Merge branch 'master' into v-rusraut/PingFederate-MMAtoAMAMigration

Azure · Sep 6, 2023 · 040cf19 · 040cf19
2 parents 780d086 + 4fddab1
commit 040cf19
Show file tree

Hide file tree

Showing 68 changed files with 4,604 additions and 395 deletions.
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -197,5 +197,6 @@
   "DynatraceProblems",
   "MicrosoftDefenderThreatIntelligence",
   "CortexXDR",
-  "PingFederateAma"
+  "PingFederateAma",
+  "vArmourACAma"
 ]
diff --git a/.script/utils/workbookCheckers/WorkbookPreviewImageValidationSkipList.json b/.script/utils/workbookCheckers/WorkbookPreviewImageValidationSkipList.json
@@ -17,6 +17,7 @@
     "RecordedFutureDomainC2DNSWorkbook",
     "vCenter",
     "RecordedFutureIPActiveC2Workbook",
-    "Fortiweb-workbook"
+    "Fortiweb-workbook",
+    "SecurityBridgeWorkbook"
   ]
 }
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
@@ -248,7 +248,7 @@ DstZone,string,Optional,WebSession,,,
 Duration,int,Alias,Dns,,,DnsNetworkDuration
 Duration,int,Alias,NetworkSession,,,NetworkDuration
 Duration,int,Alias,WebSession,,,NetworkDuration
-Duration,string,Alias,Dhcp,,,DhcpSessionDuration
+Duration,int,Alias,Dhcp,,,DhcpSessionDuration
 Dvc,string,Mandatory,AuditEvent,,,
 Dvc,string,Mandatory,Authentication,,,
 Dvc,string,Mandatory,Common,,,

diff --git a/DataConnectors/O365 Data/O365APItoAS-Template.zip b/DataConnectors/O365 Data/O365APItoAS-Template.zip
diff --git a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1 b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1
@@ -159,9 +159,10 @@ function Get-AuthToken{
             [string]$TenantGUID
         )
     # Create app of type Web app / API in Azure AD, generate a Client Secret, and update the client id and client secret here
-    $loginURL = "$env:loginEndpoint"
+    if ([string]::IsNullOrEmpty($loginURL)){$loginURL = "https://login.microsoftonline.com/"}
     # Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
-    $resource = "https://$env:managementApi"
+
+    $resource = "https://$managementApi"
     # auth
     $body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
     $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
@@ -185,7 +186,7 @@ function Get-O365Data{
     $contentTypes = $env:contentTypes.split(",")
     #Loop for each content Type like Audit.General
     foreach($contentType in $contentTypes){
-        $listAvailableContentUri = "https://$env:managementApi/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
+        $listAvailableContentUri = "https://$managementApi/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
         do {
             #List Available Content
             $contentResult = Invoke-RestMethod -Method GET -Headers $headerParams -Uri $listAvailableContentUri
@@ -249,7 +250,22 @@ if (-Not [string]::IsNullOrEmpty($LAURI)){
 		Exit
 	}
 }
-
+$LoginURL = $env:loginEndpoint
+if (-Not [string]::IsNullOrEmpty($LoginURL)){
+	if($LoginURL.Trim() -notin @("https://login.microsoftonline.us","https://login.partner.microsoftonline.cn","https://login.microsoftonline.com"))
+	{
+		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Login Endpoint Uri." -ErrorAction Stop
+		Exit
+	}
+}
+$managementApi = $env:managementApi
+if (-Not [string]::IsNullOrEmpty($managementApi)){
+	if($managementApi.Trim() -notin @("manage.office.com","manage-gcc.office.com","manage.office365.us","manage.protection.apps.mil"))
+	{
+		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Management API Endpoint." -ErrorAction Stop
+		Exit
+	}
+} else {$managementApi = "manage.office.com"}
 
