "string", + "example": "Cobalt Strike Beacon high risk" + } + }, + "x-ms-visibility": "important" + }, + "required": true, + "x-ms-visibility": "important" + } + ], + "responses": { + "200": { + "description": "List of Threat Indicator in STIX format.", + "schema": { + "type": "object", + "properties": { + "data": { + "$ref": "#/definitions/ThreatHuntMalware" + } + } + } + } + }, + "operationId": "[[variables('_operationId-STIX_MalwareIndicators')]", + "description": "Fetch Threat Indicators for Malware in STIX format.", + "x-ms-visibility": "important" + } + } + }, + "x-ms-connector-metadata": [ + { + "propertyName": "Website", + "propertyValue": "https://www.recordedfuture.com" + }, + { + "propertyName": "Privacy Policy", + "propertyValue": 
"https://www.recordedfuture.com/privacy-policy/" + }, + { + "propertyName": "Categories", + "propertyValue": "AI;Data" + } + ], + "definitions": { + "Links": { + "type": "object", + "title": "links", + "description": "High Confidence Evidence Based Links", + "x-ms-visibility": "important", + "properties": { + "technical": { + "type": "object", + "title": "technical", + "description": "Technical links generated through network traffic analysis, malware analysis, infrastructure analysis and more", + "x-ms-visibility": "important", + "properties": { + "start_date": { + "type": "string", + "title": "startDate", + "description": "Link start date", + "x-ms-visibility": "important" + }, + "stop_date": { + "type": "string", + "title": "stopDate", + "description": "Link stop date", + "x-ms-visibility": "important" + }, + "entities": { + "type": "array", + "title": "entities", + "description": "Related entities", + "x-ms-visibility": "important", + "items": { + "$ref": "#/definitions/LinkEntities" + } + } + } + }, + "research": { + "type": "object", + "title": "research", + "description": "Research links discovered by Insikt Group", + "x-ms-visibility": "important", + "properties": { + "start_date": { + "type": "string", + "title": "startDate", + "description": "Link start date", + "x-ms-visibility": "important" + }, + "stop_date": { + "type": "string", + "title": "stopDate", + "description": "Link stop date", + "x-ms-visibility": "important" + }, + "entities": { + "type": "array", + "title": "entities", + "description": "Related entities", + "x-ms-visibility": "important", + "items": { + "$ref": "#/definitions/LinkEntities" + } + } + } + } + } + }, + "LinkEntities": { + "type": "object", + "properties": { + "type": { + "type": "string", + "title": "type", + "description": "Enitity type", + "x-ms-visibility": "important" + }, + "name": { + "type": "string", + "title": "name", + "description": "Entity name", + "x-ms-visibility": "important" + }, + "score": { + "type": 
"integer", + "title": "score", + "description": "Risk score", + "x-ms-visibility": "important" + }, + "category": { + "type": "string", + "title": "category", + "description": "Entity category", + "x-ms-visibility": "important" + } + } + }, + "AlertSearch": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "results": { + "type": "array", + "items": { + "type": "object", + "properties": { + "review": { + "$ref": "#/definitions/AlertReview" + }, + "url": { + "$ref": "#/definitions/AlertURL" + }, + "rule": { + "$ref": "#/definitions/AlertRule" + }, + "triggered": { + "$ref": "#/definitions/AlertTriggered" + }, + "id": { + "$ref": "#/definitions/AlertID" + }, + "title": { + "$ref": "#/definitions/AlertTitle" + }, + "type": { + "$ref": "#/definitions/AlertType" + } + } + } + } + } + }, + "counts": { + "type": "object", + "properties": { + "returned": { + "type": "integer" + }, + "total": { + "type": "integer" + } + } + } + } + }, + "ThreatMapActors": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "threat_map": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "alias": { + "type": "array", + "items": { + "type": "string" + } + }, + "categories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "intent": { + "type": "integer", + "format": "int32" + }, + "opportunity": { + "type": "integer", + "format": "int32" + }, + "log_entries": { + "type": "array", + "items": { + "type": "object", + "properties": { + "watchlist": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "severity": { + "type": 
"integer", + "format": "int32" + }, + "axis": { + "type": "string" + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + } + } + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + }, + "ThreatHuntActors": { + "type": "array", + "items": { + "type": "object", + "properties": { + "confidence": { + "type": "integer", + "example": 89 + }, + "description": { + "type": "string", + "example": "Recorded Future - Threat Hunt - Threat Actor - DOMAIN - Lazarus Group (QCwdoU) - [Lazarus Group high risk]" + }, + "id": { + "type": "string", + "example": "indicator--321991ed-aca0-4e25-85a0-c1615c95074f" + }, + "indicator_types": { + "type": "array", + "items": { + "type": "string", + "example": "malicious-activity" + } + }, + "labels": { + "type": "array", + "items": { + "type": "string", + "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/QCwdoU\"}" + } + }, + "name": { + "type": "string", + "example": "akamaicontainer.com" + }, + "pattern": { + "type": "string", + "example": "[[[domain-name:value = 'akamaicontainer.com']" + }, + "pattern_type": { + "type": "string", + "example": "stix" + }, + "spec_version": { + "type": "string", + "example": "2.1" + }, + "type": { + "type": "string", + "example": "indicator" + }, + "created": { + "type": "string", + "example": "2023-09-20T15:39:35.993568+02:00" + }, + "modified": { + "type": "string", + "example": "2023-09-20T15:39:35.993568+02:00" + }, + "valid_from": { + "type": "string", + "example": "2023-09-20T15:39:35.993568+02:00" + }, + "valid_until": { + "type": "string", + "example": "2023-09-20T16:39:35.993568+02:00" + }, + "external_references": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_name": { + "type": "string", + "example": "Recorded Future" + }, + "description": { + "type": "string", + "example": "Recorded Future Entity card for Threat Actor: Lazarus Group (QCwdoU)" + }, + "external_id": { + 
"type": "string", + "example": "QCwdoU" + }, + "url": { + "type": "string", + "example": "https://app.recordedfuture.com/live/sc/entity/QCwdoU" + } + } + } + } + }, + "required": [ + "confidence", + "description", + "id", + "indicator_types", + "labels", + "name", + "pattern", + "pattern_type", + "spec_version", + "type", + "created", + "modified", + "valid_from", + "valid_until", + "external_references" + ] + } + }, + "ThreatMapMalware": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "threat_map": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "alias": { + "type": "array", + "items": { + "type": "string" + } + }, + "categories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "intent": { + "type": "integer", + "format": "int32" + }, + "opportunity": { + "type": "integer", + "format": "int32" + }, + "log_entries": { + "type": "array", + "items": { + "type": "object", + "properties": { + "watchlist": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "severity": { + "type": "integer", + "format": "int32" + }, + "axis": { + "type": "string" + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + } + } + }, + "date": { + "type": "string", + "format": "date-time" + } + } + } + } + }, + "ThreatHuntMalware": { + "type": "array", + "items": { + "type": "object", + "properties": { + "confidence": { + "type": "integer", + "example": 89 + }, + "description": { + "type": "string", + "example": "Recorded Future - Threat Hunt - Threat Malware - DOMAIN - Cobalt Strike Beacon Malware (LnK3Q6) - [Cobalt Strike Beacon 
high risk]" + }, + "id": { + "type": "string", + "example": "indicator--321991ed-aca0-4e25-85a0-c1615c75074f" + }, + "indicator_types": { + "type": "array", + "items": { + "type": "string", + "example": "malicious-activity" + } + }, + "labels": { + "type": "array", + "items": { + "type": "string", + "example": "{ \"RecordedFuturePortalLink\": \"https://app.recordedfuture.com/live/sc/entity/LnK3Q6\"}" + } + }, + "name": { + "type": "string", + "example": "masterunis.net" + }, + "pattern": { + "type": "string", + "example": "[[[domain-name:value = 'masterunis.net']" + }, + "pattern_type": { + "type": "string", + "example": "stix" + }, + "spec_version": { + "type": "string", + "example": "2.1" + }, + "type": { + "type": "string", + "example": "indicator" + }, + "created": { + "type": "string", + "example": "2023-09-20T15:39:35.993568+02:00" + }, + "modified": { + "type": "string", + "example": "2023-09-20T15:39:35.993568+02:00" + }, + "valid_from": { + "type": "string", + "example": "2023-09-20T15:39:35.993568+02:00" + }, + "valid_until": { + "type": "string", + "example": "2023-09-20T16:39:35.993568+02:00" + }, + "external_references": { + "type": "array", + "items": { + "type": "object", + "properties": { + "source_name": { + "type": "string", + "example": "Recorded Future" + }, + "description": { + "type": "string", + "example": "Recorded Future Entity card for Malware: Cobalt Strike Beacon (LnK3Q6)" + }, + "external_id": { + "type": "string", + "example": "LnK3Q6" + }, + "url": { + "type": "string", + "example": "https://app.recordedfuture.com/live/sc/entity/LnK3Q6" + } + } + } + } + }, + "required": [ + "confidence", + "description", + "id", + "indicator_types", + "labels", + "name", + "pattern", + "pattern_type", + "spec_version", + "type", + "created", + "modified", + "valid_from", + "valid_until", + "external_references" + ] + } + }, + "AlertLookup": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "review": { + 
"$ref": "#/definitions/AlertReview" + }, + "entities": { + "$ref": "#/definitions/AlertEntities" + }, + "url": { + "$ref": "#/definitions/AlertURL" + }, + "rule": { + "$ref": "#/definitions/AlertRule" + }, + "triggered": { + "$ref": "#/definitions/AlertTriggered" + }, + "id": { + "$ref": "#/definitions/AlertID" + }, + "counts": { + "type": "object", + "properties": { + "references": { + "type": "integer" + }, + "entities": { + "type": "integer" + }, + "documents": { + "type": "integer" + } + } + }, + "title": { + "$ref": "#/definitions/AlertTitle" + }, + "type": { + "$ref": "#/definitions/AlertType" + } + } + } + } + }, + "AlertReview": { + "type": "object", + "properties": { + "assignee": { + "type": "string" + }, + "status": { + "type": "string" + }, + "noteDate": { + "type": "string" + }, + "noteAuthor": { + "type": "string" + }, + "note": { + "type": "string" + } + } + }, + "AlertEntities": { + "type": "array", + "items": { + "type": "object", + "properties": { + "trend": { + "type": "object", + "additionalProperties": true + }, + "documents": { + "type": "array", + "items": { + "type": "object", + "properties": { + "references": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fragment": { + "type": "string" + }, + "entities": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + }, + "language": { + "type": "string" + } + } + } + }, + "source": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } + }, + "title": { + "type": "string" + }, + "url": { + "type": "string" + } + } + } + }, + "risk": { + "type": "object", + "additionalProperties": true + }, + "entity": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + } 
+ } + } + } + }, + "AlertURL": { + "type": "string" + }, + "AlertRule": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "url": { + "type": "string" + } + } + }, + "AlertTriggered": { + "type": "string" + }, + "AlertID": { + "type": "string" + }, + "AlertTitle": { + "type": "string" + }, + "AlertType": { + "type": "string" + } + }, + "securityDefinitions": { + "API Key": { + "type": "apiKey", + "in": "header", + "name": "X-RFToken" + } + }, + "security": [ + { + "API Key": "[variables('TemplateEmptyArray')]" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[[concat(variables('workspace-name'),'/Microsoft.SecurityInsights/',concat('LogicAppsCustomConnector-', last(split(variables('playbookId10'),'/'))))]", + "properties": { + "parentId": "[[variables('playbookId10')]", + "contentId": "[variables('_playbookContentId10')]", + "kind": "LogicAppsCustomConnector", + "version": "[variables('playbookVersion10')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "LogicAppsCustomConnector", + "displayName": "RecordedFuture-CustomConnector", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": 
"[variables('playbookVersion10')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName11')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion11')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-ThreatMap-Importer", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. 
Normaly this dont change from RecordedFuture-CustomConnector" + } + } + }, + "variables": { + "RecordedFutureCustomConnectorConnectionName": "Recordedfuture-CustomConnector", + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Map_actors": { + "type": "ApiConnection", + "inputs": { + "headers": { + "Content-Type": "application/json" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/map/actors" + } + }, + "Parse_JSON": { + "inputs": { + "content": "@body('Fetch_Threat_Map_actors')", + "schema": { + 
"properties": { + "data": { + "properties": { + "date": { + "type": "string" + }, + "threat_map": { + "items": { + "properties": { + "alias": { + "items": { + "type": "string" + }, + "type": "array" + }, + "categories": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "intent": { + "type": "integer" + }, + "log_entries": { + "items": { + "properties": { + "axis": { + "type": "string" + }, + "date": { + "type": "string" + }, + "entity": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "severity": { + "type": "integer" + }, + "watchlist": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "axis", + "date", + "entity", + "severity" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "opportunity": { + "type": "integer" + } + }, + "required": [ + "alias", + "categories", + "id", + "intent", + "log_entries", + "name", + "opportunity" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "runAfter": { + "Fetch_Threat_Map_actors": [ + "Succeeded" + ] + }, + "type": "ParseJson" + }, + "Send_Data_-_Save_full_ThreatMap_response": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{body('Parse_JSON')?['data']?['threat_map']}", + "headers": { + "Log-Type": "RecordedFutureThreatMap" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFutureCustomConnector": { + "connectionId": 
"[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatMap-Importer", + "hidden-SentinelTemplateVersion": "1.2", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": 
"[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId11')]", + "contentId": "[variables('_playbookContentId11')]", + "kind": "Playbook", + "version": "[variables('playbookVersion11')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatMap-Importer", + "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", + "prerequisites": [ + "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", + "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all 
connections and press save." + ], + "lastUpdateTime": "2024-03-08T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ThreatMap-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + }, + { + "version": "1.2", + "title": "Default Recurrence", + "notes": [ + "Changed Default Recurrence to 24." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId11')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-ThreatMap-Importer", + "contentProductId": "[variables('_playbookcontentProductId11')]", + "id": "[variables('_playbookcontentProductId11')]", + "version": "[variables('playbookVersion11')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName12')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion12')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-MalwareThreatMap-Importer", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of 
the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + } + }, + "variables": { + "RecordedFutureCustomConnectorConnectionName": "RecordedFuture-CustomConnector", + "AzureloganalyticsdatacollectorConnectionName": "RecordedFuture-Azureloganalyticsdatacollector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Map_malware": { + "type": "ApiConnection", + "inputs": { + "body": { + "categories": [ + null + ], + "malware": [ + null + ], + "watchlists": [ + null + ] + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFutureCustomConnector']['connectionId']" + } + }, + "method": "post", + "path": 
"/threat/map/malware" + } + }, + "Parse_JSON": { + "runAfter": { + "Fetch_Threat_Map_malware": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Fetch_Threat_Map_malware')", + "schema": { + "properties": { + "data": { + "properties": { + "date": { + "type": "string" + }, + "threat_map": { + "items": { + "properties": { + "alias": { + "items": { + "type": "string" + }, + "type": "array" + }, + "categories": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + }, + "id": { + "type": "string" + }, + "log_entries": { + "items": { + "properties": { + "axis": { + "type": "string" + }, + "date": { + "type": "string" + }, + "entity": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "severity": { + "type": "integer" + }, + "watchlist": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "axis", + "date", + "entity", + "severity" + ], + "type": "object" + }, + "type": "array" + }, + "name": { + "type": "string" + }, + "opportunity": { + "type": "integer" + }, + "prevalence": { + "type": "integer" + } + }, + "required": [ + "alias", + "categories", + "id", + "prevalence", + "log_entries", + "name", + "opportunity" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_Data_-_Save_full_ThreatMap_Malware_Response": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{body('Parse_JSON')?['data']?['threat_map']}", + "headers": { + "Log-Type": "RecordedFutureThreatMapMalware" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + 
"path": "/api/logs" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFutureCustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "connectionName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + }, + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + }, + "zoneRedundancy": "Enabled" + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatMapMalware-Importer", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureCustomConnectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedFutureCustomConnectorConnectionName')]", + 
"api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId12')]", + "contentId": "[variables('_playbookContentId12')]", + "kind": "Playbook", + "version": "[variables('playbookVersion12')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatMapMalware-Importer", + "description": "This playbook will import Threat Map data from Recorded Future and store it in a custom log.", + "prerequisites": [ + "Prior to deployment of this playbook, RecordedFuture-ThreatMap-Importer playbook need to be deployed.", + "The custom connector RecordedFuture-CustomConnector have to be deployed under the same subscription.", + "To use the Recorded Future for Azure connector, you will need a valid API token 
from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-MalwareThreatMap-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId12')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-MalwareThreatMap-Importer", + "contentProductId": "[variables('_playbookcontentProductId12')]", + "id": "[variables('_playbookcontentProductId12')]", + "version": "[variables('playbookVersion12')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName13')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion13')]", + "parameters": { + "PlaybookName": { + "defaultValue": "ActorThreatHunt-IndicatorImport", + "type": "string" + }, + "CustomConnectorName": { + 
"defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String", + "metadata": { + "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" + } + } + }, + "variables": { + "RecordedFuture-CustomConnectorConnectionName": "Recordedfuture-CustomConnector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Indicators_for_Actors_in_STIX_format": { + "type": "ApiConnection", + "inputs": { + "body": { + "trigger_score_domain": 65, + "trigger_score_hash": 65, + "trigger_score_ip": 65, + "trigger_score_url": 65, + "valid_until_delta_hours": 24 + }, + "host": { + "connection": { + "name": 
"@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/indicators/actors" + } + }, + "For_each": { + "foreach": "@body('Fetch_Threat_Indicators_for_Actors_in_STIX_format')", + "actions": { + "RecordedFuture-ThreatIntelligenceImport": { + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": "@items('For_each')", + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Fetch_Threat_Indicators_for_Actors_in_STIX_format": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFuture-CustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", + "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId13')]", + "contentId": "[variables('_playbookContentId13')]", + "kind": "Playbook", + "version": "[variables('playbookVersion13')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ActorThreatHunt-IndicatorImport", + "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "1. Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", + "2. 
RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:02:00Z", + "tags": [ + "Threat Hunting" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ActorThreatMap-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId13')]", + "contentKind": "Playbook", + "displayName": "ActorThreatHunt-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId13')]", + "id": "[variables('_playbookcontentProductId13')]", + "version": "[variables('playbookVersion13')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName14')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion14')]", + "parameters": { + 
"PlaybookName": { + "defaultValue": "MalwareThreatHunt-IndicatorImport", + "type": "string" + }, + "CustomConnectorName": { + "defaultValue": "RecordedFuture-CustomConnector", + "type": "string", + "metadata": { + "description": "Name of the logic app connector which performs Recorded Future Communication. Normaly this dont change from RecordedFuture-CustomConnector" + } + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String", + "metadata": { + "description": "Only change this if you have renamed the batch playbook RecordedFuture-ThreatIntelligenceImport" + } + } + }, + "variables": { + "Recordedfuture-CustomconnectorConnectionName": "Recordedfuture-CustomConnector", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "Fetch_Threat_Indicators_for_Malware_in_STIX_format": { + "type": "ApiConnection", + "inputs": { + "body": { + "trigger_score_domain": 65, + "trigger_score_hash": 65, + "trigger_score_ip": 65, + "trigger_score_url": 65, 
+ "valid_until_delta_hours": 24 + }, + "host": { + "connection": { + "name": "@parameters('$connections')['RecordedFuture-CustomConnector']['connectionId']" + } + }, + "method": "post", + "path": "/threat/indicators/malware" + } + }, + "For_each": { + "foreach": "@body('Fetch_Threat_Indicators_for_Malware_in_STIX_format')", + "actions": { + "RecordedFuture-ThreatIntelligenceImport": { + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": "@items('For_each')", + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Fetch_Threat_Indicators_for_Malware_in_STIX_format": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "RecordedFuture-CustomConnector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFuture-CustomConnectorConnectionName'))]", + "connectionName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('CustomConnectorName'))]" + } + } + } + }, + "zoneRedundancy": "Enabled" + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('Recordedfuture-CustomconnectorConnectionName'))]" + ] + }, + 
{ + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Recordedfuture-CustomconnectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId14')]", + "contentId": "[variables('_playbookContentId14')]", + "kind": "Playbook", + "version": "[variables('playbookVersion14')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "criteria": [ + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + } + ] + } + } + } + ], + "metadata": { + "title": "RecordedFuture-MalwareThreatHunt-IndicatorImport", + "description": "This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator log analytics table via the RecordedFuture-ThreatIntelligenceImport playbook.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the [documentation](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials)", + "1. 
Prior to deployment of this playbook, **RecordedFuture-ThreatIntelligenceImport playbook** need to be deployed.", + "2. RecordedFuture-CustomConnector needs to be installed. Refer to [Recorded Future Logic App Custom Connector](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/Playbooks/Connectors/RecordedFuture-CustomConnector/readme.md) documentation for instructions." + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2024-01-12T00:02:00Z", + "tags": [ + "Threat Hunting" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-MalwareThreatHunt-Importer", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "API Connectors", + "notes": [ + "API connection rename." + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "MalwareThreatHunt-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": "[variables('playbookVersion14')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook 
Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in 
({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFuturePlaybookAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded 
Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Playbook Alerts Overview; templateRelativePath=RecordedFuturePlaybookAlertOverview.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "RecordedFuturePlaybookAlerts_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureAlertOverview Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId2')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." + }, + "properties": { + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. 
First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, 
\\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureAlertOverviewWorkbook; 
logoFileName=RecordedFuture.svg; description=Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Alerts Overview; templateRelativePath=RecordedFutureAlertOverview.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "RecordedFuturePortalAlerts_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId3')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook3-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### 
How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk 
lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 
1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract 
Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == 
\\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureDomainCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Domain Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Domain Correlation; templateRelativePath=RecordedFutureDomainCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId3')]", + "contentId": "[variables('_workbookContentId3')]", + "kind": "Workbook", + "version": "[variables('workbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId3')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook3-name')]", + "contentProductId": "[variables('_workbookcontentProductId3')]", + "id": "[variables('_workbookcontentProductId3')]", + "version": "[variables('workbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureHashCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId4')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook4-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. 
In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk 
lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], 
Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == \\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureHashCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Hash Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Hash Correlation; templateRelativePath=RecordedFutureHashCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId4')]", + "contentId": "[variables('_workbookContentId4')]", + "kind": "Workbook", + "version": "[variables('workbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId4')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook4-name')]", + "contentProductId": "[variables('_workbookcontentProductId4')]", + "id": "[variables('_workbookcontentProductId4')]", + "version": "[variables('workbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureIPCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId5')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook5-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. 
In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk 
lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| 
where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) 
desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId5'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureIPCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future IP Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - IP Correlation; templateRelativePath=RecordedFutureIPCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId5')]", + "contentId": "[variables('_workbookContentId5')]", + "kind": "Workbook", + "version": "[variables('workbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId5')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook5-name')]", + "contentProductId": "[variables('_workbookcontentProductId5')]", + "id": "[variables('_workbookcontentProductId5')]", + "version": "[variables('workbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureURLCorrelation Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId6')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook6-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. 
In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend 
IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend 
Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == 
\\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId6'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureURLCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future URL Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - URL Correlation; templateRelativePath=RecordedFutureURLCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId6')]", + "contentId": "[variables('_workbookContentId6')]", + "kind": "Workbook", + "version": "[variables('workbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId6')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook6-name')]", + "contentProductId": "[variables('_workbookcontentProductId6')]", + "id": "[variables('_workbookcontentProductId6')]", + "version": "[variables('workbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId7')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Threat Actor Hunting Workbook. This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook7-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand 
parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data 
found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == 
\\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. 
Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId7'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureThreatActorHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Threat Actor Hunting Workbook. 
This workbook will visualize Recorded Future threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Threat Actor Hunting; templateRelativePath=RecordedFutureThreatActorHunting.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId7')]", + "contentId": "[variables('_workbookContentId7')]", + "kind": "Workbook", + "version": "[variables('workbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId7')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook7-name')]", + "contentProductId": "[variables('_workbookcontentProductId7')]", + "id": "[variables('_workbookcontentProductId7')]", + "version": "[variables('workbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId8')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Malware Threat Hunting Workbook. This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook8-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand 
parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s 
has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware 
Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for 
Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. 
\\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId8'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureMalwareThreatHuntingWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Malware Threat Hunting Workbook. 
This workbook will visualize Recorded Future malware threat map and hunting indicators ingested in to Microsoft Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Malware Threat Hunting; templateRelativePath=RecordedFutureMalwareThreatHunting.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId8')]", + "contentId": "[variables('_workbookContentId8')]", + "kind": "Workbook", + "version": "[variables('workbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId8')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook8-name')]", + "contentProductId": "[variables('_workbookcontentProductId8')]", + "id": "[variables('_workbookcontentProductId8')]", + "version": "[variables('workbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.2.9", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Recorded Future", + "publisherDisplayName": "Recorded 
Future Support Team", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Underlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n\n

Workbooks: 8, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-IOC_Enrichment')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Playbook-Alert-Importer')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Alert-Importer')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ThreatIntelligenceImport')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Domain-IndicatorImport')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Hash-IndicatorImport')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-IP-IndicatorImport')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-URL-IndicatorImport')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-Sandbox_Enrichment-Url')]", + "version": 
"[variables('playbookVersion9')]" + }, + { + "kind": "LogicAppsCustomConnector", + "contentId": "[variables('_RecordedFuture-CustomConnector')]", + "version": "[variables('playbookVersion10')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ThreatMap-Importer')]", + "version": "[variables('playbookVersion11')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ThreatMapMalware-Importer')]", + "version": "[variables('playbookVersion12')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-ActorThreatHunt-IndicatorImport')]", + "version": "[variables('playbookVersion13')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_RecordedFuture-MalwareThreatHunt-IndicatorImport')]", + "version": "[variables('playbookVersion14')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId2')]", + "version": "[variables('workbookVersion2')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId3')]", + "version": "[variables('workbookVersion3')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId4')]", + "version": "[variables('workbookVersion4')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId5')]", + "version": "[variables('workbookVersion5')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId6')]", + "version": "[variables('workbookVersion6')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId7')]", + "version": "[variables('workbookVersion7')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId8')]", + "version": "[variables('workbookVersion8')]" + } + ] + }, + "firstPublishDate": "2021-11-01", + "lastPublishDate": "2023-09-19", + "providers": [ + "Recorded Future" + ], + 
"categories": { + "domains": [ + "Security - Threat Intelligence" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +}
diff --git a/Solutions/Recorded Future/ReleaseNotes.md b/Solutions/Recorded Future/ReleaseNotes.md
index 688949e5a90..7cf7ffc9bdc 100644
--- a/Solutions/Recorded Future/ReleaseNotes.md
+++ b/Solutions/Recorded Future/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.2.9 | 23-09-2024 | Updated RecordedFuture-Alert-Importer **Playbook** improved text encoding and added utm links |
 | 3.2.8 | 23-08-2024 | Updated RecordedFuture-Alert-Importer **Playbook** added text encoding and latest_event_date bugfix |
 | 3.2.7 | 01-08-2024 | Updated **Analytic rules** for entity mappings |
 | 3.2.6 | 03-08-2024 | Added incident creation to RecordedFuture-Alert-Importer **Playbook**.
Update concurrency in RecordedFuture-IOC_Enrichment **Playbook** |
From 027b471adf61387be0f8a6162b98bd80c8971404 Mon Sep 17 00:00:00 2001
From: ErikMangstenRecFut
Date: Tue, 24 Sep 2024 09:21:56 +0200
Subject: [PATCH 08/12] chore: bump version
---
 .../azuredeploy.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json
index 1b412c5b853..c6c6607f3ab 100644
--- a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json
+++ b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json
@@ -9,7 +9,7 @@
 "entities": [
 "url"
 ],
- "lastUpdateTime": "2024-01-12T00:00:00.000Z",
+ "lastUpdateTime": "2024-09-24T00:00:00.000Z",
 "postDeployment": [
 "After deployment you have to open the playbook to configure all connections and press save."
 ],
@@ -29,6 +29,13 @@
 ],
 "title": "API Connectors",
 "version": "1.1"
+ },
+ {
+ "notes": [
+ "API connector rename."
+ ],
+ "title": "API Connectors",
+ "version": "1.2"
 }
 ],
 "support": {
From a72f8227ffec92d285a23030cee443b81cd29395 Mon Sep 17 00:00:00 2001
From: ErikMangstenRecFut
Date: Tue, 24 Sep 2024 09:25:35 +0200
Subject: [PATCH 09/12] chore: tool running
---
 Solutions/Recorded Future/Package/3.2.9.zip | Bin 43821 -> 43837 bytes
 .../Recorded Future/Package/mainTemplate.json | 9 ++++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Solutions/Recorded Future/Package/3.2.9.zip b/Solutions/Recorded Future/Package/3.2.9.zip index 980fa8915ab04487d5a901c9938de7e6c3a8fd44..e86a2c943e3890fc7b6e07f09f8c6536c1301830 100644 GIT binary patch delta 27466 zcmXVXV|1WR6J?BvZA@(2wrx*r`-wHN&6(J?HL-2m=Dy$V{;6AatNTx%?&|JSRaHx1 zT}xmHO0wV(=pY~9)ACc^=tDNs zXoV!A|Ch==oM(9^5{Y&z7J{G8dI3ic;j{dSSichkc5&w-tHCJJUfQXeY zKUv^po2}1?bS6(?3E@%M^e^9e&}6G)T8(u6JI4aifs=8XAO(n{!6)TVY0=P&)`r1q zTygm7EZDUGy%OutQ^wtYBf}X(sEj$d)8dVO=b|t_5$N`sfx_PoN4ACXg4%pqrlT{w z#45Hrf#UbSM&k7A<5qhuhh4)BFQ}BzFHQq2B zgAOvl{on4_n-SAPF7C~yZNHu6h%&w1G{@{;lT)JblVI7=wM+>~M4o=Nwy3qs{&m#p z;VtjMw#m=)lG~roMEYj=kw^yq5Liq%xn^8E~E2w;>p3OT(+1%1T;dZj4`4Uj(NMbwmGZsAefU`I%J_?>qZ zA&i|g9px48ryI+(KOS)U{-7Yv%1BrrxW919t}2Y{E#`1C%t9i|`9~N`t0L~6d##p$ z)=L%!nIpup2t(`hBFC!)y+5=J3w15h3WmL1eqRP?*jLx6x%;av;l&_TbueBtI^cBx zF-XuIlri8fvnw?VgznFHG4ox+^l#Jt`@0VyUlz{;m%CTc@i)PKjqf*YZQHedaaXrn z!9LB~4*o0Owf=3uc`p8i|Cghqm$#p%mtVv7%GZPa^ZjGTCdJG97~?xQRfQA6SR44^ zrv5eHINd8)P5C~pepoQux?#h1F)RSQ^k_89o&;MHBDvG96X8nkj0}g{EGXRM4Zpb5 zE_=Q>w)(8wUHR228tGi4`uh2RtZhPELWy$<1TZ3c;1UTX;Sn)-FlK$up9gzDFAjWN z&A*QfeC}`ZKIX6L@%sC=c3M?E;(C-cJu9}fc#MR9ULAX+HNO(V|8p8Q;Ozk3^aQti z)<0_9y*#~2*mai&DzXN$;y4$-(&B;}Iv9z1w9a_%En57w7wPQuzaP+CFGoB+-S)ef z`MO!Qfe%Z2Y(pr)H~>CQ5HT!k_@>0=W1RO@>%KWUCc&rv+w<*obN?ysS#j&1`s2m? 
z$k|jJW7BLx-Ph6B2KM8H{3hVF(cPo9e(HASz)&gQ0|@2u;fH+gb7rgvLe~OMLWQ53 z63f?lNZ037m-~Hv_UAiJE#LmnZ^28~2D!K;Pr~;%J1=ur_?K5r3V{ALr@eqKWtz|D zw1>qp^wAUfSrO<--R^DN`PypDddz)CL-6=HqhuBM{Y$&Imy4-&9w4{{5BPd{u)e6A zBdMR;%D+GSttQIIYI%AU{%-I#V}l;?7`V5&|NUllxuJRIs}|QMmr%>EXp$ZQ?W})FGNu z^k{YvO54x_Y`20Lww~N2o+%~syt^)kr(^7%OFWuhOEs@L)URXQ+?^LsJDp<7=`EHw z1iu{Teb;!Q_g~dkD;{imnzI~Y8ylJ`XjRYg^{a?H&(kImCRzR2aswDD%&%Jyt(w+` z6g#eXbW`1c^Gb&kNi0cDJke=YM)mWC=liSjrd1!{`+j0YU}g#6DVj=hyFKv7*8k+X z=AgTt$2w2)cssQ&YUp|u-SlDGB1&J3ndDsl+zhX_VCTq=sVJ(t_bKvNUFZLHa$fpu zS}uEtQ-F#K_7HtM{;IZH%3W%)!J^b9@?Rl}xi>s^yR7z6x~w9o0?LuH6-%!59>;HH z-mL&cL14{^!Sz$W%G+7}ow>X@wug<--_wQ&Nzg!$-CnXuvFR$+{CjP!ZSB(+d?PEX z0j}Ze$n@`=r6suE_nDKcuc@Z`=IZQuR@bH9%vD9yaqN*Ze7X7LUh+KaW%0GPVF)ZQ<;GSw>*!vk>gZQ23UXvFhVPzQo!^J+ z?~hrt;VHf;To)cay4MhTbfjfH>0CE2zdaPa?bkOy9i?@2t8d~x=z>2MJHM&DejGKp zJRDR5+;+bHN}kYfq^H~`Psh!#=oS27db8TgPm{Z%T2LeWS@7&U%)8M~V|BZX>w4quRdusz zIe>8nSgGbmL;^0ZbM4vAOFDwzfk3Ca?&qV{hUK;=fenY?!`=BqtmBc#!-C7)&o^6l zhCXC}uWw_!d7tO`PS@v=-@G;~jeF+gZJLw^EDmg!wjVeI za&!dSIdzXY1#39)C(Et2q-%8C9(AT|2y3*Fu3LCV1Sk7mcTQdQH`OPZm$uazmlz-S ze{WtU*yvl2*yL4j=Y8;Pb*~F-f3&*vZ2PuuK9&bdd^##!Uu?wb9P@^U8!j=PW$8cu zac{XTtKYQLtH=Wu7d!rof9GNP6}H!Yt6XO%lkdTKv0q1@DXh-n=fj^v1}?77WeyJf zOC2p9oSaQ|4cb-Pm)iszU1io7$0sN!U;8zeis3d!m5A0HCke9(Zr8g{BPR!+8BK?F z1P*7Kii%k}mm?(zEj}}gv2k%8TU=FN^EG)y4oj6&e>MDET)tm`U!NB%+%}Ij61oG?w)^E&-3zVJWA{y&y>yH5PU*1k^;_Vb_k4KaJ2m-Ow3D-|ZQ1@@~>zoF4y72K5r zL%){F9tNdM)Kx1rzMVhi-r&$q0lHvF3hJ&l^K75>5Vpn_z!C<`OAsX%DT(gGl$MHR z?#!g6L##&-*A#V#8m(TGj;*cXl1jS=tvz3tX_M)p7zIj4pytB9(skJ$u@48TYxvLU zKOfW|BtRbq{?Vbx{%CEW%1HMm+*J}7{t=uP|N1*_sne;b^WW6aFtkGvZGZ1a+&uE=Y3Tk8eo4Dol~ikAX44YuXBw)c z;8Lbn0ELLx!Ys<0N_eU)PHSvi$dq$dsh}CtOmD9`{5!*PEz>stjw@LhC8;$<80A3Q zVe39e$va^|#5Bk2m_7SXqfugJR2*DOOIz`!2xsg}=Y6tj1SX8za>VC{Fva|y?MaBm z%<8k_*Q&kK8~61F2ee<<(X{+h?kLYta8Y^%fcYcsI{oKXr!=(42Kl}|O)E4!rvs+X z8Z0ck*ip-zAVF8SQbfvaMTtG+W~-CTa6**q+k_uDU$@1PX*ZnkXO7IO{71|%G`Be$ zBReCyiJBaVV)<^QuRpTYT5qkdbRDYc%oDs!IzIPE{`DX4*<|0y6{WRJEK2a|KAtuZ 
zz=c6BywwVa8pSlCXu#kuJ7G$Sp6%DsC1WzDs5rR0Dppjvm4ai|<+e;UO$q68@C0-D z9$3PJCkw-C;#-tuO50rwenWJw>ka>OqM?sHhv!tmHBNgOGu{!>_jJOP9(ys*m#~q; zUYIRpwI%HrU5=<9mv1CVJGVb;tHl~Aa5<*j;ejtdwS3RN=<3zcZMt4uUB7i2^~gU` zTihk+89K!=+xXh(N}vX1g@Rl-7_5)!#MSo0_gE>=qHhdl?FZUGQGRT=6yboncY73S zYwo3x((gDI(9<0`#5+=J5+zLUYMekHFq%T!NSG&ZbC?07O66$JA53)+8|YDg0l@(G z(j&CH5MdTU5NJ_W)~^H4N4$4_*aVeZr3a^9`G~aE*oyKYrtsSE7kZxXf;-yWxU;cQ zmif`?QTS&DEj1A2x#gnb+r{M96vJ=k$YcYU{qiIQ5PGJjj0JBUKya1m+u<97iG5{;Gvu$#n`R4(;D zmv|w?(IUz%n0Y=~vDSH%pWvOGYONoaj#c}i6bbT?uEW?SljSn z!u#t;!(pQRw<@R@#L*JWd$y*Vs$Jr}I`1i;0npS=+JsMTJH$v^f69AWG($T{H}pN`{IAphjJUww-@Y!KT8$fRE}XOw{~v!<>x{Dy^F5k><(a`!ste^t%TkKRc!D0(Zow%8uoUB|W=5Yf{L#Ugr#Edc zBOgt-&z)c?)*W`W5M(LNl4OZhV`ME}Kkl2tTF&{$d$?jB8_t9V$tdI70#HAbn09^^ ztL}HadQ%c)u z0o&p=Y{m(ws6z7eKS5DZkq;B&112mq;sd(RfG1j@?>jXg1op=$HPRUAD(**TV%5(H zN@MJeAt`Jq(uNRYGV5d}_`nU+u)fCxCV1F^cqVu`9MrI%#@MJ~fff4wOiX{Ju_b;k z%3z0u7%R#C=gyt@zwXtz5aS!E;e@ka{Yg7|V?aKQ+0Zx#r7Ay&q|=0m=_skn{s|S+5o;rxBe^di zrjG)F=r6M&5h5N>LL2nUH!iJp4;v!p$F&?KpCirs@(}V4Kmqfk0uF%V4$BFrf9c;r z%-@G5jS1skSefUpJU+*Vuz9#~9{Hn2vj!Uf)Rlyv!A&R=!eADtMpZ5IIA4v0jUUqy z9j>ru*4q%@UXdb8014y?>S+_!DTeliCP~a^bnbx+JTCLpT)09?Z@rB7QkDwbz?r?9 zE~W}+4qVp&Nt@?n;J@E75woH|*Dax~S93{}-rF?bS{*;QCmMV=3FsBGCtbWgeP<&* z>9n7@zGs6c*#q(1T^618cc~*?(;|mW%3gLoOR&v4tb7_5+&om532j&zU(}G-pvooz zNZ_{^%S2YK%5mK67PTpR783a2%u~4Yi^**B0?sTkfps7N_z36eNNifU%{*QrTe-3y z8&pxCi8yO#@DW&d(%{NWBHWlqv+9ABOupS6*Wc28^bdXlYv8xlYJ(oqwC(hXumK^J zQQ$c?)w6b$iP32*q$;wHx7N(BO5@D2z_Rw-Sp>}bYJTh>=F{|(Vr5NV$yIf=o$if_ z;)1HEDI-mw(=T~Ghu%b7^nR5b&$E?lS-s5oKu{s$q>zoj`CruEbrjhz)Xi8D`xpYB zo9JQe;CSaxJb{j77dL@m8gsOO3jVw}s?O;lZb)&SOxDQhRC@|bL0TyS|Kc5IMJi0}r6g%jaL-jl{IGg$E zHJ|v^h`23O4u%FdERPljNJRdS2D?$#igT>i^Jf2o31gNRNavOFES|fPC!`lp^{S!R zfgJ@{mk-k(T%F4!ysY{!-Zh9H(UB$fPFt^DGpsOQ>It#3+)Y|@k*@78325G*f`6^i zJh}&v?jT^6f5=*$ZYBh`CfSa=*s5|bxJ@3Ghxp{dma|^3)%Lq31Bn`-1{*<=6x6juM@31AlYnna0~5*LZEv(hA-A z_YE98{?j0$2WIJOA_{q$El!i3k>Mj-vpUm_w;kVwswils8lcOKF<9S(wIMBqlvG-l 
zmgrjI3-K47FZ+VePA&`HAO?h@s5P!d4!vg<3+!-uT&v<$e$T|$!WpY6tV3+0s{ne; zGMvs6B#jW5tYz8*EGF#*IF8j<(L3#$0gg`~w)0S7yk!Qx{ZUFkw5EjEl~u3ZBw5?h zFk!UE*K^M{&f?jt5Xx*R8#UDmH=W#$4VKpkSN_UX+Lw;ju2$P9XyDqKGT)Qal!5RH z9YU}w*E&K~(O2tzI$5rTEqAj@DL?1+iyTrLz&TYsQL?sf7`7a zru?9Sk&7<;8-0bZ)I#{>u#VGKT@d76<-YkI`TJH^LrU54jrI@mjC3i!H8YSbi>?N} zc6gGxyQ;8C`1X8{&xyPHN@Ei~u!apaB;JQK3HP@W;+b)_I+O9@*nnNK6n;t`<6S9O z-!69eva(A#)uDGwgIhf?IgH=g5NmsGg@vQUonvOqqTeNcg|F!1(?-!s*dmCLB)p`m zZ1OaFt>f6iwq&;VA=gWRz7r6GE3W_Dyg8Oq^yDqkQY$g+aqnVBth6dikb8fUIp?L4 zIXbPm#r+f!$DUSFcRM+djq8JAOOQg^(d$Lo_A^IyzWUQmrA_Rdj4$F6)asri@k(o= zJM#UwB<5&!Ays+>WQp^*Nix@@_8;PW zRJ3wTIw&4KG6axQr5t8}fW>$P6&&;9NQ2UCfz+VkL+By%nd+RGXOss0wqcS#Bew=K#%$ol3Nr}Yp*a?PHqYAFLZrf{G8n#S6A$E*=ht7FR3`;Vln_(i&}NL zeb1xqlVD^NRKPN7)j7B2jiz zMU2M8^?miTnt7;(8a-hD$=f=jmx0>npnZ~(V^X|HcsKCE#%VFjXL@ZUPW1T z?ccuN^#Lx2SvcR^d2IM)T!n$Fc8Sw1eBsBs0Ub${_Wr0OG13R(Z7!XDL3i>ZGV#ai zjuvPl5G5dr2!jw!R}Adz<80B^(gJQS8k2 zAU+V$i$Jv4z2w6srR#p1^_%2r$CUAaiQp$p20=*~I9u%X4${%2{(+&4G-61(rhHnr zqf`|F#K{1?dJ#d=d^>{Q#ipk#xJjl%C8oR5)T5=HTs}&{X&$uUJ&Y&k$3EeVqGi_9 zlK>oKH!|E|2<5*?xaX?xWz8P5Om;Fz+>xal^Na_aZapMfcASmDY{)bT#2U`K=tfYH z;k`4EnmNivXoH!9PV~LCg6`T$edmASk{|Xm1uv5_rQ#qE8EUK${n|%=@dG15PoTx* zKHb+q@ls|GUP1-xtcA$dA)I9Mwmj2?VEtlj4J;NapK6os^VmHcaDAMgOwgT`iU3;F z@VmY+K~K5fV;@CZNd;Bl`6}XyWRawj9^{{3Uc-1I{#&pyXQT9=W-hS1Agide1ON z?Lj$>LuZ;B=aJ^*^a)~5Zm z?6R95)zH$Jqflo8o7nKrCUli0<>#*g4j8&$x1kqepMU$cB++{+9|9@M^WR_pJ!{KR zl6-Sxz|~SqnC5B5`YOiBV^l?K$<_Mcd~5WUhz~Ku9#aL`3wfPG zW43uA48#KWn>I5OR<6n+D3pw4yy5cgQKa8L>A$`v^!qJ26M!o8jOSRh%n0?dVw?5iSa_i9t%&58Ne# z%(0_l&-uk&S@7x?D-3X!cDG;ia!pdX$Vmx(1F@0cX)Ms)UI5|`MN9gWc}IJ zJH=^rSAHL^-_`ZuNe{{V**=ou#+qQCgB}+wR}`@`)x@$#w>Eiwxjg}}xhj}EWF%aF z9rchzjIk!xA$ZaC-P$YB0)1UP)mlf<{c+5Gm^)57b|BYLjS|vZ7;?X})Q_%ePIZ?} ztC<_t`7!Q3aR9SXU{9nQ3IbWaqJtWyU;Gnf^$hsEppUue?!&&R(z@i_qbhfgK||gi zH0yAsXe+N#*ARpX&;W zRL%qen|{vZH7j)57=L6;q|(FMU+);18F0pgHb-;hS$SAIc;K4(!A>*n99HNFxj!3QOxcGd4z|( zt6Hr_2>XMB639iyIvrz}F4sA*A-PotnV!55SOMs^8?uG|*U=`*!a&SF-IKBv{29?; 
zWsq97kQC2)VwWnvBiy>==$#*ZHZz3c1~t-&U1Hsazatvu{MbT>1k*!RhrRF=lV~k0 z1~SLvL#zwB+O3Ezm=&ywAybhF!(NFl2KQ#U72Hqkal=iAdpK@u#NsP>dvBey&tWF5 zZh`a)f;BBzJzD1S;%chsS-31S8}X^9$OsO%rGM1bLaRS|ocT_`k^P z9K0yR92Y!6gonrXfER*%IJX&8TwSQSRaLq#Hr=%wtW!BS1ORRoS&K1OQ^RXZ-VQ+; zAs9^sm3-lmU>*2Zn=v;R=;!6aFA@$o`~dMdS>uGfq&CZ9ti8Yp!<+0YW=67uGS&^t zc1S>h194vq)r=?sqEjGYu~UuahW*gXpF^>hp!oh=DMR(Wni%WUxiY2IiABgufsWB1uySo z%;Y7fO;d}F&Fe3s6ZQ`=4w=lWLGn0jg4;!%_s)3;iFXTC&I2i8J7u$u~t`Xh-*rN1i$+a;*Y;LP{ zFKW+{2MKwFvU{$YX~rYLVPoM#<=;8Pj@Jj;c=`qOWYdIEm!B@L8y{bEJ*xlQFI)9! z1&G3ywRa3sLem6I-b|!!NJkf`vm}*Fs>zOM-V@R*%qSw;`Ym)k$wCM9q=AW)K|K_> z)bt9fyg@x?K~(yI+k|x5VM%M05lNG3RImRgJ^n|iv||Oep>nMyQi9XC)zK1kLP+OkQN%+-Tk*aX4X{dy+ zQ4fh4q#hlQ8pK}kp9lr2#6)T#4%3h;iMv9KCQEQ|U^Hr*Jb!O{hTz2>|LEWIQ@-L3 zu5DfCTIE*g-baD$S0RI;m3!n3s6`fBkF?v4v9$cN{R0@1XXmE=XOI=(|Fgyvr z?B2b-RJnVLSh{<#&AdWUl%OZIY0}Z|AMoYGUnWyS5e=N0Z4}>kM*gl*XVu$MUuL(b z&sl8Qz&cVh@KSt~*g&sLS}5sJ)hD4I+2M z9BXn-Rg)KGjkg921|b8dmyZN|_6?PCPa}2xuZ`c3`r!&r?{-gQ_$9jtB7`!~P@{fk zw%*DWPN~Vzpja}FQT@1;6mkO*7=Yn|w?npUe?Pw=K)67)KT zsCI=E{@`*~`a+04(IIAnKB)6!&YH&R9%}n9bMU103#Ad*Jq>NbDD)z^_JiU4)y^q6 zFTg%}*)0;ir_f$u_ET~?1lokY(3b*lP$cQe*KUsaeX zE2e^s$6@btdfs)0Z9THEdH9#sk11ptkqAC)OBI|Dm#&LK$jM2?++l6LED16D0%CK@-6&mzHUo_UT<>=x7GwaXpMq8IeW2NQv$EbPOkViogC>L zNOtHUP8Y{))L*^_cDi|!Nby^03_F?^)w>S0;>1%(`R?b=Q~r)=t!Xd`B$Ue13d71$ zK2^=y!G~XMjXqxV<=ScUm<`Y{R#6q7d5>Ssu%WUC26~;XJn5@eR2O)s8U#;2SGGp0 z7qS6r1Uvfd>^;(hxb@^kvI^)&L}syvcHtS%{pf=%SMaWLx+HF(4Aa;&`u)=Q@Kkj& zXM`N6rN6RBNusFcg4hI*9WqKq^%No}a61B!ci;&2y~qkrTsd@|i@ zb9wDL=N53orNxxB*U|O;nK^svvm6Sks;RE3HbyVg~ml>v(0c2Lf}7xZs8O4CC(3<+%{Nv3*=ichA=i``RH@JoD#X>hUO~59S{V?5(caQf{JU41e0s1hE*N z?ZS6mM1Qvpu8SHa49kG09$@^6+yenZg0Jv!=)%p6_k}+R*?-s8TWr}X(s+vzY1$V; zkM-mQ@58y1PG?LJAFEy5+F)8Xeel;wTE{@wxszck8J zR){QKVpvaha(P&~@UW|f7YDR!qMK)>t4jYaEF`Par0NcdRHTs*;hswrCnNqSTj3u% zKaYZ?v=ApiOtIJMxSQc@_k%2DgrD(9X{4;RK!PG2zp?XD=MGl>I6|YEbi_c2?wq@< zSgNWPLayt#qJuJ@VF&a=)4QqfW%0#!5?<~B1j^Ep`IIh;Dys_;VhSXKn$ez}*H^iY 
zbxgay{&MXsI!sr%3V{}&tt-7gG7;M&s&HZ{4x$b9XnWppJ>g<)r7!Z`>g?AS%NT+x{Gd%b9|K!dhuf7*MzufjI#ohHx*F52y>YI2iTFUjZ@0u)}%=GF!6$PfoWlU z{>UwA?o3{W<%Xo}^$j}mqXGGqy408T%-IqP`M@x{mSI6Z-qL)KL-dDJmcd|Ur}%36 z$cu{dXF5=-I-U~CDMAy@3@J(G6$>lIL0^a$rPtk^zI8YUTg{j4o;?usN+^TcsAJxU z>0pMSDS9XAal0fE9Zb9>$3cCXmdGo>II z;x!#i+vYt3pwk(xAOdParvf0eD0Ug%u>U%(e}_^3)|Cb=G~tN{DTfi7VdA0=;zQy3 zu-O7KOEDl%j*p?3(Q-vjQ+dD-kpqzxN(oHV<#qXweza!|qo=)56uHzHHMY`>fKId; zj0}Rja8)BWrflMp^*tND@}Ouoc*}zHJtD}@S2@EG5^1&L1ogmjX(Gn6w@pAyR1POF z_rsa&9WXhHMe~@2GZ3&SZ_?BRe%F}4!xI5L$e(;AkY*Ats^wdMBxwm*GErj*ka59q ztpf9h=+neAw6O<0gA=ksCFCJxFwPNrzsO(BC6-!I1MGc2jMru`^@J((nX&XmDV|{{ zloH~ID!%@D7qRu~r(NHpm5q%jx_e%o6J(8E78WNJ}(6LW|g>SQuumgG9h5v-@eBk_^0u|ndC zVWjR4XD%}_HOkIk($LBVeU2l$TwKd+7^XY4t}l)kN`Wk7`^2J`n)LFZn+RXOJfn=M z%lC-#|?g=C}~fg*k46udFJ(JeY0$CsSx&4=Z}Ot6L@wx}9=aG(xPE<-?2c zMfSft+}q3U-P-Pw{_UI5Dijew#AT_6E(TwwpJ%ggC=fY43*@Y*sP;GCM*!cy*`O?3 zaYPioq6Rx`hAGS^%3@kkU>`X7yjV!j1!ILns1RTMFC>dAosy~!wn4bw8b8$)Q}wz) z9JTX=Y8b`&6>40(_dUqa<;pdZ`%sDLtJaGPua{Qcvz=j_F5faHictX9h(F~?f>()| zq)bbXct9QGbd*rG(p?P_swOL1o%t=c(#1S`4q}8GBo``uJDL073K$awCnIRSgFX6q@0r0hJ@JXa0TE(Cd&J2)O zCRnMUD&2nlbwZM>0}`pm9PWmZ0bMTmTh@{(Sd3t^Wlvpl;trz}m8kT;PEM&g#_ z-1`oy^#6vFb`vGi2__y&)_*uQe5j2tt~m_f4G`_tNYxYB(i$ZAr*v}t3-QuB|L5i8 ziS7&Lo!!_;^1yZ4NunF9=|tc&^}rPg<0l;#3{WJLYG*%iA#feO;`+1IcRJ6{5zj|l zzO;XVX*sd*A%)iOF}-Of?$XiWO#SfM@%UMe=N{^5@m`MXaiSG9LsPgsO+OL9^6v4gX7K|eMGfn?OCZvGj4 ztXvnSA_tj*?LOs{{y>7i@6XuJgy)<4Iq&GWsAd#>v;+L)2%7l*C&t_hOt^PuKY>o- zW8#!OJ<(&VU1#hGrjK0lqYlU@{?Usd3j$xE?Pe@=zxb6~4{7zTKR3bBjhudoqzQW{ zS&ci&3~gYMSd?2GVuI7=PtuF;dXDQ}C7t5ohYA9J8Tp*whx(k)=fe(7BG!~OP%c2q zqQQ*Y{?L%oY4$riMgCv7=g9-`cQ&B87BbG=zM~aS2f#JXHE{ACg(Jw0Drr9m3=V0P znPT?(zBH~7*aKyL;b(}0MeX|m9x%4%tCiI>zSzftU&xoAf?qpgyvrKeE9P3Uc<5$Y z)g_q}RImqUr&4z{rwkGe;b6r`LyXqZWB4AIRlARp1Peu$dY|91%`yPS^z7pph$nfw zDy*h_3+mDXU~S{CpW-O(L2G(q5xPapWKzyCqY1rcL(Y67HEsl#lW_gYs?n$!nYl&V1*q~$| zsir`dUr;H+V*;yAagd;NxJ^{9cT$u!WSVlzLDM((aDiG$*Eja>x&%gpf}setif(o+ 
zN{n_IvMPGkKspEkKndpfo%fYk5x--;=O+JfFP4O{4NuZH37~G!_5GK;)+2Bb0 z>ji8p2D+)okv9=1pi?JS7n-W6v`t!eR5q#UGb=mK5QE5I2SeZy(^u%PrBkj{bgfoI zrb}i~u1K!9D42u65(@|I#8KhI(&&QS2`c9DdENOE`S0(4y9Q;4ibeinrX2Q?kTc)) zY<=MQ{SR?fi8WgxYDx^(u{(?9`wiy)_dH~n4eUt!-Oi^FGT*Tj=ldgZ_Yh(e*kp&4KTY`rW(>IfnPxwz8@>jxGNCOvt-1IJ ztpa26j#Nj*COUe@A z+>xHo0e-Ch*-&cuV^&lgfwEX}93A)ZN`&$-`$gPT0|#C8%~JI&?+!P$rZ;oHnd;`U z0KFzL`EXM?hl}()+dP9-iEZ~&1VYEg`xAs~b%I|Eo^b|HGdMROvCbTTA7HF_LyT5? zRUbI~lgudKB#!+T@42q8qgtOJn|0msW%Ti)#_;c={Yv~t@8PUBW%_;jb1quNChc)+ z;i}mwn(J1T=`r;x^)+qzn#GC?@vtW9E%x#%@1+j&2Cs>2KOvmq*Ao3BIIOwoz*ZAx z>?k(no-z)G>fls2HBMahF2F&J)|;Tc5bv{3i1U5KylKlpEn1=|ptXI=El!N)XQea( z=x@Ug_<5(9efAz2AUPW#T&lalULqfCf-z+uaxI~gjcp&!Px1>jqgdOXs@-55Uo`N zs2L5g8C<`>?UgyVE^$Ongo6Tip`Jc445Z1t4t)k3Us8BO;GYU1oOv~9z3S<3Qrx?= z9n>DmH^V=t>k+#2TQa@7{%hw^Z&Dr{fUn=Qp?VU&;^*SAXKo|W_^-8jbrD$I}U10?X-P3i@H$ZKIB*E zu&6eBx&aZZi>6!)kQHe{+8QGBJa&~t|23+Z&Xu4BW3eec&oMCCcy>aqzv9|)@jX^2 z>(TkACVx^S0#+*RQoUL-w?37lO85j7SQjIi^)>RRU;}5n+g<;<>FU!t(-FhN;*QyL z#0loJVkvk#JO$2qi*n4a&L-^(Vcd;^z+OHQSPiU-ZzDXJIy$F4=MUj8{}iwqnrYge z-KdtM=)jpQ$qiiMRm$8C-%#HE@{5_RW=;vg-64dG2OwL&joAUS=%1G~iT$t5WNDpW zc5%%}f_Y+A(ZjcLrth0G>r}G)V6{F#>^dKFLc?^bv+z|#r)Q|j1^yaU(^>y_M}yW& zeC~dxvL3Ng*GFdj59JW5&@}UK%Kf@=;Gey#Q(*D$!k~ff^GER&R9co!eO@Chf@jV0 zmu>u8Chea+I4daXOzfJ?t`!uuCBH0vY1jV~^8-lpW?f(-cq-wewK9Bk#o?phSlDQaD)MoMjVhQgpHA55hE7rs5+qvNt{~Cn zV?$RR61v_G5(mgT{--Ne+ zcp`@f^sYz#KW$cwClB$AE}p-SIqMS+X*GO*^Mg-#hq zC?%&L!kMDSNJKtR$6@draUEZ+%^Fd0&L*bQa9Al4G!!Nq zcI(i{Q=G#eY(XC$iu7lkp#`Jm{zr!_)!#qh-#nFS;nR;|q^B&H zlm9Z}+4-+HAf!{A;8PE;b#MiL!HYK{WR04WeA}~l4ohwXJ&D54l8Oqf@_2goXcS8j zOyHmE$xT>){4rLXRC(b@MQ>ocjA=TGf8(ICGZy+L4XgB)Vz#39qVbdhdm|-~JI6}s zY8NczjwR4ex)+HMJarrzPyXxsH(>}~Mj+mjk!s-x%!*cnh2P_YvmJ4NYOz*7M5vlH zvBjEj3QBs3`ZJ_v&B1dsW8&hrI!qIPl@`H0SIUuj{>nG5 zQHgcL4;0!sHcGS~&X$-WJ{2_ZVjJ9BnZmVyt@ET0c@WdVqB(JY zbLuq+U_1p^w^dpS@gk!@-gJ5NF1xS~+o0fML$YQCkF)A|?!+0tqJmk8{1H+w{dMT$~Xko|nUie)5yJO#O z+BD9-qT1UNYKpCYpgmYMKCGIrLdNdZH#0|xF3hMvNJ3b&v>fi)quAe6A3EF49V~(z 
zZE_1D$x7@kG$zotx_I-j6D?2_3&ww!ao=U!_lo1bYnzJuUPrw5!vrThhUo4hLER4* z%&m-|SuE}_tBBPFb7$3126LCe++{F#;*Pou<(4u((opVy+Im8{RZ(}vL%EZUTp*M? znRS6};HiXiAC;lpD-Pv8qt76pdcIGFmN$C(;oL`0E1Wykon_WWn14&cxtVxsD*2pq zXv+9Diz9uygU1(p*ESrYd?xSCXy6;{OB7Rz`?|*aQdo=={@D^w6W_|%P}KL)+M~W# z8;fi;P19_Dn1*h)Y*Vi{S_9qaS1i48TsNBbpla2sML79h+wM3K*>`c{-D-cGI#w*C zvs%dr&_lg}qeOXs=g$1E=;vpyF!@RrJWVD_};_V|Lo`|dj?881{Sgx#ipBs9c-|HuCgX6YO41|*OILNyC| zY)-TxjF9Pg(?GK*TNs`OX?)EdeRh0rME+o2arAQ_65sQJ%D2|y+i*wRs059 zMxoMwdwZG%D$Me3NBaU9VbIsASRgZDGjIl|_pCzd7;EulPwNgK14zllF{iHKOL;+e zkGzTII-zQXHbk|7C5B_+5cb1npV-wDV~aJ_q&{GnH(fumvE_rH>IkNH!_?H38_&g0 zF5QHK$3MRm4yqM)>=F`%dyi?1(gQF0#BPXxUT7cLb5!;RBYW}@i#j^cF2u0T69Zxq zG9$^v{PhDI;gM}(+@ycEuNl_APXpFBQVn4%Xk-HVHWv&A!d+m#asT5_#PCp;hj{nJ zhT3O(lrDv_#>N3OY-BUx36VeFp=`bh=az=v{$hZ|hPStau-WuB9CR+Ve=uQVTN(_1 zuJ(sUaUt3t^iq%h@VD|4mgel2i=RJZ6ImgDP#lcdC0UYQci1}{1z{EN^Z%q9d`giQ z##1SDAro$1Id5eCEv0D1g-~_lv1qfEELT6;4t?|um;P?P;6^npYIbGG6%sCug{n;4 z_pR3Y>9?!>R=?5Ls}*yg*Q=Fdz1_BdYkISNWP=sdtXVu_aWU(M4Ra5da1XIpz4ylG zItg?M7kCNDDj`{!kgTY4GA!o^X4bF}iDmY|YDYS4m{Ty~kBxqs9Da@WH+&?KsBP#-j#aLm{H?Iwti(W>d~ zdabJ0Dh3OFa_XYcQ! zxnAz?Pj-J_Y}dA7TefSqp${7UBfZ|JH1z&)-PHTlmT7>vR;$OY0#f;Z{#B2#60XD5 zTO@;$$vs=i{&wS-H|aC1tQ2v=i6T@P(F@8APxYPRfZEAPc-k=q#~+m5`?bzj}ZZ?hHgtcoV~? 
z8N~xP5qL_^@TP#@un%m!5RDBFHpvp zfI6M;eKZXYG6yiR%%!`%9$|d!Ajv|IYRtY?<>~^_zOX~~(RpMDV7iK&Aai$ClU?Aa zC`1lRa$~H2*<2DEuoBexAy<^ebZKT=i{0t&?J;jAbKwMg9O<{G?d?(83n<2ZvB&NkmG>W%g6;;RdrNHx)bsAX z=7XBUHB4Qo;_lFH@3RKB+t6y^@wx$Nv0+8K_GjCF#dRIP4;Y$uz}v!_FWQli)G!f$ zERqpH%Po@XiL2IIBalat8e&9)A__vc9{(8@mS2NLB*6mgc!7^rUejySTtv}zW6-f%(wIch1rfss; zoYrlWt(buuwN_!{rV7u$aMo<;CPzzY?53KZ!`}6mF?s!%JCTvQgw_HhbUF1#1IC3z z5BK?ybYzVsw)74QVxmvI;a0qpFpr<#!5{s9?OWZlwAZg+42Lg*;Q20Rm65h{R&%m2 zg}ptqK;_oXie|6KgiPr|bz_FcmmTFB=Afm)*jJ8VG(2h)R~0Q!uRDw_Sh(0!J^!|4?o1D+wS_KLiv@7(J$c zB0Zm9PKOEp>eE#YRw=-6l=x*Qo-pE2Ycn&>x5w}b_MwPl&bO_fNHMUig7fTa<^F5+ zo?DDLD>-gtRpR;K&E!%w)G}+hvoTyXZw(=hsk*Q})u$}#Lr9{LIN~-l&csKh)m>WM zrPcj7t?t=ERNCaFO}=5992Y~D4bBvQS7giLx0S(Ei7PSjS!J17jfDF5N~pYspLMXc z3@J66Adx=QW8(F0QdJ_oTSvV8{W<>nJg08Nw2^X5M?l7@lCmsOB#e%TGs%jL$lR3{ z=_D)lgIkfT^C>$r!;BmoU@LI?cwu%i-b0GVk?M}>;)G06MN#a|DL!O|kHYGIIm+gw z&L5$lJT|8+o@oyZQAFq?>^C zqg9LRA6ZEfQ+!8DDj@s_eaQBI8+$K3$7JF~kA=?0l8T?$tLGo$q1qEL2_`#Ial5G_ zb9EbZN}`7;;DkHwkY&l)S3BdHMKlAEVD? zpl-6EWL`WvfeDl7nW7T>L?hqYA7ifOA5wsk%Do?VY(z>lrle30>-2D z5HP9;u!<8fCL6f`0b??M>jIm=Qz2limjsL}CSZJR1UKIl{bK!T(J!XDv&_l}^KS|L zA`0i0o~$-QzF05G7h{3z(Ph&A`_KRLzf1DPl6-MC`C>|eTxC)(X6l+*#EUnO$zB!j zBDEkN>mt^x;#_3yS%7kp>MTmQh_!7O-6HG%!fcB)oQ1d+xd0@8sTTVcqhdA<`>544 zE0yYTbx=3W+A)5pwo>U=jk)BDaankp)Qc(JMfiU<^&%xmvoD@{!=X14)-<*Si*d=e z#j;r{@t%kpS&hkLB@1IQZTp(7f|7)Btt5;%$|VKkH&4;DJO!iFgAH&nN@A;EU`!Yw z+sMDDT6cNb7uD2%i^X^sH%+?u^T--w5YoBt@eu3Y>ywMun<8I~hCK)MBHMwsk9jd6 z{Ew1%k@`@wE|#o|<(9r-*2RpCx};rPS0uC)o-9s=v}~3lZhT_Qi)aJDKkxd1?SE!o znqQHW2oIDaOZ&UyPr;b819Ev?z*#aVDH%&j#_b}oSq=4n;#v`v+UhW^D!gh;y@9%! 
zc&>MA`zf`Tflth`YiFYqXCI{^U>?$(8AGzl5d^{@2XK<&{$bOF!&~Ulo#0KNi6%Q) zNoiaiRhkD_$NmY?b%`PBXaZuFIGH4de<7;3blW)B8!KyZx;JdJ@W_?}o*n`3*L zgS3zBrn3O{Dzk+h;B4zW>B<|#NT9IjxXUjM+QT$|5o9k+$gPS7ofjV*c3Tocm4r|m zpcp9k^m0$n;)+RZ-z8lPt)`ML=EdWqi(wYWl58<(jijj=xG(0Lq>5QkL5H=Z)K#4Q zAvDlRcA5O_GDXN`l=>>U3eY%`)Go_YyVN&D?UEtA zOA@7qo^F2+ERRmAEjU9xH@DP2lRmy*(@q;z>=lrHu4 zP`apK^~EV&l8sz|(j}R7flc74P`WfqN|zOXQ@V7|zbQhO#?vBnNp)wLbrI&@5<-{m z`IerjHbdvqcw}@gm3p<+YV-$s&90exy=K_DVI4K#*J`cSto7@bSzisE%f*d%y8xX_ z8s~&wFs8kQrk6t<rf;M;`G$YyZKP%g87 z_*=T?t0HfK%JWgTK$QyO7I?Ya$bzz?xpI8=XynsFY`&;fbMLnW_?8|$52)l82EXZZ3mNUn=9(e&Qr9fTFd90S- zj!wJX3!JE|5i>#Lv}nY%liw~*U2ke#`iA4Cle2rsL|=N{Vec1vf=l889;SK(*?g1b z5w(oR7q-F`>}^le1soci8;!D{RhZ`&TdkvFa|XI$g`z z)Du;lOhJu|Cj7RoclrjB8zw5Ao@L|Av4Q(T-GNx+q@TA9vam&XAXKR^cO}EoS{aVI z=Ow?UL}M%?G3 zJhB`-7ULJlA1xOW%(u?JcJJPi8(=!3Lpkihr~h)Qp&!NeOa7xx^K_uiycX^w?mo}p zJrc{mY~x9b9ZLX`y|pW#j*!#!gskY#v_l5JX&wMbsC^I`wu za8yzi%~pX|X`&*!I+JLBitzW9kQAxzKUYmrgbvsh^AmN?Q|v_D^QXy8Bu1~?m&$$V zG3`r>5es$CJ7EnGw@qi2ghHvp(wpJ7kO|=!Y=lZk9_;lK3FR^<7BD1ok_UCq=TQfB z&r9N3yI^~^Ib0<+x6m%zn;j7qLnDt{K_9=KY6 zx)bhW*x>$VvmN<+*i3toe6Zb-O*!Uy2gV-OUt=crii#SO z$#j&L>1YEyMPRTjNmA53Pt%BmPJwTYpNQp&DTg@k2)E}-o}u;f3_bYzPjqm#M$&z8 zMj81$@en*l8KED4^C^sQYg}6Itcbg4mGLW_w@76=%+(%S$yv0VgtcdT$k$0(6hpa| zgheG`(ei{vjZG02DP?y_x}vRx);VsIeZRA{AjoaiXGRBNrelN@iVP6L>0rL`BCXQPGNtihh0n=9^+F zI(}MAMXByAvoON^Tf$TXvbm+_sm)Lo9X~RvBCBbdX2Udevt^rlz0n%zM!#a|jpMq} zvYe-Em%APg!G`!v!qLt_ za6;zlk_;y(e5;{2iOaYgBl2hnORx(iS4qiLQtsOu<|@h9jklhw* zgwrj5gOMb3BbAgSj{$|1VTaCvVa+<_tP6*Qbrt|(fx?y{Sn(6XGK3_l_AJRr5?itJ zk;LI~rsO1h%h zdQhP7BKy-~#3WEu2TG4*((mW)8o8}vVPHu>BglgIx;|L|pX*MikF0gaX zs~F7)yp-OZXJfY@VFccKa13QhEbjpTD-ZlJH_lQ9I7|zgE`FcoBz7 zm6R7H<;C)p7ss2Tyig18lAIUY3(|TFq!)?N%f)&TpT>>SUMS&)i=ni$idY@(MOFi|_TqRwv==JyadFyzi)14gpuI?DU0@SY#o}j_^ zdO9K$@RO&$Xg)3Ki&S@(SsY>hEup^P_vIv@T2exb9j%7Om;zL9cxjF>0#YZaaI!W{ zc+q@hgct3a*{YlUn%?fW4ZYrO4dAD0OE->;YIV@899LUL5!j0}v{eWfa=J%Ud z5?w$k>FS08Tp*M|+IjEaf^QcmUyXBPo3zL#8tG8Gh2{IFT)Kz=;TVsrvN`B27e#e$O 
zC_xSNg7j^)bh{)c+)WkZ;MIG7cmXA+J#Z{AXRw2rDe&d4bib@vKR4cO7!vYgV7P(3 z7%X|EZhT1!tooqUZ`AeH5o~OA^Qft}&1Oq)w&BNC(`Z|jS^+8e4W0cev{YiJil!>k{#TN#?F(TjBIK_%1X>+>JdoOHX@pG-%b91cvF2D(@h{+ zKOVwE5iu{DT{!GP%u);ZRtgeLSDL>k1pLE}I1L!%vC6@OnGN@lS!^I3lN;Od$tg~F zz+1z&0!9o&w`L=xoEcd>nMZ!B=?Ej(Ih#_K<=nZ`jW15H3qwKC;5-VPdU#_58jnYV zcG58w`IE3tAEV=UV7b754*|S{)Np)p24pMl3P_>`wgBjP#GIdjG~OcHk0@h!$wWW%ra7dR!N0~~(tgC%3_vnGw~i9Rq) zG++&A)FjvyeSH^oU)%W-cK9TQ;u4UpNn#kDV_??Up!-XxpGGx*(Q=}q`aE^<-d3bL zpz#cI-eJs_kt|regTVm7#(*2m1WOr#p9X%moYjczLU)KeGbR%_2t&7boCEtn$N-U! zdE*;YF;VpF?hnZpp{?gmEj!tIXa~l!BBv7+eQk{4Z-h?R=FP|hrE{l?%k)$i+3*s) z8oD>I8PtOWTyfNYn9|sysZWdK6XQ6xa zkdc4H`jV_ZXLqDPq)KIW5MW|2m=RV^aV*|+WUT{p%+K~wz;Iwv5MP9(yY`LoP24P) zMAc8c@u|EBk^zD^Z0WdhT6MTD__H(fQBD_tgGFH4SM-!+$4Q{$);`8aOL2!FInHo8 zyl}2Z1Q8g2P0pNaXA4V@7$0=k8V z;x=~SZf>G``ehtX=Xz$B)Fia|jWK!S@vkSLNJ}Yy6ElTxPp+?h`#KVgEZczAfYkTRXwB1V1UBm>d$c<__QznL!145YMX z9%lWdAQXbr46y01}=tm z3l<%zG}>ch#b=wFC+Id7=o{uIvcw_zI&AC$cC<8rE49bSUJ2zU6Lp;> zzpcFYoR^+<&1Fy;?`c4BVd4sZGYSwp;3B0NFpPH-u%&#$-qM9%1jGy^G^YxvLxGjT z$`!Ml4oAa}i3AhFb?Fvv=z+l8u}dWufNRB@5r%3ezn#H9Qi7qD8e1eEKYnCCq=7j6 z1Rz4~bV1Fk!&%f7-kiL7yXVF7y*7fIVmT4#oz58cR~}FkNgu9>MlJb&`C<_!_VWnr zBb5t2bRTfDSUIL3)v-AyM_uXkPszUFc_t;<)Pdbi4 z*zU~Bz~rr8a{=7v2tS}g1&`?>Ir(NWL})saxI~4PsLpo4`{6hPFyz=!$`%Zw>d>5a!f30}X9GEof+}JIgGOF#nc7L%D<|eLw{d zRzqIe;{l1bN|0y?5-mZZ-wa4p=)1x&QC`4fK#P``(G6loXUIi=2^}q=qXnR&3DYb$ zcvR$DDS8wkbw7?@p2PXlaEVVb0Rt7LA0j~MD^9-nRv|nPXh5*^()dn9X(9!065DAq zkzp9mxe!kd>+GHf+Q0DYR*vTU@o@Z-wY~_hQ}j!8p%}39?`y|Z@?I7MR_^U(;VQW_ z>0J)5+}nF3=t^0CA+H4}vmj0;KlWuDF0yR=3kLd2$+W*HK#4PuD@!A1X0$O0h|G_$ zoK@&Nh>XyBC9X0f^JB+V%ED1%D@$zUCUy>Oi?)s=!ctxj3Y6tKHGB*osRThrc48-9 z&KxjgPSAed-C$Y7q+HB{hlyrjCRHdHF^F4@uw2qWQ{XIrd5Lq7mJ1>#i$XLrkd_Gt zR1#|$*!iKBnD*(wE5*PR0$7SuS{!02iYzgfPZeXSSWP9$vP4;yD9aLMSqNn*TM#AA zvcy@IILi`exk8*}{D4v-ElZ?jiL_iN(o*$&mE^kK>m=1`{~>U%y0L)r%hw z`EMG(^!4olY;#}~qElhuxvqDM#$(@xvn={U=$wpC@V!``FDNh;qksSVKmH5sQk%sy(ocOja4s>F?gG15vKi4X(^YDZkj=c#EhHw;p$)9NS 
z=*L5U<7KRMm*hSi8h6kqMYD`g#=$T+6sI)Nf#B1~yB#?}K&Ysf^qa(m zYzKoQg_yxH>zwH=4Q6{{(|4IrErLu0Q+I+1VvZx6Fl>*9--rrzDU59}3B+QXy7;&2 zD8vQi%^w{^j$V`%d!$c;LxL%@zxAOva=>&sME_%?o^{X~&h-dH>y3Aj-Kq zS|<*gsT<>QApHpH+%f4o4r_Bv4IeIlU6ok8htsj^8I~TMe4$bY>f$HH=o&_@@{kQ| zq$ootlcX(M`Dwzi8E8LB+XGgZZh$~aQ3Gpwc=TV=NKBbty*IN$cko6}@}oAZy( z@LCIeQyLQAxIJKd6KDvZmy^9s@f`~0-HUdo$p3To4D_Bgxq%9rjqw-w^~T19AO8L_ zpRt;02xqw(vU4a;@3T+sxlZc~pVH-%iSkrl{4}2X6fUO6wuJasg+>zV}7GS^w2{m*`EqaBt|8fQN)r9v#eoPYO%)E>Y4l z8)xO=l{9{9b_Lr_^+An*OnCP)J$hI>07WahG+m))s6MD=kh%_DWzUM+2$?syi`;5d z7ioLK_g{SZtfc9+C7ND*ovftkM@uxl_)=I&)9Xt#{efk@u|(608^0@Q`tcG?FK+9u zr0GhM?gHGd572Zq?d0Nr7o)uC(r@Yu_<`dGlXG^hcgCnj8SP}X8mFCnhT(7NghzU% ztyg1rlHp})!cCL%)rIdqNVy{zY|=GkF?yer^Ct}AkK%0QBlR=&82l+Q7ORRJoJ%i@ zHB*P5dDF>wI$;c`f4cwE{|8V@0Rj{Q6aWAK2msGYI9XWZ=1E?YsH!{;&q_F1+!tgU U;h+EjLe-Pd*3hTBxmv|xiU#+CSA** z)ytp=iZWo}=s$k^fd0|s##x7u0E76CweTVDRp#=3{P0_BsD#<)08oeVi)Mj=JLNqr z`4Bt}v7HLd$1wHqYspl6?)j3V&4(J6ke~u!zA@>C68rB=#B_$HNJVV$GsnoqqeZgI z=e=b~%W$3vfQaBD#3@>+1>|T)H|3O6Vn!L#{_;tURiIhar&XX=JC&`@{3h~AXBp(; zG#Th-4hP;(#2GRG0DvQ@2o(YiCmoUEEIrGYy8Md*EgzXs9nFM8>RrPBa=-X@H=?PU0B7TSo)U=p@+l&5yCY^`4f;s(ODls6vB#ZXTX04D5b5VbBPdrv@V#cLjE z#uw_5jy#G<=*=iLxdn8a!@%oLc7ZiUD^lZVV(B!gDP&|W%JKr0?OCx2bIS2#*>U8v zUvBT^K???RgZ-vdkhBL?l6QS^f8q=w1-ve zkshAF6dEA0G~_*lk~AN?ASvwuURbC3tkFY~Nn;Tv{o0ar50-d5Relons^YbrzeHK0 zzPP&}DrHJOg+4t+@~@$A-)QP*C=F#ZQ+s1NeZ&47VBB`B(xyMh(aLvb@3nRW_y<=~GQ`B3z!YxyE9lbfB znYc;jFNTO(&_I81I1s5O$N7F%l~j?3KS#s>xPVU*ad3GOYrqgms=2FaJTJ7>YM`I6 z21$|O7bM3lj$Ym{n$>5gv>oy|=oWOKrF|gt^OfTFhacBhy>Uf^Bxns3%FYU}APzbw z?Ff8UGb=hgj>qTwzXN#lk~7cglCz1DA0_rh&#xxlCpL!d_Xql}r1pF5*q-Q`!hxRv ziG9~vr|7SSZBH)#fbX?WN1xVr5b_U0qDui^`zub{n?j$?=bfC(=S-p}!778R?RF}t zj$A=}-5h-)ef{kV&St@`jZfcC`xcn5?z@SvALG`#!OmAgULGs&M4PNP@#kY-E^1zu zYz)u12px4uU$slNY;SoPBf-G&r|@9_%1hntE^ZUrM=A3c{slXs0RGjMd!`T31zOs2 z2e`pDVSqcQaEI_*EYeQ&K=v@y?7?vO1aQLq`{8W|DE#=h=l$X9*74i(S)SjLVUnz?f#uGhCME|t7lJwd-p{R{`=5V2oYnZ>AL`og_hsx{O{;p^SU4s4 zeN;RMTdo&1fR?$(_v3+g9_e>a$G;mq 
zo|~6F+g)FIj~%I{!{vUne0*Hpjl7Z_KGh2bE6=f+Gs|O#`rr4!wb#HlzsNVsAKtc} zAN%d@Pv`FYA6FMUcW)C)=e>O0HTqkdY3s-FoC8D#TR`~k#W&F<9v#4ffM5B!}lq{BfmmhFdj-!@7Q7(&Ck`TCEufJ%H`am0N|b{oqffDJ0&yQJv=ns&Kf>5cH$uIzff`D%PM`vztX4;;_rHn}jZN}6Lu zygqDwxcSa^&C%~K?2laHeSUr#4LL4fZuwv4yLDgr)m(g5>PI%IF; z0xoK5i7JxA4K@q{{krI(nwB=1TP)IsmsWCL5opdUgV5$?x_{J|@}Ox^6rUS%uaUYwXYQf}3o)Pt$##0%}jR zpX;@kN10@owwGt)i#(DV=TKX3W-g-lF+{Occ@q_Dy!Kw&)$X?oH67C_X25NpbG)~? zp}DEy+51JArMHXE&JJt4r>$>3)@G!}$K2_%ds98WHUN=?hTwDu!o>T-(Az<_fBX80 zt;3h%GhysAl)0P9{gfNvIsaTM7Qtfw%<}wW>qPI#eFl(~I%t_yAV zc;gdnud1nexIes^JNOvz`k6c+c1V62#9N$qbur$pz-QT4YgKjE>tT(9+B4+mvQSrfmVlZ-&+7#~f7`i%JYFu*BBQ$* zoGGwVSEK7${!{dLf$DnroPaRqLSgH3ZLIIT0ng+8VaMwH*Cj%RhtDyQJU|od`OCr$ z@I4KzO6T1gavuso^L&ieAvn!^GOyN$0Bq|dhgZIRhQpa`U*U{AzVD{Af8GLbYtOby z)%CV5zkYnWwAkoxt4&v&$1m-E#=o`a6WZmfJ$cYh^S1bZsd`+p@4!6}HQU4w3=q9{ zl;TajonGzu8|qeFcX3}`xYcwaJ#QESyk1;ihhClhyevB`dIU1FWtc(?wg8$N4_lvX zjKJsICxU0a{kvPpw1uaup+?I-+5YF0yq(Je4tM4wXIHF3>2mzl)bcA}YNirF zvcWpTW4=;duWR`}W5i~8;Qey?R>8$l!1Ha>(?iWA=Fwv*`cdZd#n{8=Ks$B)cD?lc znMyFe<+^!>Q}Al@nv=-hqw6eBNf3XLm-o4F`E`1CH}x_4&0K@O9BAiTVatiTa&~Os z_IPzX({8jvyWwNN5y#_w|Fr`sE$s0E9L8+!wmSjpR`9cR&o*@8AFnQfQ*w42w(92| z?;cPd4i(x%+}_~r-!C@r3%j`3mBASZ-lmNzK%dr6W*#qqxt*8JNaowp!a|Aq`>oZ$ zC82B6{{DV8r+nr2!};+@CVQnzx!U&Trl7x;Ag}wh_GjhX^4bjNv^rqs)Ng&YmMvrb zX!*_Y{cTF?{=%=xnblViJBFvQ5btj>0io5?+i~eQuzaI}AHQ?^bJh3W%g)pB-G8AI z2=w}%>kxcX-sl#vwDW7O^cgAj*m!?z7#P@E3oFlQibFVVeY3gWE4pX%J=4|(`nYJV zwY?)@wm;|fBMa=wlK|e@RLLMzanOjB6m4Vwv zka8QdM{LGic}8N3IHT|pOWNuypD+*%iA~}_#-`k0rFotQy=O)vwkE)2EL$CO{2b)6h9G#6m=%?`LLXjFVwmO7ZT7eO$8O$-FnixK z)xB$T0A-#pcOwAg5R42QEZB%KtBgRxlU-b2_)y3z9Tt@fWPD5W*P&R?ic^_JMofN* zDK4GrwVr_~kx%yqh7BKtwfsW=gN;-{6#kdBOtL5umu;T|iFEajvBhxtP1%%QG zE@xyZcbtIPRXH}*vT6vN)YkJ|0A)rqC0-dHqM70#xxJYpxYu&#voBSWK6%rurbW&# z1S*=JX+Yd!Ras`i0m=unF@ft0vVXf9LjMQVSr71t$t9Dye2_6 zHv2Fv(-G#h&-(3DwD()UW&20`b^2?X0<9vTv|bMlP^d%`H`XgN1s95q@n`gpwI^vV zkyr)?6aA86)gX2we=sVg<3JvRzJm!tAXl!(IozU5Z#WV$0(I$g7#HBszg~>rsL-$BIOV 
z1_crJaog}$=}*5poENVMB>&t$`YN#NZPfs-SDVW#tEg&>{brb}tgeyt^Bd&Y>;!)5 zK_v@ogNIPx8m5XrNY;SnLaXj*{bdPi?jO9NF54&hJ>r<0Q&Rw5W5J8OxVNt>#KZL` z_#Ql!djgi!{X=sLK6U zXmX7-k;lxH=|iK=$JQnmgT&v9-qR|};X4PyO&stxH8D){y8`L?MB|1iD4mKwf$>P3 z2|B#1iQo&)<+t%5?3-RPndP2}{wMNu4>s*xUeF_EcL_^*)c-7MTl>628G?(S z0AFin1r@k$TtrgB%HvK>e8aI0)V17&ql8h+6l$$2L@BGoD@X4R(Wj8aU-FK(tB`nf z`#5hN!tZz99tCSyCSb(R5rA@C=lHY~kt-CHwgW=uN1r|)v9C}Gd(^tf14@(@Dfm+W z;8@QXd9s>>CwSc8>w7%!YFlO7OtA(2>}g>l&mL!yV2L`oT}AGXFi=FBD8Cixm9C+BfGiyEO`^p2a#$N2L zt#P*blXFsUfh^s;uRpCF56uD1t1N)(Bfzy-1eOCc|`2hNoKAJzX8 zcM@aBmL>*abPaM2z+lK(<#9+HFVkj_2!G^``$w++D8peh{PCjqAdQAeLjtn6h>A)~ z0;0qK12gJt4gqsgY2R~)_2B>mn~)cfb(hEY8&KUhL$`+8?~5ANrxz1q#KalK@hLnr^DuQ5d64U-wB%UNg`jdqScD?{wh&ZdA5){0ik6U;X z3O5Ya#zGT*zA!LMmz2N$6aZBOg-tRWF7oBk9X*Vn8uQACeQ&@Z0l;g^^2l$KFKzJ9 z&$%hT^@NIo$GkL4)`h@u6(n{?wTcjm4dM%Z^7=!BiLM@hdUNCt(v^Llm;0UI`DOv$ zmvu+av42q@qvvDlq>#v()fQ-Ce%eOtT`-c|7Ejwyfdc&#aT~6I)}l}t%Cpg30SAxp z8|D6B0q?pm#lojz6j1#AA$bfdMK8ccz5Ov_rp-E*@~&2;(%mA>FJ zd`{`$wfRo3s*jhv@??{3Sjj$MGL%yoJWrVJlX#k|d_#y#0r|p&Y~b{n7>4(lrs4vr zL*s8g$c(&S#jGbM#d=9bwSbKc$K>ey$N$2!yq%+qM5+*X2_R|0giEc?Ho$Aiu)`}A zgYdI0&)0%iJf{SFoibh}ibuY0dm;a+B`t-2;_+tkDTeUiFc1{8H7?LOcZn7FjS05N24RFy*#+CTmPl{xaUNFh5(rhQFJ7Ao~AE<-#Viqc?Cu< zZ9z9wFnzh?KZrsfp^wLlHTL5Tu}#=w+6F=_XfL-8=Jr^VpRGZ20{C3?{G}AAN~6+J zDJQ!fAOOk=AWnnHapyU?>E?lq=T3E2RAJ|@H&@GB`SlKhnkCiB4p3a6TZZ}LJxM8B z1l$q4W6gXc9Lb`3E4nq(tj~rTB0l02>jWAeS8mmpfqLVEXJJwBnV0QHrp0|6n5+f`zhVD^sme2vcRD`T6**eLIIjNLvt1%-kW#%(G?vPNtv(|^#etTSSlMk z6bOJ;9mCbdQMfa+bJxO^bcQrg4ZDV>`EW=~YS^N4k)-t2ovY2CYUKezy@S-+<0sP~ zZs)t-&Dn|PxU`ll)+=4Pt=K(gq395$JtDB6*&*Zkn4)cB!fttbaWyzOmr0lT0D$0( zQz1%DZM{2JRjiSsF8ar8r{cJ@<2UMM#cRL+m6}V)_|B$k9TNNM(vjun^g5o|E98Y; zvI@p8t5vdRx7(kwKTTY$Ex@XMDfyrxr&!0gdY+OnT`6Bkojunx*0ZL|yL`Te-Ek3Q zuhWkg`(+vpX*(=8s&%=oYb{*iYyhUdoPsNmpvhf}yWH_LG}%y|lkcIkuJ zLQ{2#teOlB$EGf}jJg6(GunJc#>P|8L|apJeyMYWDs4ANUnL8=^C0_tnE*lt#%`M; z-2l~A=jc!g~Pn6BV$CImnu<`k= z|3!WAs)VwG>k&uN{zhIimjzCdnzci8zED}h0%6JC~m17a8R@PqG3JMgzBTg 
zS$i~X>a@#ak|Rwv_oq**^p&=AQ}*vEuD4k7>m1W7bYdEre79`2jzbm{R^8vam6Q_R zmfo13a&64Lo-`U?msRsDe6vK-fn5PTKXP<9Lm;=Tv#EWM-D3CLT>*#45hc8$BZj1n zVz{|&6*)Q`7RGmTpNkinZJX=7zOj;u-Qv&C$n`MaXkYW4qa7}W1|bZZ_pGH5f10yg z9XeVsA#O2Bu-Qi zJo{GHl$xus7f`T>R)DWhRCc0nPEhZWhJhO8xO87aZf}y{4DC?{Y=^Pv>p-?a8)n`g z!kqzfu5MVKO>v*WugXF-HJVHm0q<%%V?hF~j1w^ot4rZI^Q{^PXc9rxDY#T&#&!>60&1*6=n3fHb|VNbKPI}1NbLHEE4 zy1raz$&(US&CIRt%Y&Jd6cjTa-2lbz>DA)=@*dRf-|g|jl2nm0->J9*SEnfN`Fpd| zar+J62Y8ez(Gpe8bFxKnNRi6jop}7K`lnBBQp?fm;KrM5<`*8ZDSZv%4XvND-wuS_ zvI7)qC+XcUnLk|fWZk` zC8SurTpl)QJoeFiG#OV)sO69!eD1hU*pu%f8DNg5xGi3F2-imD?Ku+Tm~t)~u1Z)+ z__&R^NNT1{*it*kK4bW2(HD^QGSU6849JW4Ge4&$#+Gl{xs9=STRE;qWc%Bv z9T0`unsXW8$L0+_q$b4EdJpkBhsKyk4;6+Z!jX!MnD7&&OSaq^*ZV+}9fK^VzX9WK zbWqVuRIy-yd)X0M`<1$3*@)e?i^j1x(ZwUdEE>kZ{7%if`)1U7=r`-<#4ep`gEN~k zwM4nw(npd*CJ~@V<+U0DH6&@Fo-s&+dE>;t;HUo; z~{-i39(;XaDh0g;CA^iX%q2Gw@>$7p@s5BuM5*;b4g~-`qc*6Z78J$8K7b) z2INkB-ETI^eck}mI=ELE(_mD7(SSC_P3(3;n#i*Nwmmo3H+RUD^e$JW?nkCE+mqMf z=<~y>>Ri;x6nIDKtpkLww(7;6XB=rO$A?L@zd`S1==Ju@BXr;k-lcu|cN`|XlTT;4 zk?vfHYw2pX5@BJ6=LD|MvB7)}I{+S-lDXVpO4!U{G^DkocOL1c`~8>3quO~Tqe}Qn z`(B38quRwjaI>kqQ|~+ns3fNls6e@OI$l%bZYN`}e|Us}(ZNM%nwYu5bn(Ku-32+7 zHB8AdqF&ysM}MSaTl?x3^g21eThamVZf%_>`O<~!Re5f6u5z>Gd0M#T1PBcNW$Tc% zO9{Vn<+C;Gr&G?y$5+ME7we6rS61tO3DOM)UD5mVFw|tT5=eE}&k@V8c8P(}%pjjU#89~nCm!+mUl;c5 z7@G-#%kT->wWQbwso4ceiTUOenMi97_bLiC%V4mZxhkg+G}UHNJT3JGDx?Bu6<$92 z1F1EtDzleNm0(9Xh$E_MC(Hl9lS`5Poz{#e=FW5z{ajvn4I`HB8}OhjzS0oha6;?D zC8e-7(B`3v?oKhQ;5)*wZ@&k930rSU*z<&Q@d}r=Lt~aNN*bgBJMu`3?%vla_g8dI zt#pD1Wt1~qGBjFtH&wXA5OM{+1r8-T=wiEIP~Y@FMd~*6aym;~CZ70j-+a zP_X~tA&0-3hne(FgG^676dTyKXHqz{kNmmyrMfA22?bV+Vs5a$n#Y1cNx zUN0jN7^hc79~-gKVRSUQRys^W!lE&EjAZq+0MHL>wy}(Nh$k&3AFNq}vZ6h3G$Z-K zaR|6Ql<0KxIs1*)6T#9}9>)dWC=~1Z=Cn@NoS>#@r{IHaqnwHXNLIvqk2^+C-7%p< zkWhXXEK$?5834%Aeui?WC2J{Vs5P!N;${J~Ocj%)Ekm;$gEMap1IqC9bf*D$I@i6k zV-)M`(UBC!PUz$SXQlzebP@zA)7@*0AxhJWm68hymM{lV8JcO;N>rx%1qmNDwiap8 zB-{%0LbqM8QUa?uyh-i~lS=}eg2>OTcwHY-Tub4z4M1n(`kyiC1nqz!bwlSF@kNHF 
z2+fs=MN*BPm28-YU$&tzEXSG_AMw8?79~YrZiBVB%(7Z;+1i}lIjY*=rOGhZD>I** zF!z(pwGCl*jncmR-P&1_wc{lsM0u7{3Oa(cEW4H<>RgwJqfK996h05 zd5K|r8B@=j&ZgznR>rM0^yq5On_};tAYU|E+O>cuSGHAl)z6fc;+jf$M*wf1Bd6iL@}M8coA83}@IA3!I?1y_`nPf_(|c;cVt?9?C+X@|vwB%b*D zw-4hl6MRfn!lqRi&}aFara6ptk-Llh)h)r)nW^iUJKkj5mAHwfy?Z0iY=|p0Ezei7 z62>ra!64o2dM|K_BWdHBe<8CrY4hJ{biO5_lFGj(lLvLBCNb&^Bio|x{x$CZo&PNO z|Hc^m7GXO1k{{6~N*dQF{}V`yeMr*i0t*RX+WP@HC?~W_2w5JN^3I>aQJL(nuNnrN{9 zU{#tNTt?9!rVn;r271{y1CSVK2%!_*@)9fAy6ag(OuvP7n8OMk-4XjId;fr!Fp-#E zJm_z~Y7ZDR+-*bl>Ju;`OyaHjMq^X;&!6A2m{N;!D53G$85Ho_&P*sh6!$b70`e1M ztMuuM?x64~5RMx4gS*Z@DUB*jVS0xgBb4PgEHGCwipckji9(1NY60=v)}>S-<{pw@ z*$#%z(#+{TL-j23(+eC&hE>}ist?^8hIyi{VL7La}y+bO;C$`T^S3hB{nv&@*{Cw z0viVaYdfCvpY@QC!WU%i=~LbP_kozv8M$yczN{+2SJ9z^8(k zf}1TdJJkEM8XJZ*Nnspry-s5@^j|*%Cg?ZcWS80r%3F;8m7K`$NNXSu#+yJLZudsi zK!Cak5pG~Ly!!6yWL3uG*(s=D3ghMIYwD0>P~B~XJF1lU+yhuIRf0FK=mwz$pg1#G z&qNfJ^V7pT;!yB?O7?DNs6$sK`2i8jovX(JH$pik$FeqbpSqF$`UWrM%5fIxF4GIwr&K$AEkgmETBHv+oIhdP~%E@cCLP0?CX>wHLfV+KM(Ya)>&k{pQr}t;)E3 zcUhpGe)~L>=*z`TpWz8V`%Zq}ybUNi7M0mk34b>2t4D>Jl~v)DAbWe<OrQ?VNlw(&G+==MYUGX*bW0>bzq(UB^ji@A zs)Log-|79W$wo(SNhj`6Q94EtHZE}3@#HF2cZTp{ zEu~nLqv~!x%DAGY=mR(uxy8RJp>_Aar8|Jck;S@PZ@sew#W2^*ewlrR$_9smL~ln+va}); zqEGlK{T3Q9( z1gb1-wLMXcy6o!P+4>nSrBTir*`&{;pjQ&xKY?rfYx9 zB48NYOZ=!)!>Jmsk-l+IDrHV+be0i&hIq}aQD0wYwc#S_5Ex` zmdhI4?(R>FDjnibDB4)Y4x`^<0&+xWDMvXvFf(Nj7<-UEsqc#kr)MXoUvgzS`N1)* zs@M#r^p#Sm5rw!;x)b}He_?VEE?z4&Km+J}j;5Z93M3z#4k^6@@abW(grDhWn@GBPa4c?2DV# zfw$}>pb`^}xsc5KI-k4i%Yvvb?v_a*V@!4!ON~^DxJa7j$+V%LPGQ?z!H8GoWPpW^ zz&UGO{;bDwOT6sGC~avuIqqWPHZ}T2Z<@ROI(t*;)4YTzph{2- zl3(G5M!;MD4?hhlA5fnsL#BH8?G%kEDI>-B2FrRf8&@9np$qCglru*V{%^f?rF$KXzNVRqm>^ z!WITOPLQj@%<(q~c$Kui203IN`VzlZE!@d^hUNiT9=Qt|D&2R5KY(sF002d#*%S-f z`xsLZ)e|K$mK|7MOWE})jvJFjhsQvFnq7HNgo+dorIQ{9$eT8xUMN>ITy#6fPVK+89li40EpBh1S ze?K(KJ&q5bIU%%2pNDB_bJDgZDKt`;_Z{*`oWSsXMj=yuRe%knze+P;msE zq_W&91ywY+BIxu2xSVSWU87cKdo9=d+Q@9Z3VSyk?1duOpMBZpggc`KMe;Q1o_dlM 
zIb*9hiv2!L0|=QekhbTK9-c>^>M>;Rj1O3iaMPz<=aUOpnn~E)N-R6FlLK6_9DWXR zLGMk4u-4=9E0q4RRkZ(QIgHuyLS91pyOo(SVm9&BXD=4&w5Y3CN888XanZdEsC@nC z?qHg634OZY?&@Kw!|*8`U%7y4@pgY+3R+vX;|JQV33!?4(ZX(VJbnE3)eEBfklF4N z9G2XZ+5Rp8vN&#eWv{l(`DxtEQ{%Q+xLy{|D-lI|T^A$9!X{`vw8P!oJ@Mk-WJSX5 zh(aV?fguyjrIe>8Ojb5qrq#D5qZ8AXfWhQN{QyS@{zE#77C6vzR2`|U6yWb~kIcGD zlVo4c3Q$Buf!+;SCsAK&Tr#Q2>#&k_DtBPv!Ge>Bu5`xljX8Idg%60|hZWZOw}DZ8 zzmsdxoY*T{z>#&gXW4+XEjzb?#hD~8nE@_`KeYZ#$o5WJv_}f=LdRiMpT6 zlb|hC-{HP|TQ|?#+``SxxM&NRvvC%m$$2;K0Z0mIc2`02N%9ggp|v-iwUW|9g=09e z+q5hfRr6Hqwtid~{B|%mjim!Q86F`jL9pw?FrCM6nPWF~jyD9wD4!7%Kf-e-e31li zZr4vMl;9&7;o(cMQTxu~Q0YzjmSEM|I^i5S9sC zagJ~aDGOk7WO&0asdK7h_FX=I%%sK80Zuh#W&b)Y63Rdo1l{p?D;Cuh7b_bQo#e0X zpD4Af)A&8=D6XJ{?X%xaS(?JfYqJ1{}g7 z@TDqi%+`#2>?sXX!|Y$}Bp}nE4tTNvi+Gld5EhX+kxdjRpQK?;rHUoQ(<+tqP&bim z?cm;+m`;7T$Raz14titkI*&r3exg6YH>s5A-4*gYIZGM>XfRutbq(4LV7LeZV>edn z7-Ma{Gm37-m+EPx{OFZb9MHPC|GcwQ=tJg{8Y8QOWHg7m;(9BRwzBFNv1LVy0b z+kf;M*HSmN2=dNF+B&bl+I6lhkQ@%_l1$5UkDFo!+F@%u%R)?X|DUGd|IZcXLbSv| zxE_$h%`|x6Q@|nhm?Do9W=yJl^@HzAKL?!z8h_^6kdXq+(c92d=;Di@$F(++Xo5nf zH?`<_Kpx8dXx3aKoEexhr)fU@%|RFk$;%OSRHZ7&q}<5MM#H08?naP>>xAj!nu0L5a^-n%*r8wB~Qi5wL8nak9BR2`zd~d=Qw4 z>lB}V|K$xJlDfX1Kk>6(D0%K19LuXB?dvFFfh~F_Q6o9^Bkw|DNc?a7-aEU^`|+#;0MZA6#08!^B%^j##r z7%O$hvhjZ+W>X)yEKwsfhNR*b0#tHpcO}Ut0Cb!`5m;hZ<7&?t12Cut?iH!&5DNhm zIMe;VcdHVh{ILq!jWi-WnrmU5!sCjet4X~-H$k(}T@lXc3d5g3ET4CI>2Yy?BigR7 zG9M-9`1oY}(V*scH$BTG#Hvd;c#AYksp0^COseAey#%R}VcL`)ZhLRu6v@Zgf}s0{ z1K@nI*=*FLqcNp$QyC~N>OUQQMLE0N43{F=RlPPV4CTeac@l6YR?~gxoY` zVrn5Ao@}=xg=em_Ag5sW9Jt)ZmaHw*%dp>X#0=5_5*mxLCQRW8ooYJnc~2g2h7>4w zYTcs1N@8d#j7lE~7ayv;s+V>TB0YGH0%(|IdAM?u>8PIz3&M5pXC=yW9Sw}n+7mU% zpyL(GVK&x5<>RI%CVFsUVo^25Pf8z1QEczM5~Wc(-v9%;?Q%o0zLlWA5#X!Q;IAsR z1LB>o>$do}+7$9hgw0VqSvFPX9fx+q2~$K73P}_&`{A4sm1(BgUHwrQ!u#L{0M}Zk z-8y-z!IKQ0%Y9G}c0R&$P>}?HRMjOJSiv+gp9LyzR2srMDLBHz-*gF{PJ3N45BIj_ zxvE_=5G~mr<2tUIR|hI@{bVf$`1CCTcA5-fWdvpzeTWI;)W|6^6(ar46!ciBzy3#@ zwfAEn(|!S>*=_pIGcQR3e1?D~`{Y|KqL5$4)9wA+yK3F25DV0V7Y>J8ifCo3!--nt 
zd0bo19^t*_DN|<^{ozhu`$%(J-}^}NjV^Y{p>|=1t-``#hu#%dLBEA+a^lFpGp>x; ze5eiI6h8`v%O;&xws7?Ui^BX-!%N@SmX)fv_f+KkyQFm#*Ebc+657KSwR*W0vL)90cTZ9X^)tC8hJz zCyt|*{{yxnmYIBjTW2nXvKDDFg)+A^N#b~v80|e9++oVU%2!a_aoQrX6h$);LKwBL z&;0RFfp#rEbsUF6)GFB-hQ4vss;m$HC_}S77TURS)at5Vjd!}U=9dl)j|IDpo z|IsT@0mdQa#{B<-`D6j=E>+Q1UsBVV04Z zW=ul}mjb+#y!=tV9h+>zBmN0GKK`M}>~{~+DEDI7EIl^11uP{iC*jq1%d^`Az>Z8S zM4l7?+?cQP|ZA(bWI!Ai*hW&m;NbWO@z$4E}85R z=>OPb!`%$9mWA3VUh!0`ZA`LX1%!gSsQ4oql_thOYD-HavGJq=B}CvjHZ7>q`mGLf ze`j0#{kX7UR`efkqkWiA^2@jTv%b7w|1O^0JjUIpUC9Tna(O7y0_r}_V^a8fah|*i zU6a$*>K*n(l;R9c30!LUth7L{{!!~69zq>(V}e0=KLpy-=b|f{^xko;3++3iu3+F6TyjHxo?>HcE%3z9`o&T6vkKiTL1gU95z+vT9(d(4_N-%~jD_Hw(= z2ZF*1DfKEfiXD&Cs1Zjb%LW*)`o0N0>RXG&MU0o!Hry|LMR!J7ND{t&K;X?Lnq`9e z!@E+#>?#3veYVEWH{ewy2|!!bWYeqM-M7SDAG1n0zIFI^oC$SwHG&;@jS&k|s4!6q zO98Uj1XtwiG=&wfY^bYoS}&Ds*%PQ$cWV(fR@%`LYy4DN*u`GJ<2|C%%zH8mbUvP5ZU8)ebny%mN5S6x?|o5Ds6rQv5?ok?}> z{NczPB*ir*V4gPOciQ?F!4mRnn8TK(PoCoUti6LR^@q>VlPF&DMQvqerA3~@4N>gx zz~<0UaP6pKF}DxfD^n@u;qxBT&zj!r{+QkPnjCQkPR4pSKz3vG1ZCvR=Mw!ssv6}= zfQUtt%~bOohnvZ4^P~5DSxrlfyG*SbLLpBXLX1RL1ag45iGfe|03Mc9AB~UGzd~*U zZiZzLoXvytmm+dhtXyIZ1mk=E9$UPU7}x$J0-DX z+iW8_1zH~x@yALzZZ)GPLSL%BQ9j);R;z)JZ}wvefGbhy?yI|0IR$GAEji3=iy$X@ zO@!khshcSfO@l04fe zk9RKl@1IKAL;2ti1j1rhPXH+l;5*lQzvHAAr`FigHxkxLz3f3b$mdVU z;%}@nN##m6HYsltN~|NCcfugDL;Uy6o$De5wqh{@Z<9;5dNRgPA%|S-c!JEq6q=z; zmUJ2H_-+g%Sz1BVkVfCAakHV;TB9=5FPr_t@zD@p@`eX{)P!ZT`_CkSuhPbCJ2BG~N(&@o&d-c*FJv5L59pP= zqgwfEYk$N_kX)4=@>lb)=gnSoKlA1xG0o)PFOx_28RaI9G$nYKhXn#6I@g=;Df72P zMz3ai;yK_N%q-6)EbNqph!DQW)y(@Z5fuiG9b95|dRmL95A`x^F>D}VB z-7(J#=XyLn-MrI+vYo%z-hL>}gMcV_hZV$C@sZDD+AmH?K3Vlq2S|4@4B4sVpTG*3 z3o9JlT-aEwg>(X3#-pSwfz*f?g-!mia}6b?s@Q2zmJhHiENCFN2Cl@ zH4B|&RI+lj3d{0)RL7(#6F2j|Hj}^GAT8ggO;Rdi8J9$7iVe-ZGNv@v`EyP6p`4 zQ4b)a-YQ(a)(?yS3)m_r)iEzVg6A$_7A4GLTVNK<)}#r2cJj+v2E|fgEJkcS&bimh zhERwlamLl^hHw&P6lpAB0i~J@B30;r)WY#R^CL(_?o<@$`~cFtSr^y{o=W&=tqdPs zaro#r7B-rqihSH*qYCEBrxP~1p_9~u1c}zRD@b(t*w9sngswLdlzg&f9OzXU2U^B~ 
z=8Xdl(>!1p=)CC9T#=f1AGJrZnDVW%bdSu#H{mUw$l(FK>yiIYn-$~9Lp-B@i|6m7 zPOLgiZ$kl~aZS0A@K1JiMYnCrsIT|ooB1K2R2ILvQ^$a+L}s1wW7v8$4IWuk=z7F0 z*`KE#G8Rof3r3JcT^)}=65l<;i}NV&eiVk1KR8B`ySbq;v9z;eV`woZ!eY|5^Ow|n zI8A6HPuS(CHHka|3__GPZGcmMQQ)Gy46J!*p;N{YO35jRaHc3d=6J!)g#cDlhdNn0 zFw7w)9+4si$%rB+5(kc2#kMTF+0xtfRzt5>8pnFeHVysQ9yCp>b!@i!Y!^3e*Nx(a zFHe37OOyg8#?jQI!X{{vS<9wXu)W? z|Ir~!_4g0>H&3Nn`1GS#`BDM<+RsFn*^>+|=_w256Zq$Paue1ce~c9;RbDt!(Hqz< zW15cQ-#Do3jD@~Q!z#U{n62o&XgsCB-be}L&ao1@+64=_V+pjA?nNR5PaTKGlmGhu zO&Efg5s0^Bq*^!vv!c~t;rIC9Y)710tkn+@swPcru_l~?l3t>J{tT&EbMV~En7FuY zxkyyp+?=WHxw`ffK&T6}4%5V6rA2Vhm2zaBzw(W1RAL?R1BLd|qUcCknI1&yjbdP; z*I}qIEc@^=ewieu=wo*OzG$edyoe|n1B76c59}T~ly|sp510u#{Hz<}v3p0xeGlit z8Cmw1juYn9JlL^+AT2t&>Aua<#!xd}A@6|Z#o#dtAf{qzfc7=#FV$U)xu&|Wov-Wg*G)+h1(APt`PrXy-;e>V}Z zjS}sLvn8g8PX!IU*ar7jrf_ZRJn2Io#B{J|PTb#|dJO`97*D~~ZIzZnyvQh!H(egR z%P#E0HYoVmkgQq3jR~}^F5W!sL<Z*AegiFu@6rA-cOrQ1`P<&BwmVKl_Fdd~x7uH)jui{(tX47t^iXf$C{ftH^zuUF4e{Uq@qdF^`bN6}38a93P|boKn-gsaBV;<>G|(){7KW!m8eg+V zpB>*Dkw2Qkfq9XmYxbU03+bE;rHA1P+8ZaB1P83a*s0eb@}Pr614UwfFMsKU_1L0O z``W;BUCefa1V}dY0c6j+eZjI+58zl#@6dlv6~DojQK%&BYmQeM#ABX6R)PN-U;4N+}iiQ!l{g#EDD zCw4W(*kVmJsSg{#ja2J?w-2eC!F+9}eA>Mtlq4t>`rAuL~v2g$m8`(^FLgdeP zD4TD>xuv1EzZhV#;qC1pY&N|O2c1jpA57TTmIi~X{h?7@i1r7))T2NAt^9<4r8)cM z;^)uUL{`Wj6bB=ANtUG79rn&fL0AR+{6FaipHk$7@l*<3$b_3$&KsG3ODS4$AynOX zEZS@(%hivzLmz#^rN5gmxKRy@nq66Pg@j9Ep(+#ieXF&8`t54J)o=9mYQ-Gr^=jo< zZ@2B5-fSP)UPgO)CbKb9P{;ly9wfBv}$_0UaRW0iU9{ekRH2syrlS$Ns!if z+*BZoL)gM|WauKY|CsH^Em$}IQRj9(f! 
zZtL|Ukn&cocC0u1l|jp_TV}Og1YymVdQV>K+53BFu9y4!lilAJ+qG@jmhGBt=z~W8 zNUt|44ZVL{H}!tCWf~x^)#`DpfKu~iJ$)IF%&sMU3zuh?IP5KOLc}r{4 zncHKiL7f1<;W`{o?sm??bGOU|eHJx1a$zVy5TUkJ+6J>1@LU@~YD7$HcYCGj)p+FbzO34ESq@ zfBslIt#Mg`&Sq&yutUGf+d>+oGFRbB2`-Im4*n2u4g>IuOf!5F(r!oZhm>A!P z1B^OoJLgz`(Ilw}eD|c9L&(mpO`H7E0`l*k6M=tb9i*7wS2ZQ`Pw<%c@bKp^6W@T% zmm4i(f_aRXOHB*z0`yxCIYB|ZKB?tjQ)gBQUd!?*Wj-@sxCB@uFEBOQ2Q=K5Z_bj% z=3F4GG&l)3$O5ksI!kON;oGwL}SB) zO>##6OWO(cWNI+Ze!1wyXRQ;TMTAx%4(xl^2GbxCpibv|A5DXU%mGX+bLnocM;ISF zNU{*58ndrexw=5KFYJ(gbRHQ3n64rx$lRUPWEc1;3X#K-+!$*%m&69F1T}uhl_NBi z>W{^LP>Kws)Fkl>Dzsw4Ydl*1DD=@SATx*9m7xL3yN{LcWOHnduJ zyly~RY*^8*{n>VLT?g<3hNd0xwy@@lb|fT!HB7`Gi)2L5a*L#T;;Qx52;@Sgxyq94}(4i8MUsMct;oKhX`8Gyr*#`;D`wzEtyS2#slxLwoHbjz z$G@JE09R<|te_3IbI;fo-6zROvEWu)z#)toF$VQmjIcRAx_LUo{KuCCk1Z;8A6C*#ZlAXz zqLQWM6bvi(Z5QBxz|l+bKU7=$N&*Pf4*|szMvtjT&*zuZVS>NN9eJJ9X^KI)VQVcAs;5_?Ux&K~tNt9!N(l{R^4lW*82$HkCk zgEPey*|PX;WiVCZN=$rKS!Py$BccAi5-P9ZXB})ULrTpiNTd(-n0URLRFz2Y))8-i ze~!OC}1?;8rB-e9Df@FeAqX*b1CJ zUYK2s_mJXoq`ITJI3bf%Q53s#iVvCLqp*68vN@^qN9ZSy4KE_O6Z~g?0;og`ID(B8 zPZ9WbUo+tZ@JTZ?-@Daz*pXsatb4V){va2vS3zrSBUix6P^3B6?UAAgNg-9Ir~5?s zlH!gv;{5&j%h+L3539FhnRwA-p|i21;wSch>iLIwsP+U*g2|3l+-~Z~T-^qplIUSdxm483g)M(}?LVfDJUv*XRJ^m zHCCdKX2+5j#4oUHnWjrF4YS6Du^}mpM?I>AGQ1a0-G8^_pvU-s8Xn{4Sw`0v;r-z) zVb-yj{A7wLrjC+Ou_RPno>1{ZlP>-| zvc?#Mbnbh9JjA;9`sCvErpOngVb4Lm$abLZV_r-M|D)txq&}3aizVw~xutKIbunY3 zE@>Cn6$vecCySFIEt{o?8=n~SBH94(&%1tL`=6PY=2s*o!UN^V(*ExFQ!wW2fLvY| zaFz^8O2(3sak~g?RztnGRz#(?I!vnyuNqTtpl&9Ap6lJ(eoF0S;1jd#+S%yD*+;1e zn1?iH#*nOX1c5Nf0i2|`f7o>4@D_S>CwLQRqRCEHQW{rBmF5A~v428zU1Eqjnt<3P zP9}-rUx?~0-8Rnk#>!fp?hP9){Bijy-)^Gg)4Fbp=0~tst6Q&EUrYBcGXCN?($26_ApHZ*$WeLtD-^Y#RrGomV{7$B_Y%XC|?u+>*sbUsX&|xhpbrolS2o1E7T_!)fOc8P!rM^n80`v}n zEp@w=yPQI-8*u}Eapsp~bmcrRVVe0RGwdT5^~(*N%T}XXR>b-;BaWp|%oJyQQJWus zIad5uvb`)TcgGJ#?vg+OmeejKwafCm#i8}N|%z-rKEHzDP5izrAvK1lrAb*eQ`>cWFr@#bV+7iU=w&M zlrD{u(q+YzF5UBQiqNI;vlL4a&hC`EE%!ddBq9E^E2KP zoZweNU_zL~tYnE 
zWEt~oISVH7T4s-!={g|gJ!jkt;E~^OENl@T2vsV~UCD5?R)(YQdC70|&66Q4&u=7^xB-5nP-qqG zMlnOZAh!`(tqb!S?aknSGfJh3VV&sP_s6@fIwz zO)(mYfzQEbgr~$M$&5huR>NTw6Y#l_U$dp_(U2a2x!UWVf3BCrMzMHL~R}%A|O?ZS6_qiyKEC-Lp_yzKRN6Uo-^R4r*-Me?> z2AGcMP!4A#$6=tr^rlK*JaJRN8=uZ8=FyU#OtkHqpXIghpwEt&#;s_oi2u+JIh z?YcmpP-OwgXSfr{aL?EYWEtL~WSf>`Et1#keAvG@9FvsK_#ny84b&Lo;5{Cy=P zMXLMHRZ|q919ruK{6yXJ6gyG({AqF%iP0+r;Uoq1sVMt_m z#O9XDN=$u4J@d?qz$`cNC2%pLlB<=qOHn_jpY)AecHq%}tA8dDI zQ;vDwfw716*O-aDqGC$wq|)eErO}~gK9VeqC(n9RG9Be*I@$nF5g05>k`#5%(=;NX zQ{Y?UCt`VG$|24>!tJ?|XK1}VLl3_G6CGTwk#t|2QAR#bJOqzXM(D?U3M1Sam)1Kg z;x1Zc{0irPEmD~dbG64-auzKoVeQ!-@^w-c#Zay#VNpp~v^-%^V^f4hO4(hKu4rqa zwU2?UC_Z?(sET59xKW}aB|>~LUX83GR!3BnRYOTsR1y`HL`5Z0(Gw#oYOIH-NJSV? zoTw<-$OVXsl35qn1fB{}(Q!#sv|^&7U*Es^rkIL=Y}uw>Z?p!w(XUu~7FExk@s2tq= zShG$!>%w7Sodtkcps-~KR{X@U3?WIXJxel@#8&KlByo70DLF~zs6hoO33ItitR(bc zCA1{U`;%4kl920k#l$2~W{Q~vo;^)!l5haa4XWIr9uz3N$o{k#F$omafzl(I3~10Q zSxKO{G!Mz9`9`3V8zLN`nl{HcLJ4z!nhlGX3+$ZpDn>H`FQs?q+1M>e7=gDQ979bhAk{Xmfn>bQ)|UnX{dg)EcrL-3+w`Zplk>Yd{fckb88v z{TA3Y#4+*0W+^E()=R08))MJKT#L8A5DP)fl6?rGi>v^E`Aipd5LtnL8dwq8 zMRp`ZkpLM^ccI+X=dbOpB)nKs)Q+?Luaz}3Uc}*2CFMm)d9gg@#qp*nFVw=jBpoUBa~UNj#W;YGV?zm3sSFZ&#W%yMfQ=g3Lr7b=BVe))*tEl3(+N-?8NmN>D?+AblGx-7d)qcT>eUc=aA$ zK*?zj91F}D>|kaJe7P%s-7hQF&y9B*hJ?Hr7;a!M21{P48()$Ft3GJ;8+E;P1RGo3 zJZkD~v)R&{ZTPX(G}>0BRzM1VLubDVEtS}*;^~$Z1=qXofzrz%3$c{DnPDceWCypR zvGb%SBb!=~vJx|ydIZw6jfke)cauNfRA0t)6NuK2hwxBD%*$qf7Y=(6v(y5VHEc&Zg95Id|@K6V1x|_R0EeIZV98kftVtt#q7Muc4OjyjH3@b_U*ARD*LJ>y9X^Sn zxCCTtk{E{P7??FS=>8Jwr%_F`oT#WiPhGsX73mIWJj0xScNp_!BnuYrU@$XEh?b&>iB=jL8HJ!qDv<=fFM?GC-tb-uMPpOcXu4`$MutXzRIC%TBf) z+JUjG$ms+{UmIii8=(`nc{B1r>D=k!GCkErHoOF{hVBh)2K68TR~$8_G`48!(<1r! 
z@nc+N>!Hqn)?Kz(d`QDlA>oC!3Vl$Bl&0Vv{;X{#Gm=M`?djWl**w4%*Mp_I^Zcu@ zeD0s`$^;s*JwQqxZjWJl9(4oCpby8i4%ZYt>o1Zn=vlF-nM8EDWAy^I3*o;a|GpM0 zU|$neB*O3B8efv}iWr<8dq%-|IjfOt!SVN5=pH?PWaJ;Qz9g&9*&QhmsZyC81en+h zW`vbf9E&#{S?jRvqpO z{_MyUR6W9c(jq&-%hTidazsnu?u+L*jC=(MS7NkN4=XZD!{a5}T z#}!S0w>GR)GZ2;+fBMG0wnx$#`b)fJLubT`fNtTTxQ$)7o15sKei_Hpxt`f2H3@Bg zV@%$7{Od_5(o)LAOyS#;>ucY>j>PI>%Gfi1Txvb*Svn_so0S*6E~f}0P)g&~vl|%6 zp&_tgkS?pBk!RUd5T~+9HiH**E`_T?LH6i9`Y!I3;i}0!Lqrr+;Qv!^d{^!rYuGzB zvUM!Db5N*@D3e*qov3KZl{=K}DGhuSAFYg9juz&L?;CfW8Q!H>zVJ{_+2S$JNl!#<$;6;^G2fZPxQRc| zBKl-g82C=2eawZh&zvj-#g-EH@Y1U{n!;&)C*HoK4+7WK8)x*X!x>nx-Z`gQ7mjg< zfq96R36r}+;zGtThsMO$q19oFT|04q9V4)Vj)5)c@tUMzGVnbX@O=OIuDllOv9-v? zNWcixw%fUDLsb#8ZtQT(BZ%W?{E1-C<5wC2iEywH%P(RBD6oie;!=yasfK}ISj?s2 zU)v0j_N(u*%^x1W2|ai}f59`k;cBd8^+&L~Y11%YowR-(Q=Y(h_3y@TmglK|v}Cew zz`b8Txdul1GWHr}3$xZ#ve|{cLD{HaE$WIFTRC65*8NJSFRNLb90KLW@__R3LAa=; zwH2);9v&Vpq)cbFh*6(7$v|{G9{l9-Z>Ebg11YVU$1KGvq7xcI0B2|9?~<8o>M@q# zU&eGIg77zUj?3g**&w2I7Sd^d9&U9X;9 zYEH<3Pj(p*A!`|fdt)8@`LvD57_tv#J4Br@DS1Wrwf=OXO< z0>louNNENPeYX!_n|#BEiIPUAl!EdLS@& z>{5vZ;9Bu!grS?a29oiHz#l2?s>6% zuZ`fQSWd)wr!$8Al?T*B(uZrJQA>WlScHlFJOX?9hCY>ZE-vzaCMYs+F17^T6Q`KO z990HUl|_<-m%t*{EPVsmeRtZ6s?fXVJvP|Hla6B$wmb7OFnR0OTmbhu!VjoW!DG5e zPQFWQ+Ds*{NXmeAj&};!-5*fN}G0cwv52_loT%geOEN&DSstm?o49ApJ z#Oi>dSv8cv&=MGbS^`5$VCWMAhBns&3{`=2iUUKFja&d2n#{VuCh$~%p{)`ax?*7H zTf@CIggN!iKto$k3mTg0&N9m*%)cejP%fcKA5g)A)sUC=ctE195+quJL`#t9HvT;fwq zz(9rRhX_#mijyzCRR|9R8W1eKG`6#WuiC8oiYXQnEh?B{W zeHn*~EF1rSf`R^0GVL!4P~r^a%F@W08Es4gBJ(3GXB9dRA|te3iL1=W{Md1ovT&5x z$`V_-iJe2+qOBu|u$0$>0%f^Q4IjftDnXEuo!E(&GY1Tr6SSXqH&_-iDHrqLVWJtB zNfio44B}QJESEIU6gW#>;vA&qf{4kY5X}svWx@e}mBd;Gc7CWOrhPi_N-;2n0G8sE z7Kd1hB1??rQ^i;+R#S zA}!a6v=siEg`t*7Xu4r6|p+>WmXL(`m#h{mgvh8efh-Dm#y`nFIDK5 z;^@m{BNsqlCbKTE39K1?Dd2)dz?VfKlv!BA&$2KjP=YhIw)_&AkeTca@Y#6Ucb(wI z_RnT!$k^6cwB)$LR_~nnm1Wx|fFA-ON_2S1v{+q@xeSLcX+Z-5$=u{YZuIt^R z@z}TFEQ|gSIw#{3d@q*g3krbTkN*O@6lW-wK>N|qKzR;2%0u1>Vkg<(y0AbG 
zC%$cq1DzP};81k^&$SBcJUpR>V{d|kAsj_t@+TTS`ti_s8Ef4oxetfN9rQ`jEaQ`Z zaWD)H#VJj6Aow)$ZbwcK5Gv{={id;Bu?GB13_2odU~uffY!{8**T(6g9i~V0AZ%v3 zRkydds%?}y8GnXzC+jk?0j~h{Um~d zuv=pk>3}{?M1Tt0|7-+!!GezUA$c-?$iroV%-G~@=8@aX9mPFdH`AdpVh^FT{nQ!8 zvhixy58^E(UmEtx8QLy>LCG``-C(nCDKXzRYOiPre+9e2cki&_(dp(=gm`0g_%yJs z7d*y46jP3?*5Jpfs)UJD!U4?i(8ke(!47OqwpKLT!Qe^G64fqZehx9_iEIkYLK} zZ++;E957uD(f=5!XC1VLb3FpldgEPdCt~{8I)d7Y)`^2=>c)5+NI!x)cTBpD!`d8E z!-q>(B^K}DbnJSDrAH@UsMLXfy7-APx`vUfJY)kKDaz2vBx%dmz9wFuk^@>J^`)_1 zoIo$M=u|A_t48^R=P>sAXoeEts)_n2x`+dZqoEB^nHYU>SF|`|MMDuG9L$ zr*!#bqCAxsKaJ-;h0ASFpSl-6Z7+Pvo_V@1bgI6OS%I0S=$WVI>{D~f8!d!KsI;^{ zHe0f1-hC)p9Wu@>0%yg4ZSQKz+cM9mzQSIJBJ>j%48suDwM2Jn580iS_2TFud!caO zP>+`APyHeL!!8B&(27~QH;sqv4c=?6urJ3C*_ZD53VYIg$e#TA{>=)z(t60QT)($tuWO$jHaMPrGb>X`YQtk)_ zn{*9XjNT{Z{0W2jqc~gnNc~Jb27gM7#i}9)=hDk!&D7y%-gGjaP8b8~pYH$k{{c`- z0Rj{Q6aWAK2mrNpH(6NY=1E=&007J^000*N000000001!$f_(3wRJaH90v1K(VzeT Qebkczt2G9bssI200P93Qf&c&j diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json index 495914d9d55..16569e15700 100644 --- a/Solutions/Recorded Future/Package/mainTemplate.json +++ b/Solutions/Recorded Future/Package/mainTemplate.json @@ -3474,7 +3474,7 @@ "entities": [ "url" ], - "lastUpdateTime": "2024-01-12T00:00:00Z", + "lastUpdateTime": "2024-09-24T00:00:00Z", "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], @@ -3493,6 +3493,13 @@ ], "title": "API Connectors", "version": "1.1" + }, + { + "notes": [ + "API connector rename." + ], + "title": "API Connectors", + "version": "1.2" } ], "tags": [ From 1de6e93ceca44de5c69740fec4ca29587fa73905 Mon Sep 17 00:00:00 2001 From: Niklas Logren Date: Tue, 24 Sep 2024 11:19:00 +0200 Subject: [PATCH 10/12] chore: fix to 027b471adf61387be0f8a6162b98bd80c8971404 --- .../RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json
index c6c6607f3ab..80fa4f0a67e 100644
--- a/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json
+++ b/Solutions/Recorded Future/Playbooks/Sandboxing/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json
@@ -302,7 +302,7 @@
 },
 "tags": {
 "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url",
- "hidden-SentinelTemplateVersion": "1.0"
+ "hidden-SentinelTemplateVersion": "1.2"
 },
 "type": "Microsoft.Logic/workflows"
 },
From 6821afd8ba3872f5e7131d3167baedc7f0ee79dd Mon Sep 17 00:00:00 2001
From: ErikMangstenRecFut
Date: Tue, 24 Sep 2024 15:59:20 +0200
Subject: [PATCH 11/12] chore: correct version bump
---
 Solutions/Recorded Future/Package/3.2.9.zip | Bin 43837 -> 43845 bytes
 .../Recorded Future/Package/mainTemplate.json | 4 ++--
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Solutions/Recorded Future/Package/3.2.9.zip b/Solutions/Recorded Future/Package/3.2.9.zip
index e86a2c943e3890fc7b6e07f09f8c6536c1301830..7350db4708de11a310d6b1a2b51ebf2bd654f8a4 100644
GIT binary patch
delta 36891
zcmV)eK&HRF)&j-W0t`?~0|XQR000O8h<33IkqHTib~sseIyK+vv!)3y27marRU_Kg zj(9upWl+s)2WwtCg_+k5k9qAZpn2_Zn%B<4n%557ymqMOwKsA-djQI_bO@5b=wmts z!Jse&Q7kEynsN=j##*2J6r4g6a?`J(*D&H`u8P-Yq2Fd#?5=o?Q^Awcb85KR&8^{R zerXJcZdwmGZgbZ-u5;Hoj(@^W)gkQ`36qF={GBe2dGH<2K+*pyYYnO5fEX0%2?fwi zfB?rR5RbtJ$XG~3MwQpf78oPJ1CpSlBqEgyz-e5@l}XF8F9dwLTPlf#3L=L#X&8qTv&_hB7!Zdyl9K+;=(Pe9C(X# zJ5%}>tOG)Z$<9MCO|Hr)#>vc2F;6Bcql$xN@HdrE9^F9k2#soS5REDqMx(ljAdM<7 zN~5~CFpVk)P9xpUFn^jMj&O&uv((qwU%J8HLTEuMeHv`Wg;`XzEN{Y(Y&;d)W9+rfO=PM^p1S=(EvOoPVCyMXIK*vo#gtwn9)A zm!8rbO<_G<=h4%dc$$KGnszktT};)}bsjy<PjPN)S`(>yy1~{{3@EpG!KI}% zNUgAzZt!U7On*?df?AqJ)#5vts-+t|TABxyI~y&

orDNY&C!ww7WruGg0*Txv=K zsS2yV9%1T363M=b2kFw4LWGSeuX^I(m}XET9m=UVdZ_g2zg!BsdmJU$M4R9<%Jl@@e`| zw>0`lj}VgUVqGgdGC*<5`SkOLWRRqu5gqR)hbh`4UOsvx-F(} zI9(baNq#u3kE#T|7bRfWr9{O{%0tMNaZ z8h=<*#}m=ms6OhQN@(@4jMV&}oEFN4Wddo@0`2Rh))*RYCCQ|9UrXx@TrRThh*cH; z5tBLgbDhx#3cV8)zFtT#gQRXylKp^`AfyUobV8lh33W_nq8#xBcZo!M3)-|~eWw;1 ztt^Dun4C4mJe8Mv3ft*Ws`vz+weRd&9e;i@^G|l|PF?wD=bZG)3@6(SFxh5PM*WxQ z!1$Dy?Zfo4oc1vZiiau2Q*W~q9QvhiXqs-7!>J}*8se>rNZx1}qp=Ey87J#l6_%1? zmKirx1u#TVxc7vYJRGjplM9yCh6|L&(lvIec#kFe`72?=180G;5vDYfGQr2TJ%5we zLtB#4b^t%$Gp#2$HnHC68J3Y^g-)ap^h9tos&7{@A7!(=wh4Wd(A36KV0@HF64mb_ zf}kM5q3yJFwc97A;3xzox=Z&fsh?n+2G9H`bnNy;~4NYqY4<@ud zyKPuqwC=T+Z|bkx<+cxg;ME4s$tOzRu{HeiN-W=(uHg*)h5k>VcDJ{>vwsT;T7LaM zUzdEXSo#kBX=qEhrH@ebKzCiRe858gJ^b&Ve?iffm;B}@C}}~-kfs<_(f0;s8!V(l z(B1md_rL#L8UB}T1MtIPhe)ix?Rp|TG+w&}a>X3PKjZ%4KjWUj>#s{{Vh{2CYiwK4 zgq_V<9cvB0E=F4;=X$ZGWbC?HOI z$fz6ENhD-$jk;a*0tnwYd@rn>;amy!nX$8iLY5-x?6m&krlo%ygImRQy8rnWIlqqj zuzG8F{ZVJ+>Q3O*A=ek}3jF_$_DL1s@dAykgh$hECG_e4Pi@V2>whcZuF$QF^{_%c z4XYRfc*vPbv^unIzm=5AfB)Ta{`<{3v(wM+C~zKCY)c7e+nApVR-Us~8}8VGGjufX zBJ)7I4KUZDQvaOW{W#P^k z4u7jf0k=v{WgS>3%S+B_i)VUZ0u{DA6D%{MVa1=&qrEMBr0{p*V z1{-iZ_Ebk(aSZov#WbwD>`^+g9Js>^H+ZnLD`%v0F7I<(L@4I+(svZ}u9?a*5r!^X=4 zQn@=8mo0~5lTx;q?#xih)X(RG zz2IZf?Aj;~MdxjH6C8@dDV_UBl(-tm!_Z`z@-XyeABIMT^3t~s#9om{ptyXhd22gh zA2E<8pyKjH>ybR3%_YHnk7wcJfaZqDPiA?JBnmy5y}mqoai<{RaRF$%JeQT5b8*>n z_*h9@dw=P^6?IbLxt&6#{5BKPOFEWCFK&VU8iD_nN3q28a<+fYvptv7^@2}g(=&qH zRTJ_p`o?v{J$93eCAX|Rrj>Ctw8Hp%iJ zQ-3bQ=J+StG{G@zcIBN_X|pLG{cFJAN=!=XW@723p6vvj(A1rC%4tBa(COL%BqXQL zc6_~__Kavf&ePkZo+kH$1D}5yKoaquaXWHUrcV#ogYL+2fFsB{uqZkDQ1^`R_`O=- z@P&$T7z`se9U*(V(@9O>St%1QhtNikVSjny#wZ~g;|e6T05DSDhYza!`Pc2p(3Zh| zf@YQls#qvz6LPt$rtwR^2|A51Y?yDcrDL9{L2sc&uc4)qQ=X-X(%^PNLSJHG+UUZk9bWj14@|r8Z8;!u+kY9E zdiz0j+d+Z)#3sjaR0`H-)9k3-yS5J<0!nWhuD2I_d+nH1{ijiha~ze39FI)>$dPQx zv{pt37vX@G!vQ7L#kT*%7U-ki>BHv+`L#6j9i~RMiSt=gG+PoCH8CP|eKmr&P!{h| zCYAmeQKA)bjq}?xlNVAj^@k5;C4XL*p_a^9@CEM%v!sr^KCG+D_Lorl=usiR^IN)e 
zZ@`WVUbe|+zT&=K;$Zc;DlPjZu|z`((Oc$=JNXrtUNmuP$B#be#QBQ$cS?WKI)Zs1 zE7f%z4`c-|{m>rB66m5#DFwZk#d;+PG>f##gys`}Z8H6W-LoGT!8y06VSfo;2P)lQ zmnpy2)MuhK+)velma7m0z}Bl;4Zc&0 zd8#(b5$RVUuRcdF>cJ;{P1W_5!KfRFcY?z=Oq*I26`OduI6lM-g#v;`*IKwYQc?L> z<>`hGE2p!z!@SYc%cLSgOMeKPi%WB#?+w==x4%-7^fjzM#P{L1-O<@b64ZuIoOmUY z^j0s<3UHPNyfmA107nu_xp4G>p*spZ3Aptw0e`br(g&(xW&}mwa?9wBhC|yS?I?*t zw)||$m97pL!UZ+_nFTH4GXhKm>SnuTKOz;GbURPiu)%*I7i@oYs$Wh>2#6~%uHVMV!i zOyyq+}LY1$8lb*rFh;?aAn zTpI43(gJemEB?PPM}I)!6cv4uL)uP9IU$R7+#hvNV?9e<{w1^RWTTT0Kd2bq$< zaQVvH(Y0{6zG`-N1e<|otnbTVUz@t>SgYeFc405;R(a%BA}O+as>(n5_CwjT%eOi@ z`9T|1)pTDct@(SpcYrqSM-PnSx(8i}DC0-S6|lPc@<)~j+M{cRrwnXON7~&D?k4n# zKcO4H!1tiXVt=kJN{8;t6j#01S7Z8#UKv%?;ZX5!oEKUdk+6;7aIAw$<-hbkhwjbw z5X_7EmEo@yz~5RguWgmrcCOae-lG5ilGbBAxWU4Wkul7=LGTzg^QC6F&X_Pf^K;KI z^?ru1CM|#PC~-!L*t|{6@903oUH#0)8zjbMyH8vf;D5ZHT`k zP5N#n<1nyVlid+bu{8s@6#x?u&~|&|Arn+JI7_9ct1!OdUROe2eRT?rug$RWhsGml zAB0{h@Pb2ep}PR~BEf{^fC&{Wq|m4pU^>OOwzgWIVQc;Q1+-UJwShk=8_Ch1Mhn+x z*uo>wCVw!D>uc+vk?zR!{DpVyIZdO18#8R+uG$6e1RO$3gO_m104y<@{a{rf77#j* zz-xn-0Sege0#9Y2LLX8^IkZt1`YbM3t$S1MlFb=*NelQAV69i+9xLf*VaqQ!FM?;^ zAhQOdX2n%iv^)4Kv#O+n`fE;@S8Xb@)@`3#nnAY9%5iteC36| z{i1i!(uzVjkbS+PEKyEm!x8t*DRrrqu%+>sMh-sd>@|IGlhX0%?6+Zp%w^!F!fD=7 z!taAamS7-4XI!bT)>e1o+6ZU*aJW)OPJg9;M(E{e8|ifcnNc$py9=bjlv9gf31Lk1 z2tkZ!`z*hXt%wXrtF2MSU2hYU+m_+Tw|aa6gr$i;lnd1oPY);iD;mYM)qc=)Xugn zR&)BEncOS&=Zo=3^g*502X%TMtbZ@OW{?3|iB4Fjb;3F(Gf|HCMeI@pmwD&dqao;k zATemulJ%WhY~%dq>Om$#E(Xna3B4=0z1$rjxpx{&(okho8mjE1s{KB4TKYxs+z_>1v zBvZg>7Yc|bfUeoDNTwQsOA@6^yCz=~c9E)(2>mJ&!F{O*`+F+X)!|76&-)SKjUN_L zIsz6%L&d@PRR_3AC30K{8OW$Z9}AvHay4M4qJ_#3lWf9aWbs$Q7?^et%S0T*c({`v zO4iaR@`1uHi6)C z5mJ&ogd{T~`(cMV^F;d#6a0u!N@3`v{8eHv?UjhINu`*i{`eyUqk^-q9?rthBG^5P*{&m?7dD{J#9>U*R^8lm5_C z-Mh;F7}|f9R=C%P*S;(r2g-8*_aX4=u{9bDROg9vQ1u{N+x4?WE%ZzEoolTPud#{a z>!*qJ&B(v@rsfLLaI>EAn0kIzuE~6b?7G8T*yJ)Wzhz)l_FKM%QtHg)|7A7H>H)`pY*53E;eCN+>l%RKFNUmBucFW;P>3=^*s>x!iiBkVbJ)Y*AtGI{- zna2@R8ia_Mrk9TkB(73)A|!4trJSG6Uuma!NE^7RrN6*B==-7Hz@Ohrgmp9W%1SFR 
zgQ5AU1^h8TW9Vst>@YXW8S^tCN*hz{=w^_uYlG#(?dr=MwU09|eaHGUDnFiaDBo32Apt zKofADo?j@8Zww2XfxG&x^vz=N`xnLMrN1e0fP3EnPDt z#edj>Q;d<3K>Xx~h4c*rfIeaOFiU^#MlQ_o_?r+RPO{vlzRB1^j1i3-+<@Ve%EqSo zINK0Zi(zRih&C-CTEKvm`-TPvAfmVkUB}Q^5?jU~(g%l1CKQuE{$iunQyEk5so*($t~uBawbmTUOo#F#fjYK7f-AC`_Y}whPZOtqH#N^qGn17su*PkQ>+>9yUYWO1e5BWhMYE;yv)FNXmxLv=Jw2Dn7uPM!B{zJzTPwJtJ|w#C`g z6Y|wz+8y1gA-3BI+xLo)b72VUQ0jpVoNwEK@JbqAT{^8OT^$EGUaBpW9DgJ(ym0R* z+3@DbhByCSiK(e%#G3*mUhL85GCPLk^Xbe=D zn8fr*CSpq=chEO0PWHi*8-GQY`dP2SpLz3w33KT?lpy>qDvFa*gQt>_W1>p@%uC}6#5^-vN^>tQt)x#_U~htSvFpmE73>j8 z+ds=tUMp913|I-Wp?D&6nf9i2-)B!r-gxRy1fkFAKOTpXYARDT4KLFRd^nYw21~<%heR(1xW~88L z7d~uyC`KD3AQhaIB`h%Nz-B8+Lsg8{L=0p3HxDaI!KlwxqYfSQ7IxKittcFrUQpYt zjfZDvCP3hYl2b^$km~YKc)`!}+6ELz>4h3U?{hUCiZ3oPX6uH>9}Hs7IbWB6{ke=Y zc|I;Ln$%=M5`W_JMv+qxy>A3(Z=hBbVZ~U|(ls!g;02^f3xX7kUwS*dKBV1f@sOUy zfnc=W;A9Fz@LR8~-^1k@hMcen_EPXQM(U9N3an15rordI+~twiJ+mK{U#}?T+IrqM zjPeiUcua1>ArTtW%aPUoInte{HrOM#O#}2E*j0~AI)DA00G}OYMQZPze6#*vaN-GC zpq!xLJAkA2pMmx4&I;eVCoi~R3)J}@xv;{k`QLWqYu)jS)7H1HU#`9r4hv)M(`hcA&E0P zUnJ_O9e-=hGX}Z?gQbu_s_Q9Ril#nMyn$(vdg5pK`7Ko(UJQfR6SMM8G_$=xo=f_h zfa9s-zE<%AfeV;ABJa_+uCHj(ZGmpEG&fFFkXiJ>zN`BB@0CCQ3fJbpX@sUzGNYF6 z<**;>9MQTnhQkFkGOsXqFpnP>^U8cLE+AJYdw({_w@0~v5v>6`ig^!9-!nlSj1J(| z2&$_!zxfr6AH#LTe2ag9HXDQVyFKA7{4_JO`*DFYk-*$NU(^%M3;ba6;=L|C(G$*@ z?<8@vByL`K;^y=Yc2=4p8Ym#73zWj2`{<_v!Sao_Bydg@{>*5PpSKFfWBBqo4FW{- zg@5w1QzC%!YcQ+uXFOlwViif_U9_78TLrf)z!QfrpZfbE%BCD4U{R_A3$~Oa{3dZ62O9Y$($1+Lg z^JKyt9{=Rb=cFU{{CwwW5e4|p(|=h7_9(C7I`xeC&JzrrlJ7h*)8ynkzv@G$8gAQ6 z)3}AuC12lvf9mrLo$EBI&q>`p84LROW^NxR6CH#`PPf}FZ>byI^15E{l~rwHt6bmg=(XBcj8BC2fG?#3 zdtzo#B9hlVu!O(^zv|i=8GkJm)xw23kJ2a5=ck4>V#Xk&Y%v^qjggv8R6q^nC;mna z0<*Os(ily`goFZ+EUX$cIh9*Fgp}}TZ;)~#^@V4nu&h4=^V)?WMX$duA%+7ge?iF& z1@-w5V6I@YA&2M@dJkVq$@ePTaksKvZeIgeS=GR|8bq7gj@!0-?SDOc04C9a;p*+> zo7(I4@`b+PqouJ=4Bx11<<&14Ap_`sraK|(ZEPZT3!Jr8}0>XxWPYX0x6#Aa~K#yExDUSb3!wK0vLPU-h1`007VrWQK=6_>8bHD`SFl|N0M$nIw zC3=*B9$lX@dKB|gAId3kmrN?6IP@r~28kY(=uupv#X^sg5G|a35gmPsz={v>JXaYX 
zwLlPJ2cAbmun?x2FkuRC>Om!0&0s!R7)#7$reCKLuT+7jmFYN?44!kr@TDY_Y_(ji zkx{ZF^b@96ihl-h-ZLHL3AGWGF(FKp(XIe6Iy7SH#L>7{q+ca$EtxQf zt1&rjjYB)~BiPc?3Lx0hSq1#0S8?@v#t60ziC`-l!M1Nh=vg^h|6dAzE%OZbH1TWr zPM!?C78eNt4PcI0K@i<_Y@gGn)FeTf$jFYF@sHNlg=L$F?lT|gDSSzVHi+3LO~To_?Jq#>OT)c8F|K3p&B;-oxLI~+JvqNp@t=OQEx$31Xs7gkRA)a2qy2hT!*pEDTFRwudB z3bdw#j<)^x5@?vrOg=P1ljz=L7M63o@>a?}PJfsfWMT!OGT0OcFZf@OHnf_(z;B_}8927$BMo@E>?f zo2hnH#so+=5 zKPiWWzeON&@0{;svX5j ziHw4ubp$3J)6biIP_ssVO_RBP@xE0Y9;by9V=7*f*_7}QlJ8`o0LXme7#wB6y?>}k zx)Ml1t}CfqKiu^U4mz9uOeHK)_>7M8B`)p*GR9Q6fRFSFwT*dRU0{UW0=$~Im~STb zMsS|4^bC_a+weY{7?nF5b%2L3wtN&0Q}Gw7cDL5nEEnCDyrAf`bqbGxOz|m@ z-zaQrRu6%szWEKJoaPRI#vC(%i4(W9HhCuJF> zv|v$68&i%_$^iI+oC45cQW3>PDUoWBQA#pO376=3L@9Ck6?_c&eo+d%#8Kc=-kfCl zs*8;$Y9_*+vO!2Ih~ZrW6Cj%TmEp)4+OF=dezU$=NdW_|1M=wea(;S!Ab$@ciT7+s zv1nMXrV?F}^e){7N@C$?*g}*{>XD?o}c(B!>;kaH{UV_)2B{8W^<%P54 z%b2r7hFQj(@$Xp{I^ql}egs&@t#jPO{cxT_%>8L4!M5TR=~o$AmQ0w#Kb$)9bs2&tL(uTw6HmBg z2$~E*lObrd5Hz@mwe7$)YJ0vHBty~2-7Z7X7U+t48j6_uMuwshx?%RAXk1Vga;Y*9 zE%?YlG#Q9Cp$fdTK!3E&DF>ouAb&wl0iZFdh~fg#NHxenG#QA7OY}Sf(Kx&czA!Xc zkPJeTL1;1vjV#X#3PR)Et;i5G8G<&>GK~QVOi&VM%(K_z3`{LC`8jiBT* zwoS&iVM==@v29gCDjC}5mncKqh{WtO3BnR;YsTM^R9&^8&`M*7Imwp8UZ zv`vP#<*Kca&^F5Hiwto?8DxkXF&{I;t$6|d3%!q~n@{NRw2=kRRNbP)!D^O{fAdEl_Q1%7JPb zaA1&A0FF#5qPRdcQVlXtO$Msr5U+O(DD}j;w znwAo6HI&A1sFd+qhdT57^6Dz6U)2Ws>Ogy~B$^TEU5JcFgXN5TCy)`K_N)Tts$0KP zz#QM6NrubGaJg}oX@tvd6&)@|RqXu1a%njQg5}a#1>EXaam9MZ!E)O&Sgz<`x$Dc5 zmlrL!J%7t+IZO}Ba5?!_n~Z0Z@ob7B>|t3}7$FDS!|r6;WIS8>t2v!6qZvaEYEr1RL9_;0s}c$HX#*O~$avht`Pl zynmpF);PB+GH^@=j*YWSBXDfH=)f_$X6KI_OA9IxIhM{U;Lg5^Yt}Q49NUqRV?{@f zwZPieu^-z9mSc4LaCIzSJLc~nJhn5-;4yqBPZmEGl!?5yV;y(uN!}*l^x^;p1t|X2 zJ#-pV<*x#N5J+{ehhO+kVunND0?d@EIe+#9UB4LIen{ zGQx1P!Hiy`H&n8ALIne&_7ab=T`?s5 zp)P|3rxGm4f4eh{D-FghM7Sa?;`#(TDPeC>W^~O~(B($XOH1ax$1{rVWCqji!+&D* zcCawFVRY+=8nnp+Zi%n8G{6uirX?jD1LwvM2q!~Y#8FCoP^$xIEI_f^<@P(>YlD3y ztBaaqFl1uzDtvn;(jABqML?zihqwzdqYx+R!|f4rc5I>OPe+HF04)@T 
ziX@#6@JdZA{WHZ~!2?k);FTV9AAiI|5kV$QjY>k~gp`RVu9qwRwxMajmm0uXw(Z$% z!|I}Cs=a(uf6W?t?x+D@O_^xgu=0j8@ckc}UK<(@3Oc~z!ovPN{BMY=hW6+6^>%M$ znr#OG_7S|g?+v2AzyJO3%J9Flfe{PX5K2F7J3?)nsO8)?g;Ga$)eJPit$*zKI!U#5 zYDf!z@D4^B7z+)`HnS)mj%k8X7@>)U7-=fNen7Mu1bsV7lz9cWxK_!y~w$kynp0S&5&nDh7#_B zT{`EMiOaBqv=Mm~7h3?jV*-h5EE7VhM__sKFT<^oN152d&*a=9ncLOS9}(y^xR(1<|2a}kHy%2Y)B|+??F7Uj4A#MtX$%bZj25lln`^8)AY-80 zBeZs3Tvd-|u|cD4Wfy0kc8w?|$o?VW7xKA(mS_`mC*<#;;D0~J$J?AYXr%kfMdc;H ze2b?&U34B^!lexxcorp1!{UWcy@VOw&3Lg?7#p^Rk#5x zHpxW>7b$F%xUJ|6)R-4VC#1^QwoEd%^r4*#`j<4oMbDp;Kkkr9f&rr!#Ph)!6hJOF z;W(z>RKaDO2Gs|f@8uPx05%|(NUA~Ou_zo(Dmn$^z_aQ7VB;*wVYfl}X>`X+1VWOF;6Z9)^OE9^=};_U&M@+|gulSVTNm8lT!gWt#4Ape z6y0%CINJP9#EFZ+Ln(d;D<#6SVxoi9iZQJGWeoqOjXoqtp@zm0P*I6A!J#iP3APbI zUPpI_z_QsAhHAa%`1hwzqQ?p38BESNZ5G6bl@>zP>%xjDTtE~K_yY9(l$s-TS z14*?^IQemBQ8F?4Ji?)Tj1>kyA@dg>t$E`{ap!$358N`0AViZnVkP%qzEtTXzT*!E zZxN~qKBAeYvjsE(<;$TBC?6Oh7~Kqe;Y95)V#F!(3MzjG%F9%czzIIK>BBJRz!3vSYQ6RC&-<11`2WyfMwpIOQQfkCSJy5 zvr$k&N{4?>1F^s!C4ZSX)w58rB$Xc&_Yu&)pmIo<<$CI1xF9`x70L75dUC?0GAO0+ z4vjC4rtqp3lsVUq4JXQlvi$VwH9kuipAUpHdyd+or7YF>V#ZF@?p07G2T@`2BR+P{ z$Q1QZf}B$yv6R1o#%`jaLTxR`xWru#|1;6FHQ9ea<#8y3A|`PwgCfYY-n{2Kq4XlD zg~mGb&TBYHX~85l6(1LFZ*xuCg>D?7dFLso5G@eut`YnBgG{Ey+0Y5kptJAc{IlKS z^mE?1Z4UYj&7YgBJ&|>a2S+hiEfg-_F+;q0lMaNqOUAoYa1R)6-YoXC6B25O%x|TC zI(mN(p%5$MS5Msvx^d%_j3X77^qKnxczn;y$9xxp`a6}foA?`z4|2?CUTR(_#Hg4= zo>apV`TQW#w1Hvyl42#spzRryFgbFLLElOBqAB?jv7xlPFHQzrgLQHN=3JN#anmwV zBE}F$hrQ%EBb||2Xv)mnUnp;eiU#baE);)N)12To+rO1uRZd5)2bp73#RVdn@nl@` zCG{22Ds$x>EL^wCBOFEZ19{z-!pVmV>Zkm{+}bAxoS*x{DZ*W#0}XBT+vqi zSvrUMaQG5MbaVV>aL=?y+Lfbr?>L&AujhNJ>GF1c$F@yfWxdlC>wAu2O?!Xv3Y~v# zqG|JK={l$k(jp*4i3htZ;&5^m_|BmM&w`Z^v=t_XM?oDAkvxX0^mG*^a6Q|BpcWtJ z0@A^m9OOsTM4&A6Tr&dq1XM)X5)teN%n*hjSfd#66kuWrxG5A%e*o=J%_rmugJgaH z4u)oC{K@g^H}-oHBBkP?=;O*j9aewTFrJzS#~890*tzf+e!#PGG@>09(Lfn76*<(s zZeIyXJXME^N+REha;J1NQv&n^(2&B>*5Ujx1XGN@BDz4UM>O0|kS_D0U#>wb+Gjy;5pYeOJSoLitx13Ukm;d$ zCXgxz7Kk}pBvPl04u=0Kc8_hXu_DATj|DG{^X=cWpswgozj@g>MN;+Q9{mdbLooBC 
z2lB-{YX;%4x3Y)9#pX2!Y5%SRgqXhzpIKwP0Xt! z;swk=Nm%Dg%%v)}ShF9wD{+6XF(si%C$7kh#PpZ*@|~E?4YYizgMAa&4vjtL-xI%# zKgRW24H_MgPc7zYYT;YMLBwPAocD$UEO}QV`*YeH64}BMCCl9*DXrWcPH%U}o-h*0 z2`(PnU}I%GL;o&lUtaG{H2Y#~0OTGql}qjs(^AMiVk(#1Bc^^Yc#nU`ztG4{A~uoS zB;q!SA^q>~yh{v%xiv&*Q2ERMUm4W>d+NIk>Xt#>etH?yErYtF8f8#-s%bK)n=7jf z>Xt#>VdXNY8~>3(-SIMIP`3=~R%B2&UeGB7bBHk7R!wsa|GGx6gx}FRnY2cgnHd91me83SN}>ZvRs5MaFphO{d0p z^Yu&ugTAc17YDI)}~9rO9Y1K?BHFA*C6HG>8W z0Kbb~X~H5UB!HS)LINZtAj%~n0h!ONAOU^V?N|PS|1CiQ5)_bA9+XG2HTZcYTSJ&n z!Z5gtkuVHKW(j}8NYp4{7y`K^41?<JpG9(N`!Z0KZ16R9*VPHy=FpNT~ zl`sqm!=RQRVHiA_B@9EtFtQ&B!{CvOBh|}EmD+=tD*Hq*LEu-j#FjWYNw4kPzNDGOy zh;m7!Mdm|6S`+~Ygj3f#N^BbW0oG}q~L_Rh-_J~bZiK#_mJqP?t=tDu7J2gFVy4H2kOkf+c- zZ}P)}!s;;{-rO&sw{soz^B)pV|BN7*Q=Y|UoLzLOYmY4MDRPE0H*m}>Jr_hz^tdwj zQDs&&0-?p>dtp}PY&7TqkJj!fW5eS=VxD|@<2~5&Y)=)r^q>FeTp@|YhX&=F|F}$R zCfR@U?f*F+?6q{&>GnAXCf)uZb9&Es-Q+Egd!L2MYoqeoeytO1wPtv%*mHDH+9Pu> zGW}Bu-UFh<03Qb8E3QA%aHAe`YR+IQ#m|g524b8wrmHDwrhVjO8Utei299sij~y>n z*QPflX;h>7XbeUJ#foNl2h9b1CyBA4B^Q5`?`)^Y)09Bl<|CJ);{eWLQuxsK9->S4~4(6`jGZc>5@)J6ptxhUT+NHt=w9uB%eR$bXzN(M4%`Y?BpBwv9Eeu2w<@%w)<@!PS|nLoX7-lV0b0**|4*9ey)oDLaptxz!p z<87waB?mcU-19*}^1(oI3z-m9Gz>pi5dI_~_>%FMND5%bc7+4rqL>M0YJ`+@D-nC(c?XcWu zLaWNN^<0pH^htJ@x-}XwIt-<&3`ZT)=vGdRu4B7)&ujbw>Qpg??cj`f^@mG6n_!l6 z>$P{*CN4$odd9up?$#zQ2^fEeqg!4PMRjb?(kJgB7!q+ec`?Jj;r4-AO;(U*4^+b{ zX7q!y3ebR{q;9RPS#BXkIjZH_g9p{o+e7sUhJh4Qtlovn^`NUm+cJLXS|Oztp&?-x z!l<0K3BD<$xMGxU;c%O4Ge#GQoVqM6`>Tc zoPlbhrrzt0W^^Yk5VDrHJ=M9@A!}M2QrS*uuc$=3(0?L0YaOgv3m3H^3qdRTaxV2PK;~6^oJ!o|WEahM}9E>b<;Q^)! 
zV<Ux4z$bBHN&%=vOVb+w&)?Wiqk-u?^PF0Ei55&{7j3(hD@X11jBa6#jPK^>+CZSP zmpVM>(KV&>q%?n#pRc@g>=7SpE>C0Qn}<0y_9ECiDo1vK^Gro&9kX3leiP8IW}?z%VqYQY>w@P%g6p%iziG>tau!{xjq~6l7B=?U(sbt*n6afPHwG9l<;uUERa%Az`a>zO7w{LrbL)oC zz+0^oWe=jRQQVHM90JjFXXqGAgqBF-GgsAfYxjRlOg_4wntd~uTYHDE@d(Pd=pF$= zHsOE5Uz!(rcMj}}&;@IL=CokamXq#n7q{JD-7B!s<2&ZrxA^Az%x7i>0zKOL8NVJ{ z9lHH(MhWY=%%D#k;Sj5n6X9W|mq?un^8$>+lMJ>|D^V6W9Ld_>zct^%1jN?h53igJ z{A`rsu9g6)zTMZRkhW2{o)Y=5VZiHiKOU%<=(sqHAMv&*{3`ki3<^7G`wxLCt{o|0 z171XjTH%uC;muwtXak{O87ZtQxl}qY+17NX{E?DG{xUF!;IBb?RBWEbMqA3GVi>pk z;j@7{?=igpd>C*%#>VvJ$ZNr_XfF&>zfPQE>kc>F{L7V0ZsUVk7%O2U0^o4$_6~ZO z5txWSUA~hHSuRU>TtNbRmeKi7@U-~3s+p*d8|5&)7}m)e2Ju9W+1zhONsSKKW`h)Y zv6wKct3;MJKbym;Y`rlHN@Q}ibe>7`sv(|$qoGno6Y;1v)uoI#55NW_kJ< zPA^z-Q867I+KT{f3`#CO1N}kkNh+4HeB=-Z-PP*Iza5#_OJ&Xu0yD7iP=?hpPtE%@gUYLW`2$< zQ#Z1f_~xzM+aPXp1o*L#Q=D+K1v8&=utCa<&&&MyP8Pa7i+JX$a2h>_d$ZX;L)1B& ztk0zN#V=}c;etmdvynu*8!bfARhUK>R1~p z>(N>Y?KglT0EbtQrE0Y3??Lj$s`Q*Y>-+s{*E8MbYEWm^f~B|W@O-p>pkNiS>)Kg7 z1Ff6;fI$uffc_bhYPyJ4!=sop{e#*xyeE9R_hjP{>fT3>U8L4JqMM1~Q5JiBmz%sF zR7R|W=99<`r78BNT*Kh>rm(JK%<1>j5X!%4d-(?Oy<@IL^?zswtFF^(J`d8C*luva zt4mJvO6%U9#9cE7e}x-U8Th-z+u=25W#7gHtr6760DCa2VQ*4FwbA508mAy~$^y^# z3D@!oj0HF zt#||ofPzh$`|VkO0-G2%mPo3##4D6`rZFRBWLpi8lMku2`ry2Ehk4DHh5jYd3U-(d zE1ueD!1*86!zz_4%>`ep3xj*S#)R_>|yXfA)x^wEJ}w{O==H*n$@w zm3JJX+92P&B?oYILd!*|`jOY3}8unV!4EHBpA;LysU56@HyV;y#1kTV{Ni^x~%geFM`Ky2Z` zIatKwm2wlhJXy^>>NXU2CY)f%WvxW}_=ZejF+o3AJqwrC?IwcuT%BOq-KmhW8(h}T zct*VtblLzGz2?8cJ2se{e)j03pbsrXh`5}2DJKeab&Q}^-+@;EztA=8r{6a%ZnruS zZ0keB9(f2IfAsfQ8ZG*7b~2m?Y&)eZmO~NRU@^v`1yH3*w@IR-(QCA5T;DW#ev4x88y zt_daQ75yQDFWD~!XE#@-jk`ep)C7fH2gf(8KX_wReYm9W7A$IOeFO=h^^NPzX8UKqZbtMC3H z`!Zts{2qfES3@mQi|PSNtkm&dt++*5YaLPq+@J3taBN-~PoFh&K(+wmGwA(L-8A_l z*2hg!&**Iy*0j(i6dXJO074k(<(}?0DqA`BW>!>V z<>MA;B_x%lkcK-PGMEd;MmzTID#emYz)jQ^qX&Pogn3#0w%h0PECeORpu0naj*s$NA(?(sJzZZA25au94RK-{Ynch} z9_AG8(FXf3(8eh(f8(O14`%U(-)v%*ULUPCFGm#$*-1|$K(n)>NvWz*M}=)`$#rXq 
zP1V)q3_D}pcFEFqdFgJPw}#~b__iKp3tlM%v}Ib|3&n(w=#>p7Ne>Xnlxf+7+gZ#t zGoJnKz+1^~v5d!|(@A3|$xPwLKW0I9q7#vJkN@u(57A-ncC}>RGp0EZSB$|rrXlH_ z-eIokUhzg2a2l1Ksd#L!o1-@Yi0tY`5sNKXVvWfi(3Y4`c_Ly^88b$4Qn;@A=V7u|5*|lvp^UfGoVd!Cq4mCIs2LU=R^nUNMhGOB%t;({R1oq zB~~-6peA#2N;hA0$NI{vJ4K(G!4Iv)>r+Dw^%dn1VvMs@AHxh`l~fgT5slla(PT|k zcjdBI7{d^QmSYf*fLaOuG%#9Wf%;HmbOh=G9#FmMa!iZ}75Y}UXx+DvY&g@XfrIb) zfDK1*1N&zCI>$_}VIri!LU9Du)HBy#1_VA$$m?C$voqq|s9)h3mJW*Xql95?6!|x` zO7(%eT5zO$&BnZgL&Fvvm>DDqYqGw*b-%78li9Va28pGUsDWBA;1tFz-Y0l8}Ad4uOiTV#&ikQ z#3(|{_WNnVS*3}}gfqH{3Mg9{B{GJ1^UjlC_vGY6#Sv;1k-(*3c4X5meG>oNRnI{Nzt1m1|_MW%&y zVGh;o^f?Tl%GhnBVbwfBkspd8j3-+5aNIcR@Z<17`us+Y<*iyIYLhS42@|v)*iTAA zQnGd@m%oDQ`+mQf;bGwqyUwv>VKw3Q&CRSYd6$Rj@u#l39E&8KfO&ilP<(f|o8(=r zCBl*t`VXJ=@5a;IvgabhLUd{SxRlzPK4cCqFUIfAVsLI|bq^Wey}f@ETMflZB;T@) zlr+{0pT(lfwL0y`mDvHWa*y7yFT$_Z+m2N5O^(NKi&a;uJ)rKkz6^F$Ae&0Fo9=D< zJL+4)Jz9`+0B=`PF?JihZWrtFa*y#^ya-A$x1+*kDygK}hDv=eLWLAn zf23sD3$22647knCxbxKjp7lDXkzf^FO$F(n+=0zJ3t~%Pko$$&%l0Bw9id0+PVk&- z4SURTVT%&Zo_0%1pM+2rV=2*;O!5i75uEXLIHv0$icpgc%#(l30O2!W?Q90+w!j2- z40*$(1)jge^5d*x!YB&=z%0D*w-^gZi`6)l>viE9&K#QtEk6)^Ae z6xlMlH7H8_DS?E@Ktb^yrzzkPe1OXTzZ8PKJOQI!f2^;Gy}cVuzps8?DxH#OGepzF zcnfvc!e4IBO#nrxvmS$M`c3|vHA6sD@u2!L5Yxp^j@283#%mujo7-WG6U7Tp>AS&E zz1>~kA-9kt8ZEYxvyq0sMBd_Mz-%~_mY$B5PCxMklV_lN%qv+;ylG3#Mt$PlYnxh; z@$WO>b`9%=!mte4)VQ@&{OXa+XUZyPzvQ4~_EAPGNC4&=*ght4d*sr%)p?7FQ-_x! 
z79!dP)|n2w?4o4{vSiVwO8;_mx4$#YzZ?F-TN5_v_>tmMq0PAsN2*=Sq%OgYTriWa zg?>zrRm^Y4u;!2+!l)#0>d~J}u0bG3h)p&|b-2;Kp@26YOEd$M>5kQG<%dw-stsZI z*Z`4TLcod7VeidbIQnmYB=bx~y~@g~0To2>zd=Gt>HAXOPH~$d^W+0`@7on{$}r4G zTZNTn-F;yT-;Z; zV4KbK@;DoNu+eKqm50>pVpm8qM`Aj}{%Mz;-p-2mLF2FjYSM>rzT9|*He;?jkI^Nk2_kHlc+&2QklDxyx zZQUgsWtR(liPiJ)%bLt;HyIoEC=_AEEagpf}9u6gpc1h2``rU_0;{uj*ds~%3 z0R@5wd?9B|?#T+X(FBPF5owG1z7v-F)~$)xe~Dfx_A5y|^FA0-egKUjB8j?jcT^j6 zBshxd z-+(Xlv+(MOou7&eAp(Hc(X*SF0#gQLIlWSH_Ti=bd8+uCrd`wiC>sjZsGRcsja3`^ zE0PY(o=ex`(>d(So5uSaOKYZQDohqPu6&WdrYkBrli)8O>`j@6cWTw1qgsH9mpW8K z;J;nBN|KFI?ULy7=I!RGX>-lt0@2=&2+nRJE4gtg&_`Vl8Gw~tL$|frNa*RzExK@AZ`rHqxJ{^wx+k#(?Gj;`Dt#4AmhA=4#_>JBsW>Iapmkp8mJ-lmcQ}>G@~_3w8|cKMaw7w{f#j6Rc=>jT_D7Bya2^_o zw#oGxaAm7$}Z2ch37)KG7QEBT~HkA{wj`T5~+G@SqbukTRlgu7RB*s5_zE%W?;c0u}Vk z^fas?DRS4p<;Ui#CF> z9zY*@3r@ra6O|5~NV$aV`zdud8ChXZ@@w0Gbqzo-7HG(qm;03V2LHWyIG3Q$AXXS%IH}H6Mi2 zzip9Zn=Yj%8d4fMSdyEEINRbt-w^Vg7?4iE!y3~>G=Y4Rc_uK?+?PpQ+l|zWa$q+S zS|aN<9uJq_;lCT*Z*Ny+K{?c;c5<`3k_T)eJ|qylR;`&1+=l%zeuL7ls65E`;R}>j zep=Ss7C_st-QO?F-0NsDT!TAUpJeY<^=Ah&!JY&+A`FT(dd=vRUs+yP3_g6J5zwFv zeF4IQ;)%l}xlCDDy>(t1pM+S04G~n(M$gRRA z^oAsHke0+0)pO(jkI-oYs9kZkfxFh1ofd7~zGbU|tv@~$2n?M9w+)3-^o0X+|LO*s zz48ANlVjb?FY>Pn<5(1D@f&KT#fb9sPNIc(lB)_q2(vSJx#zw~`FV#w-mN_?uB~Z3 zeCy3YO_>5u)n8uW7yt*0rqYLU0drJq?7^Xik3`8eWGscSqJK_^ZL>kA% z{WlP;8xcoK12eMx8HIsjMn3eoe!DqUx<%6B&S8;p=Y~kB6V3l4&fWWz+Q&;ZBvDA* zK8PatYO=%FGn36irUW0Yx^0r=f4H|lKKSjlqqGaq5aE<&X0oFP0jo?};E%^LNBSwZ z@mS)DAW`S>3;aH^60piGNwiojvBtZ3-o!9++{Fi&yOZx3_mPm6nZ~=jqjZ%4&-FV? 
zwZ73mL-(iXf}hEh-+OM#3GQQhsruTdx(Gb-72l55!UK_nDSZxyaVP>DRvC;Uu`_90 zfCv#XU*1MKk_7F}>Yboe;zff9N(pD;(rDtvxPP48u%&RO;qN9|Z-rG+ z)H1NXq6CCjs6_R~J5VW~VPS4HaSlxQdkoBD9A3=wm1N8F5U|TEHZ*vhu@AiQTgR($ z&Eg(^B(8~0y>+oV<*e5pcvIOi6IF=a04d6%eh<9=D2Y2`{yq2pL~i}87xUsH*6<-7 zk1>ATHGM5jE^pk9JPhIM(~C3aTT$&G{G@cZkB7Q%SxUIyyCHu8ePFk67df$?a~Ej> z{{bqWGEeQ15Z~hQAY=#?>e)~2vFyg~Sw75--4BZj1&R>YZ=FBEYW9rX@Ssfqg9Z=P z#QhrTjG3r+J=cQDY!}eCQ%@=cS2MLJc`CxyIa;|1{#63rCJ!^bzb<*bLPUgw=KN%^ zxrRFC9Bt(s@1P5ZqoqIR_X*MBwfSl%;unK+v*Q;<>(+jJBNeRovDRA^tZ~OjO@3B$ zqS0CFtQ9WjWv@^^EbR;P`H8ta<8e7~&Q5lA8cj^idy$?HVQ z(IjMqN%XIjKN$qrK>#nDXs~2t0Hfmyk|g?yH#v!=w`XoUE%&j$=ysxDcR&GU5D1s# z^EJa2&r?+ta=ZkNbH61zN4Zn8(I=;+9VizL8-1d!FjBt>M)uOjR+W`!TPPW4}%qM&D zBBAWLb*JfG);$7lJj+W`&+XtTBH(bT7_$Pq?>s7FucAyrZD zj{W|2U9&rU8?ZC+$%;%JC|t{0}1`d24RDMmr8s1YY_0?0Pa+dwMK6z3Px2yz-gDw7@| z${XwEQ*NCRV~ZH3+_zTtPdZ&CQP=QKO4yb|tdQ0gCDGK#PeKh-&4$s$Ea;2}#r`4$ zw?^apBvB*iog6q%KRFH~rRu^I_Rk<`(eTeGhPBbnVQt}XJV!T16~KxeBS+YfE))Fk zDP{^l{J)-~`<-HU5^0P2|C&e*Wx`C7K6f9;DZ=PpP>kcB+KqASq#Fl2U*6)t z0}{zp@jJpk8R0mLU}|)fyCEtVsxJHc`>D&O)tXr9zAFd#ybMpuQh<;`kyuA$xa6Nh z#;l8mRcV`H{z0z5uS9xqC{}(=fNFaKgItZ8XT2ISLkz22O-#*k<^(7bzdva29|cAn zl_t;wKsLAg-N7rbuk`MLdH3xtfKy;fFn^#f6?vbVh_v30TiYXR&^Y9838pNWh#4U) z`?gFPz&r4D(1N)IXfYM8Nvis`OxJ>9vjzt2sOSTyPnHN1wjnVQ&)kU?&>j_t_P1qP zmOf~HgpY)4TK{!**)aDb(oy9krQl6)owTvCc=IWO(>lS?zfsj4p=fP9$Oh~p(RoPp zes!6u7EznW)Bf@IB_H)6f^=KC*}K{_xh9bACmfW*uiarv?xP4WpMc|*RPtxn?Ls)K zu-@)AtkX6)KtCWazNa1;aE_@l?&S4p_6C|pPRU_48#p`cNy?`G*5|pM{W4`nUI-9N zc)Z;ob_XUj{T+Xo5X*q~$GjScFV*}jQR90TW-_22n*|3irlDs@?w;a+u!tgH>lE9C zlP}i*j?}eE#^@vxd~31Z(=GU3JchKU*1S!%e|VO;Az>bWdVl*1u$v9Dd(wvze2*FS zJ4bmq|2Iv$$r8AVP_rehRCRM@nax6(Oy?$NnWlF=uesW~GJln3eo;R|5u3||T$3D~ zc7bjC12{bUn)^fWb6GSadWRSt$jNWFUt$~?-CZ?gZn046uB-g}2uSq&55wtoS&uZl z>}5NDuo_qHU54&00aW{gv-Yad9z6RppC!q+Mb4Q?#cLHNjk!zaW=XEvrDlg^OO%%t zMayT46NLS1DA!nvsyyd9^{d=R*SxvE_dn)o?}K10hWNE>F@B4rmuxFzqc01LbCzL8 zm2I(=p?1RQ%tn3b=Vp8w)oWg}QHmBQ@N4T_w}}xZAuRn12KWwE>ja;+oGk5#Sy1Ii 
zUbi--RyqhqA@lsntuts7XvFzqX#C_VBdCGh?wEbz&-=>T+**-;d7iioVWnKvQ&Ur$ z=HK4o!y*B(hJk@YNds*EWjsF+93>baW@!Jl_sqvBkVh)-A^pb(Y7*i1I)r_!TkK_2d=8MjP+1 z^t5NQ^{?AOJ9E4Q=fRQp88P$FThO(NA&)Rv$#qXV7AwIFtx2Eqh=Zi=?=t3|_b;CH z;_v*`Z!F0RZ!go&Qmf~Z(@y-qw%UGJ$%i%Wh{s8;)Bt)27K)ribh_W@oZmprCD_+b zkp#8)y*+jyo?p<_#PJ<>od)b5W4MCgo(jONxaCRQ8p)B8?OPRWlpc#${a#sz)Up5&JL8QlvKV`@>P_9ti&!g@K8WuokyGC6hE!%Z+CHs$94N3JGb%J`6j~i^d;=F}3^-^0 zi&DANRCyLztV=OR80QS9N@2Y)SS6koDJd-6x&fD7QLH%G9%_=bXnay*KFFiY6gtHE z)P*lRs>bBe(TgxoMl!3*MNWPOk2lv_#(HQP698=K5TX8IN36>H=u;W7ge)EIoX4zL zSw`1KQ#J)qE_wkVudflzYUX)2VeV9&EwheOhhUevnKZgODpuzgibcpuFb1ol-6vSp zLU*H=gqOOmA@k)_NkLe<7~m0LZGdCNC@hINu@i>#FA=0KzQ-ZgSwAM-!I>8%)VT`z zQ$Qi;GbvOl37ve*Kh<;d_=h2B+6ks79#F9{j;Ge%Z3%31$*``6p*0I*FqjjWglWli&vDS@o;;+etD9Q<)QJUIH*@~)6>m?o9as_6NcMx z$ubahU+OB(_Mn9oo`ywptO`MTPKrJ(TZET z+P#1KXtu@j@hT*?sE~XCQvn>SdkOm+N{R}+*mG$YH@h_<5QgTkhnV4M#``TcZRMrMcE@fu%xAWt~tQRQr-N`Xi1 z_h{5*)ZaVAugo&jS#V;ui0^}@36tkti74JGyVr3+zta>HQ$G~8y4Q%XS&x}K4cRw* z2T(SBV-Do13|2QL%s44ExS$Mb#{huG&6**$-BTilVL>+1^ULf)OKbW9jH8ocE?(7> zo$rjv2O_<@zZ(4cuJSOZ5}quo*~VgcK~FG49( z)2X!DRFGHZ8JT%evFM7JxR`Y(C^o%m5ixUGJb%v6^YzuSv%rjBAT|g()S{&Xn8Pw5 zdXLZlFqf81HEr2{@vq}kKJ7?{J6+NLng=q1dHn>DLIabXlpQZD;u^>WXAll|@&a>- z1uc97Vaiq{Dm05;gg40T^8{djx$v$Z4;_$B6UQ6A0QE*z$o^&2A{jlqhBx+85YkLi zkYaGxK`@WIZqsY4K^Lt5HD##l1v;(MM=hB;*wjOvS}B42c5#qW|2w>}Pd#$QBh#@u z2{sQwYA>>U5q6h&jC@YL4_J}~Q@CuVG-%)bNGvvdqm+E+73iOPJuRRHkvr*TRuhxA zZSQ8*mijNV2gVYqi*uyV|^RI4B)kV)9qxarT*VM!1GZ zkV$L^tRnXw`Wg4xoK`}XTVBf;Lxw{wlT*C35ZgX2?znysk7c6o99F8Kgb+7T^yzJ} zEOqD9tzcmO{d5PS-5kKhS-8!5qJrLaKijeuw>$P9S`8^`;nCka4g2jct_A~@$d zC;e0*X>LLh=y*gCSz794}5=-qR z^|V2r#DsrJ_UQpHQ7zHcOQumJ>}JUG7VH%$P*~6juGWb)u6JU6&f%AtY@6*}}VK5+Y!#?%X_{%;6-Eq&I-+#{<#|zAp?a*|HA1fB9@R zIz!C3gWdM>tC%p}3Bf8JQVd$Np0jR}ew}ehBUwfyPK_{V4#P<1WSbGfklCDYQDonb zpBeO^bVLZYqvDNrpr#__y?xiWy{pmejq2rp2$f~hR}5v?!ALrVKQR^Sk9Jzq80_uW z9pXw_S~&np>yFNsWWMs~=D0;+-I5VI*;I!k+<-&u<&pu;JqYN_LXp|H21cIH1?<5d z;p!i!z53Ix(Fdc1^z87(m-no^hC8AHBRFI)>7NxIC-Q5%O+0#JhZhaDA*1K$$alP{ 
zAf~ztI$W}ea`ze|0Zk{TdGCzEs65jS!7ZT4h+cpZ3cvK=+^^qr;P%7m1-UYC@uVus*=DutQ z^|49T;LW6@5p$ri+-hO3Dy4VVmfYt;xI<6%XER&6IUcb<>9hUI*C}a&+~O4QZQHm# zQgi?-A=dIYwFDaV{=*uN+^&0(dJ4T2!e5~j;bT0de8GfwqJ6jbu4Hy^(NZI#69pJn zHr^Rq2)dkmmcvj!Ul5t9w4I4cbPY8|9&}z+pPRL|Y}Qz2dJ319P%MM0Gk6tPe^e*c z2#lW3GSUi!(M^@{i3zARHQ}Bw6fSJb;D7k5V>mQ{Xx3J+IAfA0G%RFuEu9Ycl`u5& zaIpRE@s?}GE6+ju?M9hF?`op0cLRT9JRv97xZJA{m?Kru8EQ1wRF#1<|JHg-@_^QH z{VT>)E_*SZUb@UPrIvvV$`XuvnfU^qKR&j-3@7OmL#t!4rUXtjKMhG&EEZpPAhCU1>OW# zGv*uECz5cAL2sRXZwl%msPDgF#bLH4f633@%`X+U%cDe^(u*uurG?nEno5_kEB$O9 zsFJtXtFUD}FL4vba=ea~hS#peK1-Jqr09-Hv8oY7h5J zY8W3k{vY4prVz8RK;^QZ(O?WhxN33ltnDj$9TSSHR2_G(u|!u&sBTgw-1MHBj-Fn< z+uqN(36bcOsC_m{NLYK_-}~R-^$$@lAV}gsdFfz0tYm8lq9aZn7P%UUG`|6I0nA;d zF}z$|Y=i*jAdq`PvE>V%QnWb^OiB2D)CM+LdMG&cfLf($fdc`EF!1n!58bahnDbhZ zf~Q8mOGzIdfojjAksHX1C1>Sy<^e0v- z)UjzbnCu`6o~i`Sk&SM3#m)eTSfGE#d#OsxH-#O!?P6QPj#=`Jg4p?MJxKkvc98D| z^>P=M;kAS5mWqGqCo-yXR#xr=fb)8dQ`zuthNZ$<#D3^sG!>&w5- zw~K+!u}gz%P?;Hlyfa|HL3U~Bw_Cn%$qd~}#)UfG4TUb5cqCK$)Q$FkVX@Yw-2{&0 zT+6d=2Rcd#*#a1P4ExvD1y=rgV8d~ytnsDR)Y8C$tGx>qv>;rP$Aq?_|Y>J;9Q; zTlI!j$>j1s)*-xa!BPM=J-Y%dG?wjVYH?XYO~QprPx>Akr|tBQWTBHA!_sBGw-;r6wZy1?2f%U1&I zT$v ztv-I`R_nEQ>p8#x#~f*qr35}*hW+UL(*=28*nIK9rBij$3Kay-7oW%F(oN!)AOXMf zwxyIGEu<#scw|Pz_?uxpMytj=eP4(+(O586L;MdnOHXvnXl9(&Qdd#3AI^S=b{aJn zArhqhIzI5%OXu0(!0^nYanCjd7&U{HQIuehXRSc;l{hGv~*eFh@x zD^Ax|8O!6l#pdkOa-5l8yL@q96{ytfyG%?SYI*mJCSG9lAiL5S&~87G@qoE>m%LQO z)I2O7zzG2I>33$&-nh&RI<`rJd84+pJLr@5#TT?LZ-6zW+i7L>UkFVVeJ)D4MNvrN z_I>4O+I#KF^wBedcU|s$F83v9b9uVDlz2w}@Y@Zwh?bzY>u7QeDYj06;DMr_{d)8#ej3&K!ptcO#qMwLx#DxiYn^oB~H+0B>$es3o~F? 
z!{E!b-mviYbg)_{S}hgREeIs$hTrsQ7}7banz$<>HY?XGwQC*`&7z2>GjrbwwqhbP zwe|1nk4~23K~*LS2^nbfPd-CQv)X7+RQmUR_2Axfp*kQt|2aQmdWJ@#kL9b6akC8f z{Q;v7NLej=s#`z%F!2u8c_G>E`nI`8WZw)xEO{5groIz?-+wZD*21 zOt$i?Ti7Al#e(S)IVG=1jwt!*@$^8sg6ETVgze5p?)havau=GpDfQT{K(OkD4grE8 zG7ciYQksy@Mi=xmKOJTxrZvfUBOogUaaNwIV2cEZ`Lm{;dDFom(m+zxkLEUYW9WHZ zVvPyJSxoiH9i08l^;QVpPq-OD>2*Y8V_Uh(M`>@APzXavS{au9(uTpRLs@>rQi++9 zFaC+hL%|d;mDod9HXjUJc5C=hH~|!B@teZcQVD@1y8fXdX=ARh9K3RReoAFaXtnd_ ziGEn0e|jRn1Vb_EUNL%(8heMA6mSig?JR5pIdgZ_yBC<;#VVpzws$pee%1h4w>EFQ zaohB5SgFa^d9T0RYlGW?_$|Y=V{I^rekm?)nHtK6HX53Hh$itkpmJV`I07gThh@kY zKm^OviUAmtwo_wYzyE-4D_6d#6Aqz*E4&q1ZK4S5AkhTS5klMPYzUk%@oq)PjT9X5 zOw?--wc2VR9J(V8I$L|UY{u&^5$SC18{n80Em?bXhT}s>$Lp1!8)(*yCSxU!$E%Iy zX(!a@F6BY`m`rTl2v8AAIRM**aN-|)Db8D9o>jw2_MCN0b)qLqv%JP$Dd<>_-Kxnc zp`ei2MQL){;QDPmwZms3Yh*-6(8>?7Ez_d_XumHnq|A6?+aE2Vx+e4V45LnF0sD_bMi!OBde9-w9{Smcz~#vrsm z9(@PvI5VezK_y0ymEC$d#zgRLU=n7S06VUe(c-MSDC#=%8bb$zr=@(sTk$V#gV$C> zm_%xv0z>s`owf(auOMX)P}2021d34d2RNK05>F{Edz!Ae9~AI-N(oVpqR%e*QHLyt zVPDdihIzbh?hoP?8>;BZ}@ZIP!O*534gu_-xdHZo=>QIVhnZ~lQ zicyu`92`5OtfQWDriAuLKs+msW1oR(wpTEBMq7C`cjl9+`uvxG()waF}48MJ`BSS6q_oW z@aD41v=3@00bpw00(9B3;Q0`*!9{yJT5-Jrm0k^beb0My^4FJnYGTWc%P+F1%qxE&M7MA#{ zIyuMpOFPzx{vI@^?e1kTBd{4yQg?Bq!|S6dX4Z^Ro^4gWJ|8R)82X>IqP+6SlzN_^ zWrZ-oWHbp~sGj~RqfCl6mT44>k&q%rjE6Fei5p#Z+qccAK+G)*_t12GWEEZCd%sp+ zg%QK+C;&xC8kZ!`P@<%TJ8y5c2oja)&{aZlu(Al!{r5)1DbR#ScWU}{lp;N)hArAY z%s8c?GfJceOCm}n3D|zKcrW`ty$%w+WZEAJp#517NDLKF^+70%geYxaUxqYiKbf6U z1o|Z@;2~6G`Yu-g4BK#@+OLKabfrxVQGI87egU`6=Nwnlk+6?-XQjfado(BoMvo{Gvc|5J#F0+HGiwPGa8BZ zz*DpO`&Ybj#AmnyLq@Rof@OM=m zfJ9%5Dv~J9VZ8rsMzOhOw!gwzFE~2}Nv#S!J?ZaQ>jORI%JzI6Be(>;R9rO921+a7QY_m)K~#xHq{5y42F3gVZ+tx#5tg z&KzwO6_O^j9NJG36sr^>8!y9=NCVJLj_YU76CV@ZWVN_tAjDW);pgUUvHrv=P-_S6 z4mD+yGf=Hm zrZiH2H^QP;n|0=SR8k}RCN`_)%l@5G*QW4rvGXR{WQ=~bYO`*2SMrsP@yDQ*iywY% zb1hX+l3jD@b&%@hhA3mb!yYR&3qWK&*yx^FV*Nz)0!pdLI#x&@NZzpZ(z>^)8Dkka zc`wi1T1rsc4;4%G{OT$N$(_WuoGNh ztuq%ISB@ZcwmtBVy$QO}lQDPQKIVHV(-kq=vlML3luFU&iqJnfREnvWd{#b( 
zikC`bPYuo4 zi1DT-5=KM=soy5}#+DuLh!yGAQjnR&P6LeH($Xy#N_X38*_ExX=z5mB-VJv|~DcB`fAu9dfIV+lm!$UV+I1l$S!&@EtUn4cA6((Tl6t z8fm@z?dL~Vd5rVvIMo%joyW74(-FNe_y0NosW+@#xJPr)hv%P z9xXedN$)jI;4#cQ^N)E>wV)4Jy-r?HS;;?>$iOlK252+S5OO1wDW|r_@0wTs7Tdg!-#*D86H?FK7N@ia`4G*UpKVn(S=rv2!HE~~!tP?ak97Ee@4j=3XSO+gbP9(z2H(x4TqyFBbQ8&#n zWJUtX37CeI3zLe+^t-4G?k6YRaU|+Cm0B(!-~o1QT;}=KrVERa+$(UX-e$gyQywZH z_)4)q-HtO+!k!9JAN8y)p?m?qYp z{dn`nfMcia$YOW1YmrA7J48lVX+|}PtCwGE0QT&ZrQxRKJ>|>_h&ovk%px!ElH%dY z&pG8qw&Sdt;L!D=dP%`NWrNd6 zJFSsGyWgyWB*gGfZ()HBm?$t9NF1X9ZO8W|KMje!yaW!hVQte z*bC~E);~tvBg>e|18Pm#zO{OugLA+?>hL^mslNR98guu){GlSqh{U>fVx8F~L90I? z8VX)F4hpD)M|K6mB9ehGh8O z5}-{^{WK~BW6e|=1l7HHbqOkz1*ijK(Dl*!-oh1O47Muw(E7UQq-li{)B<%v8A(rr z0&jtyC?<+MeU~91h&&ln{*nV&Z{?D$#YM1D_R+@-p~HE`2@M3&@#F=1K_Tjm+0rU8 z?IR^U5*p_+dJs}RNVmCIS*$Et-C4ztMZ(fwo954ZBMD= z#h3p(prm-dgmp|Zz8KP)R&hAW1NkI)kxY)fP0F_gJnE#K7z-4|XL6IoghYd~3FE@6 z=W1+nz4-O6K|(=__@tXV`B1-#v%(IM!MM@{68D`Z_lhI6#YsxW5Bv6w)d(H;)R<;D zECu!Val-tnV9U@$}?F9RtQW5%4xRjG^T zx3|EHm${GPCu0+47i6)Hwhu%)V#Y>eKwsfFR*5tP)s?)Ss;>oT#nJ=Y@~{Wj5u>?> z4-i@^drFkw9z2c1;+&W!Sk4^19Go(*h%%aSQIxV6^R!`F!fwQ;94z?~&f!0w*uB%# zSdEmnT80|!1x+d{T2`be5>=AS1+<{q0tnFjQ%T+tgwZvCe%+_hp5WI3v(ymQMO=sn z69O@2UJ16APwN5JwItkX|CQjHz3Wj~nRbNs7fOyr#NQdZk45auDCm|1xk^k$T!LBf zfX_t?oE#cx1f_;iy#yAwC})MgF$_1VZRjl z5yOlw@&AfpEy7g7v(|78rU+SXX2+8U7ZLhp6riNXoP+i#QpPn-9Zmn8EU$O-?tmmu zLy)ihS|`YM#UV|O{;lSDZ<@y z%Ke2&NtV@HER6)2i9G76z5A^(MocBY<_*7N%N>-UhI&EzHd?w}k`wNxigEDjJ-mRD z(;he$m^0YH%oO-?SGr$Tte+e2HVg@QF)-Y~UJRChyizy5Bn4J|(CRnpdg}-_wz_%L z)Z1pWr8nE~W2jPY3IV8YCXd&n#{kdDcX?fB#rCp_S-;adSChM`-t5mL^KES}6Gztwbv z5$v2zsmpTi-08*_C)kCdplEO&1x`J@F#?Upqd`0An2P*KSf`KC@jI|w;D-QSLTWg^ zI0Ld3cLgL-16zRjX&5K~%x2ApN1r)_(HKF0zH7+#Pj)}BV;@`}?4$JoGl-lyV;d$3 zyXyEBV=A)YSNjW`643z;Klj0svG!S$M)pJ>7$zF91~h6C?25j=i@LAvdz5<_tb z$krq=49_tzYi!W{CDc!&nrJyuQGK4ecyBAx9ng4&Iqxv$%SaY1-oapiU}M0IW`d=E zjKEI=KU>afM0TM&#GM(F2^@r>+dIyIeIR6jNXNYK4XT(ZdUp4RWQ)+&bElS_Y(2CC zV_A{Y35vcp#_%^nCv5X(G1#B0>e?|U%Empw3 
zCaOq;-@P@yB;yq^I6d}^g7b1#BiDlC@3YW7ddSE>Vtq+gpR+qsAX23=I|wj;u@}q; zE2lUXZ#uHpfjQ=9`zT;IFe!*HLegFP#`q>~7EGe*C*Jr}UIfViK^(Sp+&HZ|+!y@W znfWNE3&6o5FzqXP%Ch4m&~a-YW2B|HLy#P2I2~R%*CT=mj3#H!wKEC$D(0_W`3Avo z!*{j&dls6AV-X*LFDI}GP#fca^N$U^eLFrG! z5HAxZcZbAP~JQA=wp zT1z}UJX}bb&TJ8*K5>$P=y*K%$>ZNl7iR`iS~HJXid94>G=u=o&dA>-GuPB(EW^Ky z=|lwKZ{{4A$+xmWMC&Z1(>&bjj?#wMO#>Ihx&@1lR2uDnv9aQ_&CL_^Aj-wjg)fg7 z*vN)7cI?Ovk(T!Pf-Q5s6_s$&`$r+=`x!a_;bo^h<}*6;COU_S-eE?Oq85pU+?C}V zLUZRNhhJ#ctZY`JV`Q&{a+8U=&XV6&-h0kVPrK$aD2?|tptvw`g&75i z9dMD-3>e0{3D{CTVQ=ZeF9Ko)5}H#5)S`#{HIv`Y;2$Z$P)m(1l8+xhvLDhw9DV{2p?12UX4T;=>I!d8-n`xOV)Y1{Cu$p6Z?4t_VNvVD(75W#Och7rlu!$!f#~^HX=4D{=)~~q$?sJ46P@#gybdj8V zvlt>Y9Z6iGLQ7QW@~F_}rcj~T0=y(LblYN>9|Im#HDYIUvww@L=G}WDDmPeR>OQ4}#LX$qAf(NT1FYWPwL|Y|Dv;>KkAkl9IBr5b> zVVEc{;4z>@OU&p7F{3l&qJ)l?(9r_W(S&K18$2rVtrR_qkh&koFVEq8X}H9vn1F$Q z3eyh}p!5|dUwo?&9tbobSbAxEC!#cwf;WlnG?~aSjOSd4Cx>-*&jamW_;o8sbN+ZZ ze#u&21lKA0CAv@y*!lOh<0^SC3j!uwVJ#QU8i6fiIZL!!Zw>OY zl8wAnk6te9rD{$$ioR6FyDtWR7RoAOb?D2i8cOtKiM}k+mnHi0iJ>oB>p@?t&@aW& zm&ryhfWAy-U0@SfGx}1%1&e?$i$W-~u!f&yVM?F`XKZcxB{Cs1*&E=q@wD$c!Hw;o z&CHUe_hlpZ^<+qT|HtvmAA<>;{I6dkuIj~)hx|8m)r|NS5T1$HUUP%MG=qoINF9CVb2yc5JuvcGj1P4PnioWDeG_GcT1O;KY z#wgMOeVm8@6}JD`2=Iah9qU8#WRQo;1evkP+sq@knLCPmxNfF@Lu14qLTUS{GmK^9 z)vh1JTS&e%?3FXLUHpQQX(GD8X5Ug`zHQWA(GdO$c7yNUVZ)=-&7}zO#^~^AU|TPE zjDIMm99ONuk5g3%6RCs)nBk#~qX~l@*qUsuXtsmFkwVPin03zdmIkvuvFW=^s1`vc zf~h;f1Tn`EP8ha-$HQ+#g}M~RHkbrru}xk4+jSJ;0`lgM4kAY{%8EVGr@J~mx*VeaF;dSuXbtCj1fuoEyVg#`^s#jWwH2)s2hG%t@i>rv1aXU z;zMN|sn!`*(~PY$+xQVpNG6ZRy$Ljg&&$c)ruYs8 z^X^5vQ{?}Dxq1eA&zjso1?{KbY19FeIK&|Gf&YoPtVz>=9D*D2#-){X@6|C zWY4_&P_jB?oLdCWire1Rl(%J`Pkn{G5Jl)GE*OS?A+BqQ?$jQ#J1gtO(L?q^;l80B zEzzI)L-vPV3hJR1vvhA757`^M*IZ#=jvulw-SZXpr1_9N`Styq6?UcdkX^Zevtr-- zBHyh4>bpzyrd_xL61HL8oWJ>mN=zI;~F^x6_lFTPGz()6Px znqGVBWuTl{Ec$iKZ8~byw1KB}sPyZr2BBx|()!@rzO3bm=$s z1^mGAgULC&);nWVql|X4T8-0AKEv?0biyN6z0%gJu{+7|GBx3*N%`u+cORtO5ezoz z8nPI@Ps;fd2JuI6w(^nsnR*QVlo*RuMGnrTm&KZ?!_U0wWIUZP2Gl>@|LOk&P)h*< 
m6ay3h000O8h<1~)szV8gb~sseIyK+vll`hX2CJ$7000281~%gW delta 36859 zcmV)WK(4>V)&jlO0t`?~0|XQR000O8&q}cjkqHUUN;p~E7i1gZv!)3y27j<@Ye&2t z_%f*GwSzUUox;p(hsV5j7SOzQIL&KkVa;oYZC*Q6^V%D^o;?8NSvmwsVDvGaf?!aX zf+&`hN=>t1^cqII%vJH)EcDy#irp2jaVmIHdQJ^DySX(S%`c7N z&`s+B$8GK!$93)+$5HsHI)9|yB4H9ykH6E!F%Q1u87TT+_4U6-)_)ujgCael0J;ef z;1~tsG57!(3yH|6@>2{{^190W^)qf8HK{-wzSUE_L z33f#^3jrV`4d8z>&3Q7sOlQRTvDR2LDXQRPKx zR2LVfQRTpCq}v%rGk?Sp?l5+?nocmTC9Alhj0m+ChMs*4<0MiA(Gly>5QoWAI+qn^ z3DcUnfYu*6G>yXw9#=SgM}K9sJ)1wHusQVgp_5x*!(q?rD^C23x~BD!s;xD)wqmv= zoLWlTP6%shjYmsovY!yt()4x$-@#NZt?_7Sp54f7v=p})Nq_4hRZHt^EyeiiK7uS3 zdq~z)nujf{sdXMror#MrsHtfW8{f%PO|A22Y90rDHkyj_&(pd{)zo#irefSy2+HEp zQ<|eGtf%WddO8zNQ&3OSjwZf~sd~E3qo;ZN)Y<4M&P`2gB2`Z}*m{Zqgc)|r4T1(h`ovc&f@Rav)rlr;}Xb2iF~18Jt!G1W<7ed$K#Xrr6| zz&PX{%(gL;R>A!mG%je{tB}?vVyXkJ`HC8x;p`b}D2`Jj(nq&4bnJUW1NBsbt_n@U z4f+xks(%iR7->yytycG$Aj?BXPcoYY6hhd`kIX^vSSghR$71O#)^^Hcmc3X$O&{u( z=AK(oU!bqQ>W`o?P~F0pZ|{i^>;$xsBu|&llAZUAVdt& zREQ}JQHnRUlyId69G8&gky%ir)Y%;Ag1gZ#W&hMT;@PaYqfVr%a9NE1z5IGL{%2DI zYk%r^A{rajN4--Ctsa($}vBfj7+k!Wv0o0hEa)MBHR zg)keFv!I~__DpTM*Bon5QLPk(0q$*$e0EC1}AlU|wOWV-<-+ic3H{}LS- zpAxfum|m9CJ|;o&FvWQ4ZFYh~zw`}F)2(ti)r3n!yj2m&8!clrR^c$?WF4!*QgX~P z(d{rIN=G#CtTDDTp1 zY=dK&qcNaY!XEIf_!?I_hQo#XWPeN%Q|6sv&9#2P-ik?KcYXj{EJli;%<1$3BL!1F zp%&9>qt+DFf=ur{m;}fbQ3@)xz}|~G0iaY})#VuR(jG|0V{<%nN|d;vY3<;_gtlk5 z4XcaRz4r1={dK$C_Q4Ol+Q2#aMCm)WhF@NZ<@?e#oPod4{|VIY_EvXxL4QHZum9)k zlCKp@-@!i(Z3(yZ5sDt@t_zkASm?ip|NZkXDBALp-~0q6Ehrh%6r(Eo-oR{wg>(qI zTVMMA_rEK{|FUfWemLw9iPg7VPo#&&YqvnIn1lFd+&}zh+!J{HbxBR^A-;c&Z3~*P zvpK6{%>h9w&K?57_HCpLLx0#;oVkW7qMt5Rnt@8Wl|A1Icv`_FTge$&jh-I`#Ay#1 zb;CM|gv_l`w~Jl?;TwnVg|#!BE5SZ9c2-cxQbe7d)?eJT^lxKutGG`0Ki?wf*HIr< zZw;?M>Wp073A{Sw`l4Nd|KHI*sRBG+ppljEXxgoWKK=ixt@&=?&ZCNLDdB7z^K-$8#8#srR?bF4hG2Rsm`tLfkN6H zQ?>5CmHvC_|EBCi5r6lhJWA72uKIeWB^S2isph{c>VM@D!1Iwy04WErKgPc-+!@2+ zZ?!1kR>`TX0}Ew&$vJKDOb<+;!j@-(Wo9(2`15+@&%bmFzD0I@*#w3Nd}=VX%i=4; z>%V#B08_lfzt=`t;!M4JrajU!AMu8&{KYx9T{U%c8mEP_9a066g 
z06L&}DC1KI^rxz6hJQ4^AMSg+s7TP={F02dN!&k%HaS!yD;ohy7hIN-cN+*^BcX;6j50-Z2jC9WBeU6I=#av$cj)LAbQ&~phN3EIZ ztcK>VxXJO(UVq$&uu%@-=Ea>wgqwEQczHl7 zcgNzg<#23L%J$No8S1=Le{oaNOFAAsG)x^WJZQr0gMWV@8|9(syv=TcLs2-Tb03KkR|9z%nk-WuhQ92>(8y3;`qqKiEAj{wmrpfsZ3pZl z2J!?{T)t>MlE<^TB$)5c{RWE)ThZ+vFZym;A120Y#K zvKE1GwrpO=TP!(8iOZH_j!LN7Z|zTW%t-0ZkOwXEHn0f}T8tt0IZN6hl}9bfGUZXr z%RXvp4qy7pknIk6yM@aaOreW-u_a^XCzfEopiE$P^kYoQuXN^9{c#AjHlW`oSsrA{ zWq;Tl|3sT6IA+bRyt688Hszy#4ftD$NlD#IEWOmToq!XXx^qrB4d@j*T|0n;EU|N9XSqg1X%|bB}X6Xo)I3uR|_1z zP%#dJVZ^2*WKVZGsR=wQW#Z)!+UPMXFMr$^B}8Lffut4yM(X?UL6txMx*ZwXGT2Yh z%(6fg3*~G=E_c;5e(5(srxAt?^DVY?%riCUEwt!0v{Z7+voui}+)jw7AgQ-%Jm5t$ zdtukM30Gevb&coKu!z{=N++MM_tF?CVw=UHG)a3!m|UX&1gN2PAGgBY#tG zKd5dyC{Ul+!TM~P9kqMc_Mt;S=}p7+_JVJ(9h0j6G%9h9qY{zhk*Oa!k}a9m z%IM%C9MEz&prpFk_Mg}SebhUB_}n1BmS(=g)W|k*K5L3*OQNDCMue`fM(`HO;yucw z(jOyAv?8u?etTx}LJFq-@WHIa>whxTk~s^$;N4)B)REVRb#>YP5=tLED&%*5OLy)K z*m1$jHu=m~+}BGStUgzzWxphrXhD)e(q@QnqUaj)Yt<=2|}Otgmksanu-6=DF`dR42zcWN&t46E7FXhnS&IK+xz~3-?AUDj%yn z-SA=Mbk=s5H+p)RR77YAVSjURY3}pA;Tq)jS4xt;hV_T|KK!;jI@?Hs+VF`JuSAmG z>cv?B&eDLFW|I!!NMb1$jy^DSM}a2+x4tFdZ`MlsKsC&apy*p}8QsxvXgj1GB~i$h zpG~>a)d54epoTxQphbK}pzBU>p6*%TpV&n3z7ZyZs7UzqpI-+K7=I}|Va5JRJX~0c z=9_e10g*jZ__5&hE6!Ja!&O4FP)r>d4uqL19tMxuxM(V#t>~z1rFpTU_>Up1DA$gu z{7Zp64GJ(0xIwTTcSY&hBTEC{DADw#ge#2_Zm~f!|A}Z&Vb3;A`@yho6*NsedT*6W z!@W~lKn{Jy|M%qxD1V%yf^tv5Xh3=5hgS-`99~6eQhodwbuj6GicC}K=n4c2fo7?o z93{ZLK`EgK6iF3?3|37DX{99#O8iz@U=;EAn}bJnFf{dj)w%P*#FhW9rga7^U=Y@8 zxQ2&4@-1E23TP8nX?nJ!pq44!@R8^h<;foTgJJ1#9Kfc-G=H=}zwUHP={fcwQxX_1 zUwJ#a77o`}&F+q1Gti9neL3uFQ&$~pb^OFG>}B05kK9TmMRreB`A6S=D0_DKR!1j4 zXrro{?(3vAe^2)g(5C(9fpJ{-peqq&{0O-MR##vC$nrpYbj|RTfvxFCySu^NgkJF{ zbmJHJ9`snuwSPtF(0!TWs`vV8Oh3^pql!8lD*lc0LMtN@wlN%zbx^7Nm)_^ly}2HO zc~QSI{Ivr3TkGYut@7H=)!N!y^#5PddaMUGShz7VhFLcV9;0Ty)GXH-6NYDg?ir@u z&k)w6-~vPm1<0gH z->qaE23BjbJEAGJW&pPWU;+Z#ZjU@Ir`IR;ra|) zcm&!6hJSH=Z5=ey9hsiL@QyvFX*6(Sh7H_RyTF}*LuhI65>6R_B}TI!tO~>eLgx{9 
zZSXQc0oz^RsSH%;L#il;HtIs3#RaQ%Z^~V=Im0e#0bc^F^$Of$CH*XH`Q_$C@a!98 z)<86ks~`u=?K^DoqqgFEW^0B$a~TeKg!F(4Qh((c@K>Z?$G^myUK#?m1e4@3`5+-o za)Up|h|UFq-;?JUVdm((50^80z!zp?9z(>k1dd}1IhiqG>nS|K1m`|s)?@OqPx^q9 zS1-b%FB}^TJx#cD!nBM={;UE=Rj=Yo6)03_L6e+m1|nYRU?-?T3kk)`o@v(0YwNf( z&42M(CZ-Kx!L6a*g=3Vsy-FUCV~;?i1M);Zu%80cx_h2{Rjl+?e*}$zB43WLyzsYQ z^bT5DQ3waJuUC{M%86_^;=VbhF4YpYG#=B)!6%))rVnmXIv$<P}o6;Y=S6SL(>A^ncF?y&P>L{cl$Nn@Y4iqT6+}k@SCaE48)i zj;}S9@fJ9&WA%q?TmMMR)fj*i#V|5Ap)@o^Gh)_J}EhBbMHQnq{Gx;nrC?ug^dq^zm(Ven9v|ZN#O5r6;%7{^nbER zKJZL*NCI1!8a;F}9T;Q=>=Eo<1yy8jimlO9BNliOZ?k zBd&OuyYmw5winZsz3>$4CcXcQ-Mp7;3^ap6hchUAcm{ zPTw<=d!_z-F&>FNsMGqOPVa;Dg@4x!GC(WQ3G1{@SjS{0$`QYaU5el`?;LwH1RW40 z25nlhzEg{h93g`9K+Zb$SF(_u0o7^w7DBGRqP3dKl^kT%5sT z)$)8#A_nBgT?mG$4lF1-HVs(h49lQE&qN&*oC>3}=(y_=fJ2a9*fZ^iv40d8*Cmo< z3K;D|0nr4|HQN=*R6}q{qI7B372r9@zJ5r1iw-sxVd%y#Fg-Q1_`-T(Xn$dX9}!9^44ss}O6;Y*5)n436qD2+e`H`(aF+PvkBE_vw0NLu z(Ot*V_rDcLF9nK=&ht=0rMdr>uN){osSpU^g~j0JHn8i_Z*Av^ocqEt;Nw(Jq!Na~ z@8lBT7GdOu`B5;ki+{eNh>W-e-M4&w=qHYq_VpYBaMA-aM0|tam;d}L+y-*eA9|{L zSNR`9`_Iw}_xkYKm!;!Cc@E${1YSM1MuUOsJaG=H9%O5~ezvHEeyP55t+nAbHgSCY zG_k%J`PbgmTtOOc)-xVc&(F#=nXiytcbE&CTn6U142%k21%IOJop07e3r;3G=Tei&H(q4et4t;{ZGFi~ zm~UnIW-Y>+^3D2Y6}Oha(voWka}oJwi7g+n3O)sgh{-D(Y)Sa%xT{zeUd}85h9yvZ z{AMPKq)6x!H-Bv(PbcIQ@bIDm%r>U|80DevR}+GArQ@O!o0i*u#3U_3h1aN2_+rTWk78ud8ir?R0yU#Bsk{xjZblRJB#Uf%oIJIA~)0OSx9AP3W1> zjtHoSK>XxJE#1=E`~IEp{F#js^iB-PRg1@NIb13I=YL2wSxhxi>OZN+)0}e^7qKAo zIAThJ5HZvA@^OL0Rf2^V9h&?Gz7b12?tw7gz^7aptA(Sbt_*-|MhK-$x6Z zh|4tg;(tmj3d|CEfwW9|jB#IwmNDk<_!$GgG3ZD!N7FAM?XC%E z0?yO(3x)BGVL>x+SHG3MSuB3vQeRg!+I3zm>4|+?z8c>|#qcs=U-;KOlfA(**NYXE z4w{+UH4De-?ATLNheidofjSO_GQe<=65_808GkF#bm$2u;`t-CgL#$Dx4;#~Ru;~l zFbJWII3^)?1dyYQ3+Rev4Au%Cev-h3hN#km!O(kZIF9;6A(L4^#CfHBg&7`y6C%V(mfO@f8C!@kqLG6eFnm(k*fbw! 
z8-i*vENunRrUgU`7?5(`(7*sh6c?fE7#d4r%NRuZ;84kgViL$-Y}9%xW9mH>e3Qor zam);s9W5i&Fl+}z2;L_b?ARNwYusAdeSb{0)C_;#7UJE&@Y3NU^rD~VkeL$xGja!&Xj+rpnp5W1T)~iQdiI!3lSQIA4cux_W(JRzpX!kUMeJev`dbARyqlca!~F$G)=Uq^llIJSc1=YmTME5HSp&MM%) zzlv+uGvXNwS|&{#D9es?j0o? z-W=KR=HDwZHIxT`=3^)~Lz!!=Qp)bA99)^Nnh_OJF z8DWqLx?#=$VQY$@ap`ewz+K6rAY=zmf_>s9zOZ(cBAE`5g*gug{aaZ+mVR5Ef*REeK?={s1h z|26UkZGTSuPqc`($6nUouY_Bm8#Yy5O;F@BU z{$f}Uskx>=x;3pSScExAWFpNui54`0PIvO;m^;zD=@v3?E*#m`vwz_t5~CpEO2@_Q z!`F)u@0x&F$@MeQ)}q%>K6bru`HYO^_~jUAeS^Jwj>w zXBo5hn^+Vq&{AbAc4 z&nHfTPr}2qnvlB2(SL^~m<^V{S(E&WXHkN*M#xh^6VLaRZ`RVcZ}24e8~7}}Mt_%r zze~a2mjAaE{OS3BdcmI^|IbeFXV3q$m(1%dMI=d)vq<0{;&&MR@{q?cpUwgVJ!dVVPz>8_1S9Fp`+fyu9~hDg#*(IYMZt3 z@a)V42)s~o3W*m|T^LCiVl>k_a(mvJV~ z$K^$nnoLMSe1G03atfmNjo|DJ)QTdk7)x5Z28I*7fHY}Akb?0`Z->{1v>PoR(z7@a zjMf{ROkoIq>$UZJxIDv<6BfZ<3ckij9r9m+)k)Pf_&k`qJo36{_QUe)6{TET&-;c^ z{(&5i$xS#ULSuS4vf4jKy7SZqd*rrhfZhYU>XAvOzkd_pv!kp??Y)z4*8dAmJV6VT z6Eu7WaP4aCgZ*Se+mL7Yl%dWw-ftvMNx0<<*N3Yw!xkcSDl*1W-TUH9nyz= zT;y^rHB7|8`x72a-J+AKBorrpSjAWp!Yp|7LHaa{v#`*Hfd8a4qPW8d{zES$ac1X> zL_M`*t$%sOKzCrU6cR{vJ!MPL)F+BJFfCF~{477erHaFgVeoolR^Ewbwin2ANq-Y? zJaydHDt;hv0aHihJ^I%56)n0g&<&R6#;FQ2i$2(QRbT(T^5>)Y82i z_CuW`T6e~9xPV6H73L1+@#A7%neW8~JoIHDE_E?_ueCCa8na0o)ov zb+zU`_@h{M3V~~EgC!B?!W@dIjE^sCin7ikTdct{uA531n*QF&Z)wm8SU}&R^fOIUmmAHfM~u@ zet&jK1W{afqF6nw$)~naEl;rn zBI=MRZtdZ%1lBQs1d8c()lHK+BCIH~u9eA}4$heV~!W>8KMjDNEn z7tz)n8joPK8keVvZgp)9d!IbT22~4h5I<-3^jcLbyj2Im;GlUS194G$#^Y>TSTDSV zr(ju7-nY)rB1MF)(%lu*WL49YkvAC6?Qr<0M;GIK^hKXPQl&c_w&?fK%XDCdquB zOqj#tpPc!ebi|&Y?>sG{0N;5!tAD^A-+CdeV(CnohJ1;shcNbK_B1D?c-!(#5B#4M7+7bqTG(at^;gP2CAnl>yIiJ zNB!;AhPu(|cDv;*b)#Ee*XzBqs%>nQ>zf_DR$K3`Yc>7#YP=w{Y3#tQ&VLBF65v0; zeINvGxJt)VHL%sBFZ8+S$*0QV{j8X`Ik}aEiMA!DFhMH?IE9%fv6BNHaHsjth{JW! 
zq3W1#^CG`@Rj=D`2Lz{FlA#=A=sHg%M|dcv@(|yYE)V^6@yZS-Nk)$GiO?SKrF39V z%nV9I^126>5P0BMU0WlgrGKJYxKQU&`ULv?)UZa(7-W%->5-g zwiZMhqe+;MPymvJRbwWna!ZGh5+3ahQck44@N5*8^=DvSyD+5a_17iDa6siRD7m4a zJ|6 zd);2X@Hb*K250U7x1gPi5*j+ufOF8Ff^x#HMWY+?N5F1iu(<_SbuOZ8$KCJcvdsC# zu!p{1ySkVm?2+RP9M_v#CA$qv(ILk68R&-Fx23TuRT#)xNB5kk3)?ihOeN|@iw{*{ zVhcj);;OdRqU+Z{eSb6tqd_x~t9r!91pK6ICRSCU@#&94+ww1OazxkiFBh5b<{v0E zR)3}w^m~UyEHr+OLVqWS)IR);LNktTg9wpTv(W4SQic7Ru=ur})h0`yhqfZf7@d2LaD&wOT z2tw?@^JoYb!c-F`OaV?ks3fZy%qI(DiMh=5>r~>ED)6*29fy*^b1oRZl!TJ4ma8=~ zN|uCv!t_ef0DsPVrlUNeHli{ngo(0zVphAd-qkGH6#zzuMogVJ8uyCytAwp36XtL= zCWozYXh(hoTUuHH1Y0_*fS>d#u3pa=!L}h0Y(*p3_H76~D@W`9OTn*Yp5dM*ehuHr zlcCq*A|apw%rOgST?;2%d=cZtfF&bSnE<1*m;#xOXRp>$!+{ zxV3lK-nSnth;X35R`?#Izfc`lZ^MW$)@5nfdnm_ymx9+p$vI!P3vIgeHv9Yx^M%Dy zG&3=ggMW<4HIx1T&S5}9_H|D+OzxMQ1gn{#DwGvt$V>lqYJ31BXf!l}7AbgrwoP2X5`c$_byETwLkkSt#&x2E*CvBzIbY z)|AlEw*OuN4U?J4hel`;-J8t9a*kKtO8LhL6MutDtRPedo8sVQKis1mm9ILE%Gm@S zCF6W{T(EIGFXa(VB&hZCP6j;nL#Ifzer`+W5x@Zg2+iH%-M~n}|B@ijz!x8RkUB>Z z3=t7{n>yjevZl`2y-W=sgTAuq!8j-bud|HqQKM6;Y|IVAT^{?|On({OS!%)d4S433 z7k|9UGVW^h3JbJC_~Z&x6MYgObOsZ9*N2^taEKhlC+Or1(L{kC&18->@ z+f*9xq8Bb2%!>RAk?7vKT>kSf82QR2WR$B7ho0|w`O*NaW?jP`xn(sJl97qIo|R0v zAamCL=U>IZeyTY08sLv$wi8`<~qkm`Q(1<9?0WUwgF#OI@&QSFr`piES{HpmU z<*@L#2t=;@M_Hm*!FUEWUP*gA^&5}uT<%cswqw_9HS9HWD${t83zU(a1u;ssqgW}C zQSh^lz{F$vd9x2{*66QkGS@HOw~E8#v~Xff#Y-}q5*|YGoeUHJnNJ*pqb#@=6@N)r z0x8IKC3WkEyPm;8XVaglge3}}(Q&@S#eG1=mB91A&}HJzd@AKyrX)Gin8K_oqv$aU5FT~X~Z}&=aW=Diyq)4I*BcMbd&g`ETfbb zEJ|r(%27%g0AG+(06I)6qPQp}QVlXnNk%E*5|lZTcul{xp z^~0bH>&KY(K-VEbKY^m*3iErzJ^a0-a6>{!W+XGxqr$PSaaYtddu*5 z;!I?O*^7=agYf}x`>Na5-BnU#S;M@wfltyO!0<8|fyR-Q9)Y$lL(pUh8vc9Y36~5( zlObp_1dSGg1{blm9k@nq&-a34C>pujWhmMLT~SX%5mVpDP&7g}%sv#23#vjcRR*F3 z9~p=y1JNc_ftMDDwtqS0K(q|xFUTnXG$s{MTp${$1{sJZ1JQ7ao<|@WhgZQDh6W3g zL1;1vO$MQn<#|CtXuP`>8Gzlw8KP z$=EhbY0o6Ktx8BGL)-ikWoR2QxeRTSp>46uGPEsIj|^=qLOL1RCPUju9~s(~s$7P) z$vsy6 
z0uczC*Nw5@oX}lO;Kb#n~Y~mCyob=5mL!`Hors}&qhoxeo-J2x@~O7uN5-)&OdQ+wjbwts@&U6UbfGK3BPJ@K?khOo&HHW|W3 z3t;*Xm5W=J)ii=<))gU9-WCR;7(esF4V>=amA#CuNSjMo)7&iIP8d07X z^ncJA=T=1qj>*8Wah7QWj%^nmI7Zj({E=g6K?Nem(pd%E*;jGRdd87sJ2G;t=*Y1a zSlc@GWBb5zjBX#Uj^%5|{QZN+c4iqohVSIb;>UtAk=J&t<4!%v+XS3m9KfIe#lO0T zPGhS4Rp1W-sqXdg3*Sl1a0pz0nNl^!o`0b07lYdmsokzUvb@*q^F(UDydvbJg|0f(7|+ccyWr!I*^zSENN;pI|2?>@CWSuGtE@+{k%p$-MV?M$w(jV7h%+jDOw^ z7UnjLZXHpBHhI7;@wJu)7~;gVq=aMO-1q_EWJrrRN{J6@bpVY8C|0}Ney4kFu&-ow z(R49Y!EuZ6OTP(*OblLyZ_h-!12Liq$Q0lZcOhmJ;zWJ8JwncoEfoFf=x`IDg~Cvg zr1Jq@sfne3rnoD3Aj$>2(u3}Un13iD$b_j;Nr;?~GV#Rqa>d^^G!6Jt131gJJ-cmK zU9?QKmv8E?SwqhqHQ=i$6HOad-f#xK|3lMjL*qd~2UuKK*uRJW4N=w5{=B~4?u|^d z?I6HDf>-ywLG<_czyDns{&zMoVgVaM>8EW+sBIIqoZF^Q>d3B|fd;shJ%3*(sn$*n zY2gpv!Ds_xp+VVZ7RAFcO)v^0G_erl?(3>XW0Hs^4SeS-cvF^9-_)teQs!`jyS2Vp z^E5r|PJV6{NJkT+#E}8I>Ry9XA;(D(g4ZFuZ|wp+YA5R{SElJjjLLhy9R9nu4EL=dg~*DqP`c34J^BuUQ53#?GxgM<+xr$rm;y%n+A&#k8*}pJ zUsHmM%<@$j-aZ_fhJV~q`N1NIK_$plY4QESa9N^kx0tmTITw?c9Dk}A^6bb^!hNty z=iD-J8Fr91BCq0N3qW^FAaRXlLMZhJEKmMrxHa-96I=M1oLhiP1a1q*FvT z2PlKc27%xK`r8BM@_)i@A)M1VN1^z+p-@A~d`DVXtb^D;_TC|5yb@AKP3D@KKIWOZDQ_({5=%>2Y>l^oAU;ZbYHosyabqU z@wBIl&cjQ%v|$6!qNHh9T=H5z<0?^9h3AU5NaEn=TD~1(GonkSg04I1*O97ecGT`& zJ3ONJ3&z{*1>asf<}%F(q3!uz#${;a=!Jt;M#NbZ7fbM-^P}GBLqIvdB4)muD;Gp! zMCkfj2o*#=s9qCB25jsxvvkhFFL+sfQ9vcED?%+X%p?NY`{=+Hyj*}C7+|RiH-N<^ zxyaxmg^d!o6`g?^^P=d4R2kcrNye5wv~xlKk_Ncw`E&Be9a2d!VDy4`J~)E{$mK2s zv)eyL41YC3go$+S7uC5Z4H#@8=sThkuyK~;u-hQ~G`iy@0wKvo@E|p@c}eldbSM@v zXBhcf!e3zGtqbmNF2Yz+;uR-Kite~69BqCl;>5+^p%g!al@j4uG10+l#TZupGKPQC zMjw)+P($MgsHjAm;Lw+t1lx!pucNy|VA<@b%75D08Y4+|g4*}*saYgk5nzEyh!UO& z`7FI`<~7EFRaSn|UH9a&fow+Ph)AJNRy*#eq?^5xJ5ln;y$jBbX#aH4h?G2#?? 
z1%H(TrGLYxfmmRVlD|xx>RBjQlFAQ?`v~Y?P&p*b zay@l0T#z2UisX52Jvrf08I)3ZhsGC2Q+QPi%A9M*h7;vNS$=x;8lNSM&j-SpJx6WP zQkH6bF=MA{_bMopgQzh15g$8eWQuwyLC&di)Ip|%!eT;i^W|CwmontyDd z@;H=15tF!;K@sFxZ{G8rP7ZBtEX-S-MDc|#*vCk`pkU;JiceUm>fCBpzox5(Ug3N z*ihQt7bgR*!8*ABb1qDWxM>+F5o3s>!(Q^7k#vfk;6^*zV1roBISg@4XA(X{!rbRAR%X%P^j#DiTHaX7gOeCJSsXTiz{+6oiH zqo9t5NFKvgdb)}dxSs7mP>YXq0qNjO4)P;vB2X53t{H)Q0xF_xi3s)sW(dO%tWk`3 z3NWz*+!TtXKY(_q<`eRSK{7u82SYP6{^WS|8~Z&8ky7zc^l@dN4u30Z7*9=vV+>gg z>|A&ZKj2w88qto5XrPRkiX7@*x32^xo~lDdC6Vt$xl_8CDFJ!{Xh`8`>u`P;f+ZdJ?ph4jMrCVB>Bio^ynMD=oe5FA14iGuTb5nZ6wBO2}}NSArhFV~2TifBkFefQStf1djIf5oW<<$@2{EML? z4=Px1;gc|vsz|J$-&IATCg#-<@d9R`B&_o#=28_~tl5v;m4CR`n3B+>6IWzLV*1N@ z`A*E{23o$hsGZB?}=Z=ALIJ128|BLrxx=xweYRsAmXul&U?cFmb@#G{W)z8 ziELqslI8A@lveHzr?)#~PZ){h1Q(BOu(2|pp??>&FRynentd@g0CJC*$|d)RX({9$ zF_la15mUbxynjdJUufhe5t~SE5^A4XFX$A4x@R{) zGNv0-nvCf#q*@u%En~W=CCHd=p3E|)TgG%}KQgA9M}IPoR4+58+vmZ~7uTK1JLTAJ zj)yQ41usf`w|^=3B4fP$rc>j)`FbZEoEqq!jPItVmhs(F>3JF7E#teB-!kACVDhQ_ z1^!C{GbAu0r#vW+gb9%IN|*qnMhO#0HBG_+>3-_95q@;R4fKeAbOdM3YBOKYHEqbkZ6o3mqcS^KC?n& z+<%Wu*mB=6Dt{T81Z7B2MoxK99tq0u^GZ-gm~VkW88`9SPXaTZ<@pkQOeHvjBfA7= zEWm}I1ZPNaMp(H7XK;NaID<=G3C@`Ih+%vV3DA%Lji@vU&?ux@3DA%L4QdGzpuv+_ z0yHE*Bm0p64IarjQoT%oM$!e&h14Jwk$(@eQ8Y%vU>*Mdo(PHLpfvZD<-MDO6$SRn zYbtVrmQnOVm@0%sT2NCVW_ZnhQ%N~ z8feHR(j%MxcR+f85dwWEfVfB~}Z|)b++qn+<`45Swe?}0@DbHdv&Mvyt zwMQ2B6gk708#rc`o(rNUdR&?Ns4}Y>fzaacy)dhCHX3w*M{D<#vElI_F;70d@g8h> zwx^0*`pIIlX7RZt|ALz0X4B zwNZI(zt#!1S~EOW>^V9p?UA_`nf@sS?*UO_fDZ%l71tkWxKWQeHD|Du;%7!212N7T z)76wT(>`)Cje)TM1IIV%$Bvh(YttK&G^$a3GzO!AVns8&gXRLhlf>B2l79=zceYdH zX-c4N@;Ifa;}rZo9cq7zY1y+}56^7R=s{i{C}4r>7%2Bytzuy5xCK)XdwN*VWvpSE z%7Ll6p3w~!vaUTCf-&is=%!Iud`H<;RN%hctEQo?iq2qHynU3@oh@QTL-W}s8+f=l z*Hx)u6~gDPedfU7;9 zk0`v)#W@8c@mN?FB|aE) zaaHmNkOMxIYZ9402%~u3UOG{s@LKM#GppOn9c!?oA#oK2v$GCg2IkGuP#p^mKBnhy<)cWV=u1b>Xf(JiltqB^!`>67;m z42ig#yqIC%aQi^5CM!s@2dZHeGx|YU1!zD}Qn%LDEVq!N9My8|!Gr4P?Vta3_5f_t27iV-sb0Xsicktz&OkL$Q}1<0GrAKN2wBV9p6cA{kTtChsca{-S5%_i 
zadqcj*V-P~rA(}DsK~I{u4_(K8f;@R^Cc>&06ReC1T#^va0aa{u3Y_bXxfI?zB7tw zbWrHn@QN(6Kmmt#7yNTzdsFC1O}}p&-a`Qe2PFb?0e|HcIP@X2O1t~i(Vezy+*+!r z@eCdP9<;gwmU1u~4n`Kb@BmYVF%+FB!lK5DZQEa!3MdFnjH0EC?i^6J9{z9J8M&^Z zf_ANT-TR4)@mp3%QE>Vzq#)2qs2plBluHy;2ioQ6n&H__*&h1$^BgxC;rS|Shr`+! z2E|3e4}Z-IrK|+^FVU`=FYM=DHAkon&P^5jP=j4he*y-}8Lz}{9lRe_X-J#t?c z-_qDJHm7zr(8_1RbCB3PqwM`_PiaACf-fS6r>&{Y>73fT=WlGM(ZKYcc}^|7L<^>} zi?-d$m8150Mz^p=#&`2`Z6HwDOC6r`=$g`bQh%Dr&sW|#_K1%)m#4Au&BL4;dl76M zl_R^rc_+Ccom11U{dH2gMC&9xi0uJs^EQ(1Sj@hO`{$>P=GoMiN!$t492+@<#Sy{5hMo92GGx>LS{+)mMuDm*M^u>~4U>-$i8I7DlNkU{h<`t3-}A*xphNm;H}n)vIkMuC~ikr4uNR8Gjt3lLQACanXBr#wSRji zCLi5T&Ayq-t-Zt7cm(BJbdLZboA5v3FU^a*I|uef=z=vrb6PNI%SrdPi`#Cn?iJYR z@g4K*TYPhUa&~ap*lnIPuRc%hC^rj@nSV=XuvJXsc;?^egAfrCcT%7;p7w5ng{{DT zpx}_^-!D<~;d>*XcRV}nD&?5T=YNr-7c!`+h3taymb~~LNJG39vjY&s3)n_Myc?vAQLb+|L!5KF~zSb6o7x@ z{QF@Kf+M44q=i6|Z=;9o3+x379FyG(j1(j;#vnHX)0YZXyHLG8oK_*XgD5pdA}=ND z)M+JMTXib_%Sse{VrdA$EEDrnw9Xrs)SfD_$Z&o??uu!>>yOSqwei9;$N#uV;xpTaIg7Qs5N|5JOa7%<$Cy{g3k_Pq7UQ(g- z(|gz35n&#Ra?R5Qy0(P~^d}m$K=7%nmkBp+lZon6kxpM!Cm&JI96HtQ+RlWc=Iqqz z87+5O$&eEKLfM4G>D$3>M`>I%!R8rmYn0JY82~@X7@E3*JOD%NffJ76l;wZcQ18NP z+whdnaFxq|%!Bq8EY8k1wir(@wsDafe2ID1fomv<|Nzc1+P=X-}QL#b*h%?ky-5DVpmC&|qV_pSfe zSHEPMH6#TZ$JX#>ne-XHTn~RsH5uH*oCTLg4zD-zjI;ql#^UM#uhJ*g2VT(RycFWv zp}w%qU2@5XNBnL|q4>>8s6_w-nN%|b!dd2}9D#_1=m$hh{dU>`8fb%n9%)yO+P&joPn`ZkEFIf6btW(*_Sg;wLuBTyQp?rF-xFx* zI;c#yG@oPCgI%T=Ru?iTd#+;N>yF|X16>&*FbBM>PZNs9`&~gDzp7mI!6vzuv>xdffIscXh7!!Cv11Jy9_%4eqLK$E~Pc_&?LX9KJ#|D@P-SVw74} z%}@EZ`SJHVb+6l3f;yW~YyDS6QH$XK!>WS!*l3TiE%^Dt;v9bnFm(wl&7v*Z`lC7+ z`m5)My$8*{=34U#aeiPp#;xrLyfQKKPMld^JgC5gO-MN{`yzN1vyJX2+T!PKBCol} z^nZI}3ex8|C|V@(^POreQVa6zyXPxEdM33EJO{&UYr5&F?Y=z{UubeRqFT%tAYY{2 z2d!u){bivx2rPeP@rCR}{iVWKM-;!T^noX;p!@mB_gPFQBL6uR3$Q6hW1m-!d{2)} z6|IQgOt5x2yql{w3{M!_aNHX)S!}VQUjsoCV&so>+g!^$(kJ*D80d$r|LYHNW(7 z*E;7G$X)Bp+qLf59o6&{_+;XpuI%b+*S6&5Rc>BUv5VtD7P)y1!;XLR-D}XyX>4M1 
zY?TV!#bUn2_L^TOn9nR7Zo120r=|vagx{-?x4OQzJ_YZMmp9rtvA>ix)hr>h;vQ}l7dk0^f{-*F^(@&747ReXLf+65dSSVO3V3JjlBak379urZEN*`S%f`5$#-&r!r~2zE%%z}yjsa7E z17?pvXIi@VU^{mZ6$9T7@sTC2;jSpb`9nK&YC5&ET}i|A4E= zx(Pf&)d4OgXrssq&gn;vhXYl!uTrMNC{M;svF;RCS%BqBJaa9j^UVHeEX1UnR6b-Jt* zfqZj#RJh0#ei>v6W^m1LyAZJ`$Q~_cUpf0SvdGz2&c3P7RAyhXeJ|nmHqnX#_9NU* zKAU_)#8zYeJ3?El*1Pw$A9HamkS1*7bbs{ z5SI_Nw?=eoOfj*7yJ7+6L7Hq=QE7z zv6yKV?Y51J{&R|}12@g57@;O>i^)spDOl?qH%R^+=BYYtFykRlyktIUPyl{;$ z?b|jO1vyj1F!p&3GY7fwB-FzB$h9Y;ffl5`%}c92nT!Id1z2naCih%K?NWb>h;_Y8 zEpqjH-I+j-#8#LfbB=Y!|A@3qeKdq0KbVD6#(5i0lPhOu!j=$h@tCU}+E@u(D{>0RrE~FE zq%_rBS&2o5kN-l04WFhxKW%?B&mft5f_Y=vXOwyke)vk@lu&vg>;8{w+*%c?sONR+G;hwj8pEw zXv)qnVHYl+99N1Hbl`tltzKT+Dc9DnsvB?XJ8$b7t2;aOjm_;hYqhs)Yx!j#*cy6) z_*n|?hp9sX+-EF4in5=P{F{Z!uRp>WPBq((-qRiEWzT&%pH`f-Ymc0+-WE6|nv_5w z<+K;{uEorG5Yl^(2s!EaY}E0+$6LaVqnNfw+RA+xIceK@DR_UU^hQlisq;9m&oAab z#$iF_QHz}*aPQ<<8(pC-B+nj-?frB4-2DD5zf;L}?YLYkJ|BkHS>Rrkg_l2K`eI1% zBgoY$n@3P$t|aCv`;nNdWG0EZ!e?4|B!$FWNz9eRToDVFn5!tC#9T2y5-r2=k(evS zM`{trM`ErLc_e@4D)o_=D^j`_g1Hhn+L53u{O1{gu0qP!80-p59UZ1y_FqUqC@eb1 z^s@(JZAmbe1Y=>-PZ5meo7eLNV+~Z-)18rJxT}^<=T~1)99FUg5`tBXkP?D5p^y@S zg{?$Fumt6o5Ue1*gka6585syxu(f!L-*|)@j^_%(;(dQn?m2_7xZ60{IZnRg5edRl zBnT@^^*eyD5I@_AZQqS(Xr$i?f5lBTIVs6xkwo1TQTW)YS;Fuw2NUsIGM{4O)Xz(YAdXs;uKfp#frteKK8(ZC2$tXwRDzLO+zz~YF@+z zfzQ|GK6~R|P@d_DTYm3h`VYbjq3QDB=t@0Dy&ZpuK$#N~iXob~@l2x5R7xrlXfMhr z3hzzSCNYocy5@p;6qJ$E#Vb}ufz$%H%)+hDRIS^QdMnmHdFKSKbOk~DICfC}4UFho zATS5yv3)U{&lkSMxylII_EcpNwBhN6wH2ayBJX_&H)XmvKhr)n$nCyDjNo%{vpJ(K z1SNkJnrV3F7{Re;DjxrgQh3eW^M`27i+%0`59B#^&a}4D&z0!s^@X1*<#!6>W!@!>PE@>1iX zsT}LHHD#vTtV7&|YiwA&4mSjvT?4-DN=n(!Xew;4QIsiY57go8~AioWHR z(H$ZB1W_Sdem3PwSMkuGv2Z~Re`axU_>4gRVV{*QRL8RjvvSEath-VGynBCJsRVW4 zuy>elpigbFzsA#Itm}XocJI_%{g|wLVUioX@<+N9{GQbPF!NbBdEs)Np*ahejj6h^ zEWxDE>h{5C#e}V|uC1*cj|+%h^|J~5353vLbdE*z(7HQos& z)9$L_>)T(!x&=~rpwjrV8zxEQ)AXTkY3{j|@Qg}dA#TuuGGFT94881(|GC85Ltv4{ zN&}YU6=jLy0EC0?8yPHzWMSh${T?-ou(D^~Y)>kBL?2gfq6f&qqHuo^bieXoczwkS 
z20;llPN}cfR(Im62m`jlp-Rp1rGL7}?!##m;+OqzRtKsD8VT>xR@GnOMC$+MR%&b2 z9baQAV6;s8X%N%1)gP{H{Ub4Fhek=54AWLoO?v{R@qlGksZ!Vqe%O4hpH*J;m$miU}uYMI8>6ZdkkW z&^Nk$1*k6!(07%zC$MJ^1|!SxZFyBWgHinE6DZAa6%CBM((S9(t*$^2vBGF5_rjd$ z_fn)yS^Y>>n5r-MN3fj62cpL_5TypR4bWx4TFfWU=(@1ayS9I6GD;6xPtTsNtQ!?q zt|j&~OThc-L?a5fDoXr|<=3n6Kbsnu=PKdUiHLhqmc%z851jj9%JGUao*X~wok|yV zO=D=F-0?XTV*^Xs?M|tkZBT4hi2s<~8pJ!JK5=J|niwuns1)qZF-%c5EZ~sBO(ZDJ zpFB0xHS{6IG^~G}Z5h5->X^(#!B9bA4}DD!b&wb|a>@EmEjDrp2x}-g>v-Ar8x>!> z2h_FuV|?wV?BA0cp5z1(*5+o;TQXBKa}N%c1uj%z;%#~Us#ti(!ex6 zUdUaOnVE#p&-?6o)}O8%P5dqs6D(9?Uyp-1oIRz)c ze1hhEDgb4c*1?dmE%jb+ z_eQ4Kj*vcWM|X#|<Iyra!-aD)5R5-Y1}og}?lpg>eg)UjNV6C3wQW^c{cv zV|*mO^!;zzEd%GB*NJ@_-FGD~jiPaTM%P{{9rdx8_g?DIr~sKoue&hcX1~J$&zZOY zK2$*IJ^;}XZJBxr$-HWdhAE3%Ndcl_I*m-;57bFpBwxGKj1%(!01!~pm>t`M}9-5Mmp z_h0!s5m&Q%O8~+34NcRnatj_GSh^X4zX>>34v;mu%mmD=#*s0?3u5BrFmObSI%J0~ z9WqhfDzAb6uV(uUAHNX&Jf{U@MsriD-lRt>9x|E|jvWvh0vc(7pv5hhMVWtD7{qvk zk(-4^O$AC7>kYvECHZDX*0>UYZhZV<+RzqUK_*=>7hOXp_Xs9Xk@`$jWWHhNfqz6m z%kxH@hb{tFgn6~N2yXPr5 zOJGL?CIv$!o*oj0j^f$MI6l`8@Qlg0l8(j11RF=~v2-9RD6gXjMe2WAS}FzhfgXxI zjvl3JmC{%5^;F5q2-uB-!ckoqni@Ylz}0FiBUeYs)4d8`%R)ZRSe_N-$sYORgBqnO z=;;~-(&~7S*@rMbuHp}P2Yd&{2iEpAB$P%o>i6X^EX&kY$66f+wZS<9>`zB-C6dCe zB< zctQW8C!20jQ$g3noNA<+K;v8&jK;mbN|y(^C)Y!WM7T2ic^>#n>*ck2d2Rb@ZS5`k z|1W8U4h|YJvInLE*DcdDZnL36>FR+utE;YlX5$S5+EGYbu?McEBQyhTvyBU8k=1a$FX_OYfYz;guVx;lkcV2^#GR_y!1 z^hzwAOtd9?C`4UTvPD7LsIBuf>J{nN@h_4@Chra*O(KKYATUT{sOCBWZ%kTH5#E?| zUXiWMtGIGKXWoC9M0mgCjX|?V)U15GF~JL=FOohc!xk}3`WRwIOBNZ)BEvZll0`WB}rEw2T zv63jtZ}P?ve_J>V@iV8+2^E86*LYhcAo}^Zb8-ec@Tq_BtRfvIni)8lfr8dbY9L7s zG>Ke6CP@t>se#6INopWJr=$id+)5XX8c4G6&_0rdC!SOCjPU0D&3Q%yHBPed@Z^`) z!TVWo>sUZXPO|Vkd&g0-@bF6paXhNYJmoJ;Fs^hjh#n}`|G73IVn&fmVY%{1ilCge zO_?G{=*)ke#iA2HpW2s_O@}Dw0<-Cy((h*$@Ip+I>aazXq&kvRN0RDDQk~z1R0lJ~ z{jx3nQrAY7rUpQx5E1u^ky$eEgvkLDiVLZODdy4dLL31lHNzs``{8udLK#e zBfcM!EI*RvN3#5Iv;0)c)!J{y^1~nDuSl{VY%5-oewDm9$%J`a>&ba>cocjBdYrVp zBJ?=vydqnJS8*MC&h$8m2z^P9gC>!vS)BAZ4LIfb8h$jgymHghAk&EL_`3cASaC8u 
z4~2iS;xPJGlHn{Y8O{oM;CCUa8+L_wXZxxUcj#D(&?=(W&n?hNLD!(ZGJ0qqfOa3g z!=j-f>A+rTwxBgf8d8&yI^_L+nNm>bdYCrgAS-pg_6>@qGK789@=P}mre9aMsca7m_& zH%|hn{t(!du6Fx069PsSB*Bun@K`8?-GwvjK(PwB%0R_j(7pY=hAB<8Fu{2gB9D^Y(ijpD)n zR_+Zofl6f@nMDGM<9&a32yABAtgb4280SC!5bgax{@_GA*H&5BW>}6J6l7SgrNiBwJ` zprNcnI${Y`CghP&<=-EwTEWygj@23b>CN85Att`>XibN~V z1+9$HUP*!te-VQ=i=Y0ItB~Mk;&n~*^F)&s-wYzb%@W)!!OhbKH?L0{+?=`f3$ltJ z4M=4a2yP}-A;HZO+>C!qB*D!R+??P2l<;N=ZugHe!Rb08A0md0thQ&Bbi1Wk{=j3D_+D5|!SdEZZgbybfgwIGocDUz>zNA-oaO=??DyX_Zs z+9u}&YpwDiOtqH_-3r(#>x_-&v#(cTBe;6@;_4aNe^|;Pm~>aq_OG5%v;w^P9TK7d z!jDyW%ohv%2G4OZQSR@)OC8n{gMW23(sdpFhW|n(foFdw)-$q}>G=B3^a(OiRC3m$ z38RnqOm4vRh4;Qa@tx05O8<@~>*L3d^8`f97$oHLsNen7(8Rmj&e4CePK`V zAQQ0evVq1SBw&E(k2PgG>sx$qRKY(qYO&|-jOTyVR>q5?o_Y< zwOPw*L9NlwD(|>b&&pM;RoYoiuhpxWMTWI0-ZiSNde*yUvw6(leLxw;`KMjx3m4Li zfw*EZ7>YDezo|AZu7j3!R5uz`y>C=2dL6o=8~wpRH~YtCwcc-3j7Fn?xVqkTk3=dV ztVw?j0gGR|4AXJZt-+7dRzw-!b8RtO<%Ak1dOkp9!*qjcIs9X4`*&1BU>m-9qwRr0 z{X@IGv7zwqncEL-RINcNg1#IlJ&a+zY8;l zKe~Drx!kBGTJS@RyB<3 zpf)fX^&&z57L9%F`3`SfBn7AJ#ofF~f91G1mr*(B=X~xXILrHl?p$L+MGU9z#JM0f zCeJKv!Bot1N@UrtGsODSu$%oN_RAQZ`*6fo&fvNHazk?{ z8uXy6S~63%cy)h>+0|n>)CH@TKv`Bo(>iUeAI&k=W74M*gBLVV_tGveYk0f{+xZ%8 zI6U>Plw2%+mX!S_l4(-9NWfT1@q4VuP#hhr7wpHHvae0)0>kRz-@VDcEV6%?H<%8G zhL7hoT16exn~o+syLdk9JENUs?&{5Mq6l_if&%#bkuzRtrtye)FuT0Zc+=$!?WCbI zUu0Ko>hM#l5n2mk)=b0g8>~w6#_%WcWqpm&t}&H_8sHuUkOjE@=2(*(O3+B?FzNt` zB>aEsjqjoZXS|A`@g*vxS)qT@O9}2x5>iWEpdLxB*3l&CjhS4SXY6|jj+ArkbA!K= zHqew3ed&$0)5wmz6au|{Vmx+i5?iJebIW8dVLbX)gfXf7ND$KUDJqv0Z8{7QEJd?tyd>9gT1mvxpju6gH z_a@$SqS?NWK|knS#PNR(D8M1*kPfuKo=nGBd&<$^`4huESX^J&U(hA-%CTMR7qMz- zbdqEE3PXTz)A9Hnw~oyj@}~ni_IpR*L^7|`l`a;BMTWa zqogqTqr88$M>cHEXZFN!xB-bNx&a@_pIpPTxtY&&RI+vw!eW1w|LVJ8jc>x!M`DhJ zZcNtOJxkTvU`8>_(NA}LtkA*#H=F54zU0}mfJE=07R**-&b*@eQd+;ot#b_T5?69v zi@UQ}_>i9Cno(RJP`&(`kP1-9z05-T#iT{~bG z9rstN_}?7yFj;>gzZuvORWLPIwsfl|u%~5cd@3|vOlNjzyqHtE`&=S2K5_T>uU|#M zur@ji$nX!iLwK(omx5>#IS+!**FR`dRh@0U>vqB^#^7=rAA869IGF~K!tzzHvH{;w$F{pO`b_4#qa}y 
z8Cjj!WVT9@)!!e;0;7hsDx;QS^12|jfMKBXqCay*YT|v=9>rqHx60BzG7sN`w|F9l z2lTE-{y%M2j3*EAj4qzPk2(MlLWKp5(5w~Q2o_fewH2EwTK@xR!JOW94_Y5!2qrCf37)t)&7)kEt zhQ`Fw&W??t#h3_-N#D+2Qt#n3p^ZFYm!sAs@(3^pQQEWtPDO!>@-ndIp@mKvM<^wy zAi{r{qV$;K1veK0SWO-3Wa+>#hnRRoiWDRxikwIsIBFH!vg~F{Z`WH5yn+`6(<>3YZv2QDrqgg(DH1dkCL4C^ z(8yDq!yjxxA0CSIXPlu0qvifbhb-0KKj7aym1^PBk7DIZ1?+1-6J2IcGPtCtESQu3 zGUD0!uQ(v2Q=H&a53hA_1;L9qB4mx4lYHB=cn(W$1U-qu&ytD?tnzqz_GlDK5KMpI zpX92!sl>-#rh2wp}Y-jb1O;Rwu%R)dA#tm6MvN!!97>Xk$L{gH?C2M zb;J)8+DnU~BWY!N5UDqcfr(y+p~A52!^ik#l9-~8+5P*Xp|bKKqGSvZf=xcKd+1Q! z;krFwCgkw5Zj8t79U1pMoC{}U*)$AYxz=%)KNOB+MYc!j(JniqeA$0&f9 zilqVC*POppcQNLg-im?_aE|tQ3ifySiZPP&%+`ynn*giC4XneAJedBs( zj44>3#P@?Vc;1_isHOegM8Gymv>(ovm?AzEH1J{@+*_H#wXO4{4|x#N!J;{Fe{Ur+O8NZ@}S&94+QxuhZQhy9Z zHCY-)`D8 z&c34B+Y@Svt)M+vH9oAGuR_M|)i*Ooi7w2jKuAJZw6q-V*`wIsR3Cpj+s+*@74V(6+jG^RN>wP!tQsf0uFJW!(3Q zjG$R8?l7x})dh2B)ldd=m%-d+Fn8jPx(wx(GC$H#?%H}nxm8hj#Y4H1ja(p{KBIrnAfI}^PllE^divqqM^7u9JJp?K)<&3rOTxLCcxo#7oO5W( z_%@3peY%6k7kk$>9HM+C@6Kr88|+IIQ;Pe##`{uOj1&IZ5>FG~%GglU_tDy;zE>NI zY&A{OY?y{_wro?cH(CST=vOSgaa=c=_MmFjszo^YUfb?C5!rutapT=;f1Ns3ETpqq z$q3Lxy@8`dd4K25{IBTeXRa{#;RX5s|IH4f8v<6H`W*{mhB~ey_ic8uzj&FYvR8QJ z^C3svrz-H4%6MS*wC48sg1`IjJ0=+~R4RnsrX)1PfB(n-4QA;Z?FJ-}0zx$ldTdU# zA&ijec+)_$C|iFRo(5@r%^rPrd~ZblXbK1BMUJl7dr~c=b25}3hAU`qoL~|hum)qN zUW3Sk4iXI%iTSKJSBWKVzV4j=uKe4gpgP`gNrgy{C)Ri00#ZNBX zgoDRFzZ4Ft6?W_r5`}w@X^heXFZ#r8h+b$P*>hC(2P1p(5sNxH&@RNV&JzP-5i%pm z#QgOG9N~YFZDQP{f48q0*1t~!);CfOVJm240{S)=3{_wZ*6PD)emy4f2V-r~+e^4BZ*d>2il3sV%I~xUI74Y-_q#Jxnkr&2O zDRdzdZeBTWWd1FsXvKw4b>p#Uvz07YKiUp`^bME(Zoc3~H7sg&Wyuv1E{%n%Ox*Xa z*81tUtNm8L(buaLbD-C&m1Di#wrhH`ePn|b)T~)NVsSC+hYfQNmv9fUSH1Vf=sF2> z2^W8O3CSuUS(%WmsBu5_Q7gLI&GL!FyfDmeyvgIH_hhJvU01yW~D5S zc@Uit#l^ngm#~7glWY7Z8>BM>*CoYU;R>Uu4czgyujy{#>Fs*0 zs@Ez88~{Oj?Aq~?;zK4uTH|q3fh-PT3(t|Ei^%?CwjZ}((KN@0TqwzeAhVD@cxr$h zACoyFx2%0lEdx2m54kc~G(;p2;&bw>QwmsO*2WrzfcIj9EZu+e zcJ$csv$D>8z1^^zt;R8aY2di6*N;HTTeaG;-t1QfEwgT!)piktHCyUEd97#f@1eO~ 
z?(a`_e_w3ZwqaYgYqp^e8vP@^-l#P6{&C&Z`_-0dfVftx$E^ZV`TkXpuoAAr)mtQk zlF2<=$^LfZm^bM&tmQ4OO=oV8p$30-0{n*Sa6Gx&ISbF-G8gn&)Zoa4p#VXI+E!^B z%wE8AZ3L+iF^%p`C*vuiDtQ3&b8N-)eL4NU#vbmjd+%2PLv-!z-P@DyFZct)5z`!# zVBmOd=MGWj?MgsPf~zR_Hhti(Y|nw4`v8Swle~~HC&KtWw|y`i?zk%u3>kkypb91y z=GPichkZyUxnxlOnL`u9Vze=SINP|>`u613wnws4kGw_+Nq8Q*{b-H5%w3t~O-asH zwNl}3k&QZ2Bwx<*zzx@CPR!l}eTN+_pL!~&Mh*{&bpPzk3`obeBZe1xdgr2p=Y~#b@xNIzMXghnb12>%x)qX z;W)5w^zsKY(kMV?~psCh*;pY7QYgw>E9^OACL65I6YdN|O?VT-ry0cq zHxYPB&+w*z->?sCybynl4G%WS8T~J9C)AUv!8rTnq8FdFPJ9*-T7@{U?_C>AgGhin zo$q}#4GuB~FtN;~yS*M^eC!~}LXc|AzEJ`J;c(N4J2?9Aa071}N`7 zT1s?jW?PHh>F(_@Zzgl$1bZCmx2NsxQQ8YA#(uHK?i-c&AC!Xb2BUjRZ3ooz?!M-O zn!`0rU8v&j&~ERu2DaPKYT@y^0co*eMZ5NA+r@Pqzz-OjcEH=hnlIXskkl{{e=L#_ zLCYWQn?TO)svN0Az0M1vvOebnnawKP1v=3srt_E_vkmb6(#p7?tw(%D=Z}PYeGSYB6#b3mh zjU~>vTl={!+GNU4Ny3fi?I`+}xzveul| zZIrE;fg80}VdJI>&%bciZ0ROPOKI$;nxDho^_MYu{g^wEk-LP}0wZ)e^+p56g+mYb z`H*yEjU~494hv$UPrcz*ypu4GpWneB{q0-bvb5K)UkryYg5dcsXO)q*b5?V*FonH6 zvq0t6&We9#ugHW<=|Xj5hQ^m2#VAc z?x6D@Ulu&JsMvj2Ni(^9-inAymX=d6tlYO}%!zYxSO6 zj5#YgZe&&B`QgpvQZ>{vYq+y9Ts3bEA&sfJus+qNEb2o@qLDb_HZ#t|N2S$WTHU49 z{Wz`e*+Nv>N(2hq|P6q zpFB3ah~!T2p9!E6G2jR`Ry;-E+kMT16Tp8b&Cq=BR@-4mie0hp)$aO(T(n*Vt+kC@ z0V_k1=3KW&iXtS1RGpsg6X8pWJJyKv_vbHThe!J}^$w()fc2wQ zi|Zd*NfJ|hM@uRo{0M!>_8WUIJ;!9?MUREf#*&Jk*sJFs;-T6TFbO6*QgOSfBXfUs z8+1ydhbiS!Q7ad={Moe=DFI$BKLP!@Aje?l2|jh@@rySJZ#|T}s=0aj_-!Af&t#x( zvY}>03kU@iNSUOdsL-9ULWR^=i9(tkOI{Gaz_MkUF1a+!8W+Zfq%a=!s20lbUOaXG z-I9YI<7;?~pJy3eUxfFEw}e^8V)B2JDW;e@NlB9}TO%d`K zxEIp{n2UZfHJ=-$U{tc+EXEg>RmAEj7_(|9DHux%#&3~=amHb~Bw&;>KT-n5qxBFl zstB-(6EG$lxc~uUGV21Hz*8Y$td|6gD<)ukZ3H*p6#ZiTY0)pHy0gs62=jk$3H>4p z=a!zVHbcHxFUc2Uf$Py_(*OI<|MR~~^2L&TaW?s4N`YKuQZHuenpwn)H;~C*74IUo zARp@@)~n)NWbIjia*^sRO1Ox%Z5Q1l>;J-Ri!_{txE8qpB&inr6{BJ{4g09oG%JU|ZB}lU`o_fQfHxkw~wgroE$+pF^ zSt{|Kh#Faq$z&x9V=-;}nyrG8gmJATj5x|A1>-kQ(X>1Tqtt^9a4mLhI^V$6$Z1HeD;`ho3#W?q_K zk(3Azlp{;~yW>y6n6m?Nd0oI+GAJn-OG?J=BCuHv_2OC)mD=hsttz}~Oud1+nRu>u 
zYx^m+mw`{rvTJ9f6K8)Pr6OP+(wrGXvdR$z!XO85lH&eh(}lxZ=+T|vO`wS;J6TC- zTpd-K2Uy4c3DI?lA?j!XVwX6XB!+(>s<(98IM*91YjL_aY_#yl<)?hRiH=X}x-FU? z!CtLyy zrfl0Fhrj}$#B$r)f^Baxt|u(36RRnr9fD@AlI}@SoNCwI7RD!R+lKg_SXG;2dzyo^ zkL{+j0QM@gg&p8*>pbbo8^lPUu;{qUFAdtmG!bMkOvtT@2Avll9Clk0LY0J28=x2{ z_w;g4&*F+nY~Oz+T@0H>&uKdmO?R8obg3%e&ks3TgmpatlS+x7`aOV1z3MlyOh)}%Tv45H%0A|A-ziy zyKFJ|@G;Q3B!@2-sY_xeH%jTEMA9zCK#*0$>L^{ZYA7jPN=lcK(xs$yd190<_4QD? zs9^QQDP59{T!7LgnRS6p;Hgl$G)hXB6;rx&&%Y@`m&Vf~bV+q*nROB7-x5NX?)jFU zs5V3A(s+MlbS{;8wbg3$2YSt}nR>lu*t%gIHQ?83t=6pd>y}wx4V}xyjd!~Mol6?$ zgkCVFy@jTiLmlK5Clt@mcu#PGUkQN;VGgsBC1%YmF~^JC&hg;egwDujaLG_Ev-n%O z=c^)bfy(nyw?LH&;ud(i0BZ|WR+O^^vThY)3v_>cVY(KawIXCKm@moH(l}@w9~@T? zj%#x{S>!2xnv5*$zZfq|`j4P!Nj#jHCy|W^S@fBIl&|OHNu*%3FDGb@(g(@#GBwqx zQ^R#(pBkT77HGVHJ^cGy?leU`qU_6idkDL6cPz+dsFpLwxE^@{ETuqQ%XzGp-;PeZ z-3x!5sH_n)LFBY(#I%#&E>2x$Y|JgC^*O!;)B&o5!V6T&9%&+Avn8a(DJz}QofRy)~aW9D1@|)dP)}Zc7ni^>S zh+R0>BWIN8cPv{pk-2I)BQPZC2{ED2|C4{SU*LDx{O~Jm&S(2qFaWXYE~`3S%h}Wu zRh&#gjf^Jzwyk&i29g^lDxRKYDrLRj?by4E2KCMrgGz%xknagU=|v%JQ-qWrfDdl`Y0;6pMd{ z+YGG{m?;;gZ`-5ZD;UIEu*^2aXe0(c2cHq15|<=10@+&)hfz$x=SF_bmaa!bdIaWb zuY3NvUJ@Ub#7E^`ziHwlsfyv?mt&eQG^cI74s8y&r|F~-Sel(O(aII+?RjKed#gn zON$W;bByy4mbRw{oMru&c zl$Ysf13X1wuq;VZ)ICqrh=fjoZ;hXb<%ubWIPVCz=SrTT_3{io`1((DaJ5F#eQ`z^ z`8@FuJVqIzAM+`UaBEyz@2rTsXqE9RoVQ42I?UA`Tgh3poP@P!d&qy+Nm&#_xt4@Q zC1KI>ghh=_5f&+BcS*XUt%cS;2C|~~;N_w!ip}9hiHej6@x^#GvWi$8QBhV6B~ejH zR8$fbl|)5PjHsxw9-<-@VMKAFqGTf%ASy~`U0@S{FOe_W-XC4o3E5F4=!jY~r6R+mMPjD8?_8 z#S|2KmPNvXG(Dh#f(Z_0$!;=RGvXMP^d@ViH-RB8`Axog%=2U8H;JTHL2wec7YZ_* z(9XFq#R=N3dl89<@-kns;_`BxsEJOBv7Bt0;^YDb&+47~-j}-`4#9@_O~TR6L2yFm z>XHm6D157-IEjDDxEv$$Xb4NN3nf=c$yHMB+Z*O8$=Hpzo~z`{LkIdp@RckX<10nq z{_49j(aC~LB{_LY9uFM}ZiqS_ut2lAckly)wGk2!iu^Ru==@mnk!%`_PZsW42uXy~ zErXFHbR(6NB#!}wm0^d@fnm)$<*W;bg>@DHVu8YzAy|L$6T>ouB&qf+$w(4gvGb9{ z;c=$qB$=ZI6{IB0k7zQWL91jXf#T9UB%9_Nflh9SaD-~w9ODQj%xN|(VlJ?A&Z`*B z2)vZuoo9bzw;*8z-gXp=-u^-?1TjnY zA&4%r0s!VSUC=>f1!`bLWEa_y3`GKDINgPESD$~swzrb-Vo6au&i21n*35Vjhf9@| 
z7bWGz@{||Ho1(l>3-6Mg7uyTcdJLo&iP6i&dJ&(-jnZBy;f9N$w6ls>9qmO{4JGYG zNqbS!UX-*KPmK2Bcs;ZiD)4b}+KXf(7ofdJW?f(tcq+6P&64(F#k3bpC!V0e_j)=a z6!3qOr@m-DE$WL@ca~WkVg4=(hQ^ozRBw1`jxYjJC#Z0;HcfcZ zd}M?d?V8!DoBf*J?zauS0WS~G@ZN3>;HPR!H;#;IbCtvzT|>g{8_ zU1`?zdi|)Sw+yqPH;sxpsGC;vs8WQx<&^silaef}w^$kpG81{!ReSeaV~m(ee$5+x z$Cf)NK@IhS^lh|syCf&vO%>zd)q8jWC8s@bEHG!VgPAGt<*szUtXMxc-fb8X@?v1P zfxQ@iEP17Fd`Swd`k>Ws)b-X8Y;1M&sHwNjW=n6j;m20fXj_$90V((mo&74bRAQ%! zr(0GOT<^LEN-u{j#8U2NhMB~Y9o&k>&Xb;uY-&NuO3Y;H5lGWEBARmFP5yXOeHqhD zAX+~j!b1@;FPmLB>_N;@3;0$F5=~c{zb6EL{KJko4H)CG%E5%04fl{)Y#<$z8{6^8 zDNcC6Tf?^kMhru@W+SAW8Cg7;M}Dj62qV}zn^KqM+_}?@FHW!vLqXBtJPMq8cw+<_ zk4J-c(lHhJldw)7qvLmAxxfzryoA(nd~pV3EA9$Nq6W4A@zXF+0GQ31505@`2%|B7 zf_&GI?Vs#^V8=eVKG;X=17;98bH+AI5_Z+`Eyh%2!>{%iI3=P39DeSDC1dTgCXMWg zJ}^u)U=3*0B-j;weHV3K+xZf9_#}qn5|FJ)Vi=xdVAj~6`%9>wMm5oLqN4gdb@AR- zq&uMT40GOL%$JcYSiFP50Kvw98_fiNOBsQm27b1j)rjmucZfSPCKEUaL$`OF1N%V8 z0FjP);~P{lQS|KY56Kpxt>;cHJK1_@2gb4@rxO%?ZH(b>gihGz&Bz0#bEk{T^i&tw z@DjWlx;L;H)Pn?EanzX7*rKUVi{#_Sk8zc)hdNt#*<$e_4M&B97uG8DK_OCqnu2%u zv$mPcNFHIfr*H3N^8i;|50>uE^RL44xqrSZ6KKTt04aI6J%;Id)D0+uJ{;3JTvPO{ zzeu{EXT_ps64B|7)eG1zg#U{C`&z7keN9x62)}!4d`ZSDVsLuw83pI%tVXT{$KPk6 zd-RZzf5iHdtUhOVq(G!fWp)sMU}7(r5mrudEZ%fvtpjt+&-PKka9~mpUxcK)_KopP z+$@+x)la9}!Pb+|A1vorHiP8WcKMPS-j^ps`CNucA_KE_B(afcu| z&Tu-saIQxL5g1L*oNH$i@KwxTzw!-&;fC*O_xCI`5yv7v0$)yG6QDMK#^)a!ddJ`W zE_dL=K941#OiYYekP01~-{D2{U-^3+S2O|M+OSg1Kv-V<=^Ojn9!Y2DFY%TQoe?hr zx`l`0Hg@4|ZlZhoWgJiEdS;i@B((XBF?r+huP32MODPjGg>O%;uYLPE603_TW6yA@ z^{i*9t*2wYchoYAKaXJEm4=bUO?IK~|Y<{@4tOzsYe3mL~88WUfKR);Ni?ZkDAzz#YF zwxGvrl7`8^_gKJx^Zn<$@>;CN)*>4t0V7b`Zs)EIRYlCYvBNQsAda8$CxShXUug&= z!ofx?zlaT>z#_(pOD*E28U})4F_(saZ8JdHufEGRe|Y>R^x*yc1<&M$tFe;RAHnXX zO~ZV3()x8wc>?3rzZ=6@o~P21$+`jee*NSc80pK{Ym_a2%vw{)W*7PfWut<%s4HG< z<$Ud0_bZ*gtY&R;2$UPk1Iot-;i8t-Rb+GAtIXPcWR=s}c=qYGaiF|d&hY3$gM8zL?3^95VxdMhg7qW6zN%J(yL z0K&^odCX^Y=1p`C6TQQXB1J6{4Y@1JIfUlUNe;iztXbKtM#+0TIbMmPiQ?N>)WvMP 
zeCk*dPYjDEPNS$eproj}$XP{-iyf*tAqPI$WkiI3tYr-Djdkqj(>5Yw$Uc`c%%jxX7EJ$iTVS5_nIXViI#y8AMfo7D*Cb0*hF)^bKJ5-DxkXLhqjU*kBV+ zI*viu?##=;;ZKcGSdkLe;g`DQUhXgZR(M1_{9(B)B~%}t>~vjuobWazfV zFh2%7sA|k|fkM->xKUuJG8lg`98*>is{@8+)ldRMOJHaT3@w47PYf8^Tn{i*1=1;h z4h&5;asgmyGV21Hz*7N+wn|{=ih-eT4foa%=F~R>4Q)LwXlSZC%PfyD|CT^Qxr8Qt zKm`w0LtfhB0g1LskZ1`KEkUB+3`kVyyTUM0Uch5Oi} z+i5b9VHnT35Kj*4?4AeOzwql;j^_OFaQu?Bz6h>U^hY z%#W~~Rp>m3jL>=|t}-L@W5-p>!ck%?OKjyPb`EWewvHsiQeF=Vl;t`#d<-9{1VKi2 zVkchC957@~(0<O;4FEGbC8w`A|{JMG&7Kv z2?taXYZ=)2p_Z8T>A)++z!U<1Sc+3x9AYVoEHRc(6=SJbO(n{*L|K+7%MxW-2xTc- z5GBsC#95X&%Mxd~LY!s%fKnnYOQdCqv|K0BQuuEchFUI~QNmg-nl%Dj#&VWu%Mxu_ zqAkNh9~IiNwJEfvD!zP0c+2e#4Bi^#WhEPVsUE#t*h|%%ZWMi~jCWsu3@nsY#OlzO zSv8dC%MyKAqAyGIW?>CK z%fggE3C`Hs@=IhwX0kWHXX9z#b%Gn)Kbx5)OYh4@?(4~r^!|_Imp=v*IQd_{L|oO2 z9}oF&8o%`Q?E!3aU=*T%Q(@q_u6K*ZW8a3eEc!#}oQzNKy;zbIfB*YG{tN6< zoS|3(?MFic<__i$$bYi@NL(%m=*D9>@@PrzUy$KG6a1?#X zpJ?>x$3x>~taX>feMm>$uCu$k#r-QM1+wo&SAOctmyPC$bX3&6DkI7sDzy~Bn_r<+R=;*HVa)4;Y~@EHG4OgXMvgCD1=5++g!2Qb4!8%GlcJFqp` zTG4C=gCm8Q!7=Nc=`9Urdt%dfnNTf)OaxPRf(c@dBb+dQY>$WEhzfNnjBPLp#A2Je z__ymQ#0BKdA00%FUX&Gkq)&rGf+@4V^`SR%z;ro8|6`<{b|pQ?Zn<8s!t7!`SPi8A^bwChDW;A`Tpm zhBicHV)VV~L~)!at?);-wu==RsyxdxRmF$OI8v=Mtfm=TWw!AnnvhI5-}cFy(`1|T zkIwK~3w%==65qHzV0#m22%ndey-o2Q3g+F5cBjaH|8w;W^qw`jfeM<9@fY~@#>Ryo z{{Awbv6^WJXSo`(b0|;mvrp~0PU{Pw(&dwh@>E{@G@knuF1JB_>R$Y`z3?e}=IOf7 zsro)<1!kV2XP%z3Pt7TBv=APl($fCeY{{N^_n~BU$T+tMoE5jdt0`~GJfHdsdm)O@ zPh2p63`1Pk65XjiWOr89i=&6^g~EM9JzAna^@r>ayA;$zD`x55G#;`yc(1v_z8pVf zU%KZj>`C(>d-Ci1H!JK)>mj>x0cXX&_eH*0|J8Sw=uNwDZ|IbOhlEoe9n4P(OY|;L z(lQ%o<>8eyert9G+fDUBjetye_cA?tSUUiJMJu{AU7=>EKB#4ox(;4t&x+d!nK!tL z+-g)8X?w!=Uwrwjr0KOKnqGXJtfc8jOEkUsQdmjT>q|8Kfn~k1MAM5Kzbk3_@e)lh zZtJe3=}MCB0^F_-&~!EJI?XR;|G&-cCB~Ds74v>WVITnoqUGjZ|Q_r zM|!2LS7UdQ;bm&VO_TD~h3`H{xg!{C(lul;dY_c@Ck*0`;%wz3^)vMt{3$UOtBM?) zOD~HxQ-_~<)5&-`VGO8$y8qMv2T)4^0u%!j000080MAO3xvE16&q_F1+!tgU;gbcc LItHVv00000O~N{p 
diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json
index 16569e15700..b798812fb94 100644
--- a/Solutions/Recorded Future/Package/mainTemplate.json
+++ b/Solutions/Recorded Future/Package/mainTemplate.json
@@ -168,7 +168,7 @@
 "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
 "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url",
 "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]",
- "playbookVersion9": "1.0",
+ "playbookVersion9": "1.2",
 "playbookContentId9": "RecordedFuture-Sandbox_Enrichment-Url",
 "_playbookContentId9": "[variables('playbookContentId9')]",
 "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
@@ -3410,7 +3410,7 @@
 },
 "tags": {
 "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url",
- "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelTemplateVersion": "1.2",
 "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
 },
 "type": "Microsoft.Logic/workflows"
From c7b5ac0c490b4a81393f7e6cc5c7cfcd1860bad8 Mon Sep 17 00:00:00 2001
From: PrasadBoke
Date: Wed, 25 Sep 2024 19:13:37 +0530
Subject: [PATCH 12/12] Solution packaged correctly
---
 Solutions/Recorded Future/Package/3.2.9.zip | Bin 43845 -> 52284 bytes
 .../Package/createUiDefinition.json | 142 +-
 .../Recorded Future/Package/mainTemplate.json | 1522 ++++++++++++++++-
 3 files changed, 1646 insertions(+), 18 deletions(-)
diff --git a/Solutions/Recorded Future/Package/3.2.9.zip b/Solutions/Recorded Future/Package/3.2.9.zip index 7350db4708de11a310d6b1a2b51ebf2bd654f8a4..cdce02b6ccc457ae73caac191ebbd0d673a8523b 100644 GIT binary patch literal 52284 zcmY&UK~Mky z03ZO!Q#dtn`;LB)paB3#ga820|Lqz%nix2ns91=Ym|ECcI9u4+(pfs$*&b_M+HP{7 z{q*+r0PlAX!C7-k)*@S*#YuK70$5;^SbP#wLTMDx%8@8YD>`i3`g^B%H+d&~!@1NO zQ`;9+ysg9u*G~5 zs%+gGC-p84(wc3qW0FMZLGt0=P~TwvT-^D^iqb^I)j#sUM!Vy3_F7{87B9A1f!bb$ zYR_xV2A3A47#&_|Y@kBD?@`yVK+NxL7`|T)sn`y|f*A~n{|ySwi5fLz^7RuJ>P5uY zK0e%EgJr!-<6;0S8yJGzsQE5ggM|3j7g`6~kpSzSwpj?0GH16kKs2tMxl1=E%WQu6hE zDC&i1XWJ7Oa%*eba2VH_!8|;w%}AUM$$>q|kfen8XDuwY_&{c8qs>6#&slehffUd+ zQ^9lZ?^kNJy6lQ>!y|Ied`a=srY)fz+2u13*02ZRv4xy9-TAI-3zI=8r-$@*_!r*& zKv;UCU*PFjw!gQl59XxBRM3h=GUO|g`;u@ry(UBT^_jJOEU7jo`Wtb*B(qRsKt7*z z3MxA77iVsMXXekGYUb_#_DsaF;GsQREi z4dZ^jIGPenfqgOsUe>HJv)?1&*W8BxjJwR7|6MzrJdqq`N2|=%JMeDc0Uc53G`Hn4U590r(+F z($xt)PkA)hV&)aj&g2VJ^UOYgMEP3yguIyg-aWyxFg8QuFL=C&M3N2 z1h5sv6%R_9ZhsD9N_y7el2PxLc8#*|>>|R}*w)swcb^JCP18W|$)j!HL2JDc#y;o) zR~lGexNQwd=g%CMapHqi(WB}ciINhaL?R?wQD|yOLW$V#Oj;#M;FVMI)ccWCU3zH& zkDj^nvJ3{Qau9k!fs%>CQ4gFvV<%nQ{)+HB6Mx?CuBom;$K#8NRaxi3L5w^o8Bnvo z>LP?=K}S|qI()*_Vgnib%z@Q}*JF%|aW~4~J=wo+$|@QZfJJ03gxQ@ab7*?<#{^y+ z+$Kk61EmxS2w5@x(NdK`5&Vz*Py>%#ML}ZC1mOzDaa(cs=C`txQpwcJ(pPcq8dB=q zo>UvsAX!rsm@8(Im^qLM1xAAp>Osn~_4C#>j1!g+1X;!fb&?aj<1T$wNO7GMulBuS z*eVKWdf^}MLo2Qo*bnZ80k*Q?+d0BWFCSXnt*l59ztED~EdC^M%F`}B9)DHE$t;DC z*HG*E_U5a($kC8|daEn&L*=x02YoATP>4x_~j&0v%;P6wW@rWH2iItT;esC?x5Mmxr(F zi$eVOZ>JSCJ6B+589vO6vnGov7e-P@Ma+)OqX%jy3fO;F#uktm7l%`!d&Gh8$gIhf z*Z}=3l3<0Elg#ivMxd;gswiF+`i=G+F^}rH85w-H#r1O|3{B+Y(e0qbXgIYzrrL|C zHp-8urOLFL)@4!Pedsn-yL1ZoMNuCfrR?LIa6@P7EyY1ha&;+E&?k%o|1gnm)s?+~ zGZbU3S(?Uwm2xYczD%=vWOx(M$x@&;ylHUgi(<~alvyubkvi^m0V?G?WMi|1&C!Sz za{G`n^#sLaSkXawXOC5d@xwLlXm>@JWI8ClvJ_# zferr!?%dg9z^*~#tpQ|}hTrkwjdIltR@gjS*T8k`b=I%Dr1=- zGHfpE*rlq-Y3DLWReD_oQ;ID3F+hCIQxU<%YmF!cw+bxn$n#Za;k8DUt(A+>3|<^; z_FoJr@>S>IwM6~%-ZG1KT~TL7Daq09B+sjfEzcVM8U0V8`5PxN&gS=_I`*O4BCD;oHFnqN 
zOwKNw)wUyR+>VjwM?O$183QGB+5?Dg5H8)vVzfFlw<8*~cHR+%(jqNu(AnnqPCL*~ zj+~Qp!IQ7Qd+W#u{N0>RM7P;@xj2QsfeOV%w^!?7Zp(@GdUv;W^1nJQG4NGcFCf!x zFnOQc9)W`a=X=AHo_|fcZ)zOHDaYL=aYH#0^oP>q2-?H0N1z=Qm?aw@AtEXLpMXrd z{7{MmW>|f5OnTd!0^aDlrau&jgi#XP#rgBc#M!ZLk!poYIDp=oQK+G*cZ; zH6G2Y8Uh1cEUjvTQ@~q^(*_jA>naR&@z4R3`gpPJNF;8MQ9GKRh0HEOQ1o~2?V%GO zhT<-D29G+ffMyj1UX_+8;^i(07G6sjSe9c7M5H-IO%}2OC@MO}?;^XP{ebWb>szS^zjno0>(_Vlc8Z z(AfbPO1)uV>wJNA3ihT7ZHA|JN7AHWZFIe_dV2liBQh=4SEvhXTW)v{o7nD-X8N*T zd7W&con3Y1wB#Kdtk31O|H0M<>n89qZ4LK2p1JlFb}M)WXV>+M!1#KHHGER2`sBCY zgBNEEn(4y4q|Sxm+Zb5bDx28YTmLJj z|8D_()or16D6v5C_049q;})20Wh`QBT-E!t`a9}i^}FOL>@ZaOJzfn9YgF}{KAV|q9qS&9 zA4aUe*z%r>EW346PJGGDt4D?6<`gVdBR>Uwpst!L-%0JjlHwt}^;1(h!N1aS2g0ku zxYvoTut=&R_=wU9edfFJN<6;@x+6gS7R=`t`xefq%)0cXcvYT30JSwgkX;A5N@davpGHBnv$6GiBymE}Vd=Iuj- z&ECb+|J`F*P$Sor^CqW6ei%J%ZVRX(bi=}0y$*l%!TM#*bwwjHRMHFFf z7cvp;p>yhPlf)dw?dNA}|LbHan_vaM98PnTXJz|m3imN%PAPx$*V<`IJU$U+8^HrG zdID28{xcU`rE_uA>(A8sjiJp>p+q*@e6PNy3LGJDeJz1Us zazEku-X*xPp}jY#NH8S(3jHwP2y8MlW9FibbNwusJe<9ph`PT$`1PzVjTcQM@6+bT z3W^om%JuCkJG&?33(9A%6wB;oJ^*aYBT15DsGOj&raB410dFh}=gn+Y|;vXfK zW;=VEJOW8X6X&iDbD5ENt@DZt9mdcQIkzC6gINdKbYG!DM_7#|nC#9r^kz>?d)z9=54LU zW-jhZla9vA$;IXM4Y?AnPAp3zJNxJyz)OxCf)!r%o1csHo7<>VeD}BMjZ;O}GbE&2 z57~pxhO-nzLDdxFu5Ne8=0ldB3z+8m7=CT={C*45NMdt;kUkLX4w2gjR}0To3j=m@ zs59={g@|UMX4RTis$$FT78~DH#@?&56oS1e#H?kUrS9Z&_M7j!lqLtx_~FPKH-wxB zJP-$8yXzwJULvZR!J9U0&DfX{zs!eW-F#(wRi|Xd;+)E>qzg`;RCFhx-A&3@OKzc7 zW!LB5%g5E#4_)n#s|jQYjVMa6$)6u!E)RDWWn{E?w%|I*E^lc52cp zmpYnp=pnYZY)!=1${|R5HY$S(>^)pjO44)jf+wYg3_5g31oj^u6w)mJ(4o*N6xfr( z1yeu$6Qg?RlHaPdHGZvpd8}Qmd2#%fEyYP5c3^8$DqnrOGAxf$GZizy^0-)NZz4${ z(;5jvp{>COrF2aR3Z-@^-zG&bu~$;8SgRJqO{`XRCsd3!h8#`Eae}QH3mK-ro+z}nkf0W?i2$KiQ(^~{J*E1C-45j4Lv@M$ zGgpFaqiZ9ZwJlmZB7v6wTk+RU#&WR>$EXbCF^pwYEhs&aX&kXUM*jU=C#VB z>`V*L%P{iuLfz6y)5|pf^JrHm&|iZL-r~K1VWBFU!nnRR|IL)oW*t-xHHWQ}fw2)==!3NfC`T=D=}m6`+gDyO!3okt?#@+A zYe7xzCPKumnj&4id~-cjd<2zY8G$qdO4otHUK0)4&_rL#>5=h5 zkq3XIboeBuLts)WK6y<+K0j1?7Gn)fjRu+Q>`wOo$8=P 
z1&bN7Eyv5~AD(sDwZ1DP9xQ(tOA65BIkVp_V0^_z@uSCKd!#elQr< z5bBs4EKx-TBQXRub+(AcrkQzz<5dZk!bb)~kTpVNZBnKnYWYNM6HrLn!6|!G)YA6J z?g5Yg1UZ*{`qY#|AXUjM3ysqj8DP{0$6^aw9?2mFsYa7FSw>XHfrpbcQl(E-q{nL{ zM@&^vOPH!?GF8^lq^lf`PxVUUPvmnTK@kzNK@->4F%m;WEs+LvS=Jw^NOwU#AjA); z5F@M6G9OeZAgbAbhF6M7Yd0s8)@brLyt|#NJvLKFM9xtt2TS76OGU3s2`F>di!>+N zzaIe-Nm_==C~~LAFTtToURM!FUe6^g%}gXL$?-`3V-;?_oK%9!AZmspu82b442mG4@0#M6O*W}<5RtBg;~l~s;@Hj5MW}S6 z9>O=I%v|W^_dLm?AzRYXXKC{+BSzb?Fes|~K*1Voy$%Iv?@{>TnE4RV1;cwLRXx)G6I!t7AjVbrhsxR@)p6J*hX7zEI%uc5Y2 z8;6#uP-|4x5Y&KkI*l>J4=j_R)GDbXD@j)M_?g5GEu(?dAZ?rW(nUh6nrY&j#e%Dv zQAJk#$Z0Ug;>R=#g;q8uh^WVtS7M{*$2x@lt3Y0rl`?}_=Tt{tAcD5Xkqq3*5M0eb z5!v?4q`;g>25#gDuVyBQXvP(mW8>!`E{)qVE)0Mh5pei{HP_6Os?EY1T&R+&YY8U6 zv^mD}Vno)tP$yQ@&`c!x@_e$M0>^XadM8mbmlmzkuAwaYWx+N&*iY#>4QysqNCqkM zK|kLuZ#dPVk7$?h4(;7 ztGXb;t0EK{%=~YJEx-(Us1nvx_GX#E6Q{(I-(B-JR+Ui?2~`%&?eE zfTeGX2-6ekO`xGCgHDLa_PCA0-*Ff~92g@Vv~8Zx>@DdVgdEi*303q7DY|J)x%ZM# zf}dUwda8%+)Fb2HGjYLftMtKqPxDHQ*lS+ECv`%&XO*Hr<={ozZASpB*Spa>11NDg&T%Swb3md|@_!XJZ>5|P_? zY)L|ycH40L0VG3!uvtiWdomY-Ac|th0J>7R5cZ5Y73=c9pry(ZhBp-z^6f7AMzZYR zZxAD+1@w^k$fh|TakW=4SCte`5$c?o1H6J#V>?>vQSyY0wuCjM^JiWaz>!y;lO%F~ z@z6k*l-DV%7I=lDLAAoaUuQY=56D!VwvTYZestDjTa3>j*5X%yTfB(xS_A% z`070wP1tz!qU$?-|KdaX6j28RLfQCOJ_p>PK>(GBmHzWAs(h-r%n>w$RVS>0bmx%? 
zT$qC^jOL7y9M|68a_+12W2K_ql^}M&tsuCC4fd0H2!0Xb>5^$~pe=m?_!q8iJWUDp zof07QWca58PC5vbh(jMm3E>C^br3fB{_6g&7M8v2N@*vH?o>a*XG_o5;nE=aTb^>o z+XVzhVQ-FK0%1WJQ-vV$#viomPiT^}s3^_4`v${j!C}AB!KJK#8nXU_9!_4Kaoa}U za#Qz>ErflrY1{iMES^ck#aP=JdV&e8H?!JSm+15}B#lg>&p?g}!T~#5`wgWegE1WbXo3eTzJTx&q@0EVKAX1us5~-aAFK@#-zG9S z&1SRAP@RITL=%_Dbr_^0yuI0DgkT`;uF6^0z3e_tPhKH^0mQiIHv`D%@ndLg$jB>9 zC*N@zyI+KXUE1K;pN=ZHw)nD3`{_<_x9SN^_>Y*dUfU^A=9c-=K0%l+hdqj%9%qW^ zk#x-pj~ARW%SzA-4Be9*Qq8EMFMiv>eZ!q-AiHb#ei)gV zZ+6RW$SidE^V|jqr2Z#}-;c{&EF`Fwd3?GnXc)+#qi+C0t-AGI$e`om3ndae47h#6 z31FgSux!NNwtY;S$WP$Mu<}_{>*HP=?G=e9g6Jlb{#_m$bXXh0fwMtr&@?e@3dkNC zhydfr6MLt==a9|ypukD~LWd{XSD==v&qJu8D%t_l)&K!Pr`QqXKJz!(lsM<5je*vE zv{%6G7IPYOeqOMYu-l2=lC61>gL97Em6qOW8z0&&+YPM{)`-})NRTenAhLUf>(0Lf zOS>dfhJ;soekI?qukyd2^mJ-l0g0EIR%tQEwl5*n16WtL`XSBoIKMcC+Kz%S^ z1*UwDQ+|zZ>Y9MNx;ZeAmCyr3-enW!Z$J)&V0JS0^-m+b^yB7~L-zwsU5{l?KQg&#Ju$qV1|?Xa5KGxP<0~eQPav0$9aBy^0_-Qr@rDMfqjSf>^3PXS!;yy5D@2Ge z#>mc)r2X{Lb?RJs2zGh|MI{fqK>F=mCO~vRlaIbfR)?Vs(Ri_%sJBV0CGvd+*IGqD zGYTN4hC2@@W8y2&>7nR7l)Ge#jR6seCr_Gort;_S_-lNqEk=f~azOO%MOQL4BxKYQ zr5k1&jOWRdD5fMP)DC53U)lyL^OOHnU*BV8)ylxh~K+;ZLXZ5r|2NFNH@KsBAZ zo>!{HS5o70LWY~P@Rgfh zV_Y*4s1@emJf$ye^dyFA&L-o0>esGrj2u9X1u*Yxo>R7CFdh$hU((1Os>qp*MzQAY zb1j({1#oY3ia4Xv0Y{s~8|}Bm&dtnr=!er@rKh@jAs&6OFSpZ!`NQH|mFKPM?ox#? 
zyL~@v`v&Y1h90IqSH2!w?mAn?uRdodHzuz>r+WDDKYPYe7qDMJH4l4C@|!k(gMY+; zt-Z81*WM;heb5{`TkY5!XKFKjy#jNur`gXEH}#6EcQgN`QlG0uS;Gf`CHBe0>=b7l zYSNjI{tWuDh<=ND5Vn7vJ3A1vM58BCnsjafnuB%$H(>qo125E;E(o(HILH=)L}m+r zGsDWY0Klv`0XvkuE2JNoe z3{7fjkKJ9@)XlHq^$*$0l(|4GhB2P&FU;x|K&_MM#cN-9`bQz{sx4T%bK+ISW=%Ky z^g=)A>n73uu~h9JK}va~1(qN`hcyD)q-5O7hq}7k57VJ{y!+dV%-7 zI1?Y=o4%kUzW_RM-v9_E4r~_rK6D2Mwj?$MflkFSju;L$kZ|DKkXa>;NCGrSDeHqy z0}@4|GqchJAb2F9fL7j+c?leU06x0t$J6RL(bAjle=G_{5=BGd-#z0mBZ#sJp(y}h z1gxQ{#?XSr7G>Ro-k`jodCZ))916W*ekFl!n(yk|0?MDpfLPLK$%&w*L#Oe9{q~sp z&ioNf{EXQHFDvXh^_i>Aq5S(G@VW~^ejDhZaSfP-vIt>5PT5TY?Gs{jA|Iz>gmq<^ zYu!}L_mM#bDIJ^k^xa*0`q{i&?g(zg4HI@L@BkHS71-R-M>oxMPBeB;ehz4`tH0l$ z><`I^u&fWcc#Sq`%}vf>+IArx5_Z$9#0Z+Mb~X2AVphSPLdC`P+J9Jj**A58A=%-# zeAnx*Ulrl`sjheDU*_2872=w0{R-BY%Q`Dhg<1X@!ANmFf(4^T<_G*ZL)FrTiU|dr z=&+rN!Jobmgw}q(-q~DNBM;fSblGONl7II+No;qzOGjA3ySf2KvHjiIHhX#Vn2iS| zIxF36!1zeT5ynTEGi6q|#mA$aD#>}@82;(9xpa--BcNAM9X)eNb0P3W^ehV<$|s zi~ea-=WMBMQ;Tk%4e1BrR`E-mQf{F73fnt^(=-h2yh|~A)+6{YHgB-UpUxf~cJrEy z)CZYfVNZJcx7c+9KEY^j$49)0%O$CTf5p~9N{W9IKJ7?wnSpCQ6~EZ27=N%)PkI@_ zf1^z&lgsn{w}`A=c%|16h9o=X_pR>M%Yq&}e_!lDNp&L~gYcT7mymvF5nis~{K&iBI)U=+m0L82LCjHdTDh8f4eDXXn>s7_)KQV^Ha~mtYa#~jH~-dpY|J9W`1M@ zR;(DQGDydaO9xEHydzBmwD9phWE<`wsr081a>b}uCnZgUxFU8bea)X)`UJ2KX2XPML* zXY|L=H>G|!zJ{e`a^?)9P+N86oGi!JC0MX+$S6FtP#yzs%FMq zimb}VRLPM^cGpX0JSjufO5Ie-w8Yp{$_KKObvYB#KsQo{X>jK~~ z2ixl>c*(f<8jMYCWSl&{K#`5nD<)i@iN3My# z8I7Kj*Mlfc{j~mVfT$a_P=PVL_T$?3XX=#w=aIYuVSCKG{rgr;ne(Gp?>GIjYx`#v z`|aBIkZ1w>OfOTb^*6ZX7rc4j>09jPY~}g#5p%VpVnYeJ*zeJG!xTwK7wPg`1%)y*qmYV zjhrC=P{4}S9{cPB#mQ2{3@oA`N}@mrJ1lDlvwkN!T@l)k){%RAVK)z-H(EfM;73`^ zVss5Ka2k&0^)ImpdyVm4sV+2q2r!cvB&c!KK?Gase;t5_QGPa5Lx6;>~R)_M@AP#OQ33l^zy`XuJrOp(loAr_+qJKW@%y%rDe8ennmcEu*vlw zzKnWPw#@vEs&1UI&VFohVbhvgkQ@?)Ufia5Go;OamdCr@{jq9rX486Xb{cq_Y;a`T zSQwjlUSyL6qNGi-^QLlatA=;&1%H?#$QT>HS_czC~v6m|8tCOW0$Mwq*fKLhqYM8QC(s z_Ld{#U&C0R2{nTa>P^Sz2DGnHWljg$FRQi*!2+4SMeJaR+#>?Q4JWtp_r*Fj&(;(Z 
z6PiQ_8`VxhweL_c1vAEE)62z-BlB|TaqY9LZn1Rj3w(SbGD0Zjp%9$PT@M%i>h25c zrQ~CfCTIj<`j3d2LkMEm3rO$XM5PD}T$r_hkS#7wjUq{ulQ)K#qzITo8mIK7>O&SC z^Ex$vh*3!?sRIwT9KzIRZegW4PrNhr5nUxo}~Rp3X)tT=<5U)wdV_m=DyXgWP4kV= zxJ>gsA$H6^1^d%Ev(I4s$j+yoCB$Yx9(w1PaydUp7-829d(3e*XW-d> zGg6#BK@WdAYkx*GyPB`3ro zw92u=*sog7?&EaEG?{!zx2;PsMy?tc?$Sp1~79SW%I3n-NNz~ksxCs}8^X>aab z*e9^S0gjR`{ucjj~_Il!L)Y+!4$KGTn-_$Bfg|eeyg_5ea>BjUzh6f+CK;6(F$6Ajc-H zT0&PAq;-On05si=u?rZCTdL#0|2dTL*1dSblE>A=uYxhpF zt!;R$)vEmdr*#fMPQ2?B*70-sxdMQahJv!_1RAoR#gXbQ8nMs3Gui_<{#P+@8_=0^{w4RJC=RPkWWwE zMUzIIG+PMudDpgJET2<88MEubI3n;!;ZNpipVYh?Ajns8OZQ(A7+6dm>HTT|cw)>? zl)+B)RHIc`^}>ED;CVkmE}e9>o1W@#ZwsGM|5Zx(o=I2yJFQ`#*`Mq*JpSLAN8d(I z|7~c@ZRjQ@t$@x0IjmT{9a+H+fm3JBs%~x`O<+h;a_P;ylk!XdX`$ z!LA4xD?j2Wq27_GcmaIN5+xuA4(wzn#?Oa0HHSfk^l5D66kYVlDgTBA8ay z*=L;s!P+gKNh`Z*iXe!0lZwec--iG{RO_xNTdA-4B~&bd9DPbYR(pXkN9F#pSG3uq zCx%(}e(kkpOgjxBvxZr#ffTZHH?2I#-bG}Xpq${BN`%h=EB(}>qT=HoE+UH1ZvF#6 zmeSAR>M>Y*jym%XinxsY`AT=QIZaL6QXY1VQ5LSzB6Q@OV)!l{#G_JB`uGpJ5;Okr z<)I~LNs86^GKIz^WMUVpj8}nq9b?Qwx}Ac#?h!4MhSi>eiq%@hTm$|uM1ZuDWD8w% zTHyD)m~r0vsfsVE_a&=^PCUtmFgp?&Yq)*%E9-HVn)tT?8VCA*BysZ6?!VqvcN@kV zE9iMPqFp(ft5|p>CoGTT0GE>1Tz-D6*m8whHC>SBK zJ0r?{a+@#E9bl#y8sFeBHj&!~fQ%3@M36hus zC!iV10Qwa+m3Wvi8uLN?C#@-_LJlB^=y`b9glR35;hssL7A68vi)7C429n{X8GCNs z1?L3r2cF>Klm3xff!jH2#%5sLINe;X4b%K-w8nJC%=H4yRPamPo;TTl&pQHxD6Mt< z2E?$GF0H-}sFl`1`X`myWK04jgLN>&aJ;?(*B1-a8;8}^mXb!8Ai6Nv6$yqgzRzGZ zOovAq2Mnq4|Ei0@Clzqq*rW+qzn-SWB(IeJ`z`~6bffw1IJg-y!0i>#+*6_P-cFpm z*K;J=MpiOP295@~lr09EAO6q&`i4c4a83bzyf~(Kyekv??8CtoT~8%V z&3m^F^67PLzX%fBo+y%J&H6!B_Zpd0+wA1RpZgIY-8IAnKC(XoWt_?)#YsOyPo&*Myf4Z|FT`Y#R?RJhiT7i(mt6oM(vM!O#8}~zhB#q$2qs!j+`LZ!! 
zTA(m$^w(+WW8y2PIX3MNbKCQWlR61$`Y2D{lU>a>;7zK?cFf1H>uON%2$h%mAjcJ{5c4wKMqT1IGU0hqwDh#*0l6O zWwvuU!n8{-*ACc4P-{^p86=0YKF-m`^Z~=6qK6ADo5TbLa6dv5^EW9*sxXnEGQ$~S zyHtcKXN7zf6=B_bru~#^_V+)bRd`St9zEN6vYwpN&v!r<0kgoGa72bJ>xfr_C##q=;;$-R4 zjLSoy$11scVsv_#@y0!c`Q_hVquY1x2bYUM(L-TLEY>BUG`M5R%;f`-Ik@?Zlx_ zm%}`^@Az=B@N==NCM^t=P>z&tJ1v6i8sO5srC$9C#MAeVHJcWhW6{E(^q|uo!+zX-rEW+0i23mAxv_f zAgIb*t5c416%od!|FUVkp+2{$FO zOXp>ZyQU_1EjuU10N%M>mronnRbu^znvs|zQp&bq(~v~pd`}_ecU0bc4ATy zw_rYztI{y2on_DtLSLpI)Ka*=B(k>19xy+7V`TGoWESm#-7F+n@$kT&#NQyB0wz|R zhB|vLB+5NfqkHDMotM1^QI=Uig=w?J;_C-PcAE!+wU#kx;zSo|UG210G3vr54jH7~o6_TwSdilhfol#5fGf}s?Wxm5Cz zTn*v3@gjMh)paK`)TI9?cXMg}wG($Q2Yg(m_X<8)=?Tyk3gWGtI9?(UZ248UA!G~uMAHF69`q!NTvP%A-^!D-TU!vW+V~gn&>{Z` zpHwwq>;jY2xMU7%fQ~*76XSAKg`T!7@{`;2=jc#=n*c1>BsdxqCF+Q(J2Z% z%7lVE#i&4j!^0ZlzR3xoFewxas^aZjavSW>WlZHPw`_J4Ac(5b+H!{@Hg63vRqz-Z zqIcgADum?RHf*Xob`|hR_6Z0x0&S9O zqcEtA-xh=|KO`mn;PzR<1Otil$c25Yvyn%m{(C*VYQw*dYhl_edx81o2hNG96hXBt zI7NQ{xH44UODW{D-sGwQ?zO6%ChX;Cxh#Wl5}0XK!-2_aR6r#@$AIULk>5$gkN4B(sHao@UCn5a4E2@ZD!&R9_U#JPp3X;wXCQmP33#{wXHL`s#v% zPd|i9Z+EKw1F0nY-i}d*oJVOOeG_INOexO(;7EC?D2q#N>&qw}iNq&=qL;bY=7>Nj z@t#!SFTIc@{Ug%-J}H^k$CPeQm9Fm>qCJRk)nP1uR#Lcu8gvdiw&seRuhW06TF5?* z3!&{8EBsFpHh49^HNsJ8R0ts>k2_~Lu!<+t?e+qRa?KT`bx{4Y_Z!5SH{<;E4@Vw$ zH!0cQp#%@ux9%TuT$t&Rn)#jqW*NvfR03K;`d!sN4h!1ygxlRE)FHL;z& z=gu!*lKt9e+6!r;MQv#{;Y&^tdJJP=n?GXu)WdZ}YiZ^#muIHzW}zo#B^-3laW1@1 zUej!JYceucUdHs5uoGvH*$oq|tip<;8pC0GDk#32^;QPws{_VxtpP?GKGL%}ly+d7 znc!N${b~+O1=nHggcq)IPzeMt_m~huxA}Hb1(9c&OpB-}XL26zARn@|*>9fYbDS3= zkTne3I*+m%!CEJo53=Jou7ZUgcFAj2$C(LNLV`;2h8&JxU5fk52?7v3j?ejW4(SBE zs2P43^auTvA2<esJ97c;iCxvv-~eGZ=#t0(WSH(;2j(zdhF=j`oB7@elcnnce~>BR{^ zkEL^*47Agg@!}JSiqy96du$So_8IIPWh(s`a@C>k*yW!kCWiWfvm&vKy@&P>KTnHf zst$!~wN-a)LZqEo<~(Z4wWNzR-vQ8zNgBQV{|Bu=Qoort+cablMNs3zq3pO4vms` zD$s%dD|oC7^o1tVp-T`+HbO2fRpgB67DIOv?@mB@@nx7D&StA9w4#G^f1;!tu#_Az zn9bGGx_fn?FV}}8XHdyP2-=U67;NQin$prwP}r*^u!%%n$A=_e&F;7RssTlm*p4(e1OzS2>F$`dkuN&L(ZM 
z{H8BD1?>XUht8j*(+HT)fQr+}&5KV(TUi_~y}nemrMah~4NIw>BvVLf0jX$1=U}O5 zSt{BWm5P=!i$!!!S_${kIjl_ALlT230;hvSXeO>5p+uTI*PFmcBM!tzJ69uOYJj?u>+3jwB$Sa^R6G)Mj z(6^h29-&DHZKoiXhH$xQ2$%1N;=)yyif~S;2wmS-R~aGv+#wDU)hI|*SyIM%CS`oR z4lU8w@e6RCAz#j9_n8H{P-SKPPV1Q$Zy0}8=|bt#8g{I#mZD&WwMEAWP-Q5jNEo+D zx#AKfM_awLUV&&$|A~5{Zc##}Z;Cr#3QcbucWZXNvcIP73tV*l7OlYk&KZg_D+$dc z6HUgGn4Q;eLHPLB#29rNkXb5%rzxr&4{Vam!VSdQ_M^COnB)krZIa?NuCns zcFHne(pJLUb_ocK-L5N?%Fw=CUHYc5)K;;Yr*(f~tMx5^=?wI+gLW?S==v7X?G@WF z);GCLjv{5moUX&DuUW>a=ag|OK^7>7gAFBP_jhIn&V-)VmZLHWPl|A(R3&{ zNCHATQ5jC?b%<4_sC%$85S5wF$|_|K-SC_TYHxxbs(N%c!D?oAyS_Y4vP=g-{o=m8 zb$b~dXb?7Va4q(L4gi~$h9z69adNk%e`sv2Tc^HQj5^Zz0Rq*0smMNTzWK&yj022o~0r#%VcS*qM4&gp0=W*y1VF8EDQR&4&(@|Cnot9U5d2Gl}BW9 z2`y9Q$O%rJD#XwM$D$UTFbkc3j^~<&&I-AZeu^F2P8n%5qsl4gc1Vka3T+ZL>?dq= zKtTq#H;Sf-O=#$Iri*KCXB30$ix&h`{7v7O7`=1#VFP?Wa-~Z8a#XV%>hyGO?88ZT zzLyiF^J5}vPaPhfD6#}l1Z4y`KSrk-Op-b<;^OM;pMF#RYpGFT7u+d6$U}6Fe~tLZ zjVT!!oB!o-5p%)Q$PtTNA8v8{K;0+`n~}+&mz5Kc_xp;iZcadq7&w1)RCCmdCY6${ zw5NYqd` z7+w;u8{7^j@J~^a!yGfKk}rYf-e)v&Ph4_U!X-T;%X_VPMq{c#PFc!*DR0I^XTnk( z!P6wUulROu12Diz&z;dBARoXBuDJPo>+LW5690X>9MWowMjD!m<{s@kX*^z4%Jb}Z zMsiCf|G9)YQ~I;g;fISt_c&eZ`IboY@yCJ~Q;t=OKlmt)Z6=NbaaA zuKA*hdfsC%Ufk?ZLHnf&G)tcbJz1KG@bNqky2|p>p~okqPnsV!LEhZREVbDO17@0U zd!BiaL&%OuFgPm&{ zT#r}G)V-oTlbI!mR}4(WV67&6NrfDZy7Txj8gN_A}6Pgk(Wp zyHdG{F5(sVPX^_>#!~w<5%d=Kq)xa8309?mo&-(`jBS#@p={BHdIwt}pD{WSgeP72 z%sSAocKil@C*5w?DQskL3{tk8h;NL}pqrTBthDAT^t@lym;c95eaIQf6Vj(i#6EL| z^dz~iDN+`&$?IZ@xjI|qL>Zeon4R{-L$=qlA0z57aV_c82g zwki{p>vs2YEy#T`AcFVqKy_~?VQ*VG;nxUlLb5bFdE~9{{i)Bb-p<>O)Rpi;wfikU zaeX=a#Py*%|McnV%QK{_5A;p&=y_S`>b;p!S-Sen($!xLk#vq8gR(3QkO!8D{;wi) zePzL!>%)LOa}xWh0r7yiuDH;z#ioC69&B-g3A|$9!876wZbN+J;Yh_lcdC4~+w1jm zJAAd5tBB=(ju)ysxpJ*5mP(agMJS1z+wOtzQ?!eoP7{zk;2)4SLc&>et}F8bJYeI5 zg0y+%=bL;zm{k0E)~BB_J$mR$@JKdD0zp<*V-&rv+(wV>{v-?>6VAPMELDfMYh;VIFkd#`T$-Y znV094YI9EtKR`?Uw6B4F4u~wi2fp|)B=+HoK}yDAp%590l*rwl>~?=9DU+>ZTZ`)UP|(%p*L9ps 
zB05#Xnr<)F%sqj+S*$1`vhjDqFdkDN?YJeG)6o6=@yqh&tmB6D!lhXh)iU8Mlq84sT(V=ati!`PFv13_awGL+vjVd^*)zgxJp zi~wo#!7VdKfGsz6imRIY5T4*y*D=fhHQ-Q%jX4 zd^yCOi+xE&=iqiO^)K@SXE5JQmRPh zBzMZHhLTMwViDf;DJzx`7LlR%*)#F4k9+vOoT!(15nMnolU@0jcwhMWc^zjKkwC9L z3?JJ2j$K}G!rTfCExWW84GZp0m;}Py0cd1?l4O#?U>ZyU0Hy`Z0H=!VU{_}K1+w$FsB?^X)4;| z7Q1FXAayeMS=vu}=Wd@nUuC_KM5ep5-Y!mRtx%wMXB9 zyZ>ZPd8wW9D%m^b(I88D|Gdf!{&|7E31qC7<)7!R*UkL%GV{+nP?29<&Jh`2k#}Bo z!QOdfP|xg}=Ux`}lR$kI<2=|VE-XG!*0;@SplUazXY0#GN}0pl*_b<+fsLrLN-2z_lzj#8@eKhNK*#BQYcC;*05_s5qEhHa#M_h1Z}NETizm7Fp6_8LMmTd zDvbA$jMI<@Ivk=q8_?wd6nBzLUmYyzM6*nW`(m&q>5+1gR#)Vi3gRbNDyYky6A%fJ zHLykM0@3t^okL0!RpdQvmt;fxfQ_S{lWo8Y`iaow?Kp+<>?vmCQC1Fva3?KY?oj&2RfcSu#3 zF-+5u4Tqpw0urGTFM*!?sn(#u8j^AL6u`)^ekBzW%q1Gbr=v+4K$E0ex<~w7ty<}* zH2IYp6SI^|(8ktYM-vu|OxmIr)Z=AsY*xkBh$+`AhE>gH3UXY%2azT!)f11HW`-tg z_i&YmqUac+ySCF15&l>S%BS&D zQgqY7{?&0={Yqp*c<4Q7;Uz^MocF8aM3f~u3$yP8c##}d(6tm(%{Bglqb{XwEA4D{ z>5Dgw-;V9HO{r?gAZ)-BPL8{fs(6N3BYdvrsC$_Ax@{mLx(P2To^y`1-KZ6C&$W1T zq8IjOC&E>B# z%FT-%i!UKF&jK8}BKV62F~_>dLh@*Bt-CI%Hu4_;*68@Pu5a1bV3Ihl>fGbFf=-FaeWa@kh~o;K zgT-;NIIb5J$3-WI(A7;a$KsGdi9?m=DN88uIx*g==?Mr625D{KjQ;|#MttFLTf*Ri7Wf}hd;|~z*C-D2zAAi6%$WO}t z7Nznw+%u;MM>~=<-LOaWR62-TbLgzde*L-&C$O-*6$r~q@aTC4L3xN495;QU%8S05 z1L9w}oI@a*le`%pw!8mi(RZn%@2c5H-^HVR`q;bb46%2Cz6s>wmlbE-m$uol&4Td!L3k)c;?E%{ z?ZHxV_@;gm6i(6%;?yK%kR%iD$Y zQF^uPqx9ksK7EW{ZH5@VK;H!N@XLzP+hH+!^NG=Gwq9j~o)@3yAE6fnGmFp5K0eRe zG_>GfWZJuF2H9Y(I#zejhD2!gF?Zss^{@UczgA<=Zmlb~(c?O|LrD6oh`!SdcEKE% zqsZINNs#BuM(15tApe}N3Zy+BA@Ren6nZ*z?INB9NZB?_7VGjlBxUjl=5kIW%9;>?-!Bbe>z1fL} zh5vb=!0PU;M%}##%?_)-=Y|`rzc*tTV6z4P!e#bE`3cwHnu!=p}u>iO}qBb#$H*CMO>VL(ZKMMu;|Cazuu--ty z^%KClV%7gBUtKJw(0yhxcM_}omrYFJPWCZ{(deE&qHt%1h{8bM1VZ`CiYTnJh{E|q z6kcDRzRHk7FG9^fq>un-7E@?}j@A5QHUC)5AB*`5{;-%os+hkLi}~~Yu$Vs+Nm$Gu zi}@o&*ihFrbhr(R`6I)H#r#G5u$Vs<^B2KWSj^w-#KU6#JWyaUf2$GmXKJ{vRNKRk z#rpZ+#bW(tjP(PBD*PKh2Mm*+;1`5&(4hMSMpa$9GdP^aiUs?H0GQSJ^Vj*CXfg}) z%P`EZ#KQbon4cv&urNO$k|Py-etN?Y@hnWdVqtzP%#SwA53aC|gry%AiSdd@H 
z?ZblnRxikp%0Y%j`LQTJ7UjpH{1y`BSD$;7U(g9Lxhr&i0a1RTbFe5s7UlP%qWmbN z5V|lwq@HGRek{&!;c-4X8jG!4NWH##_OW#__?|wvu0BI> zU7&9QS@>lI*X^?4y7>gxwc#f0s*jyRMU#3%beHC?HThM<*LiVj{_%BWP|qA*>_#&#M9^Z{k6?-}Bl58c6I|7k39$0i8rft5Nw3doE%E zwM>6vBEX!3^er&PH85I&p!PKnJodB83l9Pq9G|Fna-Dag(Sf&VET~)sT(e!W4Xh@@ zDDbHKDc)Gem()p&ysH^;sjCWz(X73Nvm6XWZ4dt5*!<7eb+wD)4AyVq*D2lNKS7fQ z?+3wN&N`8cIui^*8yOoKFlDRpaf=StzIAh-f4VvI=GS%JBPHB^b=~{$1`P7yECM88 zEkhM+Cy)v@5-N_9muNu|`E{+$fL~kGSDNHkuK|4@Dk{aa4G3N#9rM zou~xR*{6(I59&V#42UL5GX#bMwdMdeg+SD(ZWYnGVA%az` zm_kfcX-~Q%I2hz2Zy^>&6mzsVp)WJ!2(Dt~@S-gmF|Uxg!N|K@w0MVvW_0`#XhMKD z+Hx#Db+8S@^1XQGp5WTC%&WO83&{K!91l%(N*?p3c+ryGT+c_Iw6CtHhuflAb@;s$ zO_@}0JKXXB9{;pYFFI=XXF8)wTeODlUC_EjmqKF#cbI9cS0-R!jqekKRW!Lf65JWM zIWXm*sxbE6NOX6^-XD}Zvym3z+pH{>B;RF^UzI8*RmJB6@N^?`Pdys<3$N|39L?gQocN%@L=MJ8KENVJa+McSB7 zGBfZ4kCX>)Lqp_Cp9C?3AChLJpngi)cVx8)^RN4KVldc!a3*yx&V7rp2-`o@o5eQA| zBA5)RiMyHUfTPcMDW1-ur#ug)infQOFOVkMAYYnKE=PhS#>m^v4i&U#Drd~hvZ~OA zMT8IRkv2;-JwMtwaHgHl5wMXVVFW93~Hb-d#X8 zozOX0HXW8t=UHaciOh)eAjvW(V)>H;eH8p^YJpK+6kg$M-3rbc0*^NVB^nu_1S9^C zS4%$F=B|b!2M+*H5t@T{MeYGO6i_h7>l{BF((*Om4#e@<)thWx#VATr-PEYMT~Lk>J|%q%EtS1LErMLePZEKuY!es0?ns@fJ_Dn1Ye zUPEvWI7c|v(;CQ9ZbmZuM}iYuR;rvVvcSxoq9sY*m;|pmUv`>!u_yWF(7{g84JZ;x z7u$*Vh=y^(u=V)O6z9DeKfAsF;jDKDdKx=L zOj|V*YOE33grtw?=vE)=dw+5ktGDx5Aay0Y4D5ac+0X7}Y9QvGR%bW+v^w$ZAbnYVeXdT`U{2=Z`_VuXsLR*rOt+*STIUPG^{J7IFWh?y7^nVz+G~yVc z%L}wlu*5T7egJiqZ;ke+w2O3&LbFP%dE7D&RK)pwhZOuUa*@O_Lf05*9k)afVtix! 
zK8ajhuy^RnyiMblbme!Er zcJEwHU>xv=;x*GFknm~b0?DI>gN46)q2DyOXJXu5ReGz@9ej34*jv}An zjvI*2)5*K6Oq0rmSZ*B3lcX1;T{oudmttc}#=cNp*d2|MrHMR{URou`on zSd4I?ruCje-p63!vEF2%E7Q&IkuEFf{q4NxTIfBOz}=w7kNK_y_GuG-o`<&mMn4>l zji-jD@nLS|Yh4YLZu_bXWDR5d;|Tu{TgJU?9n}Tsn$apa9=yoFRs$v-lEuZH&fYYE zP1V&yY(&8f5gA@A^AEDoj3>}X83aa?9QMg=G+SGoDWh+pvK3n#5EP~%Bun5U_94OW{`W5uOH8{~5NH8&;YH&T8=p|~qX||69ZAq55-oxkSK|_Tv^^^Sv{rq6q{BZE0a(OV& zPY?G#e>l86yFR+SzBy>rKfT-geEn{(34dRiV}F3L8rLw+9gKH(eegj)hhMH|`{yeE z&}dxlHyUc=0RGo*HX1{i=J9YZU;ofJhA$f*uJJzMANa%mIoxkNd^p-0^qTu0)Kk>f zxP*@fhp_J^>>Gw|e1H#*b{ijH%Z(40dza1O+4bSO!{X6!@9F*H(ZR{y9e>zt7ET@? zE^pd}e&g<}^!{luxH~x-_CCM6ROR<@BqwdPaDMf`2v#etPhD_UYYY{rmeTtUv8&WBlph}W>>`vp+iNtMm$1J^>)~Mcy2kHl@5WzB`#;pDkDn`zaq;t~ z@82Ijjqe}#>nF8gMSv6iR4Bdq@cyj%<>1|$#>3~&pM?uJ>|?nH%Y1q-|2#SE-3W^G z>G5OzMtpyNl$W%M+CL~gv@a^g=luSU^0~72PW^Z}R+i}r>3`TJg_a>VB!e%8N$ zra{cv`K#JNsU!Xg|L{R>yBfZ{Fo4p?>rE zRJp3|lrOud52xM7{uf!{&&SQ;$;pp5-ND^)RlIL~*yRhYz58LgoqyMQyfb!B`Jakm z>=#cf-BRKBPVD`>xI3Mwr8i$5+8-{?cI!6)lABiT9za|-b|?3z$DjKBdgDj6uKzHu zYL8<6zE?EfDCehF-R>LhxY*YAib2np%|aOD4&e8Pgm7$z4o2of0W)I%EfB!&Gm5ap=T(K zs#d)^-nqD!`j`E^i|?oBy`THt{P6g6^f-Dq=6@XQsdDM5QZKbmcRqYqKS~!rFUrDQ z@37b}99KS-N7|>ecRK%Nd}REP$Dcp#YAsQGS1O)fmA+4k?UOH!hwnz={H0J?`}`YiglC=(j(8FMhu)72f>RD?7#g z(Xb6x$o$z;{_~s9+VPWK`Eu6y{J?)v^E=SBc3I(#_geWw_tPii#^@g%PSj7v{rTzP z`|}&Ues=h@bIkWg&Aa`J4`<(%k$(T9cyOoJO7gDJs^?|Iz>9D6;zX>ewNkkVf8Q(l zhpY1ahn94p_N9~Z{dkA3e|&fHv$+4MT^6g&?*N~>J^A`Be_pIS7RUGB%N2<~uAk=* zcJtahy?pUh*3|+?1H*@U>2ZAY{b28`+AN>#jqXQMtFr&*q`Tj}Ha^_f;d=OV`9=GF zeR-tn=RZHo-Ag#aFYiATYR0=C@}>U%(}AYHYg|6w06Eq7T1W5HH+%V`kKaqma8#~e z*0dk((%A$UM(fAf>D7nJ%gcvm@&3Nod~DW@`r+Qq=ZkjlxO(+NKNz<7$NQVzQmv*< zv|9O1zxwG+`QE$Pxw!dpRn-KgBp9dtVo?`MeWQ6&P#)gbyC*;7(Z%TLbK~7rNs}t? 
ziml3}c+%RdPjux{I4OL(et-Joq<&YwsD0eMKWIJ-_Kf1FQ9c@#ySw+3_Qmee(U(fA zTv3z%McX;=vDCD){N5K8ZpY=~i1vsn2k_r%+>=ySQ2Hz*A@6VMT zW9Os>POwikq4fPzRqq}4gp-q#-8Wi$`1JF~$D4xEy%dUXZtfqyRL)Pd^Y-v+vUC39 zjkeR*`k$%?`9@Qy?Nr9~>o@1k^Y_L4&G`LjH0e%`Z{VprJ{Hu<=coMLncglv9KPTC z*nIQ3Fg_f-ugQbG-S;1j`{OUA`t@OZ=d)VeKRLUrAC%9Jj{4_SnLlrzNZLv9XRUSG zeHuUY6rpUqxykW%!H1`F^bw8V)Nd{fJPWpj(73NZt^m9+-^3$})cF ziJ@lDl9yo@!md1;*gC5?Yaq5{e% z6CM2*=8)xSWGRZn+mN?n^#L#PowgXN@Jl9Q@TMvRfZk6Y0e;x-W4F-FHkR>>q7-?cOi z6fKFFJx(NVR!8My(kmy+{)Fd3rB+jcJPAsqMhn~#4hjW#BT$_3-MBFM46%d`Q!ITT zw?ADbcPie)I+IQ0piE%D$;Qb5dy-%fo>NC!&D7_DXaotN$@U3a+7WM9{mZ3!9qUwU zoAx|S;H>^3ik9Gc0IpV&tfxLs9+?3W?iZ(;O*-QY+-OFgWOW|_p$@S5$?{uEG02Sk ziHy!?*22JmF~guFBt#iS!C0992a{u>EBBag@T2j{fc45*(K7_+tk>w=pz6Lj<>VLM zYCzX!o-4)({P)__?l{#m*!(`tbj~H`+kZwU$P4#83`&yan zMC6`oplr|~8O$(Sdd|C)72Q z(#BG(1_byqYKSud$2G;tQ#9Zee{zO45#yRCMo!QJPq7xq3xZ}D)=iV>Hg`7B z4U|uZ=X6+<>~2Q4LND&(l-6_|!E~O(B{)n`bB)if%RO^yM+GY+MVL)Xb7e&Bf@S|7)N$2_^ zj~nQqoIx%(rWX#hLtGyE&}cd;}g2eeqNor>H*;#Af_`T+Vkb3Tr&I?7z0aIK%`Fl_FXNv4SLm0dy=OK6WL3Qm zMePk#ErInu3`JZcy<{}8w)vDAQ<4v`GRX44!<~$(`OJ(gu903cvN+pJjV&ogSO~hr zs;=U%GS`j%mHr}2$kY;|bzJM)`Do;p>4AMI!rKd;R8vv=1v_Jt)yC%5VdqwAt`%0@ z&f}Rma&mn=`*)_jl^65S3{R})8JfK`*-JAkoJh-vDcA^&Xh=cA&t5LH_Ly2KOx%BE zo)GN4NrDP{ZxX@6-kS-Lg}pbkdv7MVhuDKN5<2X`8T#O~(=5M+7pE2ZF5ql$`CsOL zSp+4BBSgVFq95%4Smo<+b%lNyVFr~Y9P@XLEdJvjF%A{9pm_EC4?IhXug10Qk%T z;LXBBDTCkxo#!10PgCl2RfFM8W8muzh&T5i84OPeB7fYjg@!B`o(02O7{Y?#Sup%_ z35K_PMkbn^{{{bI-XhFfBs*^rmbX6!KrC-R1s1Wq{Xv+py!{D)#q##Ey!}A}VtM<+ zewf#SA6r=7ehdbdw?8d?u)O_raAJA;5foV7e$RE3gxXl%{wVTddHY%3{x}xQ^7ga5 z{VZ=k#ShEd|623*UtgZ4^jYxsoVUZmwI)ALZv|9o{nffEARLMEQ-JRiJ1L+snTG=N zP_WR0c_=Usg=glWFy!@N{ulZ;^HE?v3Pe<487){wi;U0$cVrnYSVoJv7xRpcAZ^39 z3FAMRZwT`ZSz1Z(Gs%z!pngyW+zf**+1$>2Lox*?%VJrr9}jOu#^@or9}j*q2)C6Jc;>+ zyjI_kW3W)AbPn-#ows)gn(leJhafB9>-7&gZnTdh9Yj!r#2zAeROTYWTtqDVU@jue zMdX>eh}=(P1+F)f&E|he0`nAMo+3nyVV)w)QzRp_Sba~C8#i0z_NPnbPQ`mzYfA5e zz@C}6$ilrvyhqDCMyQcEc~M)ZFUuyvJVpZe#IlKm{xFXbKen)JA{Y!To5+jw7$L|c 
zD^>@Ed5vUo?yiT#@|`@H*9g#=$stIbU6dcMi)a!ZM1mj3OzyDJ4`MyV`l_PmPw_aEi=%1ws=Y?MLUTIzk+3mR`jKSs zwjl|x*J;ChIL!lYWB=xGi$kEX_KcBXSkY`GYxsSa`#nKbZ5!oSi>1abZOK zY&I9h*g&tu&M3SLCgglnFMHl|^$CFjzOlvM<4!tBW)&@UVEa6@DP z_U1trFi&S#_`O<@Di)i0HZOaM!Pk1~M4@M$3uWr?7+3HkHaS;EdfS1hCE)9+wa-B; zvDQsLfWUht_PHq~CQxT*!1buLW`=5je*Bpo(iL8GiW9;eSK)Z($6fYK zj_~|7hi#G9dPCYH@`J(Z?N<(7H>n4teyiaDJ9xm3IqfXZwZ&>K`Uk9_+BHt0D`O^xQ$sf)n@gZXoby0Eb zug#DcA)uaOXPhMqsOBOF7?wo8lWvd{LasScoRIsveaeV3jr&lRB-^A~!bFpEqS8|Z zGvr{+bXS`T>s^T3Mt`Ei_VaydL4F%Ycs}k3&-ZGWZbFBIB#sCvtad4Ec57HsN^juv zv4{)}8rV5J`9f?lFXNRYjXjzpU=FQ};0L0?OL7uxY&sW~l` zW$Bji{9OzDUIFNyKb3T(G*<+!y??|Vs1J&)^3fIwiaZZ!RPJ9~TkK6VoTN%s3{91} zBT)p^4%IBwZ&sL3zU!bFJNCfODD^GXGj?^<_%pp$MbO8_!3{Uek0)JO>gCU*o~G(* z-)Q^<%*spSj-{I3{;o%>JYokL7@gh1?8ERqL%J6`z0&MM0jX%BVq`K_S2Ywd11O=e zkh=`V84o3W2>3PQNP;@zB_$&yum;Nl5v-wlrH-KJ*^H&}imr|xz?#_^^G_%kCZlo1 z9zwDQkq1qK^iveF88#C{vB8KUlsYnelFfJ-As;BnGC>wJ&dfB9263T?0JonebtmXb z%wl<9TL<%tq|b~VXtYdl0}V9dWxU&aQ4^%ztRteN^BsfNK>r8G(Lu?E^(=-|ySk{| zi$ceMr_JnWhsU&cuIuuQ!=Y_v#6a;-Sx^KX$YM;^g=%d$!-2)ev8+l)=T0&*9Cb>A znGTxe631!}ejTaCJfJCv_Z`W2$YNw`NFW>-FiQlm)75l(Pv8yE(WQaHCnlq@Cf>uw z^Ki!lcN|R=Y+nJsA&vF4V@)sNj(JsOF%mG!#KTPPG?*Qjtoh%LHqmv7hplb*^!wSz zF*ldZScn~FGZFv_4-`F4l)Yy9A`%73P_>+jAH`HUQAcYV`x=UUOZuZdnk_EJS+*YM zHBK4y1fFvfJP73zj6x~0HJ=Uc7T$0hH}E3n&OpD_lhld6Ifvc4?ziRbwSg~18R=16 ztcTnG*FLCNK-SQ*+pq6IySzQ`o6q67Y|{VKUfwQ2d4@K*hu`bmmB#nMaG%{q-Fkp! 
zZxYb=QbejEP!)EcxF&uTaPKq~JaaPJu=}mCybZUk7bkbDX32}Z5835y@7lab!G{)I zq)55jhXtqJXteaPlx-edoHd%~^See#imc^sbP?BSP~*1TJ)^7T;Ji&0E0=7GZcX5F z_ju_%P`Q?=N1W4^!xWZF-oAbHm?9MS(RnC=6$-68V<3>Vt1AM7IbXj7Rq%2*ZcA7D z7dOp=TyZydDayRz96fgmtNwG!?=ofqJ}vfYfWnbX=DPP45LBF`0@EyH~+^*v~A%5`5KxQsd(Z#2?$w9F%&8lJK~TE9tanPXte?i9rR@6V`te{Pg zY`x0<2^s6xxY~Em9PXM3SIm`w#XfT6bgq{+cIbr1hUMp(B_twzM=2l?*CaIirPV*q z_s|!K*W!&K;7mdqkkXfmBUSDdD z`4wh)*;)KoE@M6Ag0c#Rrq~!O&GVc}^MHJmDv!WSsYYg6a_XWsv!`lEo~&US6#hIG zYt6Wf#m+MgMIu0~p)&2yjv{)Xq(#LKW;;A(m)X!V{7 zPsinecAivB-`1I38mi(!f~5N%O}=|n{^ zGrJlHaNsu3LkX=7om20@dTvM~k^BGK`_}EYjV;apv(~%=MmeV?xkZXsk#wTWQKaNV z9Vb>>O42j77Xy-@h&D;E0n)OLk7xB0%&++~zhtKPc76M+6+xXKnjpyHD)zocy1%O3O<=n{HgxiVvjoo((3$?G)`uXr_X{D7 zubw6C#<9l2*lm2VSMcqDKVql+3(1nTFKfH;NuPmR4^#g0<-^GOHQmBklBtBzC-;_} z<&Kao^yMad$=uMz~ay-({;n_=h`Ce#3blYobK^`a6jx`~tuVlws zk!v5n^)`_Ebo*dum{UN;PM3OrVy$wlMR^-iFKaA_>C&G-OZt9OJ6k)ltasvS_e%ep zjsc(~$XlC$6{`^dK^gnCWQ(JKBkW7bw+`g4%9q`QUy}PSzzGqwjkDOpyJvBZ^ku55 z#9Y5gI|R2Vbc3*U*F?^P@ASvVFxq`@Zocv>oPA+s|S@%o@9vZE>D0SE>7A*<*R%(Q-l8%|Svfy8?%wIuojhJ#NhQ znM&^?yT1P5cVpndwk5jRZi?S{-1}s?TsSXJPahs0sx~|RACuGn>d=}+^h1#whHtTRZF+#_)yD3oY*1TM+> zhj<)9T8-%;qNXIz=nsPcH*|0#=^edDUE?>ZYv1We@cJqtw|tQmsrCB7(il#VK`!xV zEYsTJ^_G`^e1br)-SK1^>23j917@4Gf-apK%LmK;fVdvKE{0-b9Md_`m~%vUV$R35 z4tCmVNKiZc1;GW)F!n3HZu#%~&9uIPC8^tBi$XIqE%s>*P;XF3K`;?h@TG*E{PPbQ zNw1NLZui6m@K=k?beOd$)L+(O7rM(0Nz2k(DSd`sXQc^zi@HUfUQLi8haz`zXLE8! 
zShG05-}CzJqLm7#eui!jCu>shZuXh<`x};usrQiy$N&IjW@Q0as#&RKrJ9v$-eJ{T z)(Nw(F{SKi((e&ckep;Pu7vFYrpmN(e2=5MeAH5;%xOx+uBK_&X>#@j$vR_SkgiCP za2;KdiZ&w~>`kz^N#@yX3P6!*Y0|BuGZ>)yaZR$}W}insQYOyZEoEuA3yh+PWnfCo)La(OF_3X;BY;dv@GUXs)g4TXCjfV`t68Yjzq~#6GtHhAP3?T9N zs$md+iS^1xs1)00m{W;0V<+=jh$7>vcjsnTVjazrDtCQVYR@t4UPiBxtjergCStqT zs$ov4YPP4xfaw@q*SdbBXKKwzh??k9OwGuewcu^33<{F?z_oJ|gjkfweqv176a&TgT1vNEdX=2FeUE1aMA zHVd<7E*9YeRZIKnm(5EouD7s(&n~T*Fu#zFf{s|qW}{4XWG&DSv6^S1-rmKAOs)Gq zjE2%5!KnM(b2SfpbRq8OoLuU~_`b8U8s}zFFIdfW@e^lJ{rM>Rl|aRJ&odS%#{g(T z5s}Kc02NqRMCfe zt*%g=2VKaU~bcI}8oJ>wy zfLQbZia>S0V5$#{>Av>VXYHLk$LJKhLHxlK!B6ktgLiKDi@sRM!e6H5N8{8Pp3*(Q zDV=EV4!*3h!_yhY1?HRnL7(X+-dCiXbHk2_OG;JWg}z)G_ImZ?+qZ8iRapgl=Owvi zR6ExWB~3YeUqWMudRS|VoTd4xNJX86G3>)O!ddqc)u`5s)N}0}>8kW1wH)Fyo94i? zNJrKh%}T9TY1HoOy_dD#%VxXU>owbF-G8jLUp8w+>OZqa7=)17;uP^%Cu~zob=x6ao73OIO*!-nkd$I+}iQx9d z#fRFIhFsjfyo}hil+}J$bkn=j3%5Tt(em0ZHOgD_JZA5{(kcivns3v3CephH61UFT zcBH8`V<|Qe>1_54#&8C6G=)W&&Kyf=^rSW|(l6lIm&py>jNn4ZIM0c~kVTJ?!jL8X zQ5Z6r+$aoL%pZjz%Qc5s=P3-CD@F=KrZ8l?ia}KvvUGnGhAh2IDGZqss50l1!jOf# zL}AFJQk7Py6o%|sV92ugjueRO34zEsr>_7blTwEB?~ds883a`p&n^BWz-1i;E>qyL zt%A$weA{zy*-UrfY-BYzo$B0J?kld$-wFjOE4SAbq^zutRFJaheo~M!1u2VES_)FO zr;swXJ9#PJyYM~BK7-0q-&(lmptAJsRG>0{mn%@2TyzzvEH6vyE6e(@T0AdKvh=*6 zg&9N3y+|XbHYwT36YG<5)hNbSnplgp9Hj->Ns~DVvoMmD!9|)_qjcs-A?DGq6sC0->Le`I=-F~d||XFW#Na5aOhFTpBw3K07&GDiN9@NsV`T~h6dDSl+T6m8M&35A@N9s3?7UBi3bUuZ$u`-{}{hJ&qnNV02_)Zq16h&xx4LiI+VX z+xk5Ybw-eFPOw&bj9g|ztO&PmzQ_?@d5U*(muLdB(qm@3-k`K2yh+HzgI6LRoLix#OLvtXY)cykyNKP&f6u3rWy9Da(*OmKS{B z7{e8konLw0@aPI0T-;o1KN+!WlD9)&nD}XovyNO^Ix+N79CI+AvIqZCdGo`a^}(2z z*y?D`q3HH`eQ@yhqi&n}U}`u=hj#|xY`};7{cN#(yg={7;qm({Rh972guV+r2(~U% zX?HMwHix$5SmR~&H7H7*8Y|axaOqE$&gp|?e{dE$c*;&elYTT|K%CQ=vD66$Ak>98 zw7ivGc*1fx zd}ZC6!;8hjxm-C*Yj$bP=deszcIEIyn*v1q$XQHHUr8`Rj{^WxT#xECQqJKq{CO{_ zZ_hjfyNok~cY=B@7EJwUD^aQ(y8gqBHqm5|8siR5wTyd7Pxaa(S_A zSfdM#-zB?sy0xaOX#Oo%8iHhd5wn$)Dd{YSm2y3j&o$ZXKhR@OUZSd|-Pp#=G;Hk} 
zk6-BwieUOWFlIU-ne*q4dOG1*Iu=BFxU=2k>V76eEuO8$pvvg^RrpObDL( z7p~W2N%3VwxN2_66je{SCD^5)9yos}DM4pVvAQw4zf)-hCSxvbeAt;yddfTkjTGI8_TW2Lr z;aT4g^rpw<6~!iUTrEH6RBUI9Z_MVERlSm*&vHt{+;{X+rj_ z58{)DN*lWQRT{o+(IHq%19xC?x1)&?7Ymc57FDfeIuKnMY*0VkB0*1xFC{w*u{)ZDyCbTReC;B+NVlK-i;6i1 z6Bc)(kR4U1BhoqXqkNdqFU`1qY06SZR*mGu`{-?OxY@_h%)|Nn_5TL2%DUb$TjhlT;OT)r3P zpM5{a2FO41V5X5fxr~dsOumV&E-v$Dl^Xn4CpOf0YCU+>kS+5u%Y7a982(*G%GKR# zpC{(&V1BQuzrVPjkA()rRSxv{$|f+e*s9s7K7$X($Y&1U5eMOqAfT}bLj-f%A9dV} zH(HUd_h{#+ft(0P#{FhD>&Hh_s9y0=#cQ?V{nS4g%i*L?t;0T;hkZT$)qJ4nz12R} zeZ5#EAt;%5I~hL8cI6dz0028aa9vW3e~R-p@7d7AO1^7ZSbb9*HuDAJFXDnB&hW$I zw}-K&+Tr`R!oml8uLOdkoK1(iO)RoBEwB?}alZO;f*+nPiNwH?zc^(Q6Dji!p%%v>+8L_6EG1PrYm)43%&+_Nl$V?PypUeZS=Zc`Ns!cPu4L-2 zXE0ZG(;Ov>Yp$g(=faa)Wheu<{MBj$Ca^^SUT}V#RqN-sgG&x1%QL%}*Cm(JA=8d0 z^Ijz1CLw*QN@4cidna^U&@O)O4phqad4>%ijD_~J{hrB^NTTJ zapK+B(T6ng_W*l`vUx6bO+Kq4uKIt9K6Hun@!tXnu73p%@P4I#tA8~5tfKX=T+z?%TBOArVj(k26zP6qdisE`YWf19_c_>vgTd*85fIdp6M)ZK)HWWhrg z6_IRZtzAa83LspU$_qaF5*MQnE4z*!E{j18DAaV;%v+VMEg-(*!!#M%ae#!5C9u$LoE zIKDiHVL(B2dK&Gy57JV2S=|G1DZz9oA}`I&$;-9__nAQz5hsu~W}jOVsbci&Wya`7 z7EwGzKQa?8_q^3bLh>UEQ6c#%B!A5z`SQRPv>%Q6Fa|1e02?b%6{entXeAH7MdIX* z4_%DiT;_@t4|HT%#4qBn{Q%wW)oQ40Se(f5oCC5XJsvo?u}#a?mX_v4HPcvFp_V6F za*(#$qB%IsF~5PqvNT4adO^8&6NA^>i?odwF>L}T1A(ly6-*?kKjh|M7_aD(kQQrc zE5{(;2YVJTVIww?SD_Q_(OS_lBF)la-!wHx8WI^Tkx(gOj2x&RR$~CqV2rS|x12eg z7$WbFc(~fs(CvBE3;IJn0(;#R3Baeda8CWY=40dZtBLhcSz48QV_6x(*(>gh^{ErQ z9xiwmNF2#m?m$Zgf*hd;(r}`IsX*J{jxme@)NX9vlh#7-2-Y}}P>?&vff4y=RFkTN zrp&JkgiPGwb@SA?YE^1L)X=@F)n1bS{(DHWnfD@Ge>RJ7Wt&dTdr9C_s0v^P8@gls zVns|6nSu1t7w0FnF7oRP_v(SjBfW!b3`x|doCQImHABiVycQ)ktRCMmoCogobaJ!; zGw@^w9Li`jSJ%{-MtozgC@p~|1l(nB&?SlWA8FytaMCnd>Dm^MSMgWjouch2xY-EO z_Q>`c2{b+NbGZOhPrV3JPbhJgjnWfi>hZHCD5jp$n0nZSwa=BXr?Fwep2+T2ygiDy zCo6><5je%$qj-B1Z;#^bQM^5hwff{AiE-oL_*le9I)VV zU&Kc|9C#hE-g4Z4$TFI=UvTLsKw8A5Byz^DhqWkgz(-1<-eAPX$=aEjSeq3!lcHvd z7I;O?q^Ozp{*u-#pDSu6Ma`5}UK9nA|Bs?TlKfE=NE!Yp3Z$|$4(m@vft0$d6kS-R 
zKZ*iLQ6N2c4p2pbl(okYeWXv5ZwCk^RP;=x(lZI;peUMR{wRv3QYe~A<}YI4t^OOu zW3=BqMrvd5mDqyid<>G*>V)QQuJh2 z2bv6vvX{Sjx_^ zRIk(|pr!f?=ntV9=hUP1-_$JKmUxt@@AkiIAr~ zcm+i;b>s<>=siAs8*CQ)7^-|Ye;=Q(yYNT&pkvZ{C$zL(;`J@FSVP7=01n*d;;&Zd zzLtQP^715Gvd=mE+9(3J9>L_kUDD-KU?7k>iTP(7Zy@JOADc*b8%ihEq75h34`<&amub>E-Rwo2bgAtKAgnPDwufe8!2f{npqpirjx8C z$X992>BO1JcL&CNbZ3z*NqnqNDlI`iBpU$Np8kPW=+5G3x}=aIA3G6Yn1P;V0~Ak3 zlzMWB%79mtbU}Y+I1X4aDK42m;Fe0dP_^U>KjXItlHGxHb0FUv1TMOS#8Fpg^37@N zjj$=Be81#XAUPK9JltL>7uxNTe*M7IP8Ks{=dY5kZ2d0j%0@1e_IVLpN7eJbO}d~U zhx|keBkz;z%+6zll;4qSh*PMfy}k`Nw=&!##CidRzbE$rKg0W7o9l-lhtCvqU>us8 zfFMT}q9Di$f~+9ODJQRjAQv}XQvi`4@Lt~#5Pj1oXk@ouBMm6cOT+GN} zIhk`fXPv_FDyACaeYuwQHrUC;A*Wpce1&G^-R$Xg?mb|rRs+(fWMt{zZdCH=(l(4! zI6eg<==9c_uBbnNm-OdGjh1!FSAFNyyFTZaKI(ClUj(CiGRLjgo~vj`$PlsLxm(I;IifORspjWFk1n$V<+hrf!UF3twLri zWOh)H6f%2T$ZW-R?i~_;PR~c4hFwS@x%Y(gJRSa5A-NTjTOql(faGqiAITj)iOd0s zXl(+?9a)G%aw{aaLUN~^yb8%(hViPf+zQLBu-ppEt+3n~)v99JR&Z{*GZ}sW_@%@^ zaW>4f-6{djoymSE0O)QN0d$8FXW4h{C!iaPlLERGp1UMGw_oG)xpFauw68(FaEvsh zBYkp+ZZ2AUmLvhX<2Zne5U+;koo}*{K)N`70!foR-I#*jLh254=`G@UEu0A`O$n`Q zc-q%1wXWPfo{bec7}w|q8xV)FyM~6Rel(qxJ~jU)#QW(qy-DqxQB;_% z>-{6;x#mzc&6z=F!jIt4V8L}p{Tty)Ge8)yVWTVBr3ati@nz!O!OM3C7zK#goYt$g zcLyi$4hZ2Lym|{CqA0?Tb$HC?4*UksadMH=Uwx$|48Xg0^Gc-xf5U&S+Q3*^+B6b5 zNg|q|?-Q~Lj+{4WC@wHK`ci}UwgCvRkC4j%snrebk3arM5)wXY@F@$7)fbDZ_Je6V zOAYV?Bp>&M2995YR2&}9HOIhPoF%g1)16NL@)Zr(u99wcmXA~HTj=ol*m`&H1)kwR zl1EG9(^9Kw4SehkLoYZC;yC{FZ_^tt9oH~~?s$4K!v@tHkpx|%J8X>WdS%pTk1DO+ zs9w<AO^ryY%5NP=Q`dqyj2l>Cejnl=1Gdd>H|7xBE_jd;;K zi%QXIMZ9S>8xe21XHjYDokmm*8tq!N%X^ez9DlOhd}2Zx(Geh5IEa#Oymph)n7EF+qh?EQ*DC|PUaPdADHVM%9#@8g zvthk8XxH?1JBPSVt@}O^serHsH3Uq4?auvV?D18oZv3A7ab z64miR;$R6<#>&5=?XJP^+@xWT-W_-x43@V|FvHsfI!J8np}*o)CewgiXZ0GLp57Z) z^l{Iqv^vdJrK|V4l}26H>*K~)Z@2OY0a!N1y=B8X9FT%b`rMNPKY! 
z12cuTAj5|a{R`=4tLf6bC2C9@Sy+NeHizV+kuf!AunODc89eZf{%2QWzxYSiUQLZY zsd}F_BdkF6(TEV*>r;Lc!E4Ilh?+?w76*VxS}WK&(f(k|)ZNUhB0wt#++aHwLi&jSRigYmGXUR$cG3>%&g3(d^`q zCA{Kb6_g`7=Wo4Nf-J35CTL~WEDu{6zeZc{HqOrKm3pTJ3qn&rgQcOPR|ZYpXpg#M zqcg~3zbugK1rGY9BX}de+|U^E3T<^(3uej=&+hj=yLtf|JEwdJ6lKLVt;5E8Gr?H* zNuNv%UXqUbBCPVFhDTncqtD)g!@fQiKIfC4eoBAipJ~E(o`BIW`R~3gU2!x=edoki zl@o16sBA`k{JXzA5k(f$I;+_Xd=juvBeUpyXn{ZV=ot5B19N^9OkJNG2eP0WCdhz| zA32?nnrSTd2h1)D`ddR`3>rGgB3rVl!*;3UGoQIJ)TaZT7C8jJ$=|Cpb;(qoL9FSV#3F;H6 z)y_3RdVMArrU8cz-oqoNIAI3=dDuXcO7xwz&@MeY@{SAi?uqfjG>F(zrI=bKQwd}9 zxd>xW`4K?~Ygk^ms2BllXwE<2zi@B@xb7jOBQi_gEp_|efGrgKIK(q7p$t^vqPSKl z1(ik_$wueFI^AKN&fS{vP0_i(iqyJ2_iDYfYLev8}J?^)CE z=lAEbhSJYI!7Kpj)m}lD&~JI?Twk5D2FI=>?nDbYFo_sj=sx|K-pxV2|HYzSM;PP4 z)}GD;q-v~cmlI?7fqEvnWBJs*IMN~B%GDe%P$MTP)@rF4wv9ZH=v~DAbqL>G$SLiB z*KxU8VCf-81Nas6X*IjPFg~G6;s?{1j?m#uz9Bv5y>v5hKcLTHAgRhj+q`tub8nj? zzpkM1SAtJ-2uIAb`OkQD2pvs2t|!8$=&N#n_bg;cjFLj-kEH#pF$bsl@CuG0OlCmh z7uOE!$?vB6$Y5qZ)ltFHi4f*1{8yWr#rXJ@yZZ=?G1ra3a<8vKrM9V23}f`&BlrJ; zs{F~I`jJg}IxXO%*H8*3Yfxui-gF_Y-(}W0@_q6nx@)?Rb67M=CB?xbKR_VmvSUM% ziG;DzJw7|VSO6fKk+buovB+hF;dLx5qNw)ve9^aKD^{Sv=AIWa2WZQ&pd0GDCZdj`fFS+EN~-| zV5~sOs`K&wYfUKXd{+-Wzb0!UYI*011UbQC4V`y>`v|jZR;9O8zI{(W^SEH+zh%IX z>lt2)#k)xI9h-~ic>iYoYidb_da4rHSCE1!rZ)!s4JU{<`f`$H5Q&!f8ZW`2Wnz^n z5++#um#Qc*5jP@9VNO1g%^Kd35(Xfg<8!&m65WxApYSQf$crX;6*!@A#67AU?hxqV zh_9oRZ~&W@GNx2tfvpx9Paah@Fo=zr30?^m+_AI49n=~nV|#G%%T?5!zews1G89b! 
z5KR{1o23bdUom$z@>z1l^lg^g+1}^4r$zi#NdHBG0R1Uu0`qSoAXx5nWbcFcMwZ&e z!^o2E5;iqa@dlx(GQFE01(b|S<;g?P(iE`N)M+!U7f%b6>c62rH_9$5VEo`M>_!b} zvo-hj5J&RZ@%UZ}+^8o6!GbIPFeVC?k3F4VfspjIfl{9z7}YOHPXvq_Zd9RZvV&mM z4Q3Z>{#M7(LrOe~2(4`7pnv5=W5vW@PmnLCKQ{g}Hlvg~D6BgaICqcYWeW)Z&n%3^?i?XEV@fGGa74JZM9(Qop9$2&j}Eh>aRcLmqkw$Mq@iNfauniwle`;0=|9I&unk5fqqp77};PmzLTczBFJI9sD;j7CPM zTj{mB?MkcGKC5(%p90%5s)b@4Uuhp@^FBDSFay=zM63uSXkkJ<9jl ze?>&8+pPp&>I#zqtF>$7N%rAeTSZP!`S(}s8c@XG{g-oMslI)Wf3vS-6QBIZXTFfZ ziS|9fC;*Zs7+k_r3UX$@VCM_JVuui&VmcrCcoKv&2wo5Y!55@D!MFVpOED5FL7sS^ zwxFT{tK9!ReZ(t7e{+`b&;4@ZmhXRz1qW50+f&{fST22(}TC=5VduQXn7wK)bkRzk69o(QWMWU*EiPfqfD1zJmBSw+G@da4_-v ztaEk){pPFnHUMzKz~-yMB`E0v3H*Vn!SaCL!pPBrmo zVG?{{O4&2df3Wp?RAT4+2Lc!-lj2;^%H)Bk-Uyh+d+h>{VcNTo`zxC$Jy-eo?0)tf zAi#q1LI52)zRzKicZ@zdl#iHhcc=+D`&a=t?DUZs_kA1-I8iV@otti2aM5Z<@GUyJ z$sycGTR_Qp&U^%#7jb9=mQ1oG9R#rJf2_l48hgt#s^S=(urKJ}?knsF{?Ht~47@c* z$H%M&q7gfQYRvQxMt`8+A1&|;+9m_X5YNTnd4Dx0H60uWVBjdxwmVvUh}ck&j_1qZ zi_#RXF>=4+`fTje!Mr-ub_!`<{u%_({{>UGbutzFS$go`aDL=nbY|~&LBadFWX%d5 zN7b^xleGAOWK45pkEo)keIe?P#wJ;F?)dr5bj*Q?)(=f1>1$?v!$~T3sih zuv@vaLQXx`!uIJs_qp~PoU(1&G>$%^dhvp*DLR8*z^t)h)_mqN_C?P7(F`;prT{Jp zZq~wd_(C7~{wC$2v+c&5b4Qz415dI7YYXWUs9TG_+3rB|*o=&*a)l;WX!7-;$s3zP zldl6sz8$o}K48Z4K*hHR5tjpNvLO{48-R#MmZ2cxivM3h#AOh1|3S6_h(9%ecw=1v z@kY4-@kRlFcqna#)#7OZ#G48rz7~M^m4z7ZOUt&2eFo0D=KvD-OVbkpiH95Y)Ij1? 
zST&inChWX|Inn#D;WTv#$0z1Jag1?42FO+sI=PMFReblJu;Sc=L zm@Wc%!CP?GX@6b8A|=8F>$M2jALI6B*3tjJvHD?CVgp8`!PBa0<@Y?8lh)20WI+# z|Ng(7IGv+SKmrNO6r4p%JiVJi4-HLgQ)nAuZ_dxwX`$rmJ3|4qj=-+`+yuNkoY;$0X#dVBca%4WSJP z9w&!dv~O7_$Qpv*Pu;IcQzq7Q(OZ9p`aIn6yiN4n>817u zeU93`IyaVoU{=j4EGev8lf-~99=T#<%`troT0Yjm^@nIo`|(86NB;^~HBv574Q?$+ z&p3d>v}Vv57(@f(jcXu#!n=nw8R|Qn(5|+r9wkT3SYo>h6`K>LWFejiMDr_x+oxko zy59Jtg9V3Y!eh7EGYZg zSV5h}h~Xf!SwFO!`#6RB7}3>#qk~}@u!r0UE}BE?8Ub~UKm>ce80^z*)@u3)ZVM|5d0R&3lFcRH}wuMBz}5FfqU0K7SP1{yUTHh>^KM&qoY_z;sItnrws zKr9Y!3n$1Bv$%+DMiMg%7EN<}$b^!Z5X3A*oBu%vJKiUAdTLqoOHdFwh`gSZvCk6- zPG7@egzSL!c4;FZJ_sYcBrqsyZLCoUSSvQjD4w*U`?jC8b*}5Zw$bUf&+t}+vtFgu z1S#(}8fTTxpf>IfTccsUmxooKPW8Sx*Q3{W*IZZY`;)yUDBG%Sz_M&K481aL51Qa> ztF%UjKY?{R{p;qm#)P6T!g#+RYWB&gvBiSaAeMZ+OF9 z+no(J^8s?lChergDW&`+4aLJ(jQ->zvqBZDq zI2(Bcuh;UyFy^9Dk9ds&l5ps{{m2|gjR9_=C~rz|wCXk5K^u0a2)>-+;UH6kIx+i8 z^c|jS>C{tBHFA1NZVE(86{ORePai{0k?Yr&Fet=s#fWTj0yQ_NxY?vT=w%X6 z0^h$q(rsIR>`zHR-w}CsT&W+wkJh(K3lu8!-VtPT9QcexhhW>t%dg2CTH{cpk10qD)W))+$lgSd5d48eL%YV z?$uQ=+msW8=Jp#bt;kr9-#hM7LOd0CLjw-DIp!tdNemli6c1cP;3;{ACk5=3eQe-? zsIPmlO6L53Xh*J|40Q%L@caHz15GOajsaU3UG}G`0j7Z`Kq*)PpW)$QR^n&^x!(jzB#hpJ+CyIh@0!33Xf@dc6}`!Cnt) z%{^WdkQRWsXj9{(F~xc9zz-PsQDt?Z)#vpHNUHl0d(1y0v@f6mn92a{`Jg*uFOrJr zUZ?Pk(5=TV#EH%eY6uISxrEc)G0m8!;F-{MSi79+j$@A5Jr{0v=v#w!GMxpVSVPmR zQ?MsvEZVJDuJz4ZuEi}LdqcL3oz=Wa<2JBk?G!tUE$jO@-D+*8wrK4nqZU8dz(7Y? 
zw>vEaMa_JU)DcKb4<n78z#{%_){K=x2_oq~9`Phh1Qnz}^e7 zO4Pe@S_#w-4#5(7k4csm=6@o7@K>k`E0W)_LO%ZX-2b7+%+{l3oNX-N6|6%Za~+(Q zd`A=mP0E?nKG(i{t`kOu^o5+YqYANbPhk`qHQhAv?_KW!e~sK}zEY4h?wr4Udx*atru0bQx1LKPjDYkL zFvZbOdvu({iuEYsr55Qj>g%mrk+kt4J2JwIT?Ulu7o`ixt z?9L@Vq=t{g>S;z;J(&>t!EM7!PwqIY8V^(=R63mF6?YN%_Cy=P4&Vbgg>CCWJEB{P zW4;%cyX&i|$ii}3Ya2NNmO_ydj@vy&;ZjY?c26GXWaJsE$0Ypyr-ezS9%hw6ZjSj@ zn_CY@$LaMBe76LjBemN}`68`yfEvSG_U_ad(&+#+klk@;%Us_Dof2qaNV(MH%7spUdhA4$04tX5fc~75xiE4EA3E}Y6F~RW zL(0~gn(dFB_EAz!8rV(znsI0Wu7DgNkpPNv-5Dh+q;@&%v$0t6obd}ZS)}QbO2e#i zVr)nX{isK|P`c;hq4V#q2zvC-;RRm$GQYod&kr9+%=(v16pbP74j!0HD$bZUNCupG z;~tJOR|CSd;WAL1UM#@5PJM+H&PGw;SvjYJsWmvA=??TJqvvp`DhLq=MycEH41t-Pqm7KVcVTBFR~x;b;gOJ3u&z2tx~BIeJ5@(&dK{PKA_Z4Q1G#Zz^f+Pi z4@R`OL7K+q=4cutg}ESA<4$vi>;t1?xC2v>I)=t`v&4>aGMsD-W6cc^J4TkFh#eKN zqat=B(=2Akt!N#e8m(h3C_)X4ahhwy`dl z&6HTXm^b~3zbEvMw8Y?NirX&l(QpwOxI7I_$fQ(cT5X5 z!0af9t%TPxV1Vo*tD|h*rR8*#6FTN&bKEqQ8KW>WB(d+gU zgpPCt+C4tUfbj1nnfNg!e&I>;x+=ZH1{{PTL?81_f%rTG=9ju74mzJ=dR8ysVI;5f%s^%nM$8ylbtYLhZ!_Tp=rYP=s#}EUZ9K4H6FMZ*qH>n zKNEpmxNeL=&dy09hn433xb#GF)Q!E?3&4_b@%8%7^TJ`r%2?sZa~~%hJyIxz5l((C zR5l+Rk(tuz;4s$^865V_)1-nUCt^>S2yTOXU>QOk)v~t(%U(7HDa`BKSCU6&1l25) zL`ssKY}MTr9x1HbhFGL%QJdqCN{HY0t)_8d`!chI5=9v!A6Gvv^~BNZ=~GDIzrH0L z3W(o$fq?FZ%&KUU*uAX>^D3GtMKiSl;sUj%Kj*D%JOfQ&`Bo$}iiBogNoc6WQILZM zt&uR{1M|f^O9GmVzDBo{kh=17O1K7^;;c!}S(AsdMrwTrX90SLoC)LM+zBoZzX6|} zPo`a%PbL!fk%~|T6-imTr6ewy7#vG3%oO91k((bWX8cZa$P|^kv#n9a1mXe}VT>Y- zDU~p$wK>9=2vIIb7qi3Bi2Fbm6YRcJR55{(+$>RyJis;^XF+QNL@|+ND54le6r+e@ z6j4kRZ_869ifOHjD5g~|QB11QOsJ1VyN~lAZ`nOt?`` zjV9*$=DCx^wD*l9rq-%=yY0ca(l8psN~@t86@Aof!>{#5qth6)M#EM)Br&((md-#D zgYW&$HT12~g^$w>i}!SiQ;#d6?-6l*fwv68h)_2iswV7wnua5&(UD1Ud+@_c;_pQ8 z9{h7cexa?9zoVQM6re*Y55+`h`->HsD}9A7S*UBS*kY20;G86n7BJh^izfDDi}_7c zpZPIJZ$NKE^TI?Zm^fCL>zlGDVW9AIgfLK~gboItX5fN>!tye~K+>J!fq{l+CV|0G z%R>Q!>4N+(?P~k1dRDKVH4>R##36o~JTLS=AKOd#4<~*JJd8~fNJeO01a=t7AL;9a zG=VQDnal;6r{v0FyjCPssY`u2g>`CiF&cr!bLhk0erDcR)FaZiyfJ358ecCsWeq9i 
z%GB@YmIG7Ck(YAgE9Lj*<@NO~4pdZ+4MF7C&$N`^Z!f3TYIJAAac=l?db$~COaFS- z|HWA1l(>b5p%y_hdq~spQWlF_!~SRvjUVssZiuA%+JdbP=8;^=m9zAh65nHRrV3Kt zHy3@!U&`;sKw5&lEn&i;7B5|UL!|`fYXAD?V@uH~DLN%Zr?hE0B_WT!qEqs@h(=an-J32_ zKp+rdd+_U<<26STMAInY-Lt8Pl;Fq&w#A^*_m^P_#=D{s=aMmfByND!oNUTr4Zi$` zOYkMyAc~4rY18Z@uSD&c^Gbx6k>qx50xwdGdAqJqQYbPxYbGlBdFe=mjlNOt~NHt`WUU`u8_y1of< z9$nu&O~xbMdum-$>(V~0OWEj(u5ZrW5!&A5 zWl&@=BvMimUEd@T5?$XYI-++6bYl%00_>Y_&#CJKhTTC34`B)*Z+diZVH*G}$7ok7 z3HS!QA>R?rK$FswAn-)jzI?8KVcVFLg`Bmc3gOHbMN4QzmhcE$9Tsh$qJ%4Btgoia zsLTeWJZVmL%tTt@dY5 z8G^I*yGM>2g^kxw2Hh$C2{w6sx4#^^YokMsX<>+Uk@>#cM23A9F{ZtTi+<3gXx z_>(rkegpV+xK4rR#(G54_;w_IHWOygDfXiEvKMWA{s$UZu95U5KTnOg zpV$UFQUvrPnHUL|#=?51Bu1n%@hglCNoG1EYLA^{LMkR z0!e-D1W0H5Mu0Tx42Q$^P_GQT#<0?AcgGcdP#aa+XDz*BjO(LDy|WbpB*j#;W~QP} z4yK~u43DNNiqZvfTt$$kEV3djJ{?;T7Am1D!p9l-im<%AghiNkrx=T{?U^Zy$l&GS zEFuYmq($5q0m~J}b6UkiiR#=~CQ=yr2L8!%7|FflUfOFir-$y$(uq}&dkIqcvkk__k<)faY>{{=K%*>9)^mmAauAP!t2o#u-o|R^y##K)JHeqrMFm zl!C}%AyVR3dwQIo|0E^*$^MX>;DT5|R|06(=_C9=gXKtkA!PYssS$1u#d5M~mJ?#( zu7&1=JKZ99PFy#VB0AZJ*scgWG=b?PZkMwzsuL_TM@%^=Y%!YLzhfvua}uggL7o%e zj7^SDcDFN%=_El7N~lh#%U$3)ArDF+JCUBBl+AWRT&E?|oj{%;z7u%%Gzm}K4pfXM zYJu7+7gv_`DI47hWOWX?d*mBXp)$EnAiFTT$);IMpphG*F(D;wj>m+2n9^*>VlGfV z6Cz!1#2362-rYn;gu#biNZ8gRGqK-7;h6P^z-*5uLcIJ7va~RNk-o$ED^!IQspv{J zPFEt2l~-gPYD1TQ!IV>Vkj3%IlXTF9Bw;yGgdLkF?7$_tAY%t)5e}XAHn-1#vqSuv zsRnPqn_n#IfHT&R=fy2C(bKzXv20lx68}u1b0Dxrv46+d^K@F5d zp%IN_$ODjJBpT9HJ$Y{LB#lNvQ9Fy~(WtGNN5daLrHC{Xkw&RR8fTj$(vVAXK_-pe zjoR7=DvdzzrQ*`?594OZG~`i;+2Xp-HbABkS%xChP-Gg4Ohb`rJU23pvvrYaoRv$a zaaMp#Ba}A7TJf~VG&+h*V=ZJF)N^-%cH)oVTt*Mlb0F04i_;S!)Cf1~sS#?h6L=!7 zT2Nl|?ayZVf?X2F_b3`qmcab<310f6eT=QPACbc9n3*<|3AVgqyChUq~YrN!0G$ISG3~1&I zp%c}}hy^Uj@1djA060a-eIdMCe32f_h)9uM#PfPL;zjc;Dn+Xm@ut;mM7;4LMnk!E z8r`IznDDE!S}Q75y;18$RlU)wZ!HAJ?E*0Xr_md?Ypvc{rB~}TDy>$tTj}bJm8m_Drd^DvO?~3|&7}UVPd9;ReRB#AISyYm zy|CLIpS9+&r4%HZ9F)Ed2>AOWzB|wti>l3Dj;YHYHwKtkpPo{y4Wt7+=q4`TSXGdb z2i+bK7A54jfwQRbdI4b2*#XY%Sj6-08nQr 
zH>fAszalFWmI+TGEld~q!GV|XHEd_hF|ikqd7z^Pwg6$hp`iv~J!|0PHa@bzNPQ0J z?jhOV=t0AgQN6F8p!ESGh)g^S0|p73YT9H{q7iul;37DuK~FmTJOE1uP^+X$b7NT< z>q9hR0ibFuonzkC*Ix6rqfc&wFMP3KJP>Rd=!QdtM=x}8DhlP3UJcZo5L|s+P4P6C ze}~q%;iY^;E^!~BJkLW{9 zq}@w6kf3>Eg9eZg0heqyR-|vy)+dwXk3atKtL%!avnx|NS#0=*#hSRs;IiAr6J~s= z0HL^LCK4aS&Gs-RKr|0<#`R(99vyz>md}^NW097_w+0BGyUU~dJ%iwZG8n*C?VM?f z{^%bCUC`;%FU_%xr(}!H^x0D4023 zeBQmSFZeY*95wD0zqA(2fkIye(dgK1VKh3Kb+|6r@rhY4hcm#=A|bjzkf$^`4g%S3 z!COm2xr5}Gv(@a@yoWUgl-zuIW!{@hvIRVGU;kjE(gau*f7kc|f3T+57ycgjbODP1 zsiS}Vv7(Rc-CMB%XuJ@F3Q0u8h(ce;#`!g#Xw#r@+OKE={A|EX9Xj0dVozTga2PJ^ zp+EU+HZ$ie3uqQ@ihJ0E$Hb5DD{$uczXQh>-h@f&{7PTGve->eDAK~0fsw+u7x(wJ zaqo%M?P^9%bW(fTvT#cJHYzQ8T`n;+K`M>!4kpl(&;*7kg72a-np-2VU*Q8rkQ1y1 z%jib9wGJ{e=5NqIsb6ZcwMmEgk9|vwsCOgb&3ZH%g0kpae{pgmGRHR z(K(&$+Qrn=9l&SlSc5(*N$4h!Y_N(UgTs@vce)KQK9clTdrB97c>K!s z;C&Ap5F6@GL;_b`*@fK*)Xh~UnZM>x96*2ZaF##U*jHNcvulTWzrLI5h#w}Vn7oEj zbE=g4GTSvQMP6{Wne+L2^rh6{i>lTpyFj|IY*9Yma~HKRx4gN;K{!_6$U6#cs1Cvxw}_Ft9K_A$u20+(^C!T3;5zv~5v*w;Aw5(W zz;Ot%#NqRG*w{JjXrTj3wa19P;>t~AEO(UrcGI47-dWl`lR=@sR}R63@gqzRBvxf2 z1&2!d^broAG<$^?R*(ZfFTB$cVnk&TKLl#Ytz163VMrQYQR2Wc=#-qo%`6a@M|!A4 zp}8Y}HC*s!@J0@H^$9{RH9AS)po#tvj_6@K01mgSaKcwOK!l1gZ%*2@*Ejjn{ir*W zd?_({Je<&Nuh^j=5o7b7kh2AESLQIW@8@7IPsjy4H~b(E`W9qY!_Z7Rop6YWn4`)d z1ZbWl;UO@`nuSjQuU}vGy&@{tH+|aKgnb?Rz^!-WVPNpouahB~bdJ}ukc>eGNZw?N zGYw;lRjjFsH7zyPw6nQb(`acf7;n03pyqvuGL`jNs!-GLC~h{~RF2Wl7WvfKK)7jS z87kaVg`28yQx$Id+`>&e>k2pRlpAi^DG+WNN}FM=cv|76T@`M+mT=Rb^(i2=nHBb& z0#5w`^+W^X|NyR|DZx-L)z{V30G)VUt2rlL3AI6oE z8>ei3uOd9)F@|96g`-9>_7mxXgAt>oXW*2NM2;o~jl;V=2X=_dVnn|=U3^Px zpC?+Bw~IF+U%2RRYme4st;`v&`Qk-Xv?i0L$~6nxeDPvWVm3vEyq3_-jFFq^BWf1z zB#Vx!!SDg$GwmNGp^h=}FoolBV(J(SvrHei8JB5N;0@P$Dq8c2Mr(?~p&~X_#O5Ye z4sC~)j$q8cI3Fajo9oo@zNkxSXr*T-p8NAj2(e5_1(0?%C>n<;X0xl2n6lU!-ibRM zw^`6YlSFT_924RCX(nm=%pXQ?7L zpK9c$WHzbTO%=PTVmDRnX0F&x(SlIXn<{!!MQ^I;%@U(G{Tmb&zp3IkRs7~U<2Skg zCUXF1)`UU?XV#=%2&XTlis4i-oPLlxIM!lFrc=dqs+dj{)A`(DI=kzN>Fkyp 
z)7dQ$(-}&eVXfFeOy>=ig`6Rsc_YoDqZftV3CA7swfL5aX-)|ZNKn8c@lTc20FJ7` zWp)*tM!Q`Rpon&7=rey=o^|u%ayG@Zfb#tYj-aji{kM28;LC4L*>4&~3!eD0mE zgX?&*8jv&f3k=Ale^Bks zjXe71RR7jjI{;%78~YL3B&nAEL9fo7Q@+dN4RAidY02Dl9CEAQx8ygC{)#2w4L0b_ zBpri&2j)JnG(d&IT{{c+Xw|J|xKB+UX{=8eNM)dK?0lF9(~$#PFgSj8maY|y zSaMUK`y|Ymgtl;Dn*=*RcXn0nJB}>EWq;Gk3ZH{~Q_G-s353^3i~A>?)v+WU+Q1Xz%*jZi~^g~wKbUwMj`I}M?VP$a$P zi9#t+m3dwGE9_qE=_6L$+ZEk$oH#^bu zy$PKS{WcQzOqv0Wg|22|2HP`4eBrEs(OyC#c!l~AWWrfZp>1h$rR6OXJ8f72RE;D22x{F#t}$8~Kpya6;iCBDJzXuPmOiR@J7y@nTcZ2{?kb?4D@+HSZ$r4U+!}-_&c~N0$UqrV$;d(WYKNQ#EhPEhhBR zah^Hf>t>9mVET)61n&pzUF7@k#_gOkpvlP6{88b<>>PYmPk>y2aKXs&o+pRbsP@qSrIFl)>0r-ZJJnnBEx*}1=npgpr=U>7rejo+du-F9$fX`jR z;cMV6LdG}~1`=V=TxE7dRO7@YE!0A~Fp)7hxcKENNRYt@o72!#aB*@M8`Pu{Z*Zj0 zb0Y)OQTJp0@VMF+AG>MmGCy;~zDS<0_>|fDkZD%${~8+Ih-`GDP@^02MmKh%(ap$4 zHw!hoDQ|RhCmP*~Y;>zoqg(Puw|1h@?Z`&A3pKheZ*+Sn8hsYo=(9qNK9e{4Y$qDs ziEMPIP@_BYMt63i(cQ>KcMCPTD{pjnCmP+0Y;>7Tz^&ZCbhTSBt!(3*&wiIwyffA%4|+&+s*m)&8sro)7^G^ZsDY0 zV0{uV*Z^c{ktX$uG>N!?(F05!!>${+ND~8D6%H_Y1i)T%874vpg(J!~89oVg zuLSktzQm2YuXDuS;6HlZQdS6y7IhBo4izb!w)_Bq4vW>2vh@Gw{{;X2e^5&S0u%rg z0000804J6?SslRS{t^oS03<>H02crN0000000000000000001Ea%Ew3WmRcJWoBt^ zX>@6CZZ2wbZ*EXa0Rj{N6aWAK2mmLRIaw~0&^;``008Df2>=lQ000000000000000 uM+*P|ZDDC{RAp^&Y+-a|E^2dcZcs}F1^@s600IC40E7Sl0HVtP0001QwB=#| literal 43845 zcmV)cK&Zb^O9KQH000080El)tSyMtB zX>V>WYIARHP7T?B56_L?xrpS)Ekc~XYCmKVbq!7O~iP^h2tc=gTM`)5BeF&)ats#jZJ93=b8fhP^pHVly6d!)5HfN`>LSN8Z1* zjQ`>cP*h0cKrn@(UU6SZEoa6XS=KcM8SOPw8rUFhLsT}JP(>qVfCdOY!W($!%Xr4; z;GVl+Qm+;z_)-^G|8m!Ojjj6^v>|6q_+cj3g#xWG01>3m(tOl+C1KgvZ)YA@B{3 zYbjDR=zt)v|NZB`C0YWZ)WRy1C3&=u<|@-R$2PD{oTyiVb0!i z_oASWx)4-m95T>3qDxSpTwKL+5fiR;T33Qz0TA_2=RymmwWZF8`y^q?Pyim9jh^9} z6bcPUvg){K)n6WJbx|l!GSw?J7K??a^1)fQhUk|*=xd$1kV*ua2&(2x8$4p zXCT8c5HV-5k1M7Kn8H+|I4Gr=pDJ#a9{FWSfZ;SVB0=zLgcpI3!N+Sr>@_1aH8O%g z2}nQ5kp6UpEb+pf~v@!ft}#x96~%Mr&*RDu&f3q!4Sq2EWU|mB!rkd_Z<~4pR-_BsNKq%&rkAMh;~h14w}ZlI|htsi4bp z^4=30dMBtCi7+bZRHmi|ha%&wWCg2np>Uu4o2+sv6VvUJ%e)duzwZpHvY^vxy)IM* 
z1IA#wOqI`0^JvG4a#157^*Z;u0GNJN*41GtwkC4jJSvW3jcBf6Ne_!m1NJ~^HD{?{ zw=ipPuq&{h)-ItXoI#P%PL1xe{C!h%m5@H|auXD4is`EL9vcE4KqO4MEU&-5hg1y8 z!JtuTjmuX3f6lXNEeasiT8tQa7Bm(NI~lz#^{;7TmI-UNM`@8$Q?(TDUcW)cCU0u<^`n6kp-m)Fa2(rI-q-1ggjY^$Z&?ys0 z-HCuiz>83dAnTLQ?V=D$y5+W3J^*n6c2Ns11QEE_G8Q!$)KH-B1_NyrbXZ1rh6oFO zrvjGQE?Y#CUIxKl77V@ZCg8XG-ZhdBNKV%$FMcA}PlE*AGx7vDs(cLAyFVbsyH3dU zfuP3?i!2}bG|;SIv?B68K9 zA(O1kwo4E)Ljgqul`U%iWuQy%^x!)Kz8*p*60(#jnFCmn$|f3Yp|ejiW9>9*Sv2R+ zZv)|KGvkrb4Dh|~lWl-4tTNC)7bArtmYr=ODs8dn^_+%fH?^lmS^T8OL6;T(eNm5F z0juxp_^$f67GFyS-%R!W3h3E%tD|l8vIf4J6sMwS$z51M<=UpC#r@`sIC1Z@{db;y zzqRR0N3=iMTv9a8WP}Z$CaRL2GMaOBdlnLQYj{A*W`x*kOc8C|iQBg`*!fh@+QOhnqvu z503*yZ6m)!3_aZ-hK^4+hoGmA13^s_zeD`|xIz59IXl@LfPQ=&0BYIz9U|!21`(7W zpp5X`g1k&)y8-+~Vf5^Az^Kd62VyCri9IU}b8giMQX4WIyCPo;JkK`>o>x>XXyx0D zz~}knfKRun_XSXtbNl8%+G@YO?MR?Jlj_{59d(V~bEmdT(t~ztJC(cJPHm~vH{Ypk z-iRsmA}STQEgQi%K3+ii)V8Z{54kMvn7!!GCIcMKOBK;1EX+BJI5819nvpcw8{?rt$$ z>hvgLxZLwCgSI?);qby5hDR_8l6`i4io8~S$nc0Vi{VjrO{%yTb;fi8>M+tfe?2q@) zYMhH1SK9RMdAbgW>OJ6ueZc;JmQ5Ek>=Ah(eo;wo9mU(@^umVvQM%JGta#|vDXRMp zNYWuIzqf(jyxF?h`ae)h0|XQR000O8h;}$xbviZQ>7W1rLe&QV5dZ)HZDDC{RAp^& zY+-a|E^2dcZtQ($d)qp;?)Ur(KAO2>XUDQE$u)Oo&X!xOxW=-b{^(F5Wih5mg``}v z@BZ%>0E<{qDXKVz&Y785LRkRT0v3RGz4+^uqLlvWcKiB3ExlDrea{=ZZz~o5o7I78 zskiz-x4c#L*T~UVyY?XX&8^hdsypSi_3~P^qUl4^euC+)^uf?nJ$?0uYg_*)t-$iT zw&j7JZgj^rYztOXU0s9!=l?v=JylaZSpQ$(Z}5#e^7^&|6JF|F+tGAQIUISQe&xc^ z2Zrt_O;F;kqk5n`S1Bv*XgIVT?@uR4-b1OOw5SRs!vKos!a`fNIf6MAFA!Gg*^ZK` zss!@=jpQ4ujtXQ1(vKxH?JlZ3`UZUGJq>kOyz4oJbsJO++h9{yuPmd?}P2!xkI(9mqQ`{S9$0g-M(VDil#fpJ*cwh*aMXOq@hF^N`csaqyPOo z7@TZ*JpG#PLBW3d3e*x*w!Czy-y&tO6<>`NH`I@CNPvm~9n+yAKxKgq3k3yVn|c@i zYiVVyD9cOX?@O;=e`hp0-d1v(h}y-|){kLbiUlM@>V9J1Dh*3DpFE@Mg3;4~b)6br z$9C z%b@s-BWylY%usrI+iC^2Z9$q;FR)4b_CPf(WzTjT-SlmDPOVxmuvJH@+h2q>Z4}t1 z=EWkkXtTf;U0TV(N#}rbUh%#(Fo4MOjlxB?bM>sqIJ1U{TE+At+fmxDQ9;W~=*y+o-=kEa199eeU%ERo>0+L7eYLi_ z6DA0MZ))(Tq*&F>wT;dC_U3wRV|#No{H^W(*mi^UJE|g6r(b5g8RK7KZ3#v9B`-J6 
z_u2=R16)1mO~>1YPY~A1EG8}pHE~R~Vc;nQ-B*R>)K<6BKkxb5kET}TmlvNmE@UD`fIcu!5sHE#Q!TUlCRi#xQH6sxtZx(hLLClynh5`lK&hZx~=sh(YM}0y?!b61RrLW(~Mql%f6Y4~xujOboz7VSQ*Ra-KE6n<9 zJl0=ZKwS~3D8rvFcRBL1!A)oCDnHy8O{H+2!=`~H`R=0pAAdSN)Brz$$lxRg$jEar zHrVF1K{YRUmds&X*klCLA{9w7EL;|{S#7e+YE!fY_!6i_wTU&V&BBaolgFqw7tp9S zIgM&_VU22&ZB(07qiSAom=q=v=|B=&9PLmtlYwkZTP$PR5|bUDpK3~5SX0_6%#^lx zOlfNYO=*kMl(rVul(yKWv_&&p`kTf(Ix7!#pDiZx+!kj-hEWlr0I;^PaT+S4}H zp0*3Kr)?g4+Fn3=+UB&U?S-|cZMHpaQ|+mxT3W|`j9n|0uN@PklZ1o>t0EUmF)Vy0 zvTg17wpAnA){b~P@MTcVYX@syJB69o4v%^5ETDPqaGKZ7!kX6(+q`zD=CwC+J$nGk zvvdfO!02N-1;L;&1yL+1m6~!5y~bLf{1lu*6LQn9qSr9uWv+_XW})9^SM08MjZ?vs z(sOFK+0CutXntu7hi+OAIBs*-IIeToIF7}kx z2+DE#z{){_Ot34WVJPUiDF#_*8YC80!P!VcX>_y1BQ2`MK`p9WSc~c+f-S1NXp8FN z!Y!&Cc#Cv9Q~DRI144$$&OM7jVdonqq?{-jVcFDBi+t0njwyGhq1HObb@g$S;Y-yM5w(m^z368Cy^?Mj#!U| zI82_>xvV%#nAXe%wEobcX&hGYxWeH(`YWUD+58!W&7rRko!t5w4trK#apGsxHLZ_S zZLP7j6|*hj)Kc1ZLRd>{JX$)F{e+;FrneLL4yI~pjYmuK>_%pzrMS&VS`VpOT4!r1 z##i?dWU<&ovZm5JY++5U^JwZ!Tx>y2O?%k*PNr&VokvsiIOwy{RGfdF)orDNY&C!ww7WruGg0* zTxv=KsS2y97r>*j;T%x>q|E> zM;qPz2gV`yV785!vdM_ge;HDf+D5P=13RZjeaTnr^XS_X2l(KB2|UUV*Kyr*Q@bA zn;KYC#}m=ms6OhQN@(@4jMV&}oEFN4Wddo@0`2Rh))*RYCCQ|9UrXx@TrRThh*cH; z5tBLgbDhx#3cV8)zFtT#gQRXylKp^`AfyUobV8lh33W_nq8#xBcZo!M3)-|~eWw;1 ztt^Dun4C4mJe8Mv3ft*Ws`vz+weRd&9ey(NPj>B2UHNC{ob<{JC)*7$*=AEl{g>## z_>`FK!}PM8_Av>HhbhKWZ?h8|`lWAZnr@ZDsU}<+;;o8E-e?)4u?mM7C+k=hmXc$Z z88=h~Fho$e_k@=`9In=r3zpV~3zWvvHFl|Zk0tu~D`CR}XMwR1rZkc=!N;~elh;FA zlG1hnKi@O0Cpb2--su^Zkz$2Tq!9E(a5JiJS1})Dv%IzmeU#AD#!_H>lt>cQ?;?Vr zAi<&Sv~{)HC#K*i1SPsq9anF^Z=IjDYt)obYpvnPqnC%$1)dh{$3G3A!C-hpd6!;e z8yw3VjRCz9_JC)_*SOL#94_1^V~UtE?+k0M^$Ye^ObWa61K46QQUqmArxzG0nDPm= zm{uFLrl=NVdhfv`K(2^VP^ks>UepNyrRu6K$B38qKr$YiX3PKjZ%4KjWUj>#s{{Vh{2CYiwK4gq_V< z9cvBv9p3gmLlrxwEp6zrGFcPTg7#{|M?aGYttx#-@5MSq9S&EMhd!t`Oygb$K0nypn8711Wk*MMFhE96b#8SJ6w>aPs&)6R z^xsSWH)S7+xEJM7nwE0a*E21-upLh||6Ni4E0+MCk6Z#sIe7gs{$=6L7!H4{MFF=; zPGucfD9cOEX^UriU;-7kJQFN4qhZCL*DHVirCabVvg^wxFht-}gP~m(Um0Hi%_|3( 
z;vN3IHp&ub>fJN#k(L>^ObX_4O04+H!*DVR9EtepTkJQHGOzS*--jEZ5(Cfy#X}jN zLZClYO*8zX@%?b$<3&Y+?&g;ybxND@lA@E^rq#1iMNtlaX!)z^8M>*V1{-iZ_Ebk( zaSZov#WbwD>`^+g9Js>^H+ZnLD`%v0F7I<(L@4I+(svZ}u9?a*5#U2M508qtGXUMa*3j^ntK zw{rGLZr4B0EbUuv%n0cRx{Qknctpy)BS9&PJS2s2H!toiBHXmY#>)dzxjPn@Er(;1 zQnr`w%uwg0`iq;AUefXCp<(K1;XxB_AN&I$7v;eyIlY|vpYznu=YzfAW6|u|C=W&F zZFUnJioz+K`$&|y8py-YWSR0X^kpB0Muzgzw+_T!kw>7oe5!eCJ76C%kSCzx@B zJf6)Z!F-Qr;pBkkhRIK6d5$CsJ(<0}Jb7`aAmMQVXuCX@m78;M*>d<;NnLyCz7=&+ z;<=qdrTjJ%(n~s)MK5lF{u+V*l}E9}^m4X;&a*w2)AfQ+V$(B%+*K3uE&9fF#65PC zizT2$a0~0Wqf?RoKKu#~u41VJ?gXYD{J~H6xo|m-w8Hp%iJQ!c~i_$S&l!7*!g z<(*Y&vne0_Yrx-1OiJozV(F!x?F5|A)SYw6X+W>g>DmD#B&W}Ie7&CbjA%X1)7zw; zCijB_pMM%a67imKJ91Q}PY>6F?#OX~Bgi_iC^`C2_l)rPy;|V#g^F<)3?nujA$z*h zNloBcDHAV;&_<78dEv$=AsXWfB((rAQs0LUs{Hxa?a0uU!G3~fmIbO2!syYOu}AaUCnnR@#{b=yIK`ot#3aa0P{ zXVdJc-Mh9A9Rf;k8m_k&e0%MfRQ;z>iE|v4h#Zeh{m7AQ$+T8R2N&Uhmcs!h)y1~| z#1`nI-s!{V2Klu#^Btx}wu$puQ#4x=6*Vy;bbU2~w@?=EQ6`oC7*V1XagFoaGm{rm zF!hHIW+h&ip_a^9@CEM%v!sr^KCG+D_Lorl=usiR^IN)eZ@`WVUbe|+zT&=K;$Zc; zDlPjZu|z`((Oc$=JNXrtUNmuP$B#be#QBQ$cS?WKI)Zs1E7f%z4`c-|{m>rB66m5# zDFwZk#d;+PG>f##gys`}Z8H6W-LoGT!8y06VF_LbD&1h@WIk+VxbXGLVwRAxw}Ey5 zSD~L{f^RI)jC&oIDZkd#XQDOSPt}5!s}KXg)~i|#zEg{Nsy50I=~p4IK1VO=!6$u9 z)%BLas2hoQg2OjVn_3kWn|Qf6KEw=#0)j@@TDUh-QTbTq>4pz0r?a-hywTIkq#{B~ z2%C#bbD!@G*C4mQQj+vFtUtu};kVt<*+vr7hEJS$C6e@3FU|^ZmIk~un{)t25=*&o z^nsx}3Oot8^(_H^vsTgvs$pgXMc;DE=#GX%+ac{Ji9)vgY|53c4j94(HT;bk73+#3q9GjW7{JMZ%~5{5o*JNZ|=9_E+NJ!csKfr27hp?3u!k1*czezUmvU z5}Ji#>cDUy%vA9(c+AE{Q}Jv?M`bI`ixtIx3}HpNc1-183gl@}fN{VLg6+5~O3xly z8u&(urY|L2X_Rn_4U+j!M1u-@wrScAhIOl;Y2wj)t6UoHozenw=qvueFGoP(6cv4uL)uP9IU$R7+#hvNV?9j2iL`gNyUO3$$enUcV8`O4eTwQ#t;YIb)7n}KGm@5^Cd zo4V>)tK%njVK3`edE{0iDYAR2%0K${L)o*-w>mocK^s-obYCZ}`Fpx|fHv(%4~*lw z2VIFM<44F9u)6y4N0tZLqicqz3~WtD+T9KACiIFwp&P%z_n^mOt}RN3?#mQcz1LS` z`iWi{Rn*~7@o$_LS{aeBjp1;tgG%MU^gf5~&Git>i~5z}uNA=GS}(6{mDhHz*4Eyl z|NoNKV?DUR!i|wJ%(_AF7&Y^yX1UIoFg){f&oK3VhOj0rfAA=AMvBTHo?Pn*%4reAKtBc-AWA4eCQbToCF3x#T9e%oO|dltxD@~s5YTpe 
zii&;a*olUww57jjzqH@rTAEXdi@LDe!_raiO~a_9DTA<$wtlETqt= z6<|8Wx3;!gpJ8kL`31CBSG9pZDI3YrpGFJUXV}6c&?Yd9>uc+vk?zR!{DpVyIZdO1 z8#8R+uG$6e1RO$3gO_m104y<@{a{rf77#j*z-xn-0Sege0#9Y2LLX8^IkZt1`YbM3 zt$S1MlFb=*NelQAV69i+9xLf*VaqQ!FM?;^AhQOdXMG7ZVmM=9HYeTRq}uwdjuLC zkSFqi{S=ti-SgzDVx_P8BWMg1`Eq>ag}?oxchJ&`LO76py`n5pPGrLo_suDFsg|&% z@t8&qKI!Z=eQ=Y~@#yTgVS>zM;HJW9-ciEugF}{JAVOzcsjt>ncjDRzXZmosQb$gu ze@5u#XdCH&v+CbeqU90YuA_~l|C?K>tyOn?t*MN+z+oM$KU~}TM`EtV0Gud>k+}(_ zp&_Elg8)5FW1Bd8IlBv_!IV>rUkZ!`z*hXt%wXrtF2MSU2hYU+m_+Tw|aa z6gr$i;lnd1oPY);iD;mYM)qc=)XugnR&)BEncOS&=Zo=3^g*502X%TMtS`J~kO5kW zPFSaP!a621QI7aU>{0}mdFR-pA?Sc0F=*40^_^O5Y8iGp_rAxaeUlVqbs*ni% zDiXncsR#ReD%92CNd?dQ5#fy=7E(F_7DPkE!T41NxJo5*TnHJ+s6!tMo=9>vV5Xvl z$`F%m!eM0bSHT#Vb`Z-%9K(3HlOIaf(p9J1Z-?Gk8~O1rB?6m^NUQWt_floHJ5TNA zJ~fv@0EyG%+BgGQdC3h#Ne%Ll830d4n9hJ6tjOX?6QL~_qyEF4Wm$zIi03RYz!n-b zIMhBr5I7upl&=kWXY$4w(V`Rfl5=I-=(VFUXd7w6Et7 zfRi4WA>teSzWnE3;Wm(y{?Jq1yUPC<+JBZ-xYvi*zAPOF%5wnsA@J(4H5v?5=ZSMr z^&nf@^|M7S^h@=fYpo5hv5DjBr-}8=$iMcc<_gkqv!3yodVW@}$$W+Ey2D)9K|H(fe^Q{CSJ_cRO>6$UZgO9WM(Ci0uongWTuvt=v_rz7_nq}O`d@IX0YZ2CzZ`L=fxU~e9mRv)ai^w-iZ25py@F_S% zOkUYwOTs_LUB$BSa%KrIEP>+VH#1QrMM9srY5RCOA*XHouZDVVv+p8pw``yarVY#KM zt?~`LAFsth6XRdXwQ_Aj&xCeFKs^NFCpT*8me$_)?|kRaY?PpPVo0u9Ja)_BO6fmG zs>x!iiBkVbJ)Y*AtGI{-na2@R8ia_Mrk9TkB(73)A|!4trJSG6Uuma!NE^7RrN6*B z==-7Hz@Ohrgmp9W%1SFRgQ5AU1^h8TW9Vst>@YXW8S^tCN*hz{=w^_uYlG#(?dr=M zwU09|eaHGUzgw2U!- z$Ilq}jX_6>IhuY6X?IOP6L6lMUnq=k3=5ipyZWv4&0_KUmioG?(XR7iNl)zC^40hz zDu$N{`@+BOnd}Xgxn8WObkNM)u30!vXUCqJIy5Sv4b*WclmUi|ln{S4$XJ1QsDrNf|9&GbF{>f>VrnHl>3GT1|Xui2wlg}SQ1;tAkqhiN+uMO zK>lK*)>9c%@2TLMJVuCPX0YsN8KH(@J0L>vKDl7W-f&&x*2?Z*($t~uBawbmTUOo#F#fjYK7f-AC`_Y}whPZOtx*d8$m!Fdur^0J#K&x`S~sAlc;RqGa*M-b7h_}5-BmJei)ktEijZ?*2DB1Al$c8unUWuuxWW<{SBVO$1jYaN+^t8a}hYeakY)EFnsW1b+P;3Z& z>3#Mv6#PPr1)|IdgH+HBb51xL^YZx_F;#LC?Tw$Z_k*~IIXDVMi8%Pos0DD=gAz_k zWhO%1vSD^B*olN&{s`dP2SpLz3w33KT?lpy>qDvFa*gQt>_ zW1>p@%uC&m4S>=8=aKg&>FD{SI}sjPaGUnMb;vgpJ}{Cq{xOw~7dT(;S96y@b~N;RmMO?N~T 
z)uzWp2g!3dcs_9wd=eg>)r8bFjy^QOY_R;zn&e+RixQ+YLY@kmc)qWEvzESngD1h? zz-Q?-`nweTT?+oT{J*W>PtX6;3;yi*e|CaDd;XujWL{?}B1wvzMFRg2zr*O4hdhS) zbY`%^&!H3jOZ|P3E)40k5be|fI^l%bvzdWG`K(L9+v6Y`s&hX8*Shpl_e}N>cD0zNkdhP)A3(Z=hBbVZ~U|(ls!g;02^f3xX7kUwS*dKBV1f z@sOUyfnc=W;A9Fz@LR8~-^1k@hMcen_EPXQM(U9N3an15rordI+~twiJ+mK{U#}?T z+IrqMjPeiUcua1>ArTtW%aPUoInte{HrOM#O#}2E*j0~AI{lphpB-gIYVVzVv;JRj z;t5)yoS@-5fTQ=Hf%>>SHW}~r|5Fe!SxY2}yq(yWD~ft+FITnKv<>!rxa!n2Hfu4t z>X1I{<06-1sbL}x-kK2_;C80R+!z#v-5N5%n57MVuoP~up1pFtZ5yc%w@E>|1 zi8DK2Bt4t7?WAsQ$kqzjb7pZn;i0>Sc)wa+$7A^NI1K_s z^M&%WQzC%!YcQ+uXFOlwViif_U9_78TLrf)z!QfrpZfbE%BCD4U{R_A3$~Oa{3vwb8ku2w(Ri{Yt2wQA#7Vs;d?cm$)>xI9&Kt7~i6`{XG$s9Jb~_&Kwu*Q#3KtvUz>2h9r^h>OxQ9%tLadf_cR z1UDI#o@?yjIFtD2^ayuo;GhqEVK9Wf}!DK>jO(`@R@Gr>y)oC3!(N#^rp z!WJQ)l6_-1Y&Cle#4X_h47&HWYSb_8}EV1qJHJ!M&cRKYmv zZ?`tojZU}QEpMqC-SWC#@0C?;W2;=>?C7=HdUsu`>91Gg1))u22X1vnz?A_10qz4K zaKlwPrmBIhCVipLMNd9e7Vl@pyv@n2EKIa5IfV&YDZnYrJc*qg@PIqbe?}axiw;%C ze47{fy{mfNemfvI<&q5LAVb%AB00iCF_nk-rgVAeuZvf9I7u>cj8BC2fG?#3dtzo# zB9hlVu!O(^zv|i=87&pn!i74I(kIa8r-n6R#vr3?F&ui0k(y3aKn>(4{zeS~v$Y`7 z7)`>2gaVK(tQs>pm0LQ5l<;V8ka8mRg=eF%tUm+u+JzxSufHxKh65^pLCFmT_4yEB zu3)kuhv*S{4_`~k_bS_Qx3XPsUjtWJ)xftJM4Q@<+qQe{J$nEq(ShOW?d6-=>-O@6 zzY(J`ICBTM1?^mv(9nqnoP+)ploNI>8r_gT0(Jv~%`Ld9a}i}b?tU+qWzH{#J@ozB z)x`{9j~r*nV=^OT!7-Jwil|76u9~$YN+nR_0?qbHD`SFl|N0M$nIwC3=*B9$lX@ zdKB|gAId3kmrN?6IP@r~28kY(=uupv#X^sg5G|a35gmPsz={v>JXaYXwLlPJ2cAbm zun?x2FkuRC>Om!0&0s!R7)#7$reCKLuT+7jmFYN?44!kr@TDY_Y_(jikx{ZF^b@96 ziUx4rGacm#wGovuAxxCz6SLZt^{!^ot^hDPG-B$+(YRNnUnOiUnJ|Z|F*$6FLp$;# z*wWGpAlTAb1^lE}arJt}2(}H0U@IEIwr@k|Svgw&UkZLL^9=Vi@oV@_o(#Pf7YP9k zV2)Wp>smPB;)@tB1}qtw$^?Mzg@Ft=wdV@>5`0HqV!kBiD@q|TU&`z;Uwmwz)27rU zL7B+Nj+ya~*4Bk(n~3f+ALuE3Nrg6u*(XiH*}Cm7K-4Utf<2TGUSsm$O(a(z>73Vw~o}zq4q!vzD*Az5Q9B$sRHCRfV&@_x4aYrjYZq2d_|)X$N(awEfuA!N&Q>S6(+aevgpRiT_Y!EB z%uGHsLX+s;WEPflyz*AcKTen!WMT!OGT0OcFZT` zh(!0+>s^{iyV1(~z{KmWpxXlgrx z-WAS#M|~!dPt<{}89gJ1Mnq8#c=^$V;dhR5hN=hAXa1?+SIs{uhlRgIAadnD$`ZW_ 
z#xtn#O4{S8-*{x_a))}i9lK_$VXv7}nZ}D;pp5J+h*7E?#Y%~cf}eE+CLYtzn|)BT zMt@C{xqk7!RU96tg%e{cUXt0A@DP&kWS{`ZeBu}!Wx>6uNV*b8L9Q#QTR+_O3=TS* z{!Aq-QTU9G^Cd3s12V=`xPXuJ3bl=SUR_{>-2%LtxR`Gy_C|1?uJjC(I@|C*n;4Zl z9Cd()Ft&UY4pZ?Ls&=>5)+`s@mb{?ot)x28^>qr5flTo!kl!e5YgP||q`vtLqMYU( z)l*cI6({V3T<$`|SWP3wi8-I7>RI#vC(%i4(W9HhCuJF>v|v$68&i%_$^iI+oC45c zQW3>PDUoWBQA#pO376=3L@9Ck6?_c&eo+d%#8Kc=-kfCls*8;$Y9_*+vO!2Ih~ZrW z6Cj%TmEp)4+OF=dezU$=NdW_|1M=wea(;S!AP*vm_iRY9XjrbNnkM-Bk3WE8J_7%K z`r{Aq3xpblzd~+jFJ7~Fu+^dAxL#OZg4doUF{w`Fg|p<#n6pHNS;n04?^zZ);tVQ& z1X#zdbKJ!JaGpZU{b?n^w&E4(R~cHCOqjzzoIJFQsoePk%hIw61eT?<3b?kf;>z`m z1IspLU|G?DWk;&pe|ceLo3jin!*#I?Dw9EFGN?=jl_`o0Dw9EF>BN&oZpo;!L;@LA zCZo!xQx(c8qsnMf%BZqJ_OE5H0w~Kr|VMHlYfou zAb&wl0iZFdh~fg#NHxenG#QA7OY}Sf(Kx&czA!XckPJeTL1;1vjV#X#3PR)Et;i5G z8G<&>GK~QVOi&NmZ5C1czC%rdr(pyV>PO~$riN_!@;ZB;@l8QSKTC_~$b z$z^Dp3~h^LmZ5E#dSqx@5z@)fHW}JR`pD3>ROK?XO@_ARs;!XFHp=OX3~@slWQZFv zA2Y(?ly^p4wPw4Tqkp<6G;hp^6zxI?Cgm-g<@W`;X7ai7S4DZ*=s-`*e*|cJU z)~YgQO~$O@zb77D$(S`6vnFHKXfbQXu#LP0z1^+JP&IOI%TToix^bR{BBs8Pp=yL~ zn0=@k2dsr$rVLaIJ~B{E2C7Y{0xvC4ZEMPbY8h}~kW&DTOe&(dKs8bgGEhwhs^Jnn zk3co1Pr(I9#=&yiGFYzYV7cqdlb07Qw>`^fIZO}Ba5?!_n~Z0Z@ob7B z$Qv2lE#mqFJ1Jpr zQD$__R?y`}&Pz+?y~i_(?qmkj?Zaa9cCawFVRY+=8nnp+Zi%n8G{6uirX?jD1LwvM z2q!~Y#8FCoP^$xIEI_f^<@P(>YlD3ytBaaqFl1uzDtvn;(jABqML?zi zhqwzdqYx+R!|f4rc5I>OPe+HF04)@TiX@#6@JdZA{WHZ~!2?k);FTV9AH+lvK_*O% zNl!+&Y`<;y?j%D%^G^{r~zM1nP}Ru@`f|;{U4fM z8yXJ^I>6$>!u~z{Z-}af_UHBWc5h^wZ3hAN5xlzZ4Whrl|NZaE@V~Qx5ewK5N9WuiG>(j~y5x=q1J!v#vnQO9U;kaP?{xzarv}~Lw>ZKSFw)nK$(q}klQ;jG5?o}Kufp*5;m|bv-;{~HyV+ttt?5$H9zmitrxIZ{nG9y*fL19boG1jHc> z*1?i#3=H;+7Omc!YpgpUW1!n3w02)yRgY$|L8EPD7iXV#jVLC_{vqKP^0|MOXcKcM z_? 
zSc3PQAN5Wj0?PRnG4tJAxgZiFLf6+qs37t|oiH+BV~?4oa~6KV%j$~)Dq&p_YKdVc z5y;+02e#nl0_?y5OI5f5EH=qS1{W!8l(?eE|Sv)muRs#U8uw?h{i)lE~GMY;6FT_WmFwa zu&!}}dvJFN?oJ>;aCdiicP9jQcejnZyL)hVX9FA8%XiLM_s?`!RsWi`rlzOst!LgF zG)8ChwWK^gb`$GQc6v}LBhAfE1cI>qRol+a_vbv?l_&}vmB!3$y{5y6&m zk&_glCUI?PA$@mDXI5yJm&Pt|_XtS-Ko-|*o!2sz{Dw_13wgdA(^9&`J|<6(V}xQu zihq)RYB8XV!Av10U!$}8j;6K0B11*1l|7%;VaiKbpNGaW}|W|2mCfmElAgW5C@o}6tvwvmb(0= zQ)G^h=g}?58T);faHh|iiLmR+&El2P7<{}es7H5tZV<*l+~dz%+n8@_P}9g(jWU8O z1J)WndnpPX{TS5&-ii>FGP1lAVyAFoc;WEf!s_tomrYv$8AXqzt4(GGhvTrgOoZXm zpVE6=@b%KO+Rf|iq83tFgE#36gB7wr{iaGF1doag6gn^KypZP<MJb>qN7!YA77mIGUyCg!ACX9xX zN-=1aEQtRO9e}8T(AH`R}3`r<@(1Nok46gIk>@*Fro-YHf zq^9uKBrCl5djS(`0Tjj-0#q94?Cri1fi$s(LkZ5%zA#+94hpxi-H#Uo=DQrc>rI<}TZ<9JAGR}`bHzrd#Nj8w z(xYn`;u6Tb{VHvL*Dm|l(PxIYyawB*-p@;KNS%mvP4Xg8^!%W(nXhw9xNo1I7K(BA z&7o5=vFZN;-D`SN5!5hGRJz3sD+gF5!JSQb?b>Q~ICA}&)p|hCH z#W)9zD&zM@Z$=q;_uO-}6ue%dAjk|UmQ@5+mk%{gDd_dCWmvdtkzOe5WU|Nah(>|!ppJ%YnOmv(N96X1AHC2u{NrWDZ-4g=?8E$V;Bxm0 zHtssuxAFD5t!=xuFZSwYE7-ev+um>Gv(~T8|2&7_!tcYu!PCpv!_&86d*$QK?h$m~ zvHA5`H_r45NmJ>FG~NbzxTy>DcbMrF0#Luss2=9ewQg9mUknRA^{6$>odjDEp}5hn z6XQwjj0}fc|C77U9e#4IUG{i#X!TyVz4EP%pAy!V-eI_0j<~X_a9;(<+sLE?=Kcc&Zc9Tn&#r`K90sWaPBW;H$6AHdo(4{ zLf-ee(pQ9FYyBUD3*I-ymw~w`z;l|*{k}fC^Bu>QPrt{P;3c454qoYl2Q4I-tYWMPV zHnz$Y+CudA@pNZ*j~8!K%yMVsdBxJR3SYy&`?;abu&p}Ind;n# zkJUgr*Y5e73-u>)jq-$%l$izpDLY+Ob zg}tCO6E<~rb2G!0z1~rX^!~9o5Yz5f=e=FiLI-3d0(NF&+@~ITdM_s4%h_I@$N@ii zd-!lyo4E9ew1}tW-J9)&Q#W*Mwt^YA9^AwqsU>o~x-N%jqHP~b-J71v)UP^JfzhsR zPK&3VjxiNK%$GNWJ{%T&*7#uepH)^X@2q>8Gwov<8=5NVmCp%utBF0%Q>T!o*!0B)9ap^CDX#wKRrV(m*b-d$qBF`&s^<-lpsR|eRqs#GMKh{b4(9Ak)MY(F^Z6$5Qm*alYG-virMGd zTHD&Y59CH>W&=XQ$B}XIyoCj%@8_ALi;uCo>gMX)d1lw8@8woRvWamTTH_VDHAgInq2oTvH6+J^q}Qcet@SxfsWMN7AGQHV2R zF?{#b@*EVdyFYHljxYZr2P`xDcY&8cC5Gj+5A>sT0HohMv&u0{51nN40;Z@%`bM1ZqL zV#X-n4s(KKV7T_#!-)GxPlb1`maA{!GvwXOCcx8Iou?8Yq!#`tbao!*)#$6Xx?Ro< z+<19b-fUV9V4C$`0SF+Y_+J2X?AXssJAz*W9qYOuk6Ig++a3fr?1K+?7Y?zHNAADG 
ze>v|jHg1f4sD7TGhPDgdj|-hH+x~0r8}88)Blre#>mAtPzzeR9Z+G?d}a1 zzh>QZTHOBDO>wjgU2I~XQg+eCJL~HZ$xOS?|J9cd4E%Nie+hA zm1&9Tem`>aGTvI(YQ#Dhu$}wHztz1ixc%1Z+_UY|x_Ms_EdK7G0KC|U)jH-257%E} zI?L3(FLG>ot+WC9u5zE9OuYu@#(W&TC$l+)pAWwe={dVN zmD}43EOoTFb8$7F|o1kTin$j3pKgK_DfaM#cICJ&Yw@F?-wgP*7r5y z+U7#r+}Z-AkCw(g^A=W_+UEn8=UnDf4UdcCQ`heX%x6(CcD*TX9!0C?xw&-irFNAM z4%dE<#-OR=rro~FS6Pso`|-O3@Z&_<_Vp#N>3$V(MVPx~3tXN-M)5YsFY#L9<;>bY ztC@;SoL;ytx3+WzPMMk>UkPcv?FPf|qek$Bo*XMhV`5op2srIXf3HDpkK=0f06*Pe zs&|&hV_x|=>n=uVu+K1N*dp>|=`tb>^)n%IN5skql&}|js=#10&3xMw($hPrjlHq0 z6H-?+NH3R!x#_6Pz4j(I7!lbgO6&KHp0dBes33UpFH6;%DdJ~Iv>=5aD2b zYRq(u9AzBxcaseFv!l5pE6X!~f4)x?7K{)n2%EUtb6?!?*p~rigEfjoERn~E@=?EA z<&>g(9|hJPtpZN4AicB!njQRbA|Hu{7>5*R6VZED?2_4NkoFdy4t9J(C9W4v;bHhE z9ra6BOz_pb2_gsOf=0d(l{((jt_p!lA;M-_CppB_UJB~7@FZeZec&1N>N&-6d|bLW z|A?U0bfC)+Xxi`Yt~YvPSzre*V%5}!K-D9OX-Q4Yg-%2Nqm6nr+ZhJl2_?XEt3bLC zOo&Qv*rY*G;ipu%JY-!j5v6}R_hN%WEk!ah<|Eo{Po9%x+M(B(K`V)X7uFbP!^^3^ zn3bmZ8abLNrsTTfdlJub3=;KtX#LyW8Hb=WPA*Can|I7wK{3PPlhLr;;+3ib6|AD+ zExDlE^eE=NLQs}6aa~eR;ILgm{!iN0D^mVFc)Sj5_oMp2xJMs6SB80BEnz!7?R7tFv%3c@4nb zx39B}JLj!7TjUqSsocyefq2)yuo5ilKQI}$SwuTM6Olt&rH4CI98hrVwiq57G0?64 zOxhRw^LnA=qtfrI%WuNBJMJe%kz=LarN6>>_{>a>_+SUU@Fmx0K7H+6ohB{xtn_FG z%hJShR0c4f-$>>g0}Y=Oj3|fmE^(8Xd7NTIwtwFj&_1Kr7*e$ zF0d+*4WmkgcOCGMXUA(AYc;`^|JZ#upXNhjJxhNZRP7;6Ql4rMB$+*4+_iha$t-|Zf zsl93PhQByGq5pDmelv5JX_Qz?{yIe9&d91c{?c9Fy7`VY%j%kTEnuB{#~8|b`(MLn z+ZI@YEKhmM5a-EA#3Eoj81@{Tu%4##A!dS-(HgO+!X!ipQR4Z-D(_sdC>;dW1M|KU zA4AOdr4t-T{1eM#xYJ>Sc!W|BTSZ5^fSp7QBi1Oyxxq9rf@`J4l=cU^RG6YZfD1P9 z149loGkY7mIpccpMkg!Y%Rkv47baBu$DEV#Z3L$tXQk~L$FH}+iM@ajYfc!K1&ilj zmz_SG6u)ZtUn#Qf2&YmPHf4xAsM)ywxuxAVW+>&T?t`E}c7v|Jmm3u+HwdSpK-oLQ zQOpP=qd#Yd4?|*o-DU?d1ki$Od++x2v;mHP>VxgI$L6_SNd4Lo79?wI(+O(8YFtArhQL07VgwM2W^MOiwIWs^VMRHh~B zblUGL7;8dMu4g9GG83H51mH__AFtaaKry6(*Gqb``&7F6HSF;!TRQ9xx|ieS=9m@0 z-IkU8vENZT4`S`s9(JehG3{mRJy3o|cuR#clQa;Q^Hd;$!yq|MW(F6JMyHCi$_RmT zF#WRNFuu{JGK0TK^h52LN~Hyaz|o*n1z@W<^+;!dJ(D{^pi}p1=MTb3W`R*P{5J?c 
zd^!0O9E-ftxdXo{7(OI{Cd0JkPyj;Eb06f6@+uP=J{U(Z3?f)hq@HCz86`zPhSpCA z3JQ{ON>cFjnJN-+-^EMykD$*VBH-wlamqwV67?KUo|M|6Y4ZKdt&#D}h~j2&1Csw} z3~?aZC=r9t$qjMP!$=Kr(pV`FMf;g45Fyn&LJSS05}BiZR(uK6;RfG!WB-?^toM=;m<# z{X>r?ox@RNj2IsEF$*1TB~GtB>^4;SU}c9JkIRe7y3ON9Pue|B&WmE+h6rZ0+iS>$ zGUJ~BQNE-}IlxG`!A)xfAPB)t$L&PbI>Alvyhu90q;{fbv0S1JJQ1Mhk%HqXTB7GE zN;dt^{2w}na4>ZPl!at~_yajO-v8cCu;?O$EQE3qIx=FDLW`)7KHj%a0W|b65z8z3 z32!b~diaavWt9V{AB88O%&Ola8uLn0BoQJS|2X|F`gJ5KqJ;_mEkt=)EI>Ggn)=VH z@PLBhC1RwA7yE3Sbddz-J22o5j2!AkVf1s_eJ*W3f#nn0_+w(of;<(($i95)@-RJt zA;>`l6prsJ=&DMn%nQ1L9h4(OLMu~@E1eazza0qbKVu=>+F;6SaVES25u?k0MvAI9#$1+^eI)$-uIZQGLV2jD$wX!}cnyPU?$`Ju%Cd%E?vbZXE4$AW`;7JXPJ{N1U$vmSC;kqwyDdCYGY;h0X$x5O8K-0|Arkk zNON90I07n_21fm}Sm%COdf6mmNw<)vyiv9j{@TFfd)UE^W`Q9+eBttOt2sXNfl-~L z0#o-EBv$mujdX_p>%wl1p8I1{X4X$Fj`vMwaq14b*CMI+R2snQ-?n6l5|+n!10*7H+b8UVkdCUtjwqy#`awbZ zlnAv`SWC34({^X|hK6Vy6~^M8b}du9naQu^Q*x^(+lvur4wzs%Jv~rC1I>r5K2{5# z(UQcp&O2^`*cKSBO$8V^F9#h2h_^P^_*5P)VJ8|@&o03vdhr=lo>S-NJIG-jsaI2u zS4y19&NC)d;T{DsRLr-U3_~w#H_U%ljyK%v#0B5|c1vsLz+>h`EUrY9AY3?6lZyrz zceu@1zd@X-u!LRiM0wnYOABNgq&S~9xi3*M{<`!U?%KNgn!(|O7i#OF{c^RLnWqMl z;-EWnd9n<2?>+=-$*RSfp{NYdncW4~!_Nlf71>o+Yub_i;;A@X3x-{sTNk~D3k$?l zuG$J6zt5`_U1#+>)gmqao=<9s-Cvf~4A)It)M}JucaZkW0*=8Rfo)Aq7I+lW--YmPa0 zk~dqoi=}B62!VXb_;lR+P%@jC;kV7%84dxDECqE0F;4GrB5IcG_E=uXXS>|mq@uWw z%ljf=;R?-gXuwGj#o)3FUIK4S!>btbD;j&fxrYu*0W}Thmo)AsPoAB?+jcXXlddTA zrPgKpBL?<&p#uYRGKp6#)&zOfrjjQfji(aj~#nINOcK0yom+z zZ)6a02DX$Y+?9TTE{FcgOqW%R0&Z3&-9tW1#~MNOx~6v_!*)PdwNnKIEt2;^H)D5k zovDr7rA=P)Ovo`wou~Nf>vGO~&@`037_z*!a^?b0ll#o}id4&{<$aW$VRRJm=y**yuRfKR|9Fn07*xa_pIg)Ee1S%6%_wiYpBc`>@j$l1ODEwL z2$FLWVB zbYkQ~Gm=_HrpohXpo6Cw$hu}shyBsF?UEtQYmjBWFmO2J9-S0B=O?i$@e_L;{HbvE zm&K<`s`_O9B>_I6m#p_O*VMa{YpD-hTXq4dx?I4h{fM)69aS!`jb4D=pUxP|X74RI z$$w|*++=ly5vyGHFSjO~kuGO3MtVO&C)l3U9c?qVbEfSTYy`Gqb(=BQCC{R#H^Q8J z@KvtkN@~)NIGYO1GFBlxDq>P}=fSbma_94C&<@#m&WE*mm*ekgb;Yz?FgQ$y<2~7` zT4As+qO`Tx*Vw(z=V7zG+SM4QC5j)_zBg2JG0n(}r&*d*)zC$tbRhgw6RcH=z);1K)-FNT+)A 
z3yuaJ#f5<$ZY!$eEQvE;6+;sRWrS7e{U4q;0&!s;Kg?iB{$STe0Incvmg@YO_2EYs zu@Fk29D3mSHD_V5V{9Ku8sIhHJ6>j$@g6G-`z28i@w#|X?`HeRHP~=3pn1Hhk(#uV z<$L*ZSO2twRkVr{)00{%Uyy2VK2v#1O{RGo zoJS4Pq&h0K_^LmY3#b~!@4oqMU@dr!>^~j`ACGgfeK-qRaw|ECK{l*YQHbFsjz&5id%Qv&W`-n@%vA2Ae5;frJFcQcI?L=T`gvOV2xuYi=f^zEC`EFy zML;`|XSWF4QC4Tdu-l-*SS%&W?kR<`>7p?h5S*7PbOOO)x||QJudPy4<`=o4ZSw3Z4#o`9sGq zCh7YMbF;fd9Cc`TBpZ_me43Sr`q|`T@IIv9$Km7?GO@3;KWl3I#@MYT;n`!Vcc)lS z*?iiFQmj~8BX|%PqY3ov4{$9ZL!yQj!S#yeD^NP~#yn{Un?!vLGdm6vP-34plYZW0 zCM!gOePb;*`+{psO7lRVA8tYS5Vl=4i(G20H7xcLzI*yy)|Dc@rM-zV*`k z>P!b1+|>=~RbZrnx1qWoqpjF+?O)>0;}dG779);0MAHPw$i1}%?E~G<^jd15TsaGu zUTXdpd>;T0Q-ucB%@G-DUxR{&cu)<_(A6@2X*b?WxH8|V&!BjtWcW@s9bxUg^*Tgp zucLXG8XaYGH*|X_1j1#;IcYuox~4P3-;{40n%NZ7bB;azd>FrK%;dtf8hl*S_5E!lyhH7EBn@zWMnV|))`HR44& zv@V9mPxBN~UPa^)ln87{lN0-Jru%N795pOhL-3qKlu4(B)|GDX$of$oARqZxmtaN_ zYB|i`W)6tZ+I9W@+D1f*>R-6|1GGICL~0ky#SulnmUM;L!8UHJf?=--dGaQ`))1Dz z?zEuw^lxB^s)`$-(^{Y|=A4-G5TJUcmB=xwYwdS>2ymVL5!bPl+G4%gz*lifdp$PD zr@Oki2(TTSs@&)-Fv1=QW^e-Gg%N%pbu8zlFRTn6t$eY5BZqt%*V=>_CA{)3&c=bD`z5 zMLo_!r-07iI(3$dFeZqPkfJD&9_ZV_L-JgDTdqmI#!PVnkF+4&lAa$f>#pAKE7GeodU@Oe@i)F$U zbD}bhHfd=(3LFn}b1F}~9vr^wnxasj(t2}0#{BIEK)pl&S4=l#3G#JCQYQD81%n0r z!7=!Y8C)dA9He$zi9-4r(^}x%Xxh(QG^rt;kFLuc;%VPlM=>XNGIrfajTGYqw5GeA z9!yQ*8)~wAm2=A{yNzD;`Y&w@u%Is_TC;sPpTquC55IY*{Wj6%4uCuppuLECW=L$7 za*8WHIERkBzfx(&R-mp0VQs_lXCeO#zpVS+F|i?ATuM3s-N3=8eY1(GGhhF+;`UTj z#REBeXCkvf6h3_rk6Ei|=#~p1cYr%4IrL2%4K_Y^LE42DTLUMwEnx83Usx1~^d9)h zNZ6x6j?{J+xknSuBpmZOp3aDk$ju}}L&`{OWgmU=FU`mZ+IvbjEo;nSmyT((8pG#09sp7z(}%{jg#@ zAR9e`bPbBS*K%Bl5eR{WCYKIL^4!HUTx+pqhIcCYV|W3=GedUT{aqFcino>*gZv@s zo0+QS&58@HgiyNzFLTxQXRY`<+PPP{*1_3hJ6j-8L^ZR>5y5%XCz@sYi^Vq~KW2o| zC=h23mHPB_7)L58+~QAf*9F08qpW!u1O`%mM3B%*#89Dg*2U~5JMu`BzwMrW1c|zP z!2TikGFryM9*a6(V;y>{+5u*q^zmMuq-8~0J$fWE@nu~qhY4XtPAT6)7E+Jj`&l?Qw3_o+-e#y#ydFggSu$JQv;-&#}3q?5`s&z)g2h&uD{Fw_OS>Hc|Ez7Ezu&b1B zb|UB1NwAvRa+!!nx9f+46gzF8@VF(@iEd;%h@|L|2+e8!X0>eJJGLc+P=duawlVpY z*=fERq;xHJ8l91)bnK{?t3T-uV{LQp-Qc4&ji)g1UxUN%f 
z2-(#}rrK*U5gZyGvE;$cq)c3s3+Sr{yOK)b)&UGr$Rsm>x8fixj$6J?LUaTriRoMf zUk@DK-)LXnh0I=DS>%C`WaMb6oNF}HhQ~a4N!MwW5e35*##&{MJu$HLE6rLvD*@IU zU#fNcHm1q)&fA=`=vG<{>hiIA0pDET9&HWX==kN9Y|TYA4S^wAz-S~^q^IviAhh%j zLz49=LwQD+8OdVj9|VZpnknCh;hsGH1&o%rt${n@5bU1|hXZrTUNK&LsDZ516qusy zj{E6i+2u(pWV3onikMrOWwJ&@3$9bpAQ~F-(n$5HD2Q@shxAbG+;XiJ@_V%^|J!Le zom2RrC&!DtH+-DACSe2QQR7!5&Riy+NawFgz-9S3nZ>{Yf;GJuNNnpB)o$Fy-mk>h zDsJ636sPZa$IMw=_nQ{m4Pa!bYyujd~PTa{%568@xXB7tAa4| zNKx%|f56=6u=tBJ#j|8-J?Zhu&u$=fn~&>7Twha(N0~v&J~3ZG!zVR#tjV)DcC}Nq8I;FVjmW*ELof_>d{4ss*8^$X#d` zuHztYcEz8s1`Dj$yNrgZ>S-y;eDT3H^DQZ?ARs~i>MlD<)O1Df8MV`){)tOp|pQYH*imiTExyEbaGf!+Cvh#aTJV_{|VSo zC`@olh+!%gL0kHeY_Tearr9|K^Jd^J)ib;4DOtAQQ`99PND$++7qagPl-RR*G%Ecj zF8c2=Fu%+bsa6D&2{i@`h| zo0Z_sdJTcho5HzkM*h*ILmJEAY!_c>*%ubg=Y9$+5Rk4p2<8d53t$K2yggn6=h!G$h?Vx2uVXxjcO zj>wcti(gA4sTs|BqyxAHri7+&kFnx?!+n9?$EE0qTAHvvZ#8x4^fAIi`@Vs9rpqn2 zXw``!RkEo%u-wuUcuDCKsy)@>u_H@QZ-ecSF;e&ea^1yFY?}4Kb9s;9t9BCw_;0 z*Drsu5rfbzvXu0ztFH!C(O_&sMUyl3r9WNbH^Ucb2AN*BtB_R?*wMF&t1Ei?BmRB< z?~e|;hgEtl(jOK`O3eQct2B)qoxqG+QeBYo0422#K2fDqTq`tvjc-2NC*W%0#l@@@ zT^Zh>hihAysHG@fUQS!8!qDfDN$Mj!b0=mswx5IpU zmsfZNeVjZXou$0N3=yJu%I^AYg%eES(-gHr#x5Nmj%V?@dbPH0Ac;}voWfNo&m6E= zGPC|AzKU5@|2o!yCmKa8)|^BN$pSxbBA_WvK4;F=FxTC7!6b>OF(*erSCfklpd)=@ znG*205Fw6fr<(MHJ@M7^>(9x-JfqrQj)C@Azz|_COvL>-khG6w%FpBXk1v_=EMs_9 zxNYB=ZWtz|emz@>Z#{3N3iXqvgX538xbNOH2?vW#o&xPkwsBg4jYcnNXr`n>mXN1a zne~Zil%)pWI;&63KbG`}p!}eIqL&P!voA=~!T&; z%U}D?&_fUrV$Z72#uNdTg=#GXvYeH@)TPXO({J7VVXb%Fx^e@hIMC9kGj3rzKAaq; zo|)U!41z8=+vS;#x1T5@&|5XoEFH-B^+dyA8CTN1zHsWme?&1sJM!syy}L%7`Tp?z z#M7SbosN(rjIUf2uI-La$s)B8Lb|T-@=XKmIjaY&`e?v4h7|33R8wx0>y*V*wrsad z&sb=U6pHt~Me_C-Tgy*KL*46n$yz%!<|wHCq&SNr-;-^etlek}`W><|sfa8RXCv5J ziL>d3+!iF$koP9tuge3vDFkz#btv>{dy$4PLP%94X;Sd^AYWtQ!6iLSBPctDs`tUR z`VAj(OHi$%@LU?RflVPUKRQSlLPMuQRN#>0c;u{!?4_AxpVFX-T(O!ykrp|OcbH{x zr|_Xui8jvj`?ELJfHH@3J)TLUX|))-r~&%Tc6qh%ThNqyI1u8?gf ziuF$&UA6XP{QcflcCfHI<%O{k{J(aI``;P6K5}cMuS5J#`JP6eBz;a_w;Q!#ruk|x 
zUOC%=QhIp5_8+1ET`Ih1#w@_DfBA~wtdV-|hTT(s;gC6Oj^I9J0rS3K1>|e2_vi_p zi{Fuyzqcenhz+@rfUBSdB|ozmgbG^5FlL$C)2#|(G=;JA(=>++fuw5#ete(Fy>;0pSY zzIe(Zj7A-msC4~~RpU2drzGGbVTWR$hY*R>W{hNQVE%IhL(YW|odKUjw}c;OUj86@Bf&i~~9Y17hrb&Xyy!ghLI< zjy?e59o$4mO2WtpIL??g<5OW31w9FrzyF#VRp2im1u(q{1f-Vf{%c++Pe?|q#fJ?o zY-eWY@N)~OTvQVW#3Yn@V|Ay5`efDd(~l<#+>XF)aKINW-jFn)82ac85nm%e zAxEK9U0O@hM4SElB3o*tlvlOK__TfLY{eL0&!Fs^wu7f@#RzH(vFeq_;L~Ic{&WlJ2ZcZFB_@$U&5GK`mjCGIYxeai zB4oA*e`bimG>90)4J%B!LTsfq=8<)>oOY6FXR13MdQEq-L|prg;Rl<=mT5kF7zbhh z)Ti*33HxD`amO+klfuB7@GH!jgd#G^BtHH>L%e=e@_Rb8vDKFq0fifN*X#c2;Zp4p z#Yi}hN6nuXF0DbnP(+cp_b$Cplx9S!n6!NmP5RO7fU{>VmyJOOGX}V6mJ+@LIUXM% zy6hz8{wJJ(XMz5eV-xTsl^~+e#v&u5r-5q194t{LdS*i<&`7%8pVhX>Usfc?XDv6%s`e_C_r+TOY z3RR!Zwqk=(WU2j5hw+#qJl2`4zv5=o`67Q&2M9JXQD!15PD7h5@Dy*)Fzke;Q7jrp z(*1U&D3767j4$HtK`KW!`}=CD{Zb5wW{^b+5GN(O!Xj@l*?~)akBIQ7jdx-r*<)cJ z=kZ}zsHR?CfJIv7u=_#O6?Z3?uywo|-y-Qn{2NGq>Z^y>C2zZSCz!^Ko1{wNk*Xpd zcqdpyN6{5q^w{?W!Tnk;;Uh$$=|?dUYx2Bn_FSG)*|Z&X7%tSWA8#VGqSi_FPUq>E z00(MaN(Aj)(>y`laa(%+I&qx${M8Ke#X)(?vKve!AQ+|DbW;ruuhEJtTN=Qg3%*4+AT%UU?_ zc~3}Yj$jBCvPT!c`nWBKjA=5A57I6ePHO9s_$>!)tlLk^F9m0LQ%jT(zO9(*a5GRD zaOKsqknxp4q3kBe;M(UvDZG=`(&}D5SW-bnF-QhcI_}mfz;_@x3kpYg2pFYkhHZ7( zS*mlcDJTrcc^p9|A@f|vEBl;CJDY}&vWeSB2T{X99|Q{`i-$=?1+zM@pi5z|_|i~X z`FiJdF!CQ8h;JwT>pp9CT&-4QUo<5r<(c%K5gZJB6ZNb2^12^C(ycVQDP>|ZD( z$cD%{E&B>}oS@N}Y^zx7490jle3r)mkf zXhv&w+;t%u}bfe5rpk;{v>i@$@=DAwa9ypKXEt8mQefcD`O{U8!JWmF{ zmU1aY2V~e$R-JzSTY77!+fBGq8=jqk?-DT>RI$ygL2g`@GTMnx>HE%0z6~J}tXi_=oaJuzXHb_%Lyu{MNLDru4>Q!1s0sT}b%#ymEN(McE8i_uBYQYdN0OPc1G zd0tkg53jUlcc0^1p$n=aqJM3Vn;=|1MFQDr8xd{hof`j_)JTrpaRZ zpm2`A@-@z}i(Wj^LS?Iy0Av(f6=I}g3hHqL>Gaqbe`9nQTz$^x=R>z$n=OSjs5=+p zyn;yDN`#D7i9+|+NLi6n=A4_Rb$Po{!9kt~SQ0Y~9H+3BT1O*`e66~7gE|IFET?>J zZ0&K@Bow-E5L6$rA}fJvGt_~94!`H^!Lwk1%!NR^4_AHRZmh2Uw*DrHC2~xK1A}`COQW- zsd=K7tWAX4L0=@f4vT|Um+9-!bOgK|?-4JB7!FZo+AGap)n{n5!1dmd;S|AkN9g#E zBBA|)k6Y7d9^JQ#k*y>8dfM?$+mZbT{PPof8!*msH78tr-pya2(rM^;tmi`JM!c!G 
z3|{)Zw{xDR&1s7LB@*v%_D4J+$jlHEZWH5Jh=?s}2!zrsK9V#)cM+z78}K;@h+-Ri zhvh-E2V^C*!CR;JZoEQyhR9Uz09oUcD44Cq25*lrkYp@XZJkBC+Q7&hdt>4P$;|%t z$8HY7?nysp7zj54F;``z0P#nM=@N{pXp0q+bWKZjh26gj*{)6A3N7CTK@0VD6=8r@ zLCFA1376ZXe6u{0PN99r9SjQhn&(~EV?_)rcBcdrOCh zDmt_9-AG1#_Wch*?us2^yrvb9+c3zAet&4rQ7y(xU|;sVEaj%eH7mJvt;)11Z^^(t>O{>muZ zR>8+!7Mb9!z>luj;;O*vLe`y&{xHbPd^c{;0&>xb7b*(t=mOg%$dXZ)ioybhYIMU+ zTThmDBrNF*qJVA9Y1K|YqcH@C^Xd)TMVbgcSeoAXDoAUQwmat@g!4c0H@8+4o*pMJ z!#U|z_0`qYXN0$RgzzXKZ4nUQ8Zo6K&Yo5`#uAF6mi@_ zmT~ud!35SzKMPhr@uV(%eazm=tsl!yyGU&8bpr8H4r@Kpj+5OPm|;0+bCa-{5V3hb z!CT7kfe%rnbtHYg4v^j-@HG?(owr?v+;8KAKViHTA=(Hllle7MqNF;us<`O97Ow_A z%vZy<0NS!$dK?+i6{|MOF&WS%aA?#EMFe#m{%BnZCYIT(eRvIKo*sG6l^juOmrtz~ z>X}$8s4-E-D|i`UTSBZCVT*VxQ+{Z#rcu+r+(z`~*E)V}`8=3NUbCt{(rL9j+l2-% z&R7V}f)=Io80hmYvpJVyk8sXePL(725b(;pEmKoD`1OJ>eWE!Da=g@~7{3cikNaVa zvD4~O7%&t+38Z@iB{l`+SVz*03*li1DZCZkczUI)%B-&!#ig({s8$(Jp?ghGwxY z*?mA#EA}*gN_?vC9=2FcllqC|5DPI1q2updHHJiKLE(bq3ib>AL+F0keJ+qqZ)o-j z9c#Wy;j|d)kqWMyl1U-9NbTGr;ci%lagyyp07_z<=b^1{`!~LYR7CgP@S3HGgdTk0 zmLLleA7{i5<-cvFtf|aIzV!WRDt;8-ET1uxC;mF>4=7N+Ee}s5$HP5Knw@SAUe{d0 znX=scm8yWm4qyQAc7*<05olce-F%Av#dgxBLjINQfsyXI9-&1SRUET%puChKS1+4d z)kavp+OvOiZ@$Ix_ADx~sF-qrPz4dEcZq}uCruAi>bxI^*GE<2NrEMbrKI%JkOb>5wX>8rX6j1NUjS5!)SQ{3uVBgf}FX7e`U z-Ut}P+zg04kOvs9ZcLi<(rNO+8P<*a-*46qbM2mzvyA-YqB_6KDYmj@F2p%HDdiJX zJK6cnoVp{|zqQd6E^t>sFso!S*PHX9t=`^S;t6w)pl<^VZE7<3NX|G;(J-Qx>G{b@ zhSK~@>X&X9NW57&G~sG*6<+wI*k`zX|3YRHfrYyTAgqmyd8JocKVNxSLGh=!Zn>ity&FEG%+&xSU6g54nPRF9DsVUNgy z?K?gvW-qUpZr*bI5MC#td)Sfr>vF{mwg7I7@ca%b{T*6vN^YXKgl{kphDGeJix0G0 z98~cOBwLOWd9iuSB8p*Nzc>Deo8bEK@B!5fMS{^2cwbbNoDHis<=7bz#UxNsR4Z9g zn#EHW)gm6)uHRmZ{j&jV+DOj_YDTx8K`L#ixtAfW`ZvbQ#X)KV;@{$aji?o`Ea#eJ zq1kn z@L};vJbRgEJ?C=U$T)5UtzwN>4z*2BiPFRE`?dMw2Ozzc$v<;B>4y`;J;bqRw*OxM z9xCD0N1a%8nBIm0K;xQnBjKOy>WXgLlu=*r!#DFoK&dQ#bEl30Rf)_x?BzJQ|V`6D%$HvfNOoYXx zZ|5(m_i&ofMxL)UZQ1~*qQFIY8CdhsLZ^%)l#){r;Y?9_%<+Po3jwUA z4t270V3-L_Z5sNqJ!qO%>)34d*)DF{ 
zt{cS-U!MFFmM8^GjH9VZg-y^TvzAT!QXZl~p{OD{82R=k+qJHqU3f$Kw#(?6z4C%d z*1M>)E`@s}A|I&ZF!+tQj<42cji@+h6VquptP}|v3X=`Hb!g-%&fyQXpbrm4`ZLbZ zg3)sSqeGVJ?;r4Qo=Uaw=|{2hr2_V~pNTHBCmCGQQx?q0e;M)Y{8t6bSUp|-5xL#a`;&{#$)%6jQbwW zg)_43FC8b$t9h_vL0WWl(|wzzjiF||Lf!$*i@{?QKupEb0PSneU#hzpb4_nWK?gWT z`#c5vJAB0$$$4h$MdGbv?e6jx$VO}*nlUs!*}cATy)(uXtWVoO-Izy{%#^* z8ztHgXG=^Gp9&gyu?_C6OySzrdD4eGi0NR_oVdR^^%?{)o`S2}DlLV0kx?LTx;%Q9 zUD$_hQ1G!KS+j!2S@k@3;*4KW!K_67h$)K7J*hv2BJxJU@$+{laQco*$VSYg7;A2Q zo8Ay!I^t@_34ZkTSZRZXaL5?=L1(9SW_7)lwXj@&pdDw{-D2fH+ zzstDqGVXiDao@E~#eJ_M-uq#K6COi!cafm(hYRLbM$jx4cbHYg>VmnmYAA!b%V6#@ zm^*PtU50W?nICB=cWphP+^VR%;-TEhMlKM_oy@wxHtdrE2Bh0@g;oM9-HI;nMIW%Q_o5hhn-NECFy=xl|Q9hG*XEg8) z_9cob#eH4leJL!)3IA+~r-^T6Y$)pcXzfwotBpmrnx<(sOhY$YwyD<}t$}XzE0*3k zt{Y8zP_=5+BAk4$ZFiiA?7O(}ZneKo9V-^nS*>IQ=%L=gQKG!Rb7%fn^z$=U82s>p z{Qv)E2hj}yt4{rn1u;V%SCRWRyVzg6%u?Aayz=>wBkofbcuQqGFnd~adwjv)efJ%c zj29{u!fsO%8sfkI8;y^CCyr>^-R#(m5GQ55pC-H%>4K4p@V+Q?EhfK?jKjip2b0{?ZHUu|=cywSnil znC%7$kZkA!$ewrmf@P^5z_FO#q5qsJeuFKeQ0cur%>or>dAFl|fs8QdYgH_enXnl+ z1Jrv~A$5$kc(SK;2ao}zWa5}p*YKshpu0!jM01@`wL%-B+Q1USv2Y0cVY5%{YKpPN znrc!XFwC2-pV-*)K~QxB)4O46>dKAh;wP7G!olO8UkV4+3OjZQiNd|dG)C!x7ky$k zL@%_D>^Um?gONS?h(#S8XcuBw=ZOKa2$_*&V*dI8j_}AfF>cbo+t&>1-=_iV8>xn{ z6*MvdeVYpg1K}<(-?;zrCt`T0%R{{TVngjSJxZ6tSYzV=8aA?-@Px>p?@%`1gmX(n zZ+|hsV#C|pLD+118xA^`+CP}Eu`LY-SNlVwxDf3RdZ|Z$_*?l2OLO+i#m}FyiL8)6 zC=N#Kk}OHDJM5i}g0Kqs`G3+4KBdSD($D!-fr79z1cpp z!3t{DEFQ7AnDxVkxra-*huEv$dt-E+1iFL^yo6+xkgQBdR@6BemU9F%YgmZHGW%e) zBb_$PDH!p`M!(jm^qXe$Xj!>cV6##d$2^Emh~i@3?@L%g+Q~KklMT|Df$Ngut#E}= z)CTVO+E?}BdqHL0C!*TZh%lBw0SZfV|MNK88D9#GTADzM@!+6!0lY3?Ag$iH?|r%J zVH{`@)itOOnoT(7>-}~U#K&mW^me^g)oT?44uBv%cI|jc@gb8St?{_2Ko*Cvh3Cl7 zMP&am+mBnYXqw|gE|g?KkXc9{JT<_MkI9^oTh_j&mVq4Ohg_K~8X^)1aoZpQ{`kG> z#l*+Z^<==`DFrMsYh#TJ*u4+`E)hr2FpldBE&e#7@)w)5vD(7A0UBfM6K#*AD;uv36SHvIL#Y(vV<> zewDX{G)QHx!j%$S8rK~BA>bSahW~-OqsY%FKPb6_=dqM9$^`v@^uO;IzHi+1T!P;1 z(6e2=y89tp-%h-MOz0gbW;ciF_)Sa+y&^j 
z9&&<$czsgKzoyQt61QObN~zHkY!MqXfQv=3;wFW;Oci_N(}SZQz)aF7LFBXpM7 zO2|`zUp>GHcLt&+youq{jN*Zt2t1`{cvHY{*atRVh{lEoo8*lCm$nn?$<$z+{c_QZ z&srxwiwLbk9N71+4W>aPK%LI_KAHvxnFE+u=F;6>k1#%VkYpi9HD+I{a&>`dU)Ul0 z=sYq6FkMAXkhwdn$u96y6e5QuxiQvkE{P3T32OY1D@SN3)gOzY6d6dVN#Yk&XvKur zc(nXc=%ZUeW)86{Lj#m|A1x)iG_$S6?sWI|m^YKTaDqLK^xM<+_9*QI6l1^GWA}~9 z`wvP%cZ1QrrM3g=d3Rs)LCxVBrY=-*cWAfwSp(Z`XtnTo-GH>%u%cc2v+d%#4&Vn2 zO*`OiVa*rqNJwg!h(8v|h@j;bN%h24>#Y&Uqeu-gqCpV_p<9oCWG1^T8}IuxXA;=% zfECPgh(g#ttev_>5I6&lAqtB_-*R|7d-$Z}oY;_)|R z+xUx`H+kF!8ELqk;xA&$#uDe-t^M2-{ zT|#St5xSguqXFZ>p@;i?NIJ5{5?gwQ1u@a5-f%14Ntnma@8FOA_N{JN+UwUZhQk*@ z@O+oE%1GNet2tSi!rq=)pmJ+xMYC6ALZ)<~x-moJ%Z~C5bI{UY>?=nw8lJiB$}=JR zVP%P8lMTyVo49pW)kb&F`HwFP9$QrGKCGmf+&*tbL?uhhDHvAn+b+NXfuon=f2g+h zl>`u|9|DRcj2=^wp3g6*!vufz=_&`S6ks??{IU~I7;&hznHlHXV|WGoP{c9k+tyE{ z7+6-pdG@t(|FwG0EykRc95=Em@%->+a;X|>nKj(m7_OSPhLFZoU09#$Qx^3hB+*D5 zahn-u;-k{)F0Jm;>VBM7_iQ05ZSvA4->^-Niy_MfXNoJbW%1j}V5-EGnE0%+%&bO2 z{d*-;Uc=8i*jk2^noW>MAL=pjdN-*mk>0H%-v0g^e|?@)H)7gIIi@2Z<5WpmmM9WN zN5q+A#YSZAN{e)omHNT0NY?q39hqT9jt#ICIDNb@yBO~w#p6hIM|E*RCaIz*cIOly zGQ&q<^&Dk$Qs0og$3kagNySg>)$N?z66 zynOt&kI`o`P&e67v!Vrr0t%!|QczUr&RC&BYOF*d&5k86h+kmYGEJ9U8fJ|PV?$CH zk9t%KWq2>1y8mv;L67k@JjTznjIJ-j`@>tptYb0x$rMve9VMY+NvOCyq2ke|2o*Es zcS%ykt)>Wh4BU(90nA0en3~UxQZOo6Zx-VV%PL}Z6pUFlloX651>?6!!8qeET@o-# znI99Q{7o+ zWrX>+gnki)b4yQFn;~DUm*k7F!1d@d>Hq!b|M}k~`C>`FIGcPir9iGSsTVVK%`D=@ z8^~m@ig%G(kdJi{>s4_svi2-Mxkz;uC0xYXwu^3&^?zZuMHcIv$7$vb) zFfb+zkZt5&RIR(b?2BsZ#bUgRnte=6UD7VDD-v1?PZlRbS~g1&H$E}uMYI9npLhMh z_CGT(&96vGga^uzrTyLUr(n$40lB;`;4B%Gl#C@M<8~3)tcH4Vt%yo(b(mHaUNxrP zK;29{*Sod-l-kR{CuZ5Tv(bsOk5UmZ4{6SfAz9@J0%4E?I7xB;u<63#E%fM4@Fvhi zlbx)jG_H;+%>%4s|Agqe#1M5f0kKP*OcKMt5Y=0{ZJg_km9;qC8#Y?_w_dNlmhN3-{Kac_fgrKBu`7j@aJQ-Ng;venMl!Q<;x;TbMcamB^E64@ z=tk@bQ?_l8Ltp_=V!7>Y!M3*;*Atf2iPaR*4nZ?lN%y2EPPOZ93*!^EZ9{xdtg6ki zJ-&nh3HNCgfH{gU*W&4!bQ0p-Mui z4Nwe}dwRL2XK}?Ow(pWIhE`Ka7xUur(Zw)}V@b9cv_{g@4BQv}wTm|SI0$b{KEq6JESU2JZ{Nl_n$>_>?Ucxl+dF6x&X 
zI+v|Rx2%ZuWkwuJp_nPo_@XvHa;*5RWP4dw?v5Xf+$DhmEU8^eYM14yUFw^ncFB<5 zC5c_O7<~8`XkC)Smy6UTF_RmmbWtK{7h@pEDq?k%E?G5{lrANuOG)WcQo1}bN|*Y2 zC|y*r`r?!>$wn?f>5|O4z$WliC|w#QrOS#bUApJr6roGwX%V`ly0gr>2=i|Vp-cCC zOHWjrp>t_GGCG$^z1nIu`UAaY*G#=$Gi=?kjvDZ5wN`7^`gO~!uZGU$;>NpOfX*e2 zb3!i|)80bU%b^bPiW7?GXS^pk!LNkCgfNF$$r7_>mYCy3Zs&OLZ9->cGq_|Zms$KR z-SbtEw?O6js9T^)1#t^JU4XR(Dl5v_0$I0;u?0H5FkK7IS`o4q%$HUyPR}{YOx=Bp%MplgLJdEc(np%GY!9BvLTimlHHc>4Ri=nVM?U zso}b?PmND33p8H99{&9;cbcLeQTFA%J%ru3I~L?JRLhxTT#vi}mQtXu-}(E`7ss)5+OAWTG#f^5FY@`zf- z;|tsW?3niJ%gb|;)L37z*U2*G*K!t2;NG4K#nm zE}ZL;GfMP3mMxmdT(z7L7?Sjam{92d$=NUPJ8XXV6*lLy{VN!NSap|Gov!6<>WL~& zrl3Yf6Moy)JADJm4HFel&$4mm*uedv?m(<@($CulS=b^x5UNy|yOQB(tqe!q^OE1_ zn9nqm2_TbZhIn~gQV*4fk(WZGi&}Lo>_YrrWXYd}03qTgZfP3^qa~BoFrbiG*?)6bl#CuQ3yQMa7iVNu|-TN~1%~d?Z;IPoDLtWID>rbhH7U zA~0B%Bq{2ir)fk&r@*(yPsH-XltY|%gxhl^&(L~#h8}$VCpx%VBk8_4ql|o>cnBV& zjL?ty6h^o;F0FS~#9g$?_!Z7uq%s}mYLBhtELu*&+Os|6>!d7-p490SLXc-wv_e>YK3*ZLR6#6+j~8GT!upC*3t`@^;ugZb zFH9~(lUIaYh%zSWg@o||_9@J#dw|ym2P1njmux6D@lTd*NJSeI;}^?zSU5i z#ARHL5qUI(CD?_MtEA*ADfjISbCqQ5##_%-a^|4}{UP{DmW=V0qHlloU76@)L8g+N zJSC5Zjs!PE9S>NbS=~GMfx+4c2?#}gnrL)>Ecr+_4aO%6cP)e@!s(X5ND{h{N=lN) zfWpeKL+8M-W}R}@g~P%+3jnb|VapJ#_=#Z|LXuQ_mSiM}t=RcU;_x_Aa+1tZg9=g- z=5m)lJ=scy(nofO4^GjMtgC* z9@+~P__#RjMY53#&|W07F0cta721ntNqezk+6$%=Ptf3dJslAW_{mdWG@lmrMXEc? zERHb$mQY{t`*IRcEh(YJj#fisOaZDlyfjA`0jU#II9Zz}yl6f$!i#pzY}L(vO>g(x zhF)*C2Jln0r5i^^wK`~4j;k%B2<*if+A4$#Io+cd62v8mE})cjbwdGi4%ng=hL7=> zF_MFD{xxSv25%;|pajc2DX>g91Ts{n)*dt}_4cvet~6_Uy?)fvTZY-tn?}VP)J>~- zR4KyUa?1UMNlBK~TP%$PnTb5=s=fQIF-A-!zvd0UW6K?spoV%u`Zij+U6K>-riyX! 
z>OH)GlG7eI7ML^G!ORr+a#y-vR;-^J?=}nxc`-2Dz+McNyizy5Bn4J|(CRnpdg}-_ zwz_%L)Z1pWr8nE~W2(Pf_~aBPJm9V2TLB}6pBbi)*oC2>XmB0{PCdLa0*%L`K|AS~iu_4fr;pL`JFr~fhX7te zYB;_)1F{u&1td`eTY&g!7$^YDX3d93pE-ol7(u>k$o5ZmKd@sTTp#SC^#L=8oH=6~ zCJDRh_!eU-vf)?z3!DIZ;u4p1OE%E7Bd%c!oLeFy_lh7A)SuV1Qs_z>Q{t zrHsH&13z2NYD9LSJH(wClL;Jzq1!vofqfukfJn!@@eQh&D0+7Hhh&S;)^n$pooqd{ z17lf{(+P^cHpcKbLMLqVX5@j=xzojEda8?TcnMw&-5b~p>OlgoIBHC3Y|+%GMe_0E z$GFPYL!GU=Y_a%|hND8l3u_hnpb#ld!8`m}+e~I8k1*TQxA(GnfGe&COLyn_S7G_w zKi`!JG-7*zlsw!X!}L7r29!Y`j%gjPDSFmlBwf(6Vo@`R=yb>G1#B0>e?|U%Empw3 zCaOq;-@P@yB;yq^I6d}^g7b1#BiDlC@3YW7ddSE>Vtq+gpR+qsAX23=I|wkb7t9DN zr#KdGIH)OyylbWZj*D=&IoP7y?)l*X%PH!zYzLtw)o zT~sWB- zpimc4CbN<|QPGkq*-3PUG-ci`BO6~7D%>o9k#s?^9Wms}EuxVT7M{7z9%_NjTw&O? zFp^Rl_$WSF8MPcO%oE=??m9EPOR;?6p`NnEW1f?qh}e>eLFrG!5HAxZ zcZbALbF$?A__chja}zB+0BI;K2<@#^1=;VjQnX~|^WfP24wat)01 zW$ZP|7G|xfWU~u>gR)VS8utK6NaKCx*onr%_ZKP*PM~V`Q&{a+8U=&XV6&-h0kVPrK$aD2?|tptvw`g&75i9dMD-3>e0{ z3D{CTVQ=ZeF9Ko)5}H#5)SAJRY^egY7ocDkTu)!{7a3U5x{yxsF+`Cc2rO|hJa^G;_B z`zsHqiKGwLM5C7ce6a`<`*{TR@(q0|=UiOmO;BXuTx=mS==ZvR2huF7>+5ch}8i@vuY@Tp(QZ1 z1csKt&?g2AZLS9xssia02Zkmaxd1RUnRS6p;HdyZTO}}b#lXE-*&jamW_;o8sbN+ZZe#u&21lKA0CAv@y z*!lOh<0^SC3j!OXDrMm)v6UsZauYj;wnbY<5@9K? 
z2L;M+3%LNgWMIo9QNXvu+Dv7lW?EFwmO#5`;m11BD0W8HSEe^31MV1)Lr;4#utfmrW zS)wdUlx2ysEQGR@Er=3lS>h~9oMnl#Tp`Xfen2UamL<}%L|U#BX({|S3qvgz%_w0l z7tI=hEn_)Lv}K95EYX%>p^pk}+1eD^QWammBE04H1_o~p^0JbRyi|`~F6^ahPB)6a zRK~k61{TUHVs+@ttQt!6Wr@Bl(U&Fq@`<4@TkAnzs?aaR(U-|aE`YvFW?f(tSTp)k zzy*tdFN;Dbv#^GrWnoI71ZQk*`6V(TGua#9v+=a=I>C+YpUupYrT1kc_w{5*djH4q z%O8UYocym}BChJikB9s>jbHlu_5ijyFbdJBFz{U0yG7%%Z^Ky@{ULNt#wYk*EYBAd z7>m)r|NS5T1$HUUP%MG=qoINF9CVb2yc5JuvcGj1P4PnioWDeGJAq1!1?wDAECaoQMDww*T1(@PY*$ z>qGKnkcZ0znX$>+%p8XGW#iSZAH-WozBKHWGqhd&f|6+> zy1{1OQewVs)LzjL{t9-3@7`g)Ijqx~;egt*ym~XU;zMN|sn!`*(~PY$+xQVpNG6ZRy$Ljg&&$c)ruYs8^X^5vQ{?}-dIoyWn%qDI&Bpi( z{CZ>K!ViCcna^0wG=#HU4cR%Ar}x>X_FSj+g-_}7$wYZ7FMb-&eF~S`pgwgke%fC6 zls)rwUFcMOAF~28Pth|^&)KKuls8%kk5Fl8e{8m7&%FCkvN~j(TLjLE+uqfbw`HDB zeTBUcMd&9k7=|IPYl-gE9&4MS_Cn#lp&l*KpZY`ghg}Nlp%t@qZyFET8@$(C zVPB3PvM=59751e0kUjbJ{hJkbrS*_qxq!1`-}@rptpDn}OZ28)xHoi4z(c|*j}GQ1 zg(Z5IC~29Ev-0pt8oxEWg6*dIphiF@ynC4*J**voq7_}5u23^nAJj5PT?enSXT@!V z%p2TAZZ)clv_0YbFTQ+M()8LAO)tJqR?_sNC7ND*DXgUF^(C7Az_Q+0qUptr-<34| zc!{PLw{=(2bR|i50dCg^Xu6tqa`B5%-gN0V^#%OE@q@`ZyVg5nRHKY`vRaMPPCmo% zw{*fIz0%gJu{+7|GBx3*N%`u+cORtO5ezoz8nPI@Ps;fd2JuI6w(^nsnR*QVlo*Ru zMGnrTm&KZ?!_U0wWIUZP2Gl>@|LOk&P)h*<6ay3h000O8h;}$xSmWkNUI_pI%q#!^ z7XSbN0000000000q=5hc003ihWnpw>RcS%!-|3(L07BIV01*HH00000000000HlGF2><|XVQFquWo>Y5VRU6KYIARH ZP)h{{000000ssO4ga7~ltEvD1005u5R;vI2 diff --git a/Solutions/Recorded Future/Package/createUiDefinition.json b/Solutions/Recorded Future/Package/createUiDefinition.json index 027f8b54d22..1a2801a3f04 100644 --- a/Solutions/Recorded Future/Package/createUiDefinition.json +++ b/Solutions/Recorded Future/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nUnderlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n* [Threat Indicators](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api)\n\n\n**Workbooks:** 8, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. 
By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nUnderlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n* [Threat Indicators](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api)\n\n\n**Workbooks:** 8, **Analytic Rules:** 10, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -216,6 +216,146 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" } } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 Domains in DNS Events", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 Domains in Syslog Events", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Detection of Specific Hashes in CommonSecurityLog", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 IPs in Azure Act. Events", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in Azure Activity Events from Recorded Future Actively Communicating C&C Server Risklist." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Detection of Malware C2 IPs in DNS Events", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist." 
+ } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Detection of Malicious URLs in Syslog Events", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting Hash All Actors", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting hash correlation for all actors." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting IP All Actors", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting IP correlation for all actors." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting Domain All Actors", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting domain correlation for all actors." + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "RecordedFuture Threat Hunting Url All Actors", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Threat Hunting Url correlation for all actors." + } + } + ] } ] }, diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json index b798812fb94..229649d34ef 100644 --- a/Solutions/Recorded Future/Package/mainTemplate.json +++ b/Solutions/Recorded Future/Package/mainTemplate.json 
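Review bot: In the createUiDefinition.json hunk above, the `analytic1-text` block spells the table "DNSEvents", while `analytic5-text` and the rule query in mainTemplate.json use `DnsEvents`; KQL table names are case-sensitive, so the text should read `"text": "Identifies a match in DnsEvents from Recorded Future C2 DNS Name Domains Risklist."`. The ten sections also do not tell the installer that the rule templates are defined with `"enabled": false` and match only indicators whose `Description` equals a fixed Recorded Future string, so a rule created from them stays silent until the matching risk list is being imported into ThreatIntelligenceIndicator. One sentence per block naming the risk-list import and the log table the rule depends on would make that visible. If this file is produced by the solution packaging step, the wording would have to change in each rule's source description rather than here.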
@@ -100,6 +100,76 @@ "_solutionVersion": "3.2.9", "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", "_solutionId": "[variables('solutionId')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.4", + "_analyticRulecontentId1": "a1c02815-4248-4728-a9ae-dac73c67db23", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a1c02815-4248-4728-a9ae-dac73c67db23')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a1c02815-4248-4728-a9ae-dac73c67db23')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1c02815-4248-4728-a9ae-dac73c67db23','-', '1.0.4')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.3", + "_analyticRulecontentId2": "dffd068f-fdab-440e-bbc0-34c14b623c89", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dffd068f-fdab-440e-bbc0-34c14b623c89')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dffd068f-fdab-440e-bbc0-34c14b623c89')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dffd068f-fdab-440e-bbc0-34c14b623c89','-', '1.0.3')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.2", + "_analyticRulecontentId3": "388e197d-ec9e-46b6-addb-947d74d2a5c4", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '388e197d-ec9e-46b6-addb-947d74d2a5c4')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('388e197d-ec9e-46b6-addb-947d74d2a5c4')))]", + 
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','388e197d-ec9e-46b6-addb-947d74d2a5c4','-', '1.0.2')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.2", + "_analyticRulecontentId4": "588dc717-7583-452c-a743-dee96705898e", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '588dc717-7583-452c-a743-dee96705898e')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('588dc717-7583-452c-a743-dee96705898e')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','588dc717-7583-452c-a743-dee96705898e','-', '1.0.2')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.3", + "_analyticRulecontentId5": "22cc1dff-14ad-481d-97e1-0602895e429e", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '22cc1dff-14ad-481d-97e1-0602895e429e')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('22cc1dff-14ad-481d-97e1-0602895e429e')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','22cc1dff-14ad-481d-97e1-0602895e429e','-', '1.0.3')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.2", + "_analyticRulecontentId6": "9acb3664-72c4-4676-80fa-9f81912e347e", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9acb3664-72c4-4676-80fa-9f81912e347e')]", + "analyticRuleTemplateSpecName6": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9acb3664-72c4-4676-80fa-9f81912e347e')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9acb3664-72c4-4676-80fa-9f81912e347e','-', '1.0.2')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.4", + "_analyticRulecontentId7": "6db6a8e6-2959-440b-ba57-a505875fcb37", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6db6a8e6-2959-440b-ba57-a505875fcb37')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6db6a8e6-2959-440b-ba57-a505875fcb37')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6db6a8e6-2959-440b-ba57-a505875fcb37','-', '1.0.4')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.3", + "_analyticRulecontentId8": "e31bc14e-2b4c-42a4-af34-5bfd7d768aea", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e31bc14e-2b4c-42a4-af34-5bfd7d768aea')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e31bc14e-2b4c-42a4-af34-5bfd7d768aea')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e31bc14e-2b4c-42a4-af34-5bfd7d768aea','-', '1.0.3')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.4", + "_analyticRulecontentId9": "acbf7ef6-f964-44c3-9031-7834ec68175f", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'acbf7ef6-f964-44c3-9031-7834ec68175f')]", + 
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('acbf7ef6-f964-44c3-9031-7834ec68175f')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','acbf7ef6-f964-44c3-9031-7834ec68175f','-', '1.0.4')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.4", + "_analyticRulecontentId10": "3f6f0d1a-f2f9-4e01-881a-c55a4a71905b", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3f6f0d1a-f2f9-4e01-881a-c55a4a71905b')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3f6f0d1a-f2f9-4e01-881a-c55a4a71905b','-', '1.0.4')))]" + }, "RecordedFuture-IOC_Enrichment": "RecordedFuture-IOC_Enrichment", "_RecordedFuture-IOC_Enrichment": "[variables('RecordedFuture-IOC_Enrichment')]", "playbookVersion1": "2.7", 
@@ -264,6 +334,1374 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist.", + "displayName": "Detection of Malware C2 Domains in DNS Events", + "enabled": false, + "query": "// Identifies a match in DnsEvent from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - 
Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract Domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.Name\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, DomainName, Description, ConfidenceScore, AdditionalInformation, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "DNS" + }, + { + 
"dataTypes": [ + "DnsEvents" + ], + "connectorId": "ASimDnsActivityLogs" + } + ], + "tactics": [ + "CommandAndControl" + ], + "subTechniques": [ + "T1071.004" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + }, + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "HostNameDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ClientIP" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "DomainName" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 Domains in DNS Events", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist.", + "displayName": "Detection of Malware C2 Domains in Syslog Events", + "enabled": false, + "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > 
ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "Syslog" + }, + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "SyslogAma" + } + ], + "tactics": [ + "CommandAndControl" + ], + "subTechniques": [ + "T1071.004" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "domain" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + 
"packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 Domains in Syslog Events", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in CommonSecurityLog from Recorded Future Hash Observed in Underground Virus Testing Sites RiskList.", + "displayName": "Detection of Specific Hashes in CommonSecurityLog", + "enabled": false, + "query": "// Identifies a match in CommonSecurityLog from the Recorded Future Hashes 
Observed in Underground Virus Testing Sites\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n// Picking up only Recorded Future IOC's that have been observed in undersground testing sites\n| where Description == \"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n| join (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHash, AdditionalInformation\n| extend AccountName = tostring(split(SourceUserName, \"@\")[0]), AccountUPNSuffix = tostring(split(SourceUserName, \"@\")[1])\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": 
"GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CEF" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CefAma" + } + ], + "tactics": [ + "ResourceDevelopment" + ], + "subTechniques": [ + "T1587.001" + ], + "techniques": [ + "T1587" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "SourceUserName" + }, + { + "identifier": "Name", + "columnName": "AccountName" + }, + { + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "DeviceName" + }, + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "HostNameDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIP" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": 
"Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Specific Hashes in CommonSecurityLog", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Azure Activity Events from Recorded 
Future Actively Communicating C&C Server Risklist.", + "displayName": "Detection of Malware C2 IPs in Azure Act. Events", + "enabled": false, + "query": "// Identifies a match in AzureActivity from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| extend TI_ipEntity = NetworkIP\n| join (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n )\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated >= TimeGenerated and AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated, TI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, Description, AdditionalInformation\n| extend AccountName = tostring(split(Caller, \"@\")[0]), AccountUPNSuffix = tostring(split(Caller, \"@\")[1])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AzureActivity" + ], + "connectorId": "AzureActivity" + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Caller" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "CallerIpAddress" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "TI_ipEntity" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 IPs in Azure Act. 
Events", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DnsEvents from Recorded Future Actively Communicating C&C Server Risklist.", + "displayName": "Detection of Malware C2 IPs in DNS Events", + "enabled": false, + "query": "// Identifies a match in DnsEvent from the Recorded Future C2 Malware Detection IPs (Actively Communicating C&C Server RiskList)\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == \"Recorded Future - IP - Actively Communicating C&C Server\"\n| where TimeGenerated >= 
ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| join (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n )\non $left.NetworkIP == $right.SingleIP\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, Description, AdditionalInformation\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "DNS" + }, + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "ASimDnsActivityLogs" + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": [ + "T1071" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "Computer" + }, + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "HostNameDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "ClientIP" + } + ] + }, + { + "entityType": "URL", + 
"fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "NetworkIP" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 IPs in DNS Events", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.", + "displayName": "Detection of Malicious URLs in Syslog Events", + "enabled": false, + "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = 
extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "Syslog" + }, + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "SyslogAma" + } + ], + "tactics": [ + "LateralMovement", + "Execution" + ], + "techniques": [ + "T1072" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 6", + "parentId": 
"[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malicious URLs in Syslog Events", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting hash correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting Hash All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing Hash data.\n// The following workbook: Recorded Future - Hash Correlation will help researching available data and selecting tables and columns \nimFileEvent\n| where isnotempty(Hash)\n| extend lowerHash=tolower(Hash)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(FileHashValue)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerHash=tolower(FileHashValue)\n) on lowerHash\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Hash\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Hash=FileHashValue, HashType, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + 
"ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "InitialAccess", + "Execution", + "Persistence" + ], + "techniques": [ + "T1189", + "T1059", + "T1554" + ], + "entityMappings": [ + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "Hash" + }, + { + "identifier": "Algorithm", + "columnName": "HashType" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": 
"support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting Hash All Actors", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting IP correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting IP 
All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (ASimNetworkSessionLogs) can be replaced by any infrastructure table containing ip data.\n// The following workbook: Recorded Future - IP Correlation will help researching available data and selecting tables and columns \nimNetworkSession\n| where isnotempty(DstIpAddr)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(NetworkIP)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n) on $left.DstIpAddr == $right.NetworkIP\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.DstIpAddr\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project NetworkIP, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "Exfiltration", + "CommandAndControl" + ], + "techniques": [ + "T1041", + "T1568" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "NetworkIP" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": 
"**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting IP All Actors", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": 
"[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting domain correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting Domain All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (imDns) can be replaced by any infrastructure table containing domain/dns data.\n// The following workbook: Recorded Future - Domain Correlation will help researching available data and selecting tables and columns \nimDns\n| where isnotempty(Domain)\n| extend lowerDomain=tolower(Domain)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look at Domain IOCs\n| where isnotempty(DomainName)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - 
Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerDomain=tolower(DomainName)\n) on lowerDomain \n// select column from the source table to match with Recorded Future $left.Domain\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project DomainName, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "InitialAccess", + "CommandAndControl" + ], + "techniques": [ + "T1566", + "T1568" + ], + "entityMappings": [ + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "Domain" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "RecordedFuture Threat Hunting Domain All Actors", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + 
"description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.9", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Recorded Future Threat Hunting Url correlation for all actors.", + "displayName": "RecordedFuture Threat Hunting Url All Actors", + "enabled": false, + "query": "let ioc_lookBack = 1d;\n// The source table (imWebSession) can be replaced by any infrastructure table containing Url data.\n// The following workbook: Recorded Future - Url Correlation will help researching available data and selecting tables and columns \nimWebSession\n| where isnotempty(Url)\n| extend lowerUrl=tolower(Url)\n| join kind=inner (\nThreatIntelligenceIndicator\n// Only look for IOCs\n| where isnotempty(Url)\n// Only look at Recorded Future Threat Hunt Indicators.\n| where Description startswith \"Recorded Future - Threat Hunt\"\n// Only work with the latest indicators \n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| extend lowerUrl=tolower(Url)\n) on lowerUrl\n// select column from the source table to match with Recorded Future ThreatIntelligenceIndicator $left.Url\n| mv-expand RecordedFuturePortalLink=parse_json(tostring(parse_json(Tags)[0]))['RecordedFuturePortalLink']\n| project Url, Description, Type, TimeGenerated, RecordedFuturePortalLink\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": 
"Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceUploadIndicatorsAPI" + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion" + ], + "techniques": [ + "T1098", + "T1078" + ], + "entityMappings": [ + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ], + "customDetails": { + "ActorInformation": "RecordedFuturePortalLink" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n", + "alertDynamicProperties": [ + { + "value": "RecordedFuturePortalLink", + "alertProperty": "AlertLink" + } + ], + "alertDisplayNameFormat": "{{Description}}" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "reopenClosedIncident": false, + "lookbackDuration": "1h", + "enabled": true, + "matchingMethod": "AllEntities" + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "properties": { + "description": "Recorded Future Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + 
"support": {
+ "name": "Recorded Future Support Team",
+ "email": "support@recordedfuture.com",
+ "tier": "Partner",
+ "link": "http://support.recordedfuture.com/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "RecordedFuture Threat Hunting Url All Actors",
+ "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ }
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -5604,19 +7042,19 @@
 },
 "created": {
 "type": "string",
- "example": "2023-09-20T15:39:35.993568+02:00"
+ "example": "2023-09-20T19:09:35.993568+05:30"
 },
 "modified": {
 "type": "string",
- "example": "2023-09-20T15:39:35.993568+02:00"
+ "example": "2023-09-20T19:09:35.993568+05:30"
 },
 "valid_from": {
 "type": "string",
- "example": "2023-09-20T15:39:35.993568+02:00"
+ "example": "2023-09-20T19:09:35.993568+05:30"
 },
 "valid_until": {
 "type": "string",
- "example": "2023-09-20T16:39:35.993568+02:00"
+ "example": "2023-09-20T20:09:35.993568+05:30"
 },
 "external_references": {
 "type": "array",
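Review bot: The four `example` timestamps in this hunk (`created`, `modified`, `valid_from`, `valid_until`) change only their UTC offset, from `+02:00` to `+05:30`, and still denote the same instants, so the new values look like a re-rendering in a different local time zone rather than an intended change; the hunk at `@@ -5812,19 +7250,19 @@` repeats it. If that is what happened, these lines will keep changing with whoever regenerates the file, and that noise makes real changes to a security content package harder to spot in review. I would pin the samples to UTC, e.g. `"example": "2023-09-20T13:39:35.993568Z"` (and `"2023-09-20T14:39:35.993568Z"` for `valid_until`). The schema object that holds these properties starts and ends outside the hunk.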
@@ -5812,19 +7250,19 @@
 },
 "created": {
 "type": "string",
- "example": "2023-09-20T15:39:35.993568+02:00"
+ "example": "2023-09-20T19:09:35.993568+05:30"
 },
 "modified": {
 "type": "string",
- "example": "2023-09-20T15:39:35.993568+02:00"
+ "example": "2023-09-20T19:09:35.993568+05:30"
 },
 "valid_from": {
 "type": "string",
- "example": "2023-09-20T15:39:35.993568+02:00"
+ "example": "2023-09-20T19:09:35.993568+05:30"
 },
 "valid_until": {
 "type": "string",
- "example": "2023-09-20T16:39:35.993568+02:00"
+ "example": "2023-09-20T20:09:35.993568+05:30"
 },
 "external_references": {
 "type": "array",
@@ -7358,7 +8796,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter 
categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over 
time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. 
Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. 
First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t, priority_s\\n| summarize Alert=count() by bin(updated_date_t, 1h), priority_s\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over 
time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"priority_s\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. 
Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -7442,7 +8880,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking 
at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some 
thing\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = 
pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, \\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. 
First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"AI Summary\\\"]= AISummary_s, [\\\"Recorded Future Portal\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Alert ID\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"AI Summary\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, 
\\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -7526,7 +8964,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| 
project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where 
isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where 
isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected 
domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n 
//Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) 
desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == \\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk 
lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 
1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract 
Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == 
\\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
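Review bot: The join in the three correlation queries of this `serializedData` value (`on $left.DomainName==$right.{Domain_Logs_Field:value}`) matches strings exactly, so a log entry that differs from the indicator only in letter case is never correlated. The TLD pre-filter just above it uses the case-insensitive `in~`, so it passes rows that the join then drops, which suggests case-insensitive matching was intended. Normalising both keys would close that detection gap: `| extend DomainKey = tolower(DomainName)` on the indicator side, `| extend DomainKey = tolower(tostring({Domain_Logs_Field:value}))` inside the join, then `on DomainKey`. The same applies to the "Detected Domains Per Day", "Detected Domains" and "Top Triggered Risk Rules" queries. If this template is generated from a workbook source file, the change belongs in that source rather than here.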
@@ -7610,7 +9048,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by 
Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table 
lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected 
hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == 
\\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. 
Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by 
$table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where 
isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 
11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] 
desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == 
\\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
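Review bot: The hash join in the new `serializedData` lower-cases only the threat-intelligence side (`extend FileHashValue = tolower(FileHashValue)`) and then compares it with the raw log column in `on $left.FileHashValue == $right.{Hash_Logs_Field:value}`, so a log source that records hashes in upper-case hex would never correlate. The same pattern appears in the "Detected File Hashes Per Day", "Detected Hashes" and "Top Triggered Risk Rules" queries. String equality on a KQL join key is case-sensitive, so I would normalise the log side inside each join subquery with `| extend Hash_Normalized = tolower({Hash_Logs_Field:value})` and join `on $left.FileHashValue == $right.Hash_Normalized`. The source-data drill-down has the same gap, because `MaliciousHashMatch` is exported from the lower-cased `Hash` column; `| where {Hash_Logs_Field:value} =~ "{MaliciousHashMatch}"` would close it. As far as I can see this hunk only changes the string's trailing `\n` to `\r\n`, so the gap is carried over from the previous version, and if this template is generated the fix belongs in the workbook source.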
@@ -7694,7 +9132,7 @@ }, "properties": { "displayName": "[parameters('workbook5-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk 
lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| 
where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) 
desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### 
Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project 
ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 
10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP 
(IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected 
IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
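Review bot: In the "Detected IPs" query inside the added `serializedData` string, `join (` has no `kind=`, so KQL uses its default `innerunique` and keeps one arbitrary `ThreatIntelligenceIndicator` row per `NetworkIP`. The Risk Score, Detected time and Threat Classification shown for an IP can therefore come from an older indicator record rather than the most recent one. Reducing the left side before the join, for example `| summarize arg_max(TimeGenerated, *) by NetworkIP`, would make the displayed values deterministic; this is worth confirming in a workspace where the same indicator has been ingested more than once. The same join feeds "Top Triggered Risk Rules", where the row chosen decides which `Tags` are expanded. As far as the two sides can be compared here, the only delta in this hunk is the trailing `\n` becoming `\r\n`, so the issue predates the commit, and normalising line endings in the serialized workbook would keep real query changes from being buried in a one-line diff.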
@@ -7778,7 +9216,7 @@ }, "properties": { "displayName": "[parameters('workbook6-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = 
strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* 
**Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected 
URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) 
in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = 
strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* 
**Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected 
URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) 
in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
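Review bot: In the regenerated `serializedData` for `workbook6-name`, the Evidence Details query (`query - 5`) filters with `| where Description contains {RF_Risk_list}` and carries `"noDataMessage":"ExpirationDateTime"`, while every other query in this workbook references `{RF_Risk_list:value}`. I would align it to `{RF_Risk_list:value}` and give the empty state a real message, for example `"noDataMessage":"No evidence details found"`. That query and `query - 6` also place the clicked grid value inside a KQL string literal (`Url == "{MaliciousURLMatch}"`), and the value is a URL taken from log or indicator data. Whether the workbook runtime escapes quotes and backslashes on substitution is not visible here and is worth confirming, since an unescaped value could break or change the filter. The only thing this hunk itself changes is the string's terminator, from `\n` to `\r\n`, and the enclosing resource object begins and ends outside the hunk.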
@@ -7862,7 +9300,7 @@ }, "properties": { "displayName": "[parameters('workbook7-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = 
tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data 
found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == 
\\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. 
Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Actor Category\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| 
distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMap_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Threat Actor Map

\\n\\nThis workbook shows Threat Actors imported from [Recorded Future](https://app.recordedfuture.com/portal/threat), their intent towards your company, and their opportunity. \\n\\nIntent (y-axis) - The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization (e.g., industry, peers, third parties, executives, brand, internet-facing assets). \\n\\nOpportunity (x-axis) - A correlation between the threat actor's capabilities and an organization’s vulnerabilities. The capability is a threat actor's ability to perform certain activities or cyber attacks, (i.e., their \\\"sophistication\\\"); vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities. \\n\\nData is fetched from Recorded Future thru the playbook ```RecordedFuture-ThreatMap-lmporter```.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d, combine\\n| order by combine desc \\n| project MaxTimeGenerated, id_s, name_s, intent_d, opportunity_d\\n| take 100\\n\",\"size\":0,\"title\":\"Threat Actor Map\",\"noDataMessage\":\"No data 
found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"intent_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}') \\n| where log_entries_s has_any('{Watchlist}') \\n| extend combine= intent_d+opportunity_d\\n| project TimeGenerated, id_s, name_s, intent_d, opportunity_d, combine\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, intent_d, opportunity_d,combine\\n| order by combine desc \\n| project Name=name_s, Intent=intent_d, Opportunity=opportunity_d, id_s\\n\",\"size\":0,\"title\":\"Threat Actors\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatActor\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMap_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == 
\\\"{ThreatActor}\\\"\\n| take 1\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| summarize [\\\"Threat Actor Categories\\\"] = make_list(categoriesArray.name), WatchLists= make_list_with_nulls(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Actor Details\",\"noDataMessage\":\"Please select a threat actor in the Threat Actors table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Actor Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatActor}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatActor}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. 
Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. \\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Actors\\r\\nRecorded Future - Threat Hunting - IP - All Actors\\r\\nRecorded Future - Threat Hunting - Hash - All Actors\\r\\nRecorded Future - Threat Hunting - Url - All Actors\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -7946,7 +9384,7 @@ }, "properties": { "displayName": "[parameters('workbook8-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = 
tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s 
has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware 
Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for 
Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. 
\\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"92c84cb2-9b9a-498f-9b18-a3a11f70618a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"description\":\"Time range for incident created and indicator import.\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":86400000}},{\"id\":\"29f50496-9072-4438-8ac5-7a0cf4cd7307\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"label\":\"Threat Malware Category\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct categories_s\\r\\n| mv-expand parse_json(categories_s)\\r\\n| distinct id = tostring(categories_s.id), name = 
tostring(categories_s.name)\\r\\n\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"2d4f8b54-8321-4c37-9c78-79c3787a9d02\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Watchlist\",\"label\":\"Recorded Future Watchlist\",\"type\":2,\"query\":\"RecordedFutureThreatMapMalware_CL\\r\\n| distinct log_entries_s\\r\\n| mv-expand parse_json(log_entries_s)\\r\\n| where isnotempty(log_entries_s.watchlist)\\r\\n| distinct id = tostring(log_entries_s.watchlist.id), name = tostring(log_entries_s.watchlist.name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 5\"},{\"type\":1,\"content\":{\"json\":\"

Malware Threat Map

\\n\\nThis workbook shows Threat Malware imported from [Recorded Future](https://app.recordedfuture.com/portal/threat).\\n

Prevalence (y-axis) - The malware has been reported as related to elements that are part of an organization context (e.g. industry, peers, third parties, brand, IPs & Domains). \\n

\\n

\\nOpportunity (x-axis) - A correlation between the malware related capabilities and an organization’s vulnerabilities. Vulnerabilities include an organization's exposures, gaps, or technology-related vulnerabilities.

\\nData is fetched from Recorded Future thru the playbook **RecordedFuture-ThreatMapMalware-Importer**.\\n\\n\\n\",\"style\":\"info\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s has_any('{Watchlist}')\\n| project TimeGenerated, id_s, name_s, prevalence_d, opportunity_d, combine = prevalence_d + opportunity_d\\n| order by combine desc \\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d\\n| take 100\\n| project MaxTimeGenerated, id_s, name_s, prevalence_d, opportunity_d\",\"size\":0,\"title\":\"Threat Malware Map\",\"noDataMessage\":\"No data found\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\",\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"id_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"intent_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"opportunity_d\",\"yAxis\":[\"prevalence_d\"],\"group\":\"name_s\",\"createOtherGroup\":0,\"showMetrics\":false,\"showLegend\":true,\"xSettings\":{\"min\":0,\"max\":99},\"ySettings\":{\"min\":0,\"max\":99}},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"intent_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"intent_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"intent_d\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL \\n| where TimeGenerated {TimeRange:query}\\n| where categories_s has_any('{Category}')\\n| where log_entries_s 
has_any('{Watchlist}')\\n| extend combine= prevalence_d+opportunity_d\\n| summarize MaxTimeGenerated = max(TimeGenerated) by id_s, name_s, prevalence_d, opportunity_d,combine\\n| project Name=name_s, Prevalence=prevalence_d, Opportunity=opportunity_d, id_s, combine\\n| order by combine desc \\n\",\"size\":0,\"title\":\"Threat Malware\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"ThreatMalware\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"id_s\",\"formatter\":5},{\"columnMatch\":\"combine\",\"formatter\":5}]}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"RecordedFutureThreatMapMalware_CL\\n| where TimeGenerated {TimeRange:query}\\n| where id_s == \\\"{ThreatMalware}\\\"\\n| take 1\\n| mv-expand watchlistArray = parse_json(log_entries_s)\\n| mv-expand categoriesArray= parse_json(categories_s)\\n| summarize [\\\"Threat Malware Categories\\\"] = make_set(categoriesArray.name), WatchLists= make_set(watchlistArray.watchlist.name) by Link=strcat(\\\"https://app.recordedfuture.com/live/sc/entity/\\\",id_s), Name=name_s, Id=id_s, Aliases=array_strcat(parse_json(alias_s),',')\",\"size\":4,\"title\":\"Malware Details\",\"noDataMessage\":\"Please select a threat malware in the Threat Malware table to display details.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"External Link\"}},{\"columnMatch\":\"Id\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Threat Malware 
Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"https://app.recordedfuture.com/live/sc/entity/{Id}\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"\"}},{\"columnMatch\":\"Categories\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"150ch\"}},{\"columnMatch\":\"id_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkLabel\":\"Open Generic Details\",\"linkIsContextBlade\":true}}],\"labelSettings\":[{\"columnId\":\"Link\",\"label\":\"Recorded Future\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Id\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Intent\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where ExpirationDateTime > now()\\r\\n| where Description contains(\\\"{ThreatMalware}\\\")\\r\\n| summarize Indicators=count(Description) by Description \",\"size\":0,\"title\":\"Active Indicators for 
Hunting\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Indicators\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Indicators\",\"sortOrderField\":2,\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Description\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Indicators\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where TimeGenerated {TimeRange:query}\\r\\n| where Title contains \\\"{ThreatMalware}\\\"\\r\\n| summarize CreateTime = max(CreatedTime) by IncidentUrl, Title,Description \",\"size\":0,\"title\":\"Incidents created\",\"noDataMessage\":\"No incidents found, but try different time range to display incidents future back in time.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"To generate incidents using imported indicators. Create analytic rules that correlates data from infrastructure logs with recorded future hunting indicators. Install and modify the provided analytic rule templates to match your environent. 
\\r\\n```\\r\\nRecorded Future - Threat Hunting - Domain - All Malware\\r\\nRecorded Future - Threat Hunting - IP - All Malware\\r\\nRecorded Future - Threat Hunting - Hash - All Malware\\r\\nRecorded Future - Threat Hunting - Url - All Malware\\r\\n```\\r\\nInstall and configure Recorded Future Incident Enrichment Playbook to get additional information when incidents are created ```RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash```\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"}],\"styleSettings\":{\"paddingStyle\":\"none\",\"spacingStyle\":\"none\"},\"fromTemplateId\":\"sentinel-RecordedFutureThreatActorHuntingWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -8013,7 +9451,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Recorded Future", "publisherDisplayName": "Recorded Future Support Team", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Underlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n\n

Workbooks: 8, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Underlying Microsoft Technologies used:\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n\n

Workbooks: 8, Analytic Rules: 10, Custom Azure Logic Apps Connectors: 1, Playbooks: 13

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", 
@@ -8038,6 +9476,56 @@
 "dependencies": {
 "operator": "AND",
 "criteria": [
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]",
+ "version": "[variables('analyticRuleObject10').analyticRuleVersion10]"
+ },
 {
 "kind": "Playbook",
 "contentId": 
"[variables('_RecordedFuture-IOC_Enrichment')]",