diff --git a/.script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/KnowBe4Defend_CL.json
similarity index 97%
rename from .script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json
rename to .script/tests/KqlvalidationsTests/CustomTables/KnowBe4Defend_CL.json
index e61084d3f4c..bbf2821b405 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/KnowBe4Defend_CL.json
@@ -1,5 +1,5 @@
{
- "Name": "EgressDefend_CL",
+ "Name": "KnowBe4Defend_CL",
"Properties": [
{
"Name": "TimeGenerated",
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index fd4fe199415..d1ca9734a83 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -83,7 +83,7 @@
"DragosSitestoreCCP",
"Dynamics365",
"Dynamics365Finance",
- "EgressDefend",
+ "KnowBe4Defend",
"ESETEnterpriseInspector",
"ESETPROTECT",
"EsetSMC",
diff --git a/Logos/Egress-logo.svg b/Logos/Egress-logo.svg
deleted file mode 100644
index a4c8bbe46d6..00000000000
--- a/Logos/Egress-logo.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/Logos/Knowbe4-logo.svg b/Logos/Knowbe4-logo.svg
new file mode 100644
index 00000000000..a7d8515c538
--- /dev/null
+++ b/Logos/Knowbe4-logo.svg
@@ -0,0 +1,6 @@
+
+
diff --git a/README.md b/README.md
index ce71a352b65..0c34558d6f8 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ Note: If you are a first time contributor to this repository, [General GitHub Fo
## General Steps
Brand new or update to a contribution via these methods:
-* Submit for review directly on GitHub website
+* Submit for review directly on GitHub website
* Browse to the folder you want to upload your file to
* Choose Upload Files and browse to your file.
* You will be required to create your own branch and then submit the Pull Request for review.
diff --git a/Sample Data/Egress Defend_RawLogs.json b/Sample Data/KnowBe4 Defend_RawLogs.json
similarity index 100%
rename from Sample Data/Egress Defend_RawLogs.json
rename to Sample Data/KnowBe4 Defend_RawLogs.json
diff --git a/Sample Data/Egress Defend_Schema.csv b/Sample Data/KnowBe4 Defend_Schema.csv
similarity index 100%
rename from Sample Data/Egress Defend_Schema.csv
rename to Sample Data/KnowBe4 Defend_Schema.csv
diff --git a/Sample Data/EgressDefendSampleData.csv b/Sample Data/KnowBe4DefendSampleData.csv
similarity index 100%
rename from Sample Data/EgressDefendSampleData.csv
rename to Sample Data/KnowBe4DefendSampleData.csv
diff --git a/Solutions/Egress Defend/Data/Solution_EgressDefend.json b/Solutions/Egress Defend/Data/Solution_EgressDefend.json
deleted file mode 100644
index 3da9491b0da..00000000000
--- a/Solutions/Egress Defend/Data/Solution_EgressDefend.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "Name": "Egress Defend",
- "Author": "Egress - support@egress.com",
- "Logo": "",
- "Description": "Egress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.",
- "WorkbookDescription": "Egress Defend Workbooks provides insight into Egress Defend audit logs",
- "Workbooks": [
- "Workbooks/DefendMetrics.json"
- ],
- "Analytic Rules": [
- "Analytic Rules/DangerousAttachmentReceived.yaml",
- "Analytic Rules/DangerousLinksClicked.yaml"
- ],
- "Parsers": [ "Parsers/DefendAuditData.txt"],
- "Hunting Queries": [
- "Hunting Queries/DangerousLinksClicked.yaml"
- ],
- "Data Connectors": ["Data Connectors/DefendAPIConnector.json"],
- "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Egress Defend",
- "Version": "3.0.0",
- "Metadata": "SolutionMetadata.json",
- "TemplateSpec": true
-}
diff --git a/Solutions/Egress Defend/Parsers/DefendAuditData.txt b/Solutions/Egress Defend/Parsers/DefendAuditData.txt
deleted file mode 100644
index f506c691004..00000000000
--- a/Solutions/Egress Defend/Parsers/DefendAuditData.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-EgressDefend_CL
-| project
- TimeGenerated=time_t,
- Event=event_s,
- Recipients=email_rcptTo_s,
- From=email_mailFrom_s,
- Subject=columnifexists('email_subject_s', ""),
- Attachments=email_attachments_s,
- MessageId=email_messageId_s,
- ThreatLevel=email_threat_s,
- TrustLevel=email_trust_s,
- FirstTimeSender=email_firstTimeSender_b,
- PayLoad=columnifexists('email_payload_Type_s', ""),
- LinksClicked=email_linksClicked_d,
- SenderIP=email_senderIp_s,
- Url=linkClicked_s,
- PhishType=email_phishType_s
-
\ No newline at end of file
diff --git a/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml b/Solutions/KnowBe4 Defend/Analytic Rules/DangerousAttachmentReceived.yaml
similarity index 92%
rename from Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml
rename to Solutions/KnowBe4 Defend/Analytic Rules/DangerousAttachmentReceived.yaml
index 6b2937ec3d5..96bafc03e0c 100644
--- a/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml
+++ b/Solutions/KnowBe4 Defend/Analytic Rules/DangerousAttachmentReceived.yaml
@@ -1,13 +1,13 @@
id: a0e55dd4-8454-4396-91e6-f28fec3d2cab
-name: Egress Defend - Dangerous Attachment Detected
+name: KnowBe4 Defend - Dangerous Attachment Detected
description: |
'Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.'
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: EgressDefend
- dataTypes:
- - EgressDefend_CL
+ - connectorId: KnowBe4Defend
+ datatypes:
+ - KnowBe4Defend_CL
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
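Review bot: `datatypes:` under `requiredDataConnectors` is the wrong key — the rule template schema uses camelCase `dataTypes`, which is exactly what the removed lines had, so the renamed entry will likely no longer be recognised by the schema validation this commit also touches. Restore `dataTypes:` here, in the same hunk of `Analytic Rules/DangerousLinksClicked.yaml`, in `Hunting Queries/DangerousLinksClicked.yaml`, and in the `requiredDataConnectors` block of `Package/mainTemplate.json`, which all introduce the same lowercase key. The rule definition continues outside the hunk.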
diff --git a/Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml b/Solutions/KnowBe4 Defend/Analytic Rules/DangerousLinksClicked.yaml
similarity index 91%
rename from Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml
rename to Solutions/KnowBe4 Defend/Analytic Rules/DangerousLinksClicked.yaml
index 41c74c61e2b..4d6bf2f4b1a 100644
--- a/Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml
+++ b/Solutions/KnowBe4 Defend/Analytic Rules/DangerousLinksClicked.yaml
@@ -1,13 +1,13 @@
id: a896123e-03a5-4a4d-a7e3-fd814846dfb2
-name: Egress Defend - Dangerous Link Click
+name: KnowBe4 Defend - Dangerous Link Click
description: |
'Defend has detected a user has clicked a dangerous link in their mailbox.'
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: EgressDefend
- dataTypes:
- - EgressDefend_CL
+ - connectorId: KnowBe4Defend
+ datatypes:
+ - KnowBe4Defend_CL
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
diff --git a/Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json b/Solutions/KnowBe4 Defend/Data Connectors/DefendAPIConnector.json
similarity index 89%
rename from Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json
rename to Solutions/KnowBe4 Defend/Data Connectors/DefendAPIConnector.json
index 2f0dfea8b97..6729964769d 100644
--- a/Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json
+++ b/Solutions/KnowBe4 Defend/Data Connectors/DefendAPIConnector.json
@@ -19,15 +19,15 @@
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
- "id": "EgressDefendPolling",
- "title": "Egress Defend",
+ "id": "KnowBe4DefendPolling",
+ "title": "KnowBe4 Defend",
"publisher": "Egress Software Technologies",
- "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.",
- "graphQueriesTableName": "EgressDefend_CL",
+ "descriptionMarkdown": "The KnowBe4 Defend audit connector provides the capability to ingest KnowBe4 Defend Data into Microsoft Sentinel.",
+ "graphQueriesTableName": "KnowBe4Defend_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Egress Defend Events",
+ "legend": "KnowBe4 Defend Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
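Review bot: Changing the connector id from `EgressDefendPolling` to `KnowBe4DefendPolling` changes the identity of the content item, so workspaces that already installed the Egress connector will presumably receive a second connector rather than an in-place update — confirm that is intended and that removal of the old resource is documented. `publisher` is left as `Egress Software Technologies` while `title` becomes `KnowBe4 Defend`; if the publisher string is deliberate, a line in the release notes would save the next reader the question. The `connectorUiConfig` object continues outside the hunk.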
@@ -72,15 +72,15 @@
],
"customs": [
{
- "name": "Egress API Token",
- "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel."
+ "name": "KnowBe4 API Token",
+ "description": "A KnowBe4 API token is required to ingest audit records to Microsoft Sentinel."
}
]
},
"instructionSteps": [
{
- "title": "Connect Egress Defend with Microsoft Sentinel",
- "description": "Enter your Egress Defend API URl, Egress Domain and API token.",
+ "title": "Connect KnowBe4 Defend with Microsoft Sentinel",
+ "description": "Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token.",
"instructions": [
{
"parameters": {
diff --git a/Solutions/KnowBe4 Defend/Data/Solution_KnowBe4Defend.json b/Solutions/KnowBe4 Defend/Data/Solution_KnowBe4Defend.json
new file mode 100644
index 00000000000..07564361d0d
--- /dev/null
+++ b/Solutions/KnowBe4 Defend/Data/Solution_KnowBe4Defend.json
@@ -0,0 +1,22 @@
+{
+ "Name": "KnowBe4 Defend",
+ "Author": "KnowBe4 - support@knowbe4.com",
+ "Logo": "
",
+ "Description": "KnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.",
+ "Workbooks": [
+ "Workbooks/DefendMetrics.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/DangerousAttachmentReceived.yaml",
+ "Analytic Rules/DangerousLinksClicked.yaml"
+ ],
+ "Parsers": [ "Parsers/DefendAuditData.yaml"],
+ "Hunting Queries": [
+ "Hunting Queries/DangerousLinksClicked.yaml"
+ ],
+ "Data Connectors": ["Data Connectors/DefendAPIConnector.json"],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\KnowBe4 Defend",
+ "Version": "3.0.1",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true
+}
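Review bot: `"Parsers": [ "Parsers/DefendAuditData.yaml"]` points at a file that does not appear anywhere in this diff, while the only parser the commit touches is the deleted `Parsers/DefendAuditData.txt`; unless the YAML parser is added in another part of the change, packaging will reference a missing file. `"Author": "KnowBe4 - support@knowbe4.com"` also disagrees with the `support.name` of `egress1589289169584` that `Package/mainTemplate.json` now carries, so pick one display name for the solution owner and use it in both places.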
diff --git a/Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml b/Solutions/KnowBe4 Defend/Hunting Queries/DangerousLinksClicked.yaml
similarity index 80%
rename from Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml
rename to Solutions/KnowBe4 Defend/Hunting Queries/DangerousLinksClicked.yaml
index 6fc7513b329..0b39efc44a8 100644
--- a/Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml
+++ b/Solutions/KnowBe4 Defend/Hunting Queries/DangerousLinksClicked.yaml
@@ -3,9 +3,9 @@ name: Dangerous emails with links clicked
description: |
'This will check for emails that Defend has identified as dangerous and a user has clicked a link.'
requiredDataConnectors:
- - connectorId: EgressDefend
- dataTypes:
- - EgressDefend_CL
+ - connectorId: KnowBe4Defend
+ datatypes:
+ - KnowBe4Defend_CL
tactics:
- Collection
@@ -14,6 +14,6 @@ relevantTechniques:
- T1039
query: |
- EgressDefend_CL
+ KnowBe4Defend_CL
| where event_s == "linkClick"
| where email_threat_s == "dangerous"
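Review bot: The hunt now reads `KnowBe4Defend_CL` directly, whereas the two analytic rules in this commit query through the `DefendAuditData` parser; events already ingested under the old `EgressDefend_CL` table will presumably drop out of this hunt once the rename ships. Either point the query at the parser for consistency with the rules, or union both tables for the transition period so existing data stays searchable. The query continues outside the hunk.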
diff --git a/Solutions/Egress Defend/Package/3.0.0.zip b/Solutions/KnowBe4 Defend/Package/3.0.0.zip
similarity index 100%
rename from Solutions/Egress Defend/Package/3.0.0.zip
rename to Solutions/KnowBe4 Defend/Package/3.0.0.zip
diff --git a/Solutions/KnowBe4 Defend/Package/3.0.1.zip b/Solutions/KnowBe4 Defend/Package/3.0.1.zip
new file mode 100644
index 00000000000..117611efac5
Binary files /dev/null and b/Solutions/KnowBe4 Defend/Package/3.0.1.zip differ
diff --git a/Solutions/Egress Defend/Package/createUiDefinition.json b/Solutions/KnowBe4 Defend/Package/createUiDefinition.json
similarity index 84%
rename from Solutions/Egress Defend/Package/createUiDefinition.json
rename to Solutions/KnowBe4 Defend/Package/createUiDefinition.json
index f29db2bb6cc..42b979d5877 100644
--- a/Solutions/Egress Defend/Package/createUiDefinition.json
+++ b/Solutions/KnowBe4 Defend/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Egress%20Defend/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nEgress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner. \n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KnowBe4%20Defend/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nKnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This Solution installs the data connector for Egress Defend. You can get Egress Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for KnowBe4 Defend. You can get KnowBe4 Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
@@ -71,7 +71,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
@@ -111,13 +111,13 @@
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
- "label": "Egress Defend Insights",
+ "label": "KnowBe4 Defend Insights",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "A workbook providing insights into the data ingested from Egress Defend."
+ "text": "A workbook providing insights into KnowBe4 Defend."
}
}
]
@@ -153,7 +153,7 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
- "label": "Egress Defend - Dangerous Attachment Detected",
+ "label": "KnowBe4 Defend - Dangerous Attachment Detected",
"elements": [
{
"name": "analytic1-text",
@@ -167,7 +167,7 @@
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
- "label": "Egress Defend - Dangerous Link Click",
+ "label": "KnowBe4 Defend - Dangerous Link Click",
"elements": [
{
"name": "analytic2-text",
@@ -211,7 +211,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. This hunting query depends on EgressDefend data connector (EgressDefend_CL Parser or Table)"
+ "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. This hunting query depends on KnowBe4Defend data connector (KnowBe4Defend_CL Parser or Table)"
}
}
]
diff --git a/Solutions/Egress Defend/Package/mainTemplate.json b/Solutions/KnowBe4 Defend/Package/mainTemplate.json
similarity index 70%
rename from Solutions/Egress Defend/Package/mainTemplate.json
rename to Solutions/KnowBe4 Defend/Package/mainTemplate.json
index 0fddb3616b4..90f7504425f 100644
--- a/Solutions/Egress Defend/Package/mainTemplate.json
+++ b/Solutions/KnowBe4 Defend/Package/mainTemplate.json
@@ -2,8 +2,8 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
- "author": "Egress - support@egress.com",
- "comments": "Solution template for Egress Defend"
+ "author": "KnowBe4 - support@knowbe4.com",
+ "comments": "Solution template for KnowBe4 Defend"
},
"parameters": {
"location": {
@@ -30,7 +30,7 @@
},
"workbook1-name": {
"type": "string",
- "defaultValue": "Egress Defend Insights",
+ "defaultValue": "KnowBe4 Defend Insights",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
@@ -38,49 +38,48 @@
}
},
"variables": {
- "email": "support@egress.com",
+ "email": "support@knowbe4.com",
"_email": "[variables('email')]",
- "_solutionName": "Egress Defend",
- "_solutionVersion": "3.0.0",
- "solutionId": "egress1589289169584.egress-sentinel-defend",
+ "_solutionName": "KnowBe4 Defend",
+ "_solutionVersion": "3.0.1",
+ "solutionId": "egress1589289169584.azure-sentinel-solution-egress-defend",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
- "workbookContentId1": "EgressDefendMetricWorkbook",
+ "workbookContentId1": "KnowBe4DefendMetricWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "analyticRuleVersion1": "1.0.0",
- "analyticRulecontentId1": "a0e55dd4-8454-4396-91e6-f28fec3d2cab",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.0.0",
- "analyticRulecontentId2": "a896123e-03a5-4a4d-a7e3-fd814846dfb2",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "parserName1": "DefendAuditData",
- "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
- "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
- "parserVersion1": "1.0.0",
- "parserContentId1": "DefendAuditData-Parser",
- "_parserContentId1": "[variables('parserContentId1')]",
- "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
- "huntingQueryVersion1": "1.0.0",
- "huntingQuerycontentId1": "57ada8d5-7a26-4440-97fd-32c5c3fd0421",
- "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
- "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
- "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
- "uiConfigId1": "EgressDefendPolling",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "a0e55dd4-8454-4396-91e6-f28fec3d2cab",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a0e55dd4-8454-4396-91e6-f28fec3d2cab')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a0e55dd4-8454-4396-91e6-f28fec3d2cab')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a0e55dd4-8454-4396-91e6-f28fec3d2cab','-', '1.0.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.0",
+ "_analyticRulecontentId2": "a896123e-03a5-4a4d-a7e3-fd814846dfb2",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a896123e-03a5-4a4d-a7e3-fd814846dfb2')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a896123e-03a5-4a4d-a7e3-fd814846dfb2')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a896123e-03a5-4a4d-a7e3-fd814846dfb2','-', '1.0.0')))]"
+ },
+ "parserObject1": {
+ "_parserName1": "[concat(parameters('workspace'),'/','DefendAuditData')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DefendAuditData')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DefendAuditData-Parser')))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "DefendAuditData-Parser"
+ },
+ "huntingQueryObject1": {
+ "huntingQueryVersion1": "1.0.0",
+ "_huntingQuerycontentId1": "57ada8d5-7a26-4440-97fd-32c5c3fd0421",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('57ada8d5-7a26-4440-97fd-32c5c3fd0421')))]"
+ },
+ "uiConfigId1": "KnowBe4DefendPolling",
"_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "EgressDefendPolling",
+ "dataConnectorContentId1": "KnowBe4DefendPolling",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
@@ -99,7 +98,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DefendMetricsWorkbook Workbook with template version 3.0.0",
+ "description": "DefendMetrics Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -113,11 +112,11 @@
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
- "description": "A workbook providing insights into Egress Defend."
+ "description": "A workbook providing insights into KnowBe4 Defend."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Phishing Insights\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DefendAuditData\\r\\n| where isnotempty(PhishType)\\r\\n| mv-expand todynamic(PhishType)\\r\\n| summarize EmailCount=count() by tostring(PhishType), LinksClicked\\r\\n| render columnchart\",\"size\":0,\"title\":\"Number of Detected Phish Types in 48 hours\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"chartSettings\":{\"xAxis\":\"PhishType\",\"seriesLabelSettings\":[{\"seriesName\":\"LinksClicked\",\"color\":\"redDark\"},{\"seriesName\":\"EmailCount\",\"color\":\"blue\"}]}},\"name\":\"query-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DefendAuditData\\r\\n| where ThreatLevel == \\\"suspicious\\\" or ThreatLevel == \\\"dangerous\\\"\\r\\n| mv-expand todynamic(Attachments)\\r\\n| where Attachments.name matches regex @\\\"(?i)^.*\\\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\\\"\\r\\n| extend path_parts = parse_path(tostring(Attachments.name))\\r\\n| where isnotempty(path_parts.Extension)\\r\\n| summarize attachmentCount=count() by tostring(path_parts.Extension)\\r\\n| render piechart\",\"size\":0,\"title\":\"Number of suspicious files detected in 48 hours\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"yAxis\":[\"attachmentCount\"]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-EgressDefendMetricWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Phishing Insights\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DefendAuditData\\r\\n| where isnotempty(PhishType)\\r\\n| mv-expand todynamic(PhishType)\\r\\n| summarize EmailCount=count() by tostring(PhishType), LinksClicked\\r\\n| render columnchart\",\"size\":0,\"title\":\"Number of Detected Phish Types in 48 hours\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"chartSettings\":{\"xAxis\":\"PhishType\",\"seriesLabelSettings\":[{\"seriesName\":\"LinksClicked\",\"color\":\"redDark\"},{\"seriesName\":\"EmailCount\",\"color\":\"blue\"}]}},\"name\":\"query-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DefendAuditData\\r\\n| where ThreatLevel == \\\"suspicious\\\" or ThreatLevel == \\\"dangerous\\\"\\r\\n| mv-expand todynamic(Attachments)\\r\\n| where Attachments.name matches regex @\\\"(?i)^.*\\\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\\\"\\r\\n| extend path_parts = parse_path(tostring(Attachments.name))\\r\\n| where isnotempty(path_parts.Extension)\\r\\n| summarize attachmentCount=count() by tostring(path_parts.Extension)\\r\\n| render piechart\",\"size\":0,\"title\":\"Number of suspicious files detected in 48 hours\",\"timeContext\":{\"durationMs\":172800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"yAxis\":[\"attachmentCount\"]}},\"name\":\"query - 1\"}],\"fromTemplateId\":\"sentinel-KnowBe4DefendMetricWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -128,37 +127,36 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=EgressDefendMetricWorkbook; logoFileName=; description=A workbook providing insights into Egress Defend.; dataTypesDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Egress Defend Insights; templateRelativePath=DefendMetrics.json; subtitle=Defend Metrics; provider=Egress Software Technologies}.description",
+ "description": "@{workbookKey=KnowBe4DefendMetricWorkbook; logoFileName=KnowBe4-logo.svg; description=A workbook providing insights into KnowBe4 Defend.; dataTypesDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=KnowBe4 Defend Insights; templateRelativePath=DefendMetrics.json; subtitle=Defend Metrics; provider=Egress Software Technologies}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
"version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
- "contentId": "EgressDefend_CL",
+ "contentId": "KnowBe4Defend_CL",
"kind": "DataType"
}
]
}
- },
- "description": "Egress Defend Workbooks provides insight into Egress Defend audit logs"
+ }
}
]
},
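Review bot: `logoFileName=KnowBe4-logo.svg` does not match the file this commit adds, `Logos/Knowbe4-logo.svg` (lower-case `b`); on a case-sensitive store the workbook logo will not resolve, so rename one side — `logoFileName=Knowbe4-logo.svg` here, or the file to `KnowBe4-logo.svg`. `support.name` is set to `egress1589289169584`, which looks like the publisher id, where the removed line had the display name `Egress`; the analytics-rule metadata hunk later in this file does the same, and a human-readable `"name": "KnowBe4"` is the expected value in both places. The resource list continues outside the hunk.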
@@ -178,28 +176,28 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DangerousAttachmentReceived_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "DangerousAttachmentReceived_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.",
- "displayName": "Egress Defend - Dangerous Attachment Detected",
+ "displayName": "KnowBe4 Defend - Dangerous Attachment Detected",
"enabled": false,
"query": "DefendAuditData\n| where ThreatLevel == \"suspicious\" or ThreatLevel == \"dangerous\"\n| mv-expand todynamic(Attachments)\n| where Attachments.name matches regex @\"(?i)^.*\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\"\n| summarize attachmentCount=count() by TimeGenerated, tostring(Attachments.name), Subject, From, Account_0_FullName = trim(@\"[^@.\\w]+\",Recipients), timesClicked = LinksClicked, SenderIP\n",
"queryFrequency": "PT30M",
@@ -212,9 +210,9 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "EgressDefend",
- "dataTypes": [
- "EgressDefend_CL"
+ "connectorId": "KnowBe4Defend",
+ "datatypes": [
+ "KnowBe4Defend_CL"
]
}
],
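Review bot: The `requiredDataConnectors` entry renames the camelCase key to lower-case at `"datatypes": [`, while the alert-rule template schema documents this property as `dataTypes`. ARM property-name matching is generally case-insensitive, so deployment probably still works, but the repository's template validation and any consumer that reads the key by exact name may no longer find the `KnowBe4Defend_CL` data type. The same change appears in the `requiredDataConnectors` block of the second analytics rule (DangerousLinksClicked). Unless the packaging tool now emits the lower-case form everywhere, keep `"dataTypes": [`.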
@@ -229,7 +227,6 @@
"T0853",
"T0863",
"T1566",
- "T1546",
"T1546"
],
"entityMappings": [
@@ -278,27 +275,27 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
- "description": "Egress Defend Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "description": "KnowBe4 Defend Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
}
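Review bot: `"name": "egress1589289169584"` under `support` reads like a marketplace publisher identifier rather than the support contact name the surrounding fields carry (`"email": "support@knowbe4.com"`, `"link": "https://support.knowbe4.com"`); the value it replaces was the plain vendor name `Egress`. Every metadata resource in this file receives the same string (the second analytics rule, the parser, the hunting query and both data-connector metadata blocks), so if it was copied from `publisherDisplayName` rather than chosen deliberately, `"name": "KnowBe4"` is the consistent replacement. Related, the connector UI's `"publisher": "Egress Software Technologies"` is left untouched by the rename in both connector definitions; confirm whether that is the intended legal publisher or a missed occurrence.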
@@ -309,39 +306,39 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
- "displayName": "Egress Defend - Dangerous Attachment Detected",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "displayName": "KnowBe4 Defend - Dangerous Attachment Detected",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DangerousLinksClicked_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "DangerousLinksClicked_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId2')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Defend has detected a user has clicked a dangerous link in their mailbox.",
- "displayName": "Egress Defend - Dangerous Link Click",
+ "displayName": "KnowBe4 Defend - Dangerous Link Click",
"enabled": false,
"query": "DefendAuditData\n| where LinksClicked > 0\n| where ThreatLevel == \"dangerous\" or ThreatLevel == \"suspicious\"\n| extend Account_0_FullName = trim(@\"[^@.\\w]+\",Recipients)\n",
"queryFrequency": "PT30M",
@@ -354,9 +351,9 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "EgressDefend",
- "dataTypes": [
- "EgressDefend_CL"
+ "connectorId": "KnowBe4Defend",
+ "datatypes": [
+ "KnowBe4Defend_CL"
]
}
],
@@ -418,27 +415,27 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
- "description": "Egress Defend Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "description": "KnowBe4 Defend Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
}
@@ -449,32 +446,32 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
- "displayName": "Egress Defend - Dangerous Link Click",
- "contentProductId": "[variables('_analyticRulecontentProductId2')]",
- "id": "[variables('_analyticRulecontentProductId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "displayName": "KnowBe4 Defend - Dangerous Link Click",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('parserTemplateSpecName1')]",
+ "name": "[variables('parserObject1').parserTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DefendAuditData Data Parser with template version 3.0.0",
+ "description": "DefendAuditData Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserVersion1')]",
+ "contentVersion": "[variables('parserObject1').parserVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[variables('_parserName1')]",
+ "name": "[variables('parserObject1')._parserName1]",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
@@ -483,7 +480,7 @@
"displayName": "DefendAuditData",
"category": "Samples",
"functionAlias": "DefendAuditData",
- "query": "\nEgressDefend_CL\r\n| project \r\n TimeGenerated=time_t,\r\n Event=event_s,\r\n Recipients=email_rcptTo_s,\r\n From=email_mailFrom_s,\r\n Subject=columnifexists('email_subject_s', \"\"),\r\n Attachments=email_attachments_s,\r\n MessageId=email_messageId_s,\r\n ThreatLevel=email_threat_s,\r\n TrustLevel=email_trust_s,\r\n FirstTimeSender=email_firstTimeSender_b,\r\n PayLoad=columnifexists('email_payload_Type_s', \"\"),\r\n LinksClicked=email_linksClicked_d,\r\n SenderIP=email_senderIp_s,\r\n Url=linkClicked_s,\r\n PhishType=email_phishType_s\r\n ",
+ "query": "\nKnowBe4Defend_CL\n| project \n TimeGenerated=time_t,\n Event=event_s,\n Recipients=email_rcptTo_s,\n From=email_mailFrom_s,\n Subject=columnifexists('email_subject_s', \"\"),\n Attachments=email_attachments_s,\n MessageId=email_messageId_s,\n ThreatLevel=email_threat_s,\n TrustLevel=email_trust_s,\n FirstTimeSender=email_firstTimeSender_b,\n PayLoad=columnifexists('email_payload_Type_s', \"\"),\n LinksClicked=email_linksClicked_d,\n SenderIP=email_senderIp_s,\n Url=linkClicked_s,\n PhishType=email_phishType_s\n ",
"functionParameters": "",
"version": 1,
"tags": [
@@ -497,29 +494,29 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
- "[variables('_parserName1')]"
+ "[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DefendAuditData')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
"source": {
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
}
@@ -530,25 +527,25 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_parserContentId1')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "DefendAuditData",
- "contentProductId": "[variables('_parsercontentProductId1')]",
- "id": "[variables('_parsercontentProductId1')]",
- "version": "[variables('parserVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "version": "[variables('parserObject1').parserVersion1]"
}
},
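Review bot: The parser's `contentProductId` and `id` are now derived from a literal `'1.0.0'` inside `uniqueString(...)`, while `"version"` on the following line still reads `variables('parserObject1').parserVersion1`; if that variable holds anything other than 1.0.0 the two fields disagree, and a future version bump leaves the product id pinned. The hunting-query metadata later in the file uses the same literal but also hardcodes `"version": "1.0.0"`, so that pair is at least self-consistent. If this is the packaging tool's intended output, a short comment in the solution's packaging notes would save the next reviewer the same question; otherwise derive the id from `variables('parserObject1').parserVersion1`. The `parserObject1` definition is outside this hunk, so I cannot tell which value it holds.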
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2022-10-01",
- "name": "[variables('_parserName1')]",
+ "name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "DefendAuditData",
"category": "Samples",
"functionAlias": "DefendAuditData",
- "query": "\nEgressDefend_CL\r\n| project \r\n TimeGenerated=time_t,\r\n Event=event_s,\r\n Recipients=email_rcptTo_s,\r\n From=email_mailFrom_s,\r\n Subject=columnifexists('email_subject_s', \"\"),\r\n Attachments=email_attachments_s,\r\n MessageId=email_messageId_s,\r\n ThreatLevel=email_threat_s,\r\n TrustLevel=email_trust_s,\r\n FirstTimeSender=email_firstTimeSender_b,\r\n PayLoad=columnifexists('email_payload_Type_s', \"\"),\r\n LinksClicked=email_linksClicked_d,\r\n SenderIP=email_senderIp_s,\r\n Url=linkClicked_s,\r\n PhishType=email_phishType_s\r\n ",
+ "query": "\nKnowBe4Defend_CL\n| project \n TimeGenerated=time_t,\n Event=event_s,\n Recipients=email_rcptTo_s,\n From=email_mailFrom_s,\n Subject=columnifexists('email_subject_s', \"\"),\n Attachments=email_attachments_s,\n MessageId=email_messageId_s,\n ThreatLevel=email_threat_s,\n TrustLevel=email_trust_s,\n FirstTimeSender=email_firstTimeSender_b,\n PayLoad=columnifexists('email_payload_Type_s', \"\"),\n LinksClicked=email_linksClicked_d,\n SenderIP=email_senderIp_s,\n Url=linkClicked_s,\n PhishType=email_phishType_s\n ",
"functionParameters": "",
"version": 1,
"tags": [
@@ -563,58 +560,58 @@
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
- "[variables('_parserId1')]"
+ "[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DefendAuditData')]",
+ "contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "version": "[variables('parserObject1').parserVersion1]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DangerousLinksClicked_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "DangerousLinksClicked_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/savedSearches",
"apiVersion": "2022-10-01",
- "name": "Egress_Defend_Hunting_Query_1",
+ "name": "KnowBe4_Defend_Hunting_Query_1",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Dangerous emails with links clicked",
"category": "Hunting Queries",
- "query": "EgressDefend_CL \n| where event_s == \"linkClick\" \n| where email_threat_s == \"dangerous\"\n",
+ "query": "KnowBe4Defend_CL \n| where event_s == \"linkClick\" \n| where email_threat_s == \"dangerous\"\n",
"version": 2,
"tags": [
{
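Review bot: The hunting query at `"query": "KnowBe4Defend_CL \n| where event_s == \"linkClick\" \n| where email_threat_s == \"dangerous\"\n"` still reads the raw custom table and raw column names, whereas both analytics rules go through the `DefendAuditData` parser that maps `Event=event_s` and `ThreatLevel=email_threat_s`. The rename only swapped the table name, so any schema change behind the rebrand would have to be applied here separately. Routing it through the parser keeps the three queries aligned: `"query": "DefendAuditData\n| where Event == \"linkClick\"\n| where ThreatLevel == \"dangerous\"\n",`.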
@@ -635,27 +632,27 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
"properties": {
- "description": "Egress Defend Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "description": "KnowBe4 Defend Hunting Query 1",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
}
@@ -666,12 +663,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
"contentKind": "HuntingQuery",
"displayName": "Dangerous emails with links clicked",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
}
},
{
@@ -683,7 +680,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Egress Defend data connector with template version 3.0.0",
+ "description": "KnowBe4 Defend data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -699,14 +696,14 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Egress Defend",
+ "title": "KnowBe4 Defend",
"publisher": "Egress Software Technologies",
- "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.",
- "graphQueriesTableName": "EgressDefend_CL",
+ "descriptionMarkdown": "The KnowBe4 Defend audit connector provides the capability to ingest KnowBe4 Defend Data into Microsoft Sentinel.",
+ "graphQueriesTableName": "KnowBe4Defend_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Egress Defend Events",
+ "legend": "KnowBe4 Defend Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
@@ -732,7 +729,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -751,14 +748,14 @@
],
"customs": [
{
- "name": "Egress API Token",
- "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel."
+ "name": "KnowBe4 API Token",
+ "description": "A KnowBe4 API token is required to ingest audit records to Microsoft Sentinel."
}
]
},
"instructionSteps": [
{
- "description": "Enter your Egress Defend API URl, Egress Domain and API token.",
+ "description": "Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token.",
"instructions": [
{
"parameters": {
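Review bot: The new instruction text `"description": "Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token.",` carries over the capitalisation typo `URl` from the replaced line; this string is rendered in the connector's setup UI, so it should read `URL`. The same sentence is repeated in the second connector definition further down the file. Suggested line: `"description": "Enter your KnowBe4 Defend API URL, KnowBe4 Domain and API token.",`.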
@@ -779,7 +776,7 @@
"type": "APIKey"
}
],
- "title": "Connect Egress Defend with Microsoft Sentinel"
+ "title": "Connect KnowBe4 Defend with Microsoft Sentinel"
}
]
},
@@ -827,18 +824,18 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
}
@@ -851,7 +848,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
- "displayName": "Egress Defend",
+ "displayName": "KnowBe4 Defend",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
@@ -872,18 +869,18 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
- "name": "Egress Defend",
+ "name": "KnowBe4 Defend",
"sourceId": "[variables('_solutionId')]"
},
"author": {
- "name": "Egress",
+ "name": "KnowBe4",
"email": "[variables('_email')]"
},
"support": {
- "name": "Egress",
- "email": "support@egress.com",
+ "name": "egress1589289169584",
+ "email": "support@knowbe4.com",
"tier": "Partner",
- "link": "https://support.egress.com/s/"
+ "link": "https://support.knowbe4.com"
}
}
},
@@ -896,14 +893,14 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
- "title": "Egress Defend",
+ "title": "KnowBe4 Defend",
"publisher": "Egress Software Technologies",
- "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.",
- "graphQueriesTableName": "EgressDefend_CL",
+ "descriptionMarkdown": "The KnowBe4 Defend audit connector provides the capability to ingest KnowBe4 Defend Data into Microsoft Sentinel.",
+ "graphQueriesTableName": "KnowBe4Defend_CL",
"graphQueries": [
{
"metricName": "Total data received",
- "legend": "Egress Defend Events",
+ "legend": "KnowBe4 Defend Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
@@ -929,7 +926,7 @@
],
"availability": {
"status": 1,
- "isPreview": true
+ "isPreview": false
},
"permissions": {
"resourceProvider": [
@@ -948,14 +945,14 @@
],
"customs": [
{
- "name": "Egress API Token",
- "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel."
+ "name": "KnowBe4 API Token",
+ "description": "A KnowBe4 API token is required to ingest audit records to Microsoft Sentinel."
}
]
},
"instructionSteps": [
{
- "description": "Enter your Egress Defend API URl, Egress Domain and API token.",
+ "description": "Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token.",
"instructions": [
{
"parameters": {
@@ -976,7 +973,7 @@
"type": "APIKey"
}
],
- "title": "Connect Egress Defend with Microsoft Sentinel"
+ "title": "Connect KnowBe4 Defend with Microsoft Sentinel"
}
]
},
@@ -1018,32 +1015,32 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
- "displayName": "Egress Defend",
+ "displayName": "KnowBe4 Defend",
"publisherDisplayName": "egress1589289169584",
- "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nEgress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.
\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2, Hunting Queries: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nKnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.
\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 2, Hunting Queries: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
- "icon": "