Azure · devonrkb4 · Dec 10, 2025
@@ -1,5 +1,5 @@
 id: a0e55dd4-8454-4396-91e6-f28fec3d2cab
-name: Egress Defend - Dangerous Attachment Detected
+name: KnowBe4 Defend - Dangerous Attachment Detected
 description: |
   'Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.'
 severity: Medium

@@ -1,5 +1,5 @@
 id: a896123e-03a5-4a4d-a7e3-fd814846dfb2
-name: Egress Defend - Dangerous Link Click
+name: KnowBe4 Defend - Dangerous Link Click
 description: |
   'Defend has detected a user has clicked a dangerous link in their mailbox.'
 severity: Medium

@@ -20,14 +20,14 @@
             "properties": {
                 "connectorUiConfig": {
                     "id": "EgressDefendPolling",
-                    "title": "Egress Defend",
-                    "publisher": "Egress Software Technologies",
-                    "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.",
+                    "title": "KnowBe4 Defend",
+                    "publisher": "KnowBe4",
+                    "descriptionMarkdown": "The KnowBe4 Defend audit connector provides the capability to ingest KnowBe4 Defend Data into Microsoft Sentinel.",
                     "graphQueriesTableName": "EgressDefend_CL",
                     "graphQueries": [
                         {
                             "metricName": "Total data received",
-                            "legend": "Egress Defend Events",
+                            "legend": "KnowBe4 Defend Events",
                             "baseQuery": "{{graphQueriesTableName}}"
                         }
                     ],
@@ -72,15 +72,15 @@
                         ],
                         "customs": [
                             {
-                                "name": "Egress API Token",
-                                "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel."
+                                "name": "KnowBe4 API Token",
+                                "description": "An KnowBe4 API token is required to ingest audit records to Microsoft Sentinel."
                             }
                         ]
                     },
                     "instructionSteps": [
                         {
-                            "title": "Connect Egress Defend with Microsoft Sentinel",
-                            "description": "Enter your Egress Defend API URl, Egress Domain and API token.",
+                            "title": "Connect KnowBe4 Defend with Microsoft Sentinel",
+                            "description": "Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token.",
                             "instructions": [
                                 {
                                     "parameters": {

@@ -1,9 +1,9 @@
 {
-  "Name": "Egress Defend",
-  "Author": "Egress - support@egress.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Egress-logo.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "Egress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.",
-  "WorkbookDescription": "Egress Defend Workbooks provides insight into Egress Defend audit logs",
+  "Name": "KnowBe4 Defend",
+  "Author": "KnowBe4 - support@knowbe4.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/KnowBe4-logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "KnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.",
+  "WorkbookDescription": "KnowBe4 Defend Workbooks provides insight into KnowBe4 Defend audit logs",
   "Workbooks": [ 
     "Workbooks/DefendMetrics.json" 
   ],
@@ -16,8 +16,8 @@
     "Hunting Queries/DangerousLinksClicked.yaml"
   ],
   "Data Connectors": ["Data Connectors/DefendAPIConnector.json"],
-  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Egress Defend",
-  "Version": "3.0.0",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\KnowBe4 Defend",
+  "Version": "4.0.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true
 }
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Egress-logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Egress%20Defend/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nEgress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner. \n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Knowbe4-Logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Egress%20Defend/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nKnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner. \n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Egress Defend. You can get Egress Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for KnowBe4 Defend. You can get KnowBe4 Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -111,13 +111,13 @@
           {
             "name": "workbook1",
             "type": "Microsoft.Common.Section",
-            "label": "Egress Defend Insights",
+            "label": "KnowBe4 Defend Insights",
             "elements": [
               {
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "A workbook providing insights into the data ingested from Egress Defend."
+                  "text": "A workbook providing insights into the data ingested from KnowBe4 Defend."
                 }
               }
             ]
@@ -153,7 +153,7 @@
           {
             "name": "analytic1",
             "type": "Microsoft.Common.Section",
-            "label": "Egress Defend - Dangerous Attachment Detected",
+            "label": "KnowBe4 Defend - Dangerous Attachment Detected",
             "elements": [
               {
                 "name": "analytic1-text",
@@ -167,7 +167,7 @@
           {
             "name": "analytic2",
             "type": "Microsoft.Common.Section",
-            "label": "Egress Defend - Dangerous Link Click",
+            "label": "KnowBe4 Defend - Dangerous Link Click",
             "elements": [
               {
                 "name": "analytic2-text",
@@ -211,7 +211,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. This hunting query depends on EgressDefend data connector (EgressDefend_CL Parser or Table)"
+                  "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. This hunting query depends on KnowBe4 Defend data connector (EgressDefend_CL Parser or Table)"
                 }
               }
             ]