Merge pull request #11396 from ni-bhandari/nibhandari/update-templates
[ThreatIntelligence] Template updates for PMDTI GA and new types Public Preview
v-prasadboke authored Nov 28, 2024
2 parents 17ac523 + d8b7258 commit 2bac943
Showing 15 changed files with 833 additions and 480 deletions.
Original file line number Diff line number Diff line change
@@ -5,7 +5,9 @@
"Description": "The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.",
"Data Connectors": [
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_ThreatIntelligenceTaxii.json",
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json"
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_ThreatIntelligenceUploadIndicators_ForGov.json",
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_PremiumMicrosoftDefenderThreatIntelligence.json",
"Solutions/Threat Intelligence Solution for Azure Government/Data Connectors/template_MicrosoftDefenderThreatIntelligence.json"
],
"Workbooks": [
"Solutions/Threat Intelligence Solution for Azure Government/Workbooks/ThreatIntelligence.json"
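Review bot: the two paths added to the Gov `Data Connectors` list point at `template_PremiumMicrosoftDefenderThreatIntelligence.json` and `template_MicrosoftDefenderThreatIntelligence.json` under the Gov solution folder, but no file in this commit is visibly created at those paths; confirm both templates exist there, otherwise the package build cannot resolve them. Note also that the Premium template file name omits the `For` that the connector id `PremiumMicrosoftDefenderForThreatIntelligence` carries, which makes the two easy to mismatch when copying names between the list and `StaticDataConnectorIds`.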
@@ -54,10 +56,12 @@
"Solutions/Threat Intelligence Solution for Azure Government/Analytic Rules/IPEntity_DuoSecurity.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "3.0.2",
"Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"StaticDataConnectorIds": [
"ThreatIntelligenceTaxii"
"ThreatIntelligenceTaxii",
"MicrosoftDefenderThreatIntelligence",
"PremiumMicrosoftDefenderForThreatIntelligence"
]
}
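Review bot: the `StaticDataConnectorIds` strings must equal the `id` field of the corresponding connector JSON exactly; `PremiumMicrosoftDefenderForThreatIntelligence` (with `For`) matches the connector id renamed later in this commit, while the template path added above uses `PremiumMicrosoftDefenderThreatIntelligence` (without), so verify the id once more before merge. The bump to `3.0.3` also needs a matching row in the Gov `ReleaseNotes.md` and a rebuilt package zip, which appears here only as "Binary file not shown".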
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence%20Solution%20for%20Azure%20Government/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 34, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence%20Solution%20for%20Azure%20Government/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 4, **Workbooks:** 1, **Analytic Rules:** 34, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
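Review bot: the Gov description keeps "import of threat indicators into Microsoft Sentinel" while the commercial solution's description is reworded in this same PR to "import of supported STIX objects"; the two solutions should use the same wording so the marketplace cards do not describe the same connectors differently. The updated count `**Data Connectors:** 4` does match the four entries now listed in the Gov `Solution_ThreatIntelligence.json`.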

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.5 | 19-08-2024 | Updated isConnectedQuery for **Data Connector** of "Threat Intelligence Upload Indicators API". |
| 3.0.3 | 28-11-2024 | Removed (Preview) from name for **Data Connectors** Microsoft Defender Threat Intelligence and Premium Microsoft Defender Threat Intelligence, make the MDTI and PMDTI data connctors available in gov solution, and update descriptions of data connectors. |
| 3.0.2 | 19-08-2024 | Updated isConnectedQuery for **Data Connector** of "Threat Intelligence Upload Indicators API". |
| 3.0.1 | 06-08-2024 | Updated the URL in **data connector** |
| 3.0.0 | 02-08-2024 | Added a new **data connector** of "Threat Intelligence Upload Indicators API" for Fairfax|
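Review bot: "data connctors" in the new 3.0.3 row is a typo ("data connectors"). The table also carries a pre-existing `3.0.5` row dated 19-08-2024 whose text duplicates the `3.0.2` row and which sits above the new entry even though the Gov solution is only at version 3.0.3; that row looks like a copy from the commercial solution's notes and should be removed or corrected in this PR so the version history reads in order. For consistency with the other rows, the new entry would also read better in past tense ("made the MDTI and PMDTI data connectors available ... and updated descriptions").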
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"id": "MicrosoftDefenderThreatIntelligence",
"title": "Microsoft Defender Threat Intelligence (Preview)",
"title": "Microsoft Defender Threat Intelligence",
"publisher": "Microsoft",
"logo": {
"type": 258,
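Review bot: dropping "(Preview)" from `title` while keeping `id` as `MicrosoftDefenderThreatIntelligence` is the right way to mark GA, since existing deployments keep their connector binding; confirm that no other "(Preview)" string remains elsewhere in this file (for example in `descriptionMarkdown` or `instructionSteps`), because only the title line is changed in this hunk.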
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"id": "PremiumMicrosoftDefenderForThreatIntelligence",
"title": "Premium Microsoft Defender Threat Intelligence (Preview)",
"title": "Premium Microsoft Defender Threat Intelligence",
"publisher": "Microsoft",
"logo": {
"type": 258,
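Review bot: as with the MDTI connector, keeping `id` as `PremiumMicrosoftDefenderForThreatIntelligence` stable across the GA rename is correct for upgrades; the `For` in the id versus the title "Premium Microsoft Defender Threat Intelligence" and the template file name is a naming mismatch that cannot be fixed without breaking existing installs, so a short note in the solution README explaining the discrepancy would save future maintainers from "fixing" it.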
Original file line number Diff line number Diff line change
@@ -2,7 +2,7 @@
"id": "ThreatIntelligenceTaxii",
"title": "Threat intelligence - TAXII",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
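Review bot: the reworded `descriptionMarkdown` says the connector sends "the supported STIX object types", but the next sentence still reads "Threat indicators can include IP addresses, domains, URLs, and file hashes", so the reader is not told which object types beyond indicators are supported; either enumerate them or rephrase along the lines of "Supported objects include indicators (IP addresses, domains, URLs, file hashes) and ..." with a link to the current list, so the description matches the Public Preview scope the PR title refers to.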
@@ -74,7 +74,7 @@
},
"instructionSteps": [
{
"title": "Configure TAXII servers to stream STIX 2.0 or 2.1 threat indicators to Microsoft Sentinel",
"title": "Configure TAXII servers to stream STIX 2.0 or 2.1 STIX objects to Microsoft Sentinel",
"description": "You can connect your TAXII servers to Microsoft Sentinel using the built-in TAXII connector. For detailed configuration instructions, see the [full documentation](https://docs.microsoft.com/azure/sentinel/import-threat-intelligence#adding-threat-indicators-to-azure-sentinel-with-the-threat-intelligence---taxii-data-connector). \n\nEnter the following information and select Add to configure your TAXII server.",
"instructions": [
{
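Review bot: the new step title "Configure TAXII servers to stream STIX 2.0 or 2.1 STIX objects to Microsoft Sentinel" repeats "STIX"; "stream STIX 2.0 or 2.1 objects to Microsoft Sentinel" reads better. The unchanged `description` beneath it still links to the `#adding-threat-indicators-to-azure-sentinel-with-the-threat-intelligence---taxii-data-connector` anchor on docs.microsoft.com; since the wording is moving from indicators to STIX objects, verify that the link still resolves to the current TAXII connector documentation.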
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"id": "ThreatIntelligenceUploadIndicatorsAPI",
"title": "Threat Intelligence Upload Indicators API (Preview)",
"title": "Threat Intelligence Upload API (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
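Review bot: renaming `title` to "Threat Intelligence Upload API (Preview)" while leaving `id` as `ThreatIntelligenceUploadIndicatorsAPI` is the right call for upgrade compatibility, but the `descriptionMarkdown` on the following line still describes the connector purely in terms of "threat indicators"; align it with the title change (for instance by saying that STIX objects beyond indicators can be uploaded) so the connector card and the instruction steps tell the same story.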
@@ -63,8 +63,8 @@
"description": "To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: https://management.azure.com/.default "
},
{
"title": "2. Send indicators to Sentinel",
"description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format."
}
"title": "2. Send STIX objects to Sentinel",
"description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of STIX objects."
}
]
}
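Review bot: the endpoint now targets `threatintelligence-stix-objects:upload?api-version=2024-02-01`, but the "For more information" link still points to `learn.microsoft.com/azure/sentinel/upload-indicators-api`, the page for the previous indicators endpoint; confirm that page documents the 2024-02-01 STIX-objects API or update the link. "The body is a JSON object containing an array of STIX objects" is also too vague for an integration step: name the required top-level fields (at minimum the property that holds the array and any source-system identifier the API expects) or include a minimal example body, since callers migrating from the 2022-07-01 endpoint will otherwise assume the old request shape still works. Step 1's token guidance, which links to a Databricks page, is unchanged but is an odd reference for a Sentinel connector; the Microsoft Entra ID client-credentials documentation would be more direct.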
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"id": "ThreatIntelligenceUploadIndicatorsAPI",
"title": "Threat Intelligence Upload Indicators API (Preview)",
"title": "Threat Intelligence Upload API (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
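Review bot: this Gov copy mirrors the commercial title change and keeps the same `id`, which is correct; the same point applies here that `descriptionMarkdown` still speaks only of "threat indicators" and should be aligned with the new title.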
@@ -63,8 +63,8 @@
"description": "To send request to the APIs, you need to acquire Microsoft Entra ID access token. You can follow instruction in this page: https://docs.microsoft.com/azure/databricks/dev-tools/api/latest/aad/app-aad-token#get-an-azure-ad-access-token \n - Notice: Please request Microsoft Entra ID access token with scope value: \nFairfax: https://management.usgovcloudapi.net/.default \nMooncake: https://management.chinacloudapi.cn/.default "
},
{
"title": "2. Send indicators to Sentinel",
"description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: \nFairfax: https://api.ti.sentinel.azure.us/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \nMooncake: https://api.ti.sentinel.azure.cn/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format."
}
"title": "2. Send STIX objects to Sentinel",
"description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: \nFairfax: https://api.ti.sentinel.azure.us/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \nMooncake: https://api.ti.sentinel.azure.cn/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of STIX objects."
}
]
}
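Review bot: the Fairfax and Mooncake endpoints are both moved to `api-version=2024-02-01` in one step, while the PR title describes the new STIX object types as Public Preview; confirm that the sovereign-cloud hosts `api.ti.sentinel.azure.us` and `api.ti.sentinel.azure.cn` actually serve that API version before this ships, otherwise Gov customers following these instructions will get errors the previous 2022-07-01 endpoint did not produce. The documentation link is the commercial `learn.microsoft.com` page and may not mention the sovereign endpoints, and, as in the commercial template, the body description should name the required fields rather than just "an array of STIX objects".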
Original file line number Diff line number Diff line change
@@ -2,7 +2,7 @@
"Name": "Threat Intelligence",
"Author": "Microsoft - [email protected]",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">",
"Description": "The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.",
"Description": "The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.",
"Data Connectors": [
"Data Connectors/template_ThreatIntelligenceTaxii.json",
"Data Connectors/template_ThreatIntelligence.json",
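Review bot: the `Description` is reworded here to "import of supported STIX objects", but the Gov solution's `Solution_ThreatIntelligence.json` in this same commit still says "import of threat indicators"; keep the two solutions' wording in sync. The trailing sentence "Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc." also reads as a non sequitur after "STIX objects"; while rephrasing it, "IPs", "URLs" and "file hashes" would fix the stray apostrophes.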
@@ -76,7 +76,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Threat Intelligence\\",
"Version": "3.0.6",
"Version": "3.0.8",
"TemplateSpec": true,
"StaticDataConnectorIds": [
"ThreatIntelligenceTaxii",
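Review bot: the version jumps from `3.0.6` to `3.0.8` with no 3.0.7 visible in this commit; if 3.0.7 shipped from another branch that is fine, otherwise the bump should be 3.0.7. Either way the commercial `ReleaseNotes.md` needs a matching 3.0.8 row, which this diff does not show, and the added `Package/3.0.8.zip` must be built from exactly this version of the solution files.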
Binary file added Solutions/Threat Intelligence/Package/3.0.8.zip
Binary file not shown.
Original file line number Diff line number Diff line change
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
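Review bot: the `<img src=\"...Azure_Sentinel.svg\"width=\"75px\"` fragment on the changed line lacks a space between the `src` and `width` attributes (the Gov createUiDefinition has the same defect); since the line is being edited anyway, insert the space so the HTML attribute list is well-formed. The rest of the change is consistent with the updated `Solution_ThreatIntelligence.json` description.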
