Defend rebrand from Egress to KnowBe4

.script/tests/KqlvalidationsTests/CustomTables/EgressDefend_CL.json → .script/tests/KqlvalidationsTests/CustomTables/KnowBe4Defend_CL.json

@@ -1,5 +1,5 @@
 {
-    "Name": "EgressDefend_CL",
+    "Name": "KnowBe4Defend_CL",
     "Properties": [
       {
         "Name": "TimeGenerated",

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -83,7 +83,7 @@
   "DragosSitestoreCCP",
   "Dynamics365",
   "Dynamics365Finance",
-  "EgressDefend",
+  "KnowBe4Defend",
   "ESETEnterpriseInspector",
   "ESETPROTECT",
   "EsetSMC",

README.md

@@ -27,7 +27,7 @@ Note: If you are a first time contributor to this repository, [General GitHub Fo
 
 ## General Steps
 Brand new or update to a contribution via these methods:
-* Submit for review directly on GitHub website 
+* Submit for review directly on GitHub website
     * Browse to the folder you want to upload your file to
     * Choose Upload Files and browse to your file. 
     * You will be required to create your own branch and then submit the Pull Request for review.

Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml → Solutions/KnowBe4 Defend/Analytic Rules/DangerousAttachmentReceived.yaml

@@ -1,13 +1,13 @@
 id: a0e55dd4-8454-4396-91e6-f28fec3d2cab
-name: Egress Defend - Dangerous Attachment Detected
+name: KnowBe4 Defend - Dangerous Attachment Detected
 description: |
   'Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.'
 severity: Medium
 status: Available
 requiredDataConnectors:
-  - connectorId: EgressDefend
-    dataTypes:
-      - EgressDefend_CL
+  - connectorId: KnowBe4Defend
+    datatypes:
+      - KnowBe4Defend_CL
 queryFrequency: 30m
 queryPeriod: 30m
 triggerOperator: gt

Solutions/Egress Defend/Analytic Rules/DangerousLinksClicked.yaml → Solutions/KnowBe4 Defend/Analytic Rules/DangerousLinksClicked.yaml

@@ -1,13 +1,13 @@
 id: a896123e-03a5-4a4d-a7e3-fd814846dfb2
-name: Egress Defend - Dangerous Link Click
+name: KnowBe4 Defend - Dangerous Link Click
 description: |
   'Defend has detected a user has clicked a dangerous link in their mailbox.'
 severity: Medium
 status: Available
 requiredDataConnectors:
-  - connectorId: EgressDefend
-    dataTypes:
-      - EgressDefend_CL
+  - connectorId: KnowBe4Defend
+    datatypes:
+      - KnowBe4Defend_CL
 queryFrequency: 30m
 queryPeriod: 30m
 triggerOperator: gt

Solutions/Egress Defend/Data Connectors/DefendAPIConnector.json → Solutions/KnowBe4 Defend/Data Connectors/DefendAPIConnector.json

@@ -19,15 +19,15 @@
             "kind": "APIPolling",
             "properties": {
                 "connectorUiConfig": {
-                    "id": "EgressDefendPolling",
-                    "title": "Egress Defend",
+                    "id": "KnowBe4DefendPolling",
+                    "title": "KnowBe4 Defend",
                     "publisher": "Egress Software Technologies",
-                    "descriptionMarkdown": "The Egress Defend audit connector provides the capability to ingest Egress Defend Data into Microsoft Sentinel.",
-                    "graphQueriesTableName": "EgressDefend_CL",
+                    "descriptionMarkdown": "The KnowBe4 Defend audit connector provides the capability to ingest KnowBe4 Defend Data into Microsoft Sentinel.",
+                    "graphQueriesTableName": "KnowBe4Defend_CL",
                     "graphQueries": [
                         {
                             "metricName": "Total data received",
-                            "legend": "Egress Defend Events",
+                            "legend": "KnowBe4 Defend Events",
                             "baseQuery": "{{graphQueriesTableName}}"
                         }
                     ],
@@ -72,15 +72,15 @@
                         ],
                         "customs": [
                             {
-                                "name": "Egress API Token",
-                                "description": "An Egress API token is required to ingest audit records to Microsoft Sentinel."
+                                "name": "KnowBe4 API Token",
+                                "description": "A KnowBe4 API token is required to ingest audit records to Microsoft Sentinel."
                             }
                         ]
                     },
                     "instructionSteps": [
                         {
-                            "title": "Connect Egress Defend with Microsoft Sentinel",
-                            "description": "Enter your Egress Defend API URl, Egress Domain and API token.",
+                            "title": "Connect KnowBe4 Defend with Microsoft Sentinel",
+                            "description": "Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token.",
                             "instructions": [
                                 {
                                     "parameters": {