 #add last run time to blob file to ensure no missed packages
 $endTime = $currentUTCtime | Get-Date -Format yyyy-MM-ddTHH:mm:ss

diff --git a/Logos/Commvault-Logo.svg b/Logos/Commvault-Logo.svg
diff --git a/Solutions/Azure Active Directory/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml b/Solutions/Azure Active Directory/Analytic Rules/MFASpammingfollowedbySuccessfullogin.yaml
@@ -1,9 +1,9 @@
 id: a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b
 name: MFA Spamming followed by Successful login
 description: |
-  'Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window, 
+  'Identifies MFA Spamming followed by Successful logins and by a successful authentication within a given time window,
   Default Failure count is 10 and 1 successful login with default Time Window is 5 minutes.'
-severity: high
+severity: High
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
     dataTypes:
@@ -55,5 +55,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml b/Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml
@@ -0,0 +1,31 @@
+id: 1d2c3da7-60ec-40be-9c14-bade6eaf3c49
+name: Data Alert
+description: |
+  'This query identifies clients or servers whose data has been compromised.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Impact
+
+relevantTechniques:
+  - T1578
+  - T1531
+tags:
+  - Commvault
+  - Metallic
+  - Threat Intelligence
+  - Ransomware
+query: |
+    SecurityIncident
+    | where Title has "Cvlt Alert" and Description has "Client" and Description has "Compromised" and Status has "New"
+    | extend extracted_word = extract("Client\\s(.*?)\\sCompromised", 1, Description)
+    | project TimeGenerated, Title, Description, Status
+entityMappings: null
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml b/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
@@ -0,0 +1,28 @@
+id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
+name: IDP Alert
+description: |
+  'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Impact
+relevantTechniques:
+  - T1578
+  - T1531
+tags:
+  - Commvault
+  - Metallic
+  - Threat Intelligence
+  - Ransomware
+query: |
+    SecurityIncident
+    | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"
+entityMappings: null
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml b/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
@@ -0,0 +1,30 @@
+id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
+name: User Alert
+description: |
+  'This query identifies users whose user account or credentials have been compromised.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Impact
+relevantTechniques:
+  - T1578
+  - T1531
+tags:
+  - Commvault
+  - Metallic
+  - Threat Intelligence
+  - Ransomware
+query: |
+    SecurityIncident
+    | where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
+    | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
+    | project TimeGenerated, Title, Description, Status
+entityMappings: null
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Commvault Security IQ/Data/Solution_Commvault Security IQ.json b/Solutions/Commvault Security IQ/Data/Solution_Commvault Security IQ.json
@@ -0,0 +1,19 @@
+{
+  "Name": "Commvault Security IQ",
+  "Author": "svc.cv-securityiq@commvault.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Commvault-Logo.svg\" width=\"75px\"height=\"75px\">",
+  "Description": "This Microsoft Sentinel integration enables Commvault users to ingest alerts and other data into their Microsoft Sentinel instance. With Analytic Rules, Microsoft Sentinel can automatically create Microsoft Sentinel incidents",
+  "Analytic Rules": [
+	  "Analytic Rules/Data_Alert.yaml",
+	  "Analytic Rules/IDP_Alert.yaml",
+	  "Analytic Rules/User_Alert.yaml"
+  ],
+  "Playbooks": [
+        "Playbooks/CommvaultLogicApp/azuredeploy.json"
+    ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Commvault Security IQ",
+  "Version": "3.0.0",
+  "TemplateSpec": true,
+	"Is1Pconnector": false
+}
diff --git a/Solutions/Commvault Security IQ/Package/3.0.0.zip b/Solutions/Commvault Security IQ/Package/3.0.0.zip
diff --git a/Solutions/Commvault Security IQ/Package/createUiDefinition.json b/Solutions/Commvault Security IQ/Package/createUiDefinition.json
@@ -0,0 +1,159 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Commvault-Logo.svg\" width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis Microsoft Sentinel integration enables Commvault users to ingest alerts and other data into their Microsoft Sentinel instance. With Analytic Rules, Microsoft Sentinel can automatically create Microsoft Sentinel incidents\n\n**Analytic Rules:** 3, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "Data Alert",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query identifies clients or servers whose data has been compromised."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic2",
+            "type": "Microsoft.Common.Section",
+            "label": "IDP Alert",
+            "elements": [
+              {
+                "name": "analytic2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic3",
+            "type": "Microsoft.Common.Section",
+            "label": "User Alert",
+            "elements": [
+              {
+                "name": "analytic3-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query identifies users whose user account or credentials have been compromised."
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}