Necessity changes

Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-DataExfiltrationAttack.yaml

@@ -1,7 +1,7 @@
 id: 8db2b374-0337-49bd-94c9-cfbf8e5d83ad
 name: Infoblox - Data Exfiltration Attack
 description: |
-  'Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+  'Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
 severity: Medium
 status: Available
 requiredDataConnectors:

Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml

@@ -1,7 +1,7 @@
 id: 3822b794-fa89-4420-aad6-0e1a2307f419
 name: Infoblox - Many High Threat Level Queries From Single Host Detected
 description: |
-  'At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+  'At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
 severity: Medium
 status: Available
 requiredDataConnectors:

Solutions/Infoblox Cloud Data Connector/Analytic Rules/Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml

@@ -1,7 +1,7 @@
 id: b2f34315-9065-488e-88d0-a171d2b0da8e
 name: Infoblox - Many NXDOMAIN DNS Responses Detected
 description: |
-  'Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+  'Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
 severity: Medium
 status: Available
 requiredDataConnectors:

Solutions/Infoblox Cloud Data Connector/Data/Solution_Infoblox.json

@@ -20,7 +20,7 @@
         "Data Connectors/InfobloxCloudDataConnector.json"
     ],
     "Parsers": [
-        "Parsers/InfobloxCDC.txt"
+        "Parsers/InfobloxCDC.yaml"
     ],
     "Playbooks": [
         "Playbooks/Infoblox-Import-AISCOMM-Weekly/azuredeploy.json",

Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n   **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n   **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -159,7 +159,7 @@
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+                  "text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
                 }
               }
             ]
@@ -187,7 +187,7 @@
                 "name": "analytic3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+                  "text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
                 }
               }
             ]
@@ -215,7 +215,7 @@
                 "name": "analytic5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+                  "text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
                 }
               }
             ]

Solutions/Infoblox Cloud Data Connector/Parsers/InfobloxCDC.yaml

@@ -14,7 +14,7 @@ FunctionQuery: |
     | extend AEcopy = trim_end("InfobloxDHCPOptions=;(.*?)",AEcopy)
     | extend AEcopy = extract_all(@"(?P<key>[^=;]+)=(?P<value>[^=;]+)", dynamic(["key","value"]), AEcopy)
     | mv-apply AEcopy on (
-        summarize AdditionalExtensionsParsedNested = make_bag(pack(tostring(AEcopy[0]), AEcopy[1]))
+        summarize AdditionalExtensionsParsedNested = make_bag(bag_pack(tostring(AEcopy[0]), AEcopy[1]))
     )
     | extend AdditionalExtensionsParsed = AdditionalExtensionsParsedNested
     | evaluate bag_unpack(AdditionalExtensionsParsed)
@@ -41,4 +41,6 @@ FunctionQuery: |
     | extend InfobloxLeaseUUID = column_ifexists("InfobloxLeaseUUID", "")
     | extend InfobloxDNSRCode = column_ifexists("InfobloxDNSRCode", "")
     | extend InfobloxDNSQClass = column_ifexists("InfobloxDNSQClass", "")
-    | extend InfobloxDNSQType = column_ifexists("InfobloxDNSQType", "")
+    | extend InfobloxDNSQType = column_ifexists("InfobloxDNSQType", "")
+    | extend InfobloxThreatConfidence = toint(column_ifexists("InfobloxThreatConfidence", ""))
+    | extend ThreatConfidence = toint(column_ifexists("InfobloxThreatConfidence", ""))

Solutions/Infoblox Cloud Data Connector/ReleaseNotes.md

@@ -1,14 +1,14 @@
-| **Version** | **Date Modified** | **Change History**                          |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.0       | Aug 2023                       | Bug fixes
-|             |                                | Documentation updates
-|             |                                | Update Infoblox logo 
-|             |                                | **Analytic Rules** Optimization updates. 5 new rules
-|             |                                | **Playbooks** 11 new playbooks
-| 2.0.1-2.0.10       | May 2022-June 2023      | Bug fixes
-|             |                                | Documentation updates
-| 1.0.0-1.1.0       | April 2021-Oct 2021      | Initial solution release |
-|             |                                | **Data Connector** New custom data connector for the Infoblox CDC
-|             |                                | **Analytic Rules** 3 new rules
-|             |                                | **Parser** 1 new parser
-|             |                                | **Workbook** 1 new workbook
+| **Version**   | **Date Modified**              | **Change History**                          |
+|---------------|--------------------------------|---------------------------------------------|
+| 3.0.0         | Aug 2023                       | Bug fixes                                   
+|               |                                | Documentation updates                       
+|               |                                | Update Infoblox logo                        
+|               |                                | **Analytic Rules** Optimization updates. 5 new rules
+|               |                                | **Playbooks** 11 new playbooks
+| 2.0.1-2.0.10  | May 2022-June 2023             | Bug fixes
+|               |                                | Documentation updates
+| 1.0.0-1.1.0   | April 2021-Oct 2021            | Initial solution release |
+|               |                                | **Data Connector** New custom data connector for the Infoblox CDC
+|               |                                | **Analytic Rules** 3 new rules
+|               |                                | **Parser** 1 new parser
+|               |                                | **Workbook** 1 new workbook