Solutions/KnowBe4 Defend/Data/Solution_KnowBe4Defend.json

@@ -0,0 +1,22 @@
+{
+  "Name": "KnowBe4 Defend",
+  "Author": "KnowBe4 - support@knowbe4.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/KnowBe4-logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "KnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.",
+  "Workbooks": [ 
+    "Workbooks/DefendMetrics.json" 
+  ],
+  "Analytic Rules": [ 
+    "Analytic Rules/DangerousAttachmentReceived.yaml",
+    "Analytic Rules/DangerousLinksClicked.yaml"
+  ],
+  "Parsers": [ "Parsers/DefendAuditData.txt"],
+  "Hunting Queries": [
+    "Hunting Queries/DangerousLinksClicked.yaml"
+  ],
+  "Data Connectors": ["Data Connectors/DefendAPIConnector.json"],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\KnowBe4 Defend",
+  "Version": "3.0.1",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true
+}

Solutions/Egress Defend/Hunting Queries/DangerousLinksClicked.yaml → Solutions/KnowBe4 Defend/Hunting Queries/DangerousLinksClicked.yaml

@@ -3,9 +3,9 @@ name: Dangerous emails with links clicked
 description: |
   'This will check for emails that Defend has identified as dangerous and a user has clicked a link.'
 requiredDataConnectors:
-  - connectorId: EgressDefend
-    dataTypes:
-      - EgressDefend_CL
+  - connectorId: KnowBe4Defend
+    datatypes:
+      - KnowBe4Defend_CL
 
 tactics:
   - Collection
@@ -14,6 +14,6 @@ relevantTechniques:
   - T1039
 
 query: |
-  EgressDefend_CL 
+  KnowBe4Defend_CL 
   | where event_s == "linkClick" 
   | where email_threat_s == "dangerous"

Solutions/Egress Defend/Package/createUiDefinition.json → Solutions/KnowBe4 Defend/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Egress-logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Egress%20Defend/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nEgress Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner. \n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/KnowBe4-logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KnowBe4%20Defend/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nKnowBe4 Defend for Microsoft Sentinel provides details of processed emails, including the type of phishing attack, payload type and information to show if the user interacted with the email in a positive (clicking on banners or submitting the phish sample) or negative (clicking on an unsafe URL) manner.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Egress Defend. You can get Egress Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for KnowBe4 Defend. You can get KnowBe4 Defend custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -71,7 +71,7 @@
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {
@@ -111,13 +111,13 @@
           {
             "name": "workbook1",
             "type": "Microsoft.Common.Section",
-            "label": "Egress Defend Insights",
+            "label": "KnowBe4 Defend Insights",
             "elements": [
               {
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "A workbook providing insights into the data ingested from Egress Defend."
+                  "text": "A workbook providing insights into KnowBe4 Defend."
                 }
               }
             ]
@@ -153,7 +153,7 @@
           {
             "name": "analytic1",
             "type": "Microsoft.Common.Section",
-            "label": "Egress Defend - Dangerous Attachment Detected",
+            "label": "KnowBe4 Defend - Dangerous Attachment Detected",
             "elements": [
               {
                 "name": "analytic1-text",
@@ -167,7 +167,7 @@
           {
             "name": "analytic2",
             "type": "Microsoft.Common.Section",
-            "label": "Egress Defend - Dangerous Link Click",
+            "label": "KnowBe4 Defend - Dangerous Link Click",
             "elements": [
               {
                 "name": "analytic2-text",
@@ -211,7 +211,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. This hunting query depends on EgressDefend data connector (EgressDefend_CL Parser or Table)"
+                  "text": "This will check for emails that Defend has identified as dangerous and a user has clicked a link. This hunting query depends on KnowBe4Defend data connector (KnowBe4Defend_CL Parser or Table)"
                 }
               }
             ]