Skip to content

Commit

Permalink
UI, parser link, description fixes
Browse files Browse the repository at this point in the history
  • Loading branch information
@sschuur
sschuur authored Aug 28, 2023
1 parent 7edaae6 commit 2ef5759
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 14 deletions.
18 changes: 9 additions & 9 deletions Solutions/Infoblox Cloud Data Connector/Package/createUiDefinition.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n _Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._ \n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
Expand Down Expand Up @@ -111,13 +111,13 @@
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Infoblox Cloud Data Connector",
"label": "Infoblox Cloud Data Connector Workbook",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Sets the time name for analysis"
"text": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time."
}
}
]
Expand Down Expand Up @@ -159,7 +159,7 @@
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
"text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more."
}
}
]
Expand All @@ -173,7 +173,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
"text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more."
}
}
]
Expand All @@ -187,7 +187,7 @@
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
"text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more."
}
}
]
Expand All @@ -201,7 +201,7 @@
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
"text": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more."
}
}
]
Expand All @@ -215,7 +215,7 @@
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
"text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more."
}
}
]
Expand Down Expand Up @@ -243,7 +243,7 @@
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
"text": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
}
}
]
Expand Down
10 changes: 5 additions & 5 deletions Solutions/Infoblox Cloud Data Connector/Package/mainTemplate.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,7 @@
"kind": "shared",
"apiVersion": "2021-08-01",
"metadata": {
"description": "Sets the time name for analysis"
"description": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time."
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
Expand All @@ -248,7 +248,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
"description": "@{workbookKey=InfobloxCDCB1TDWorkbook; logoFileName=infoblox_logo.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Infoblox Cloud Data Connector; templateRelativePath=InfobloxCDCB1TDWorkbook.json; subtitle=; provider=InfoBlox}.description",
"description": "@{workbookKey=InfobloxCDCB1TDWorkbook; logoFileName=infoblox_logo.svg; description=Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Infoblox Cloud Data Connector; templateRelativePath=InfobloxCDCB1TDWorkbook.json; subtitle=; provider=InfoBlox}.description",
"parentId": "[variables('workbookId1')]",
"contentId": "[variables('_workbookContentId1')]",
"kind": "Workbook",
Expand Down Expand Up @@ -473,7 +473,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).",
"description": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).",
"displayName": "Infoblox - High Threat Level Query Not Blocked Detected",
"enabled": false,
"query": "let threshold = 1;\nInfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n| where ThreatLevel_Score >=80\n| where InfobloxB1PolicyAction == \"Log\" or SimplifiedDeviceAction == \"PASSTHRU\"\n| summarize count() by SourceIP\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n | where DeviceEventClassID has_cs \"RPZ\"\n | where ThreatLevel_Score >=80\n | where InfobloxB1PolicyAction == \"Log\" or SimplifiedDeviceAction == \"PASSTHRU\"\n ) on SourceIP\n",
Expand Down Expand Up @@ -759,7 +759,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).",
"description": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).",
"displayName": "Infoblox - Many High Threat Level Single Query Detected",
"enabled": false,
"query": "let threshold = 200;\nInfobloxCDC\n| where DeviceEventClassID has_cs \"RPZ\"\n| where ThreatLevel_Score >= 80\n| summarize count() by DestinationDnsDomain\n| where count_ > threshold\n| join kind=inner (InfobloxCDC\n | where DeviceEventClassID has_cs \"RPZ\"\n | where ThreatLevel_Score >= 80\n ) on DestinationDnsDomain\n",
Expand Down Expand Up @@ -1158,7 +1158,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).",
"description": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).",
"displayName": "Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains",
"enabled": false,
"query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet TI = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now() \n| where Description == \"Infoblox - HOST - Policy\"\n| where Tags has_cs \"Property: Policy_LookalikeDomains\" \n| where isnotempty(DomainName)\n;\nlet Data = InfobloxCDC\n| extend HitTime = TimeGenerated\n| where TimeGenerated >= ago(dt_lookBack)\n| where isnotempty(DestinationDnsDomain)\n//Remove trailing period at end of domain\n| extend DestinationDnsDomain = trim_end(@\"\\.$\", DestinationDnsDomain)\n;\nTI | join kind=innerunique Data on $left.DomainName == $right.DestinationDnsDomain\n| where HitTime >= TimeGenerated and HitTime < ExpirationDateTime\n| project LatestIndicatorTime, HitTime, DeviceEventClassID, ThreatLevel, ThreatLevel_Score, ThreatConfidence, DestinationDnsDomain, InfobloxB1FeedName, ThreatClass, ThreatProperty, InfobloxB1PolicyAction, DeviceAction, InfobloxB1PolicyName, SourceIP, DeviceName, SourceMACAddress, SourceUserName, InfobloxB1SrcOSVersion, InfobloxB1ConnectionType, InfobloxB1Network, AdditionalExtensionsParsedNested, \nAdditionalInformation, Description, ThreatType, TrafficLightProtocolLevel, Type, ConfidenceScore, ExpirationDateTime, SourceSystem, Action, IndicatorId, ExternalIndicatorId, Tags\n",
Expand Down

0 comments on commit 2ef5759

Please sign in to comment.