diff --git a/.github/workflows/content-validations.yaml b/.github/workflows/content-validations.yaml
new file mode 100644
index 00000000000..ae1ba6024b9
--- /dev/null
+++ b/.github/workflows/content-validations.yaml
@@ -0,0 +1,18 @@
+name: Content Validations
+run-name: Content Validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ ContentValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: File Content Validations
+ run: npm run tsc && node .script/contentValidator.js
\ No newline at end of file
diff --git a/.github/workflows/data-connector-validations.yaml b/.github/workflows/data-connector-validations.yaml
new file mode 100644
index 00000000000..8180f1de357
--- /dev/null
+++ b/.github/workflows/data-connector-validations.yaml
@@ -0,0 +1,18 @@
+name: Data Connector Validations
+run-name: Data Connector running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ DataConnectorValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Data Connector Validations
+ run: npm run tsc && node .script/dataConnectorValidator.js
\ No newline at end of file
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
new file mode 100644
index 00000000000..ece93382c47
--- /dev/null
+++ b/.github/workflows/detection-template-schema-validations.yaml 
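Review bot: The bootstrap step `- run: npm install -g npm@6.14.15;which npm;npm -v` joins its commands with `;`, so a failed npm pin is ignored and the job silently continues on the runner's stock npm; write it as `- run: npm install -g npm@6.14.15 && which npm && npm -v` so the failure stops the job. The identical step is in data-connector-validations, detection-validations, documents-link-validation, json-syntax-validation, logo-validation, playbook-validations, sample-data-validation, solution-validations, workbook-metadata-validations, workbook-template-validations and yaml-syntax-validation. None of the fourteen new workflows declares `permissions:`, so the GITHUB_TOKEN carries whatever default the repository grants although the visible steps only read the checkout; a top-level `permissions:` block with `contents: read` keeps the token least-privilege for both `pull_request` and `workflow_dispatch` runs. The Node runtime is never pinned (no `actions/setup-node` step), so `npm@6.14.15` is installed onto whatever Node the ubuntu-latest image ships and will drift over time — presumably tolerated today, but an explicit `actions/setup-node` step with a fixed version would make the builds reproducible.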
@@ -0,0 +1,24 @@
+name: Detection Template Schema Validations
+run-name: Detection Template Schema Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ DetectionTemplateSchemaValidation:
+ runs-on: ubuntu-latest
+ env:
+ buildConfiguration: Release
+ dotnetSdkVersion: 3.1.401
+ PRNUM: ${{ github.event.pull_request.number }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: ${{ env.dotnetSdkVersion }}
+ - name: Run Detection template structure validation tests
+ run: dotnet test .script/tests/detectionTemplateSchemaValidation/DetectionTemplateSchemaValidation.Tests.csproj --configuration ${{ env.buildConfiguration }}
+ 
\ No newline at end of file
diff --git a/.github/workflows/detection-validations.yaml b/.github/workflows/detection-validations.yaml
new file mode 100644
index 00000000000..fed4174608d
--- /dev/null
+++ b/.github/workflows/detection-validations.yaml
@@ -0,0 +1,19 @@
+name: Detection Validations
+run-name: Detection Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ DetectionsValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Id Change Validation
+ run: npm run tsc && node .script/idChangeValidator.js
+ 
\ No newline at end of file
diff --git a/.github/workflows/documents-link-validation.yaml b/.github/workflows/documents-link-validation.yaml
new file mode 100644
index 00000000000..032974857e8
--- /dev/null
+++ b/.github/workflows/documents-link-validation.yaml 
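Review bot: `dotnetSdkVersion: 3.1.401` pins the tests to .NET Core 3.1, which is out of support, so `actions/setup-dotnet@v4` builds the validation project on an unpatched SDK and may at some point fail to provision it on the current ubuntu-latest image; non-ascii-validations carries the same pin. `PRNUM: ${{ github.event.pull_request.number }}` is exported into `env` but no visible step reads it, and it is empty on `workflow_dispatch` runs, so either remove it or add a comment above it naming the test that consumes it. The last added line is whitespace-only and the file ends without a newline (`+ ` before `\ No newline at end of file`), which yamllint reports; drop the blank line and end the file with a newline, and the same applies to detection-validations, non-ascii-validations, playbook-validations, solution-validations and yaml-syntax-validation.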
@@ -0,0 +1,18 @@
+name: Documents Broken Link Validation
+run-name: Documents Broken Link Validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ DocumentsLinkValidation:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Documents link locale validation
+ run: npm run tsc && node .script/documentsLinkValidator.js
\ No newline at end of file
diff --git a/.github/workflows/json-syntax-validation.yaml b/.github/workflows/json-syntax-validation.yaml
new file mode 100644
index 00000000000..70d057e2e80
--- /dev/null
+++ b/.github/workflows/json-syntax-validation.yaml
@@ -0,0 +1,18 @@
+name: JSON File Syntax Validation
+run-name: JSON File Syntax Validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ JsonFileValidation:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Json File Syntax Validation
+ run: npm run tsc && node .script/jsonFileValidator.js
\ No newline at end of file
diff --git a/.github/workflows/logo-validation.yaml b/.github/workflows/logo-validation.yaml
new file mode 100644
index 00000000000..82394cb032e
--- /dev/null
+++ b/.github/workflows/logo-validation.yaml 
@@ -0,0 +1,18 @@
+name: Logo Validation
+run-name: Logo Validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ logoValidator:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Logo File Validation
+ run: npm run tsc && node .script/logoValidator.js
\ No newline at end of file
diff --git a/.github/workflows/non-ascii-validations.yaml b/.github/workflows/non-ascii-validations.yaml
new file mode 100644
index 00000000000..ca37bec3a71
--- /dev/null
+++ b/.github/workflows/non-ascii-validations.yaml
@@ -0,0 +1,24 @@
+name: Non-Ascii Validations
+run-name: Non-Ascii validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ NonAsciiValidations:
+ runs-on: ubuntu-latest
+ env:
+ buildConfiguration: Release
+ dotnetSdkVersion: 3.1.401
+ steps:
+ - uses: actions/checkout@v4
+ - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: ${{ env.dotnetSdkVersion }}
+ - name: Run Non-Ascii validation tests
+ run: dotnet test .script/tests/NonAsciiValidationsTests/NonAsciiValidations.Tests.csproj --configuration ${{ env.buildConfiguration }}
+ 
\ No newline at end of file
diff --git a/.github/workflows/playbook-validations.yaml b/.github/workflows/playbook-validations.yaml
new file mode 100644
index 00000000000..4f73e915fcf
--- /dev/null
+++ b/.github/workflows/playbook-validations.yaml 
@@ -0,0 +1,19 @@
+name: Playbook Validations
+run-name: Playbook Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ PlaybooksValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Playbook Validations
+ run: npm run tsc && node .script/playbooksValidator.js
+ 
\ No newline at end of file
diff --git a/.github/workflows/sample-data-validation.yaml b/.github/workflows/sample-data-validation.yaml
new file mode 100644
index 00000000000..d5bc65f75a8
--- /dev/null
+++ b/.github/workflows/sample-data-validation.yaml
@@ -0,0 +1,18 @@
+name: Sample Data Validation
+run-name: Sample Data Validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ sampleDataValidator:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Sample Data Validator
+ run: npm run tsc && node .script/sampleDataValidator.js
\ No newline at end of file
diff --git a/.github/workflows/solution-validations.yaml b/.github/workflows/solution-validations.yaml
new file mode 100644
index 00000000000..fb06c8b0dd3
--- /dev/null
+++ b/.github/workflows/solution-validations.yaml 
@@ -0,0 +1,19 @@
+name: Solution Validations
+run-name: Solution Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ SolutionValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Solution Validations
+ run: npm run tsc && node .script/SolutionValidations/solutionValidator.js
+ 
\ No newline at end of file
diff --git a/.github/workflows/workbook-metadata-validations.yaml b/.github/workflows/workbook-metadata-validations.yaml
new file mode 100644
index 00000000000..fa864a77df3
--- /dev/null
+++ b/.github/workflows/workbook-metadata-validations.yaml
@@ -0,0 +1,18 @@
+name: Workbook Metadata Validations
+run-name: Workbook Metadata Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ WorkbooksValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Workbooks Metadata Validations
+ run: npm run tsc && node .script/workbooksMetadataValidator.js
\ No newline at end of file
diff --git a/.github/workflows/workbook-template-validations.yaml b/.github/workflows/workbook-template-validations.yaml
new file mode 100644
index 00000000000..0aa4f8fd958
--- /dev/null
+++ b/.github/workflows/workbook-template-validations.yaml 
@@ -0,0 +1,18 @@
+name: Workbook Template Validations
+run-name: Workbook Template Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ WorkbooksTemplateValidations:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: Workbooks Template Validations
+ run: npm run tsc && node .script/workbooksTemplateValidator.js
\ No newline at end of file
diff --git a/.github/workflows/yaml-syntax-validation.yaml b/.github/workflows/yaml-syntax-validation.yaml
new file mode 100644
index 00000000000..19d87ed0b95
--- /dev/null
+++ b/.github/workflows/yaml-syntax-validation.yaml
@@ -0,0 +1,19 @@
+name: YAML File Syntax Validation
+run-name: YAML File Syntax Validation running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ YamlFileValidation:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: npm install -g npm@6.14.15;which npm;npm -v
+ - name: npm install
+ run: npm install
+ - name: YAML File Syntax Validation
+ run: npm run tsc && node .script/yamlFileValidator.js
+ 
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Garrison_ULTRARemote_Logs_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Garrison_ULTRARemote_Logs_CL.json
new file mode 100644
index 00000000000..79ffbaf8167
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Garrison_ULTRARemote_Logs_CL.json 
@@ -0,0 +1,49 @@ +{ + "Name":"Garrison_ULTRARemoteLogs_CL", + "Properties":[ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "deviceEventClassId", + "type": "int" + }, + { + "name": "name", + "type": "string" + }, + { + "name": "start", + "type": "long" + }, + { + "name": "request", + "type": "string" + }, + { + "name": "requestContext", + "type": "string" + }, + { + "name": "reason", + "type": "string" + }, + { + "name": "dhost", + "type": "string" + }, + { + "name": "devicePayloadId", + "type": "string" + }, + { + "name": "suid", + "type": "string" + }, + { + "name": "suser", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/vectra_match.json b/.script/tests/KqlvalidationsTests/CustomTables/vectra_match.json new file mode 100644 index 00000000000..1cf1b059ab3 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/vectra_match.json 
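Review bot: The file name `Garrison_ULTRARemote_Logs_CL.json` and the declared `"Name":"Garrison_ULTRARemoteLogs_CL"` disagree (the underscore before `Logs` is only in the file name), so whichever of the two the KQL validation loader keys on, the other will not resolve a query's table reference; align both with the table name the connector actually creates. This fixture uses lower-case `"name"`/`"type"` keys and lower-case type names (`datetime`, `int`, `long`), while the vectra_match fixtures added in the same commit use `"Name"`/`"Type"` with `DateTime`/`Int`/`Long`; unless the loader is case-insensitive on both keys and type names, one of the two conventions is silently ignored — presumably the existing fixtures in this directory show which form is expected.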
@@ -0,0 +1,117 @@ +{ + "Name": "vectra_match", + "Properties": [ + { + "Name": "TimeGenerated", + "Type": "DateTime" + }, + { + "Name": "id_orig_h", + "Type": "String" + }, + { + "Name": "id_orig_p", + "Type": "Int" + }, + { + "Name": "id_resp_h", + "Type": "String" + }, + { + "Name": "id_resp_p", + "Type": "Int" + }, + { + "Name": "id_ip_ver", + "Type": "String" + }, + { + "Name": "beacon_uid", + "Type": "String" + }, + { + "Name": "beacon_type", + "Type": "String" + }, + { + "Name": "duration", + "Type": "Long" + }, + { + "Name": "first_event_time", + "Type": "DateTime" + }, + { + "Name": "ja3", + "Type": "String" + }, + { + "Name": "last_event_time", + "Type": "DateTime" + }, + { + "Name": "local_orig", + "Type": "Boolean" + }, + { + "Name": "local_resp", + "Type": "Boolean" + }, + { + "Name": "orig_hostname", + "Type": "String" + }, + { + "Name": "orig_huid", + "Type": "String" + }, + { + "Name": "orig_ip_bytes", + "Type": "Long" + }, + { + "Name": "proto", + "Type": "Int" + }, + { + "Name": "protoName", + "Type": "String" + }, + { + "Name": "resp_domains", + "Type": "Dynamic" + }, + { + "Name": "resp_ip_bytes", + "Type": "Long" + }, + { + "Name": "service", + "Type": "String" + }, + { + "Name": "session_count", + "Type": "Long" + }, + { + "Name": "uid", + "Type": "String" + }, + { + "Name": "ts", + "Type": "DateTime" + }, + { + "Name": "orig_sluid", + "Type": "String" + }, + { + "Name": "resp_sluid", + "Type": "String" + }, + { + "Name": "sensor_uid", + "Type": "String" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/vectra_match_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/vectra_match_CL.json new file mode 100644 index 00000000000..3f9d6825363 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/vectra_match_CL.json 
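Review bot: `vectra_match.json` and `vectra_match_CL.json` (next hunk) carry byte-identical property lists and differ only in `"Name"`, so every future schema fix must be made twice and the two copies will drift. Tables in this CustomTables directory otherwise carry the `_CL` suffix, so the un-suffixed `vectra_match` may be a leftover from an earlier table name; if both are genuinely referenced by content, a short note in the validator or the commit message saying which one is the live table would help the next maintainer. The closing `]` of `"Properties"` sits at column 0 while its opening bracket is indented; reformat for consistency with the other fixtures.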
@@ -0,0 +1,117 @@ +{ + "Name": "vectra_match_CL", + "Properties": [ + { + "Name": "TimeGenerated", + "Type": "DateTime" + }, + { + "Name": "id_orig_h", + "Type": "String" + }, + { + "Name": "id_orig_p", + "Type": "Int" + }, + { + "Name": "id_resp_h", + "Type": "String" + }, + { + "Name": "id_resp_p", + "Type": "Int" + }, + { + "Name": "id_ip_ver", + "Type": "String" + }, + { + "Name": "beacon_uid", + "Type": "String" + }, + { + "Name": "beacon_type", + "Type": "String" + }, + { + "Name": "duration", + "Type": "Long" + }, + { + "Name": "first_event_time", + "Type": "DateTime" + }, + { + "Name": "ja3", + "Type": "String" + }, + { + "Name": "last_event_time", + "Type": "DateTime" + }, + { + "Name": "local_orig", + "Type": "Boolean" + }, + { + "Name": "local_resp", + "Type": "Boolean" + }, + { + "Name": "orig_hostname", + "Type": "String" + }, + { + "Name": "orig_huid", + "Type": "String" + }, + { + "Name": "orig_ip_bytes", + "Type": "Long" + }, + { + "Name": "proto", + "Type": "Int" + }, + { + "Name": "protoName", + "Type": "String" + }, + { + "Name": "resp_domains", + "Type": "Dynamic" + }, + { + "Name": "resp_ip_bytes", + "Type": "Long" + }, + { + "Name": "service", + "Type": "String" + }, + { + "Name": "session_count", + "Type": "Long" + }, + { + "Name": "uid", + "Type": "String" + }, + { + "Name": "ts", + "Type": "DateTime" + }, + { + "Name": "orig_sluid", + "Type": "String" + }, + { + "Name": "resp_sluid", + "Type": "String" + }, + { + "Name": "sensor_uid", + "Type": "String" + } +] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json index 8ec3c249d4c..f5419294fa3 100644 --- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json +++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json 
@@ -3623,8 +3623,12 @@ "id": "c10b22a0-6021-46f9-bdaf-05bf2350a554", "templateName": "Total ZAP count.yaml", "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "59d7011f-274e-40b3-abb4-f014e95b6f3c", + "templateName": "ASIM_FillNull.yaml", + "validationFailReason": "Skip file for bag_pack_columns" } - // Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End ] \ No newline at end of file diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json index 3f71d19b11b..a1c1da3bc8f 100644 --- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json +++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json @@ -255,5 +255,6 @@ "CustomLogsAma", "SilverfortAma", "IllumioSaaSDataConnector", - "CTERA" -] \ No newline at end of file + "CTERA", + "Workday" +] diff --git a/ASIM/lib/functions/ASIM_FillNull.yaml b/ASIM/lib/functions/ASIM_FillNull.yaml new file mode 100644 index 00000000000..8dc8db2629f --- /dev/null +++ b/ASIM/lib/functions/ASIM_FillNull.yaml 
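Review bot: The new skip entry's `"validationFailReason": "Skip file for bag_pack_columns"` names an operator but not the failure, so a maintainer cannot tell when the skip becomes unnecessary; state the cause and the removal condition, for example `"validationFailReason": "KQL validator cannot infer the output schema of bag_pack_columns(*) | bag_unpack; remove once the validator supports it"` — presumably that is the failure, confirm against the validator output. The id matches `Id: 59d7011f-274e-40b3-abb4-f014e95b6f3c` in ASIM_FillNull.yaml, so the exemption is correctly scoped to that one file. The file still ends without a trailing newline after the closing `]`, while the ValidConnectorIds.json hunk below does fix its own missing newline.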
@@ -0,0 +1,27 @@ +Id: 59d7011f-274e-40b3-abb4-f014e95b6f3c +Function: + Title: An ASIM function that replaces null string values with a specified value + Version: '0.1' + LastUpdated: Sep 25th 2024 +References: +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: KQL Invoke operator + Link: https://docs.microsoft.com/azure/data-explorer/kusto/query/invokeoperator +Description: | + This ASIM tabular function is intended to use for replacing null values with a specified value. The function is invoked using the [invoke operator](https://docs.microsoft.com/azure/data-explorer/kusto/query/invokeoperator) and requires the specified string value . +FunctionName: ASIM_FillNull +EquivalentBuiltInFunction: _ASIM_FillNull +FunctionParams: + - Name: T + Type: table:(*) + - Name: custom_value + Type: string + +FunctionQuery: | + T + | extend bag = bag_pack_columns(*) + | extend bag_replaced_str = replace_string(tostring(bag), '""', strcat('\"', custom_value, '\"')) + | extend bag_replaced = todynamic(bag_replaced_str) + | project-keep bag_replaced + | evaluate bag_unpack(bag_replaced) diff --git a/Detections/MultipleDataSources/MailBoxTampering.yaml b/Detections/MultipleDataSources/MailBoxTampering.yaml index f3bece2376b..71cdc97724d 100644 --- a/Detections/MultipleDataSources/MailBoxTampering.yaml +++ b/Detections/MultipleDataSources/MailBoxTampering.yaml @@ -69,8 +69,6 @@ query: | entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: Initiatedby - identifier: Name columnName: AccountName - identifier: UPNSuffix @@ -79,7 +77,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled metadata: source: @@ -89,4 +87,4 @@ metadata: support: tier: Community categories: - domains: [ "Security - Others", "Identity" ] \ No newline at end of file + domains: [ "Security - Others", "Identity" ] 
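Review bot: The function does not replace nulls — it replaces the two-character sequence `""` in `tostring(bag)`, i.e. empty strings — so the Title `An ASIM function that replaces null string values with a specified value` and the Description over-promise; null columns serialise as `null` (or are dropped by `bag_pack_columns`) and come through unchanged, so the docs should say `replaces empty string values`. `custom_value` is spliced into the JSON text unescaped by `strcat('\"', custom_value, '\"')`; a value containing `"` or `\` yields invalid JSON, `todynamic` then returns null and, after `project-keep bag_replaced | evaluate bag_unpack(bag_replaced)`, the row loses every column — either JSON-escape it first (derive the quoted form from `tostring(pack_array(custom_value))` and strip the enclosing brackets) or document in FunctionParams that `custom_value` must not contain quotes or backslashes. The same `""` match also fires inside any string value that ends with an escaped quote (`\""`), appending `custom_value` to that value instead of replacing it. Because the row round-trips through text, datetime, timespan and guid columns presumably re-emerge from `bag_unpack` typed as string; if so, the Description should tell callers to re-cast. There is also a stray space in `requires the specified string value .`.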
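Review bot: Removing the `FullName`/`Initiatedby` field mapping drops the initiating account from the Account entity in MailBoxTampering.yaml, and the query body sits outside this hunk, so I cannot tell whether `Initiatedby` is still projected; if it is, a second `entityType: Account` entry mapped from it preserves the actor pivot in investigations, and if it was removed from the query, a line in the commit message saying so would make the version bump to 1.0.3 self-explanatory.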
diff --git a/Exploration Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml b/Exploration Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml index 01e7d05b2c5..e4505568b80 100644 --- a/Exploration Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml +++ b/Exploration Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml @@ -13,7 +13,6 @@ DataSources: Tactics: - Exfiltration query: | - let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){ let p_Account_UPN = strcat(Account_Name,'@',Account_UPNSuffix); DeviceEvents diff --git a/Logos/CloudGuardLogo.svg b/Logos/CloudGuardLogo.svg new file mode 100644 index 00000000000..0befdba154b --- /dev/null +++ b/Logos/CloudGuardLogo.svg @@ -0,0 +1,55 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Logos/Garrison_Logomark.svg b/Logos/Garrison_Logomark.svg new file mode 100644 index 00000000000..1451a9592ba --- /dev/null +++ b/Logos/Garrison_Logomark.svg @@ -0,0 +1,4 @@ + + + + diff --git a/Logos/Torq.svg b/Logos/Torq.svg new file mode 100644 index 00000000000..1a091ae4d10 --- /dev/null +++ b/Logos/Torq.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json index 64b4cf2a02d..706e67042d0 100644 --- a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAlertEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAlertEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimAlertEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))\n}; \nparser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimAlertEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where 
isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))\n}; \nparser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json index 9184630b92e..fe931c8bd18 100644 --- a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAlertEventMicrosoftDefenderXDR')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAlertEventMicrosoftDefenderXDR", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM parser for Microsoft Defender XDR", - "category": "ASIM", - "FunctionAlias": "ASimAlertEventMicrosoftDefenderXDR", - "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n[\n\"User\", \"User\",\n\"Machine\", \"Host\",\n\"Process\", \"Process\",\n\"File\", \"File\",\n\"Ip\", \"Ip\",\n\"Url\", \"Url\",\n\"RegistryValue\", \"Registry\",\n\"CloudLogonSession\", \"LogonSession\",\n\"CloudApplication\", \"Application\",\n\"Mailbox\", \"Mailbox\",\n\"MailMessage\", \"Email\",\n\"CloudResource\", \"Cloud Resource\"\n];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", 
\"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = 
_ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = 
AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n 
Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n};\nparser(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for Microsoft Defender XDR", + "category": "ASIM", + "FunctionAlias": "ASimAlertEventMicrosoftDefenderXDR", + "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n[\n\"User\", \"User\",\n\"Machine\", \"Host\",\n\"Process\", \"Process\",\n\"File\", \"File\",\n\"Ip\", \"Ip\",\n\"Url\", \"Url\",\n\"RegistryValue\", \"Registry\",\n\"CloudLogonSession\", \"LogonSession\",\n\"CloudApplication\", \"Application\",\n\"Mailbox\", \"Mailbox\",\n\"MailMessage\", \"Email\",\n\"CloudResource\", \"Cloud Resource\"\n];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", 
\"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = 
tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = 
FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n 
*_s\n};\nparser(\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json index 8a16b3f6868..141a6f0a678 100644 --- a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json 
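Review bot: The parent-process hash fields in the new `query` read `AdditionalFields.ParentProcess.ImageFile[0].SHA1`, `ImageFile[2].SHA256` and `ImageFile[1].MD5`, while the `ParentProcessName_s` expression just before them reads `AdditionalFields.ParentProcess.ImageFile.Directory` and `.Name` as an object; ImageFile cannot have both shapes, so one of the two access patterns silently yields empty values, and positional indexing is fragile even where it is an array. The same positional assumption is in `FileMD5 = AdditionalFields.FileHashes[1].Value`, which should select the entry by its hash algorithm rather than by position, since a mislabelled or empty hash is a misleading indicator for downstream hunting. The shape should be confirmed against a real AlertEvidence sample and pinned with a one-line comment in the KQL. Also, this parser emits `UserIdType` while the vimAlertEventEmpty schema in the last hunk declares `UserTdType` (and `EvenMessage`), so the union in ASimAlertEvent carries both spellings; the schema function typo is the side to fix. None of this is introduced by the commit — the query text is unchanged — but it now sits on the new side.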
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAlertEventSentinelOneSingularity')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAlertEventSentinelOneSingularity", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM parser for SentinelOne Singularity platform", - "category": "ASIM", - "FunctionAlias": "ASimAlertEventSentinelOneSingularity", - "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = 
threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct 
= 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for SentinelOne Singularity platform", + "category": "ASIM", + "FunctionAlias": "ASimAlertEventSentinelOneSingularity", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = 
threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = 
Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json index 62cf5a1abda..fd1a55a4955 100644 --- a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json +++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json 
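Review bot: `DvcDomainType = "Windows"` is hard-coded in the new `query` for every SentinelOne record, although SentinelOne agents also run on macOS and Linux and the OS is available in `agentRealtimeInfo_agentOsName_s`; a non-Windows host with a populated `agentRealtimeInfo_agentDomain_s` is reported as a Windows domain member. Gate it on the OS, e.g. `DvcDomainType = iif(agentRealtimeInfo_agentOsName_s has "Windows", "Windows", "")`. Separately, `FileMD5 = threatInfo_md5_g` reads a column whose `_g` suffix marks it as GUID-typed at ingestion; if Log Analytics normalises such values to the hyphenated GUID form, `FileMD5` carries dashes and never matches a plain 32-hex MD5 indicator — check a sample row and, if so, use `replace_string(tostring(threatInfo_md5_g), '-', '')`. The query text is unchanged by this commit; both points apply to the carried-over new side.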
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imAlertEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imAlertEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imAlertEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, 
alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imAlertEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where 
isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, 
threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),pack:bool=False" + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json index d47f9a14ad1..42a6605b1c9 100644 --- a/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json 
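Review bot: The disable switches in the new `query` use three different spellings, so the ASimDisabledParsers watchlist cannot turn this parser off consistently: the watchlist is filtered on `SearchKey in ('Any', 'ExcludeimAlertEvent')` but the built-in check tests `'ExcludevimAlertEvent' in (DisabledParsers)`, and the per-source keys `'ExcludevimAlertMicrosoftDefenderXDR'` and `'ExcludevimAlertSentinelOneSingularity'` drop the schema word `Event`, unlike `'ExcludeASimAlertEventMicrosoftDefenderXDR'` in the ASimAlertEvent hunk above. An operator who follows that hunk's `Exclude<Parser><Schema><Source>` convention would add `ExcludevimAlertEventMicrosoftDefenderXDR` to the watchlist and the parser would keep running. Align them to `'ExcludevimAlertEvent'` in the SearchKey filter and `'ExcludevimAlertEventMicrosoftDefenderXDR'` / `'ExcludevimAlertEventSentinelOneSingularity'` in the two `disabled=` expressions. The text is unchanged by the commit, but it is the new side under review.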
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAlertEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAlertEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimAlertEventEmpty", - "query": "let EmptyAlertEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, AdditionalFields:dynamic\n, EventCount:int\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EvenMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, EventSeverity:string\n, EventOriginalSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOwner:string\n, EventOriginalType:string\n, EventOriginalSubType:string\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult:string\n, EventStartTime:datetime\n, EventUid:string\n//****** Device fields ******\n, DvcAction:string\n, DvcDescription:string\n, DvcId:string\n, DvcIdType:string\n, DvcInterface:string\n, DvcHostname:string\n, DvcDomain:string\n, DvcDomainType:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcOriginalAction:string\n, DvcScope:string\n, DvcScopeId:string\n, DvcFQDN:string\n, DvcZone:string\n//****** Inspection fields ******\n, AlertId:string\n, AlertName:string\n, AlertDescription:string\n, AlertStatus:string\n, AlertOriginalStatus:string\n, AlertVerdict:string\n, AttackTactics:string\n, 
AttackTechniques:string\n, AttackRemediationSteps:string\n, IndicatorType:string\n, IndicatorAssociation:string\n, DetectionMethod:string\n, Rule: string\n, RuleNumber:int\n, RuleName:string\n, RuleDescription:string\n, ThreatId:string\n, ThreatName:string\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatCategory:string\n, ThreatOriginalCategory:string\n, ThreatIsActive:bool\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n//****** Source User fields ******\n, UserId:string\n, UserTdType:string\n, Username:string\n, UsernameType:string\n, UserType:string\n, OriginalUserType:string\n, SessionId:string\n, UserScopeId:string\n, UserScope:string\n//****** Process fields ******\n, ProcessId:string\n, ProcessName:string\n, ProcessCommandLine:string\n, ProcessFileCompany:string\n//****** File fields ******\n, FileName:string\n, FilePath:string\n, FileSHA1:string\n, FileMD5:string\n, FileSHA256:string\n, FileSize:int\n//****** Registry fields ******\n, RegistryKey:string\n, RegistryValue:string\n, RegistryValueType:string\n, RegistryValueData:string\n//****** Email fields ******\n, EmailSubject:string\n, EmailMessageId:string\n//****** Url fields ******\n, Url:string\n//****** Aliases ******\n, IpAddr:string\n, Hostname:string\n, User:string\n)[];\nEmptyAlertEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAlertEventEmpty", + "query": "let EmptyAlertEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, AdditionalFields:dynamic\n, EventCount:int\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EvenMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, EventSeverity:string\n, EventOriginalSeverity:string\n, EventSubType:string\n, 
EventOriginalUid:string\n, EventOwner:string\n, EventOriginalType:string\n, EventOriginalSubType:string\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult:string\n, EventStartTime:datetime\n, EventUid:string\n//****** Device fields ******\n, DvcAction:string\n, DvcDescription:string\n, DvcId:string\n, DvcIdType:string\n, DvcInterface:string\n, DvcHostname:string\n, DvcDomain:string\n, DvcDomainType:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcOriginalAction:string\n, DvcScope:string\n, DvcScopeId:string\n, DvcFQDN:string\n, DvcZone:string\n//****** Inspection fields ******\n, AlertId:string\n, AlertName:string\n, AlertDescription:string\n, AlertStatus:string\n, AlertOriginalStatus:string\n, AlertVerdict:string\n, AttackTactics:string\n, AttackTechniques:string\n, AttackRemediationSteps:string\n, IndicatorType:string\n, IndicatorAssociation:string\n, DetectionMethod:string\n, Rule: string\n, RuleNumber:int\n, RuleName:string\n, RuleDescription:string\n, ThreatId:string\n, ThreatName:string\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatCategory:string\n, ThreatOriginalCategory:string\n, ThreatIsActive:bool\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n//****** Source User fields ******\n, UserId:string\n, UserTdType:string\n, Username:string\n, UsernameType:string\n, UserType:string\n, OriginalUserType:string\n, SessionId:string\n, UserScopeId:string\n, UserScope:string\n//****** Process fields ******\n, ProcessId:string\n, ProcessName:string\n, ProcessCommandLine:string\n, ProcessFileCompany:string\n//****** File fields ******\n, FileName:string\n, FilePath:string\n, FileSHA1:string\n, FileMD5:string\n, FileSHA256:string\n, FileSize:int\n//****** Registry fields ******\n, RegistryKey:string\n, RegistryValue:string\n, RegistryValueType:string\n, RegistryValueData:string\n//****** Email fields ******\n, 
EmailSubject:string\n, EmailMessageId:string\n//****** Url fields ******\n, Url:string\n//****** Aliases ******\n, IpAddr:string\n, Hostname:string\n, User:string\n)[];\nEmptyAlertEvents", + "version": 1 + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json index 8656327fbc5..e70dda92f57 100644 --- a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json 
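Review bot: The schema datatable that survives on the new side still declares `EvenMessage:string` and `UserTdType:string`, which look like typos for the ASIM common field `EventMessage` and the `UserIdType` column the sibling Defender XDR parser in this PR actually emits; because the empty function is unioned with the source parsers, the misspelt columns would appear as extra empty columns rather than aligning with the real ones. The query string is carried over unchanged from the removed lines, so this predates the commit, but the rewrite is the natural place to fix it. The flattened `workspaces/savedSearches` resource also drops the parent workspace resource and its `dependsOn`, so, as far as I can tell, the template now assumes the `Workspace` parameter names an existing workspace; a short `"metadata"` comment or README note stating that precondition would help deployers.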
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAlertEventMicrosoftDefenderXDR')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAlertEventMicrosoftDefenderXDR", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM filtering parser for Microsoft Defender XDR", - "category": "ASIM", - "FunctionAlias": "vimAlertEventMicrosoftDefenderXDR", - "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n [\n \"User\", \"User\",\n \"Machine\", \"Host\",\n \"Process\", \"Process\",\n \"File\", \"File\",\n \"Ip\", \"Ip\",\n \"Url\", \"Url\",\n \"RegistryValue\", \"Registry\",\n \"CloudLogonSession\", \"LogonSession\",\n \"CloudApplication\", \"Application\",\n \"Mailbox\", \"Mailbox\",\n \"MailMessage\", \"Email\",\n \"CloudResource\", \"Cloud Resource\"\n ];\n let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n ];\n let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n ];\n let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n ];\n let AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", 
\"CommandAndControl\", \"Impact\"]);\n let ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any)))\n and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser.\n // Mapping 
Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, 
tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = 
AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n 
ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n };\n parser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n )\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser for Microsoft Defender XDR", + "category": "ASIM", + "FunctionAlias": "vimAlertEventMicrosoftDefenderXDR", + "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n [\n \"User\", \"User\",\n \"Machine\", \"Host\",\n \"Process\", \"Process\",\n \"File\", \"File\",\n \"Ip\", \"Ip\",\n \"Url\", \"Url\",\n \"RegistryValue\", \"Registry\",\n \"CloudLogonSession\", \"LogonSession\",\n \"CloudApplication\", \"Application\",\n \"Mailbox\", \"Mailbox\",\n \"MailMessage\", \"Email\",\n \"CloudResource\", \"Cloud Resource\"\n ];\n let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n ];\n let RegistryValueTypeLookup = datatable (ValueType: 
string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n ];\n let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n ];\n let AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\n let ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any)))\n and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or 
(tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser.\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, 
tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n 
ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n 
EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n };\n parser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n )\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json index 447a4b34eba..baa5bc19e65 100644 
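Review bot: `ParentProcessSHA1_s` (and likewise `AppId_s` / `AppName_s`) is computed in the parser but never added to the `bag_pack` that rebuilds `AdditionalFields`, so the closing `project-away *_s` silently discards it; adding `"ParentProcessSHA1", ParentProcessSHA1_s,` next to the SHA256/MD5 entries (and `AppId`/`AppName` if they are meant to survive) would preserve the data. The query text is identical in the removed and added lines, so this predates the commit, but it is the only chance the rewrite gives to catch it. A second point to confirm against the AlertEvidence schema: `AdditionalFields.ParentProcess.ImageFile` is read both as an object (`.Directory`, `.Name`) and as an array (`[0].SHA1`, `[2].SHA256`, `[1].MD5`); if it is an object, the indexed reads are always null and the packed parent hashes will never be populated. Similarly `FileMD5 = AdditionalFields.FileHashes[1].Value` relies on a fixed array position, which is fragile if the hash order is not guaranteed.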
--- a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAlertEventSentinelOneSingularity')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAlertEventSentinelOneSingularity", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Alert Event ASIM filtering parser for SentinelOne Singularity platform", - "category": "ASIM", - "FunctionAlias": "vimAlertEventSentinelOneSingularity", - "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n 
alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))\n //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | extend\n 
AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, 
*_d\n};\nparser (\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser for SentinelOne Singularity platform", + "category": "ASIM", + "FunctionAlias": "vimAlertEventSentinelOneSingularity", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: 
datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))\n //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = 
iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 
'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] } \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/README.md b/Parsers/ASimAlertEvent/README.md new file mode 100644 index 00000000000..303c65feff5 --- /dev/null +++ b/Parsers/ASimAlertEvent/README.md 
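Review bot: The `username_has_any` parameter is accepted by the parser but never applied — the only clause that uses it is the commented-out line `//and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) ...)`, so a caller of this `vim` filtering parser that passes a username filter silently gets the unfiltered table back. Since `Username` is derived later in the query via `coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)`, the filter can be applied after that `extend` the same way `threatcategory_has_any` and `alertverdict_has_any` already are: `| where ((array_length(username_has_any) == 0) or (Username has_any (username_has_any)))`, plus a `// Username filtering done later in the parser` comment next to the other deferred-filter comments. The query text is carried over unchanged by this commit, so this is a pre-existing gap rather than a regression, but it is worth fixing while the resource is being touched.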
@@ -0,0 +1,17 @@
+# Advanced Security Information Model (ASIM) AlertEvent parsers
+
+This template deploys all ASIM AlertEvent parsers.
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Alert Event normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAlertEventARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAlertEventARMgov)
+
diff --git a/Playbooks/AS-Disable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json b/Playbooks/AS-Disable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json index 0459ce58943..9f61f7471ee 100644 --- a/Playbooks/AS-Disable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json +++ b/Playbooks/AS-Disable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json @@ -137,7 +137,7 @@ }, "HTTP_-_Authenticate": { "runAfter": { - "Initialize_variable_-_Affected_Azure_AD_Users": [ + "Get_Client_Secret": [ "Succeeded" ] }, @@ -231,4 +231,4 @@ } } ] -} \ No newline at end of file +} diff --git a/Playbooks/AS-Enable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json b/Playbooks/AS-Enable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json index bfb66afe0c1..d0529efd1e7 100644 --- a/Playbooks/AS-Enable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json +++ b/Playbooks/AS-Enable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json @@ -137,7 +137,7 @@ }, "HTTP_-_Authenticate": { "runAfter": { - "Initialize_variable_-_Affected_Azure_AD_Users": [ + "Get_Client_Secret": [ "Succeeded" ] }, @@ -231,4 +231,4 @@ } } ] -} \ No newline at end of file +} diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png index 0cda756d0e0..1561446c1f7 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png differ 
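Review bot: `HTTP_-_Authenticate` now runs after `Get_Client_Secret`, but that action is defined outside this hunk, so please confirm the name matches an action in the same `actions` map at the same scope exactly — Logic Apps `runAfter` only references sibling actions, and an ARM deployment fails validation on a dangling reference. Because the authentication request now consumes a secret fetched at runtime, confirm that both `Get_Client_Secret` and `HTTP_-_Authenticate` set `"runtimeConfiguration": { "secureData": { "properties": ["inputs", "outputs"] } }` so the client secret and the returned token are not persisted in plain text in run history; that setting is not visible from this hunk. Dropping the dependency on `Initialize_variable_-_Affected_Azure_AD_Users` is only safe if no later action relies on that variable being initialized before the HTTP call completes. The identical change in `Playbooks/AS-Enable-Microsoft-Entra-ID-User-From-Entity/azuredeploy.json` has the same two points.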
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png index 837ce46d03a..5e5b27d5541 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png index 86a3382e2d5..962cc4aaffb 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png index 85e3d9c7363..a307f18d623 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png index 24252ea46d0..ab4edbf69a3 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png index b19f0188291..12509647941 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png index 77fc381dcde..2c8b471a84f 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png index 2863d1ac842..52cb6663719 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png index d6b9217a233..a7312983863 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png index 19bcf49c9bd..11ce8876dff 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png index 9ebea64504d..6b24753a05d 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png index d6eb32c9f27..ecc7e6f6e63 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png index 63bf4b5f260..c08d6faaf51 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png index f72b7e27ea7..039958ef788 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png index 8ddbd7eb2cd..8a9570328ee 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png index 02a3429b4ad..cde5ec006d7 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png index 627b0cb0228..950072574d0 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png index ec124b080e7..86515205f18 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png index 7df564b46b6..ab102dddf6d 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png index 8dcb504eebc..b20a8333b1b 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png index ea41face2ac..65d719e3e02 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png index fb02aeadd69..ab6be15f768 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png index 4e21a9b4b19..1a32353f38b 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png index c5cecdfd905..530c6c28ac5 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png index f818a4a5569..00cf4d25704 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png index 8ad3c16d057..fbf0a5859dd 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_4.png new file mode 100644 index 00000000000..95df91d9f46 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png index 1a8748f2ec3..0c88958de3a 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png index 3e23dc79086..b89ca753533 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png index 782e9e39773..c0f10f0b722 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png index 38da0ce277b..7ee14a3e458 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png index 29cc38bc626..360f0ac3cf4 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png index ecdd091f1f0..abd3654b4db 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png index e89e494578a..af4c349c73c 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png index 7bb0650ba55..3aa4ef935fe 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png index 867ee398427..901d3a0e7b1 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png index 051ef6ee199..1b8e2a21cf9 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png index 2484c113409..a164cfccea2 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png index 8731f60625d..0a67680b982 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png index 95cbb7a3e2a..66caa6ad67f 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png index db553f2fdc8..67eb1e5d1cc 100644 Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png
index 3a778b991b1..6be3d814797 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png
index a830203d727..1e945cc3c51 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png
index d2cf64f8143..1ac12860929 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png
index 8da7c2a0517..0a9ce8a339c 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png
index d46f07773af..b49ac9311b8 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png
index 3b8e6678605..653f403cd42 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png
index d98ca5ce8da..306b473fabf 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png
index 95f67d803f7..60e5c15c951 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png
index 98306cb8fa3..020b96f73bd 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png
index 1c9beb01edc..bdb8617bd5a 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png
index 2e79ba1093c..45005857621 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png
index 79149ee6e38..9721bb6bf6d 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png
index 254c2730ccd..82345082bcd 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png
index e265f03f5bf..c144c9c1a88 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png
index 39a2d12d311..28feb613303 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png
index a90000d0353..af55012c053 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_2.png
new file mode 100644
index 00000000000..9ee30dcaa8a
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png
index cd07848ab2c..38f7d0abc82 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png
index 74b925f2766..0445cfc3bc6 100644
Binary files a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
index eea27d50290..35bd1f069a5 100644
--- a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
@@ -5,12 +5,12 @@ Author: Accelerynt For any technical questions, please contact info@accelerynt.com [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) -This playbook is intended for multitenant organizations and is designed to run on a timed trigger and pull Microsoft Graph and Microsoft Office logs to Microsoft Sentinel using Data Collection Endpoints and Data Collection Rules. While Microsoft does have built in connectors for this, they do not support multitenant functionality. This playbook is configured to grab the following logs for a tenant of your choosing and send them to another tenant: +This playbook is designed for multitenant environments to facilitate Microsoft Entra and Microsoft Office log collection in Microsoft Sentinel via Data Collection Endpoints and Data Collection Rules (DCRs). Microsoft’s built-in connectors lack multitenant support, so this playbook bridges that limitation by retrieving logs from a designated tenant and integrating them into another tenant’s Sentinel workspace. 
It supports the following log types: * [Microsoft Graph Sign-In Logs](https://learn.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http) * [Microsoft Graph Audit Logs](https://learn.microsoft.com/en-us/graph/api/directoryaudit-get?view=graph-rest-1.0&tabs=http) -* [Microsoft Office Activity Logs](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference). +* [Microsoft Office Activity Logs](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference) ![DCRLogIngestion_Demo_1](Images/DCRLogIngestion_Demo_1.png) 
@@ -20,49 +20,54 @@ This playbook is intended for multitenant organizations and is designed to run o > Estimated Time to Complete: 3 hours > [!TIP] -> Required deployment variables will be noted throughout the setup. It is recommended that you look at the deployment page and fill out the required fields as you go. +> Required deployment variables are noted throughout. Reviewing the deployment page and filling out fields as you proceed is recommended. # ### Requirements The following items are required under the template settings during deployment: -* Note your [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) for the tenant that will be sending the data -* A Microsoft Entra [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) to send data to the DCR with admin consent granted for "**AuditLog.Read.All**" and "**Activity.Feed.Read**" -* A Microsoft Entra [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) in the receiving tenant where the DCR is located. This app registration must have the "**Monitoring Metrics Publisher**" role assigned from each DCR you create. 
-* [App Registration Azure key vault secrets](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret) containing your app registration client secrets -* Note your [workspace location](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces) for the tenant that will be receiving data, as this will need to be the same for Data Collection Rules and Endpoints created in the steps below -* A [Microsoft Data Collection Endpoint](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints) for each of the log sources -* A [Microsoft Data Collection Rule](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules) for each of the log sources -* An [Azure key vault secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret) containing your client secret for each of your Data Collection Endpoints +**Log Source**: + +* **Subscription ID** - this can be found by logging into your source tenant and navigating to the [Microsoft subscriptions page](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2). +* **Entra App Registration** - this needs to be created to send data to the DCR, with admin consent granted for "**AuditLog.Read.All**" and "**Activity.Feed.Read**". [Documentation link](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). + +**Log Destination**: + +* **Entra App Registration** - this needs to be created to access the DCR, with the "**Monitoring Metrics Publisher**" role assigned from each DCR you create. [Documentation link](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). 
+* **Azure Key Vault Secrets** - these will store both source and destination app registration client secrets. Documentation links: [source](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret), [destination](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). +* **Workspace Location** - this will need to be noted as it must be consistent in creating resources such as data collection rules and endpoints. This is the value under "**Location**" on the [Microsoft workspaces page](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces). +* **Data Collection Endpoints** - these will need to be created for each of the three log sources. [Documentation link](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). +* **Data Collection Rules** - these will need to be created for each of the three log sources. [Documentation link](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). # ### Role Requirements -If the user that will be performing the setup and deployment steps does not have "**Owner**" or "**Global Administrator**" assigned in both tenants, the following roles may be required: +If the user that will be performing the setup and deployment steps does not have the "**Owner**" or "**Global Administrator**" role assigned in both tenants, the following additional roles may be required: -The following roles are required in the **sending tenant**: +**Log Source Tenant Roles**: -* The **Privileged Role Administrator** role will need to be assigned to the user from Entra ID. 
-* By default, any user can create an app registration, however, if this has been locked down, the "**Application Administrator**" role will need to be assigned from Entra ID. +* **Privileged Role Administrator** - This role will need to be assigned to the user from Entra ID. +* **Application Administrator** - By default, any user can create an app registration. However, if this has been locked down, this role will need to be assigned from Entra ID. -The following roles are required in the **receiving tenant**: +**Log Destination Tenant Roles**: -* In order to create and manage secrets within the desired Key Vault, the **Key Vault Secrets Officer** role will need to be assigned to the user from the Key Vault Access control (IAM) page. -* In order to add role assignments to DCRs, the **User Access Admin** and "**Contributor**" roles will need to be assigned to the user from the resource group. +* **Key Vault Secrets Officer** - In order to create and manage secrets within the desired key vault, this role will need to be assigned to the user from the key vault access control (IAM) page. +* **User Access Administrator** - In order to add role assignments to DCRs, this role will need to be assigned to the user from the resource group. +* **Contributor** - In order to add role assignments to DCRs, this role will need to be assigned to the user from the resource group. # ### Setup #### Create an App Registration -From the tenant you wish to **send the Microsoft Graph and Office data from**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade +From the tenant holding the **log source** data, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade Click "**New registration**". 
![DCRLogIngestion_App_Registration_1](Images/DCRLogIngestion_App_Registration_1.png) -Enter "**AS-Send-Logs-to-DCR**" for the name and select "**Accounts in any organizational directory**" for "**Supported account types**. All else can be left as is. Click "**Register**" +Enter something like "**AS-Send-Logs-to-DCR**" as the name and select "**Accounts in any organizational directory**" for "**Supported account types**". All remaining fields can be left unchanged. Click "**Register**" ![DCRLogIngestion_App_Registration_2](Images/DCRLogIngestion_App_Registration_2.png) 
@@ -108,25 +113,25 @@ Copy the value of the secret that is generated, as this will be needed for [Crea #### Create an App Registration Azure Key Vault Secret -The secret from the previous step will need to be stored in the **tenant that is to receive the data**, as this is where the logic app will be deployed. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults +The secret from the previous step will need to be stored in the **log destination tenant**, as this is where the logic app will be deployed. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". ![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Key_Vault_1.png) -Choose a name for the secret, such as "**DCRLogIngestion-SendingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". +Choose a name for the secret, such as "**DCRLogIngestion-LogSourceAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next, enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". 
![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Key_Vault_2.png) #### Create the Data Collection Endpoints -From the **tenant that is to receive the data**, navigate to the Microsoft Data Collection Endpoints page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints +From the tenant holding the **log destination** data, navigate to the Microsoft data collection endpoints page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints Click "**Create**". ![DCRLogIngestion_Data_Collection_Endpoint_1](Images/DCRLogIngestion_Data_Collection_Endpoint_1.png) -Enter "**EntraSignInLogsDCE**" as the Endpoint Name and select the Subscription and Resource Group. These should match the Subscription and Resource Group of the playbook you will deploy later. Ensure the Region location matches that of your workspace. Click "**Review + create**". +Enter something like "**EntraSignInLogsDCE**" as the endpoint name and select the subscription and resource group. These should match the subscription and resource group of the playbook you will deploy later. Ensure the region matches the location of your workspace. Click "**Review + create**". ![DCRLogIngestion_Data_Collection_Endpoint_2](Images/DCRLogIngestion_Data_Collection_Endpoint_2.png) @@ -148,7 +153,7 @@ From each of the created Data Collection Endpoint overview pages, take note of t #### Create the Data Collection Rules -From the **tenant that is to receive the data**, navigate to the Microsoft Log Analytics Workspace page: https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces +From the tenant holding the **log destination** data, navigate to the Microsoft Log Analytics Workspace page: https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces Select the desired workspace. 
@@ -158,11 +163,11 @@ From the selected workspace, navigate to "**Tables**" located under settings, cl ![DCRLogIngestion_Data_Collection_Rule_2](Images/DCRLogIngestion_Data_Collection_Rule_2.png) -First, click "**Create a new Data Collection Rule**" below the Data Collection Rule field. Then enter "**EntraSignInLogsDCR**" for the name in the window that appears on the right. Ensure the Subscription, Resource Group, and Region all look correct, then click "**Done**". +First, click "**Create a new Data Collection Rule**" below the Data Collection Rule field. Then enter something like "**EntraSignInLogsDCR**" for the name in the window that appears on the right. Ensure the Subscription, Resource Group, and Region all look correct, then click "**Done**". ![DCRLogIngestion_Data_Collection_Rule_3](Images/DCRLogIngestion_Data_Collection_Rule_3.png) -Next enter "**EntraSignInLogs**" as the table name and select "**EntraSignInLogsDCE**" from the drop-down list. If this option is not populating, double check the region used for the Data Collection Endpoint created in the previous step. Click "**Next**". +Next enter something like "**EntraSignInLogs**" as the table name and select "**EntraSignInLogsDCE**" from the drop-down list. If this option is not populating, double check the region used for the Data Collection Endpoint created in the previous step. Click "**Next**". ![DCRLogIngestion_Data_Collection_Rule_4](Images/DCRLogIngestion_Data_Collection_Rule_4.png) 
@@ -170,7 +175,7 @@ The next step will prompt you for a data sample. ![DCRLogIngestion_Data_Collection_Rule_5](Images/DCRLogIngestion_Data_Collection_Rule_5.png) -Upload the file content located at [Samples/SignInLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/SignInLogsSample.json), then click "**Next**". +Upload the file content located at [Samples/SignInLogsSample.json](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/SignInLogsSample.json), then click "**Next**". ![DCRLogIngestion_Data_Collection_Rule_6](Images/DCRLogIngestion_Data_Collection_Rule_6.png) 
@@ -178,11 +183,11 @@ Click "**Create**". ![DCRLogIngestion_Data_Collection_Rule_7](Images/DCRLogIngestion_Data_Collection_Rule_7.png) -This process will need to be repeated for "**EntraAuditLogsDCR**". After creating the "**EntraAuditLogsDCR**" Data Collection Rule in the way that was shown for "**EntraSignInLogsDCR**", enter "**EntraAuditLogs**" as the table name and select "**EntraAuditLogsDCE**" from the drop-down list. +This process will need to be repeated for "**EntraAuditLogsDCR**". After creating the "**EntraAuditLogsDCR**" Data Collection Rule in the way that was shown for "**EntraSignInLogsDCR**", enter something like "**EntraAuditLogs**" as the table name and select "**EntraAuditLogsDCE**" from the drop-down list. ![DCRLogIngestion_Data_Collection_Rule_8](Images/DCRLogIngestion_Data_Collection_Rule_8.png) -Upload the file content located at [Samples/AuditLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/AuditLogsSample.json), then click "**Next**". +Upload the file content located at [Samples/AuditLogsSample.json](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/AuditLogsSample.json), then click "**Next**". ![DCRLogIngestion_Data_Collection_Rule_9](Images/DCRLogIngestion_Data_Collection_Rule_9.png) 
@@ -190,11 +195,11 @@ Click "**Create**". ![DCRLogIngestion_Data_Collection_Rule_10](Images/DCRLogIngestion_Data_Collection_Rule_10.png) -This process will need to be repeated for "**OfficeActivityLogsDCR**". After creating the "**OfficeActivityLogsDCR**" Data Collection Rule in the way that was shown for “**EntraSignInLogsDCR**", enter "**OfficeActivityLogs**" as the table name and select "**OfficeActivityLogsDCE**" from the drop down list. +This process will need to be repeated for "**OfficeActivityLogsDCR**". After creating the "**OfficeActivityLogsDCR**" Data Collection Rule in the way that was shown for “**EntraSignInLogsDCR**", enter something like "**OfficeActivityLogs**" as the table name and select "**OfficeActivityLogsDCE**" from the drop down list. ![DCRLogIngestion_Data_Collection_Rule_11](Images/DCRLogIngestion_Data_Collection_Rule_11.png) -Upload the file content located at [Samples/OfficeActivityLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/O365GeneralAuditLogsSample.json), then click "**Next**". +Upload the file content located at [Samples/OfficeActivityLogsSample.json](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/O365GeneralAuditLogsSample.json), then click "**Next**". ![DCRLogIngestion_Data_Collection_Rule_12](Images/DCRLogIngestion_Data_Collection_Rule_12.png) 
@@ -202,7 +207,7 @@ Click "**Create**". ![DCRLogIngestion_Data_Collection_Rule_13](Images/DCRLogIngestion_Data_Collection_Rule_13.png) -From each of the created [Data Collection Rule overview pages](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules), take note of the "**Immutable Id**" values, as they will be needed for deployment. +From each of the created [Data Collection Rule overview pages](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules), take note of the "**Immutable ID**" values, as they will be needed for deployment. ![DCRLogIngestion_Data_Collection_Rule_14](Images/DCRLogIngestion_Data_Collection_Rule_14.png) @@ -212,13 +217,13 @@ Lastly, from each of the created Data Collection Rule data sources pages, take n #### Create an App Registration for the DCRs -From the **tenant that is to receive the data**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade +From the tenant holding the **log destination** data, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade Click "**New registration**". ![DCRLogIngestion_App_Registration_DCR_1](Images/DCRLogIngestion_App_Registration_DCR_1.png) -Enter "**DCRLogIngestionAppReg**" for the name and select "**Accounts in this organizational directory only**" for "**Supported account types**. All else can be left as is. Click "**Register**" +Enter something like "**DCRLogIngestionAppReg**" for the name and select "**Accounts in this organizational directory only**" for "**Supported account types**. All remaining fields can be left unchanged. Click "**Register**" ![DCRLogIngestion_App_Registration_DCR_2](Images/DCRLogIngestion_App_Registration_DCR_2.png) 
@@ -234,7 +239,7 @@ Copy the value of the secret that is generated, as this will be needed for [Crea ![DCRLogIngestion_App_Registration_DCR_5](Images/DCRLogIngestion_App_Registration_DCR_5.png) -Next, IAM access for this App Registration will need to be added from each of the DCRs created in the previous step. Navigate to the Data Collection Rules page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules +Next, IAM access for this app registration will need to be added from each of the DCRs created in the previous step. Navigate to the data collection rules page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules Select the "**EntraSignInLogsDCR**" and select "**Access control (IAM)**". Click "**Add**" and select "**Add role assignment**". 
@@ -260,29 +265,29 @@ Lastly, repeat this process for "**OfficeActivityLogsDCR**". ![DCRLogIngestion_App_Registration_DCR_11](Images/DCRLogIngestion_App_Registration_DCR_11.png) -#### Create a Receiving App Registration Azure Key Vault Secret +#### Create a Log Destination App Registration Azure Key Vault Secret -As before, secret from the previous step will need to be stored in the **tenant that is to receive the data**. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults +As before, the secret from the previous step will need to be stored in the **log destination tenant**. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". -![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Receiving_Key_Vault_1.png) +![DCRLogIngestion_Receiving_Key_Vault_1](Images/DCRLogIngestion_Receiving_Key_Vault_1.png) -Choose a name for the secret, such as "**DCRLogIngestion-ReceivingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". +Choose a name for the secret, such as "**DCRLogIngestion-Log-DestinationAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next, enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All remaining fields can be left unchanged. Click "**Create**". 
-![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Receiving_Key_Vault_2.png) +![DCRLogIngestion_Receiving_Key_Vault_2](Images/DCRLogIngestion_Receiving_Key_Vault_2.png) # ### Deployment To configure and deploy this playbook: -Open your browser and ensure you are logged into your Microsoft Sentinel workspace from the **tenant that is to receive the data**. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository: +Open your browser and ensure you are logged into your Microsoft Sentinel workspace From the tenant holding the **log destination** data. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository: https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template. 
@@ -294,37 +299,37 @@ In the **Instance Details** section: * **Playbook Name**: This can be left as "**AS-Microsoft-DCR-Log-Ingestion**" or you may change it. -* **Sending App Registration Tenant Id**: Enter the Directory (tenant) Id of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). +* **Log Source App Registration Tenant ID**: Enter the Directory (tenant) ID of the app registration that will be used to access the log source data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). -* **Sending App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). +* **Log Source App Registration Client ID**: Enter the Application (client) ID of the app registration that will be used to access the log source data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). -* **Sending Tenant Subscription ID**: Enter the [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) of the tenant that will be sending the data. +* **Log Source Tenant Subscription ID**: Enter the [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) of the tenant holding the log source data. 
-* **Receiving App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to receive data, referenced in [Create an App Registration for the DCRs](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-for-the-dcrs). +* **Log Destination App Registration Client ID**: Enter the Application (client) ID of the app registration that will be used to store the log destination data, referenced in [Create an App Registration for the DCRs](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-for-the-dcrs). * **Key Vault Name**: Enter the name of the key vault referenced in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). -* **Sending App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the sending App Registration client secret, created in [Create an App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret). +* **Log Source App Registration Key Vault Secret Name**: Name of key vault secret that contains the log source app registration client secret, created in [Create an App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret). -* **Receiving App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the receiving App Registration client secret, created in [Create a Receiving App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-a-receiving-app-registration-azure-key-vault-secret). 
+* **Log Destination App Registration Key Vault Secret Name**: Name of key vault secret that contains the log destination app registration client secret, created in [Create a Log Destination App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-a-log-destination-app-registration-azure-key-vault-secret). -* **Entra Sign In Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraSignInLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). +* **Entra Sign In Logs Ingestion URL**: Enter the logs ingestion URL from the EntraSignInLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). -* **Entra Sign In Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). +* **Entra Sign In Logs Immutable ID**: Enter the logs ingestion immutable ID from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). -* **Entra Sign In Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). 
+* **Entra Sign In Logs Data Source**: Enter the logs ingestion data source from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). -* **Entra Audit Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraAuditLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). +* **Entra Audit Logs Ingestion URL**: Enter the logs ingestion URL from the EntraAuditLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). -* **Entra Audit Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). +* **Entra Audit Logs Immutable ID**: Enter the logs ingestion immutable ID from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). -* **Entra Audit Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). +* **Entra Audit Logs Data Source**: Enter the logs ingestion data source from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). 
-* **Office Activity Ingestion URL**: Enter the Logs Ingestion URL from the OfficeActivityLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). +* **Office Activity Ingestion URL**: Enter the logs ingestion URL from the OfficeActivityLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints). -* **Office Activity Immutable Id**: Enter the Logs Ingestion Immutable Id from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). +* **Office Activity Immutable ID**: Enter the logs ingestion immutable ID from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). -* **Office Activity Data Source**: Enter the Logs Ingestion Data Source from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). +* **Office Activity Data Source**: Enter the logs ingestion data source from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules). Towards the bottom, click on "**Review + create**". 
@@ -342,33 +347,44 @@ Click the one corresponding to the Logic App. # ### Granting Access to Azure Key Vault -Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secrets, located in the **tenant that is to receive the data**. +Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secrets, located in the **log destination tenant**. From the Logic App menu blade, select the "**Identity**" tab, located under the "**Settings**" section. Click "**Azure role assignments**". ![DCRLogIngestion_Key_Vault_Access_1](Images/DCRLogIngestion_Key_Vault_Access_1.png) -Click "**Add role assignment**" then select "**Key Vault**" as the scope, select your Key Vault Name, then select "**Key Vault Secrets User**" for the role. Click "**Save**". +Click "**Add role assignment**" then select "**Key Vault**" as the scope, select your key vault name, then select "**Key Vault Secrets User**" for the role. Click "**Save**". ![DCRLogIngestion_Key_Vault_Access_2](Images/DCRLogIngestion_Key_Vault_Access_2.png) # ### Ensuring your Subscription is Enabled -To ensure the subscription is enabled for the app registration used to access the"**O365 Audit General Logs**", the [OfficeAuditSubscribtionEnable](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Scripts/OfficeAuditSubscribtionEnable.ps1) should be run from an [Azure Cloud Shell Window](https://learn.microsoft.com/en-us/azure/cloud-shell/new-ui-shell-window) from the tenant you wish to **send the Microsoft Graph and Office data from**. 
+To ensure the subscription is enabled for the app registration used to access the "**O365 Audit General Logs**", the [OfficeAuditSubscriptionEnable](https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion/blob/main/Scripts/OfficeAuditSubscriptionEnable.ps1) should be run from an [Azure Cloud Shell Window](https://learn.microsoft.com/en-us/azure/cloud-shell/new-ui-shell-window) From the tenant holding the **log source** data. ![DCRLogIngestion_Azure_Cloud_Shell_1](Images/DCRLogIngestion_Azure_Cloud_Shell_1.png) -Click the "**PowerShell**" option, then select the appropriate subscription for the sending tenant. + +Click the "**PowerShell**" option, then select the appropriate subscription for the log source tenant. ![DCRLogIngestion_Azure_Cloud_Shell_2](Images/DCRLogIngestion_Azure_Cloud_Shell_2.png) -Copy and paste the script into the Azure Cloud Shell PowerShell window and hit enter. You will be prompted to enter your **sending** tenant, as well as the **sending** app registration client ID and client secret. +Copy and paste the script into the Azure Cloud Shell PowerShell window and hit enter. You will be prompted to enter your **log source** tenant, as well as the **log source** app registration client ID and client secret. ![DCRLogIngestion_Azure_Cloud_Shell_3](Images/DCRLogIngestion_Azure_Cloud_Shell_3.png) +You should see a status of "**enabled**" once the script runs successfully. + +![DCRLogIngestion_Azure_Cloud_Shell_4](Images/DCRLogIngestion_Azure_Cloud_Shell_4.png) + # ### Enable the Logic App After all of the above steps are completed, from the Logic App Overview page, click "**Enable**". ![DCRLogIngestion_Logic_App_Enable_1](Images/DCRLogIngestion_Logic_App_Enable_1.png) + +Once the playbook has run successfully, navigate to https://portal.azure.com/#browse/microsoft.securityinsightsarg%2Fsentinel in your log destination tenant. +Select the corresponding workspace and navigate to "**Logs**". 
+From there, the tables you created in the [Create the Data Collection Endpoints section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints) can be queried to verify that the data is flowing to your log destination tenant properly. + +![DCRLogIngestion_Logic_App_Enable_2](Images/DCRLogIngestion_Logic_App_Enable_2.png) diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscriptionEnable.ps1 similarity index 100% rename from Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 rename to Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscriptionEnable.ps1 diff --git a/Playbooks/Get-CompromisedPasswords/readme.md b/Playbooks/Get-CompromisedPasswords/readme.md index 6e50561dd55..cffc27db5bc 100644 --- a/Playbooks/Get-CompromisedPasswords/readme.md +++ b/Playbooks/Get-CompromisedPasswords/readme.md 
@@ -30,7 +30,7 @@ If your Azure environment meets the prerequisites, and you're familiar with usin Select the following image to sign in with your Azure account and open the logic app in the Azure portal: - [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FSCStelz%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-CompromisedPasswords%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fraw.githubusercontent.com%2FSCStelz%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FGet-CompromisedPasswords%2Fazuredeploy.json) + [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FPlaybooks%2FGet-CompromisedPasswords%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FPlaybooks%2FGet-CompromisedPasswords%2Fazuredeploy.json) 1. In the portal, on the **Custom deployment** page, enter or select these values: diff --git a/Sample Data/GarrisonULTRARemoteLogs_IngestedLogs.csv b/Sample Data/GarrisonULTRARemoteLogs_IngestedLogs.csv new file mode 100644 index 00000000000..889fdd85a76 --- /dev/null +++ b/Sample Data/GarrisonULTRARemoteLogs_IngestedLogs.csv 
@@ -0,0 +1,6 @@ +"TimeGenerated [UTC]",deviceEventClassId,name,start,request,requestContext,reason,dhost,devicePayloadId,suid,suser,TenantId,Type,"_ResourceId" +"15/10/2024, 13:48:49.443",1,"HTTP request",1729000129443,"ovxYqsOc>m}P,t<+cSMk9R(oL/I?*6)L>J&dNV/U@,#aK+QkLi~6jz%&#VLIGu+qfl)8mL~y3#J]>.U+p\faP[@VUL=h6^&=>gqE#AmRqM/8u.]+K>(V\21S[^{}>VFb$#+qn05$VdCV(+AZ(4st}#86odv[&\&ji$%Z2LF|=}FWy}N,I^kG,L*VT4CRO&AebMD,mQYOpy@Y(%&%%|yZ>cs5n8KoUnM40poO9u,[_K@9U0RGJO/+ea*B+0I.qdD&31@+doOeeP~]Ei@ZI/^IvU8lsENC&Of1NqR>xf)","McdoQ4TLW8e(}71m*g9o_SJ.(N5+YS|h3?pX~>+CEY}w}J.W_9vfM~T^b;d^]*WZjEiyL87tU2u4/$S|u)IAoRE3#:/j3*]X%A]%)3Jhi(P@hIpJM7pN-$bxIa>3C/u%zH&omRb;^Z3vxyoFY{Z4XkwW,,(reason=category-arms",,,c8659f393a1979b2,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL", +"15/10/2024, 13:48:49.443",0,"Page visit",1729000129443,"B-||Zw[8P?b+.}mV[t32;Ampfg||?P-=vMV~fp~y,hy]\qXYj-H5zHt4O9K[%b8voqIz>-mq\G,fOq/x@&:2#}bN*7PhSqJ*Ygy:lHZh80[Y$iZ)J63$QJ8W\n;$+jG[);eGtWH3/2yC<}7~U,&~AD_GRUbegHUBlcZQLR$W%&A<8FX]Rcxgv+1DouBy|GZW#heN*I0%YUA?}[S<&qA+]-v\KoGSEo[dF#59p\/.d})pPJ1Kgb?MN}am%5[\5zu{E##)F",a0a7f49bd73fab31,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL", diff --git a/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json b/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json new file mode 100644 index 00000000000..b40e11501c8 --- /dev/null +++ b/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json 
@@ -0,0 +1,67 @@ +[ + { + "TimeGenerated": "2024-10-15 14:39:09.323000+00:00", + "deviceEventClassId": 1, + "name": "HTTP request", + "start": 1729003149323, + "request": ">{XDI$K.&=nTA8ZtdJIf;>~})l9?6tjFH7QR*vns]x16ZZ%Ot[#qvtL^x^OIZEQ#(L~S-gP}B8#3]#pNV&Z9@ITYVS%wX|&A^u)+LNiU^Tt2N:tQiLUE,&4?fAg6c(kDYl+)(h/_/f@:kT1r]hn]~hGf3%-#dxFOFT<*E", + "reason": "", + "dhost": "", + "devicePayloadId": "037dd6aad0e06621", + "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec", + "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec" + }, + { + "TimeGenerated": "2024-10-15 14:39:09.325000+00:00", + "deviceEventClassId": 4, + "name": "Site visit", + "start": 1729003149325, + "request": "", + "requestContext": "", + "reason": "", + "dhost": "d?iC^MUFD9\\Bu1<.+3Q>)gj9gSO3+I8/{S}yNq>A&21?:sam-IN7(/i#qf^]FMs/~", + "devicePayloadId": "b8f6848a07290a8b", + "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec", + "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec" + }, + { + "TimeGenerated": "2024-10-15 14:39:09.324000+00:00", + "deviceEventClassId": 3, + "name": "HTTP request blocked", + "start": 1729003149324, + "request": "/%m8\\62Nc9rfHa^7#|^z:e8cU:\\*G[s5KEG?K0Kw3|h.X0U)NjroRep6+a:f^pP)R4xw~/X/1xA>*KW%el^M)kI)IH#@KGZtpGi.qeZ*&[JCcvOh*@XlFpZ=0xwJWoK>8_eofg,Jw%CZuY]i6{G:qcp[?&;^uLlg^h.tv8kHy", + "requestContext": "fW56)_up7Z;&4C7-~[3I[f52pO5#On5tBEV[pdW|;tfd6]fkr+y9rPffQg*]?0;3XU5sp3T<%8W_O-jnpjGF\\:q|s%&oZ%g~B}>H3U&)SiR=Q*p,4$1\\3y[[0z465$JK$JYreason=category-arms", + "reason": "", + "dhost": "", + "devicePayloadId": "6b8c53f30783d5b5", + "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec", + "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec" + }, + { + "TimeGenerated": "2024-10-15 14:39:09.322000+00:00", + "deviceEventClassId": 0, + "name": "Page visit", + "start": 1729003149322, + "request": "={AT@@yufoRzB60yvi/GpaeEJuA@w)Ogfi#a+47y{YB|@u%\\)Y}TK/KaoqFmT[{hB[F8", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "API Key ID", + "placeholder": "api_key", + "type": "text", + "name": 
"api_key" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Key Secret", + "placeholder": "api_secret", + "type": "password", + "name": "api_secret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "CloudGuard Endpoint URL", + "placeholder": "e.g. https://api.dome9.com", + "type": "text", + "name": "endpoint_url" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Filter", + "placeholder": "Paste filter from CloudGuard", + "type": "text", + "name": "query_filter" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect CloudGuard Security Events to Microsoft Sentinel" + } + ] + } + } +} diff --git a/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_PollingConfig.json b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_PollingConfig.json new file mode 100644 index 00000000000..4f5a2a19b42 --- /dev/null +++ b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_PollingConfig.json 
@@ -0,0 +1,50 @@
+{
+ "name": "CloudGuardCCPAlertsPolling",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "dataType": "CloudGuard Events API",
+ "response": {
+ "eventsJsonPaths": [
+ "$.findings"
+ ],
+ "format": "json"
+ },
+ "connectorDefinitionName": "CloudGuardCCPDefinition",
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('api_key')]",
+ "password": "[[parameters('api_secret')]"
+ },
+ "request": {
+ "queryParametersTemplate": "[[concat('{\"skipAggregations\": true, \"filter\": {\"updatedTime\": {\"from\": \"{_QueryWindowStartTime}\", \"to\": \"{_QueryWindowEndTime}\"}, \"fields\": [ {\"name\": \"alertType\", \"value\": 0}', if(not(empty(parameters('query_filter'))), concat(',', parameters('query_filter')), ''), ']}}')]",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "apiEndpoint": "[[concat(parameters('endpoint_url'), '/v2/Compliance/Finding/searchFromSentinel')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "isPostPayloadJson": true,
+ "httpMethod": "Post",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "Content-type": "application/json",
+ "User-Agent": "Sentinel-CloudGuard",
+ "Version": "1.0.0"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageTokenJsonPath": "$.searchAfter",
+ "nextPageParaName": "searchAfter"
+ },
+ "dcrConfig": {
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+ "streamName": "Custom-CloudGuard_SecurityEvents_CL"
+ },
+ "isActive": true
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_Tables.json b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_Tables.json
new file mode 100644
index 00000000000..0410a9cf276
--- /dev/null
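Review bot: `queryParametersTemplate` concatenates `parameters('query_filter')` into the JSON request body verbatim, right after the fixed `{"name": "alertType", "value": 0}` entry of the `fields` array, so an operator-entered filter with an unbalanced quote or brace yields an invalid payload and a recurring poll failure that the connector health view will not attribute to the filter. The poller has no hook to validate it, so the definition's `query_filter` textbox (whose placeholder on this page is only `Paste filter from CloudGuard`) should spell out the expected shape — additional `{"name": ..., "value": ...}` objects, comma-separated, without enclosing brackets — so the operator can get it right. Separately, `auth.type` is `Basic` and `apiEndpoint` is built from the operator-supplied `endpoint_url`; nothing visible constrains that parameter to an `https://` scheme, so the API key and secret would travel in cleartext if an `http://` endpoint were entered, which is worth enforcing on the definition side and stating next to that textbox.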
+++ b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_Tables.json 
@@ -0,0 +1,277 @@ +{ + "name": "CloudGuard_SecurityEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "{{location}}", + "properties": { + "schema": { + "name": "CloudGuard_SecurityEvents_CL", + "columns": [ + { + "name": "acknowledged", + "type": "boolean", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "action", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "additionalFields", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "alertType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "bundleId", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "bundleName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "cloudAccountExternalId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "cloudAccountId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "cloudAccountType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "comments", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "description", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityDome9Id", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityExternalId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityNetwork", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityTags", + "type": "dynamic", + 
"isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityTypeByEnvironmentType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "findingKey", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "isExcluded", + "type": "boolean", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "labels", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "lastSeenTime", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "magellan", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "occurrences", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "organizationalUnitId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "organizationalUnitPath", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "origin", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ownerUserName", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "region", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "remediation", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "remediationActions", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ruleId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ruleLogic", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ruleName", + "type": "string", + "isDefaultDisplay": 
false, + "isHidden": false + }, + { + "name": "scanId", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "severity", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "status", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "statusReason", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "tag", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "updatedTime", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "webhookResponses", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } +} diff --git a/Solutions/Check Point CloudGuard/Data/Solution_CloudGuard.json b/Solutions/Check Point CloudGuard/Data/Solution_CloudGuard.json new file mode 100644 index 00000000000..2d56ba222fb --- /dev/null +++ b/Solutions/Check Point CloudGuard/Data/Solution_CloudGuard.json 
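Review bot: Every column in the `CloudGuard_SecurityEvents_CL` schema, including `TimeGenerated`, `severity`, `ruleName` and `status`, is declared with `"isDefaultDisplay": false`, and none carries a `description`, so an analyst opening the table gets no default column set and no hint of what opaque fields such as `magellan`, `bundleId` or `findingKey` hold. If `isDefaultDisplay` governs the default column set in the Logs view, as its name suggests, the triage-relevant columns should presumably be `true`; either way, a one-line `description` per non-obvious column would make the table self-documenting. `updatedTime` is the field the poller's `filter` is keyed on in `CloudGuard_PollingConfig.json`, which is worth stating in its description so nobody treats it as a purely informational column.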
@@ -0,0 +1,13 @@
+{
+ "Name": "Check Point CloudGuard",
+ "Author": "Checkpoint - support@checkpoint.com",
+ "Logo": "",
+ "Description": "The [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries",
+ "Data Connectors": [
+ "Data Connectors/CloudGuard_ccp/CloudGuard_DataConnectorDefinition.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Check Point CloudGuard",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true
+}
diff --git a/Solutions/Check Point CloudGuard/Package/3.0.0.zip b/Solutions/Check Point CloudGuard/Package/3.0.0.zip
new file mode 100644
index 00000000000..8fdfcff25b0
Binary files /dev/null and b/Solutions/Check Point CloudGuard/Package/3.0.0.zip differ
diff --git a/Solutions/Check Point CloudGuard/Package/createUiDefinition.json b/Solutions/Check Point CloudGuard/Package/createUiDefinition.json
new file mode 100644
index 00000000000..e76ce9e14e9
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Package/createUiDefinition.json
@@ -0,0 +1,85 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Check%20Point%20CloudGuard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Check Point CloudGuard. You can get Check Point CloudGuard data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/Package/mainTemplate.json b/Solutions/Check Point CloudGuard/Package/mainTemplate.json
new file mode 100644
index 00000000000..ac8d57f6506
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Package/mainTemplate.json
@@ -0,0 +1,1089 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Checkpoint - support@checkpoint.com", + "comments": "Solution template for Check Point CloudGuard" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@checkpoint.com", + "_email": "[variables('email')]", + "_solutionName": "Check Point CloudGuard", + "_solutionVersion": "3.0.0", + "solutionId": "checkpoint-cloudguard.checkpoint-sentinel-solutions-cloud-guard", + "_solutionId": "[variables('solutionId')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition1": "CloudGuardCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition1": 
"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "CloudGuardCCPDefinitionConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "TemplateEmptyObject": "[json('{}')]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "CloudGuard CNAPP Security Events", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + 
"apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CloudGuardCCPDefinition", + "title": "CloudGuard CNAPP Security Events", + "publisher": "CheckPoint", + "descriptionMarkdown": "The [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries.", + "graphQueriesTableName": "CloudGuard_SecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CloudGuard Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of CloudGuard Events", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Total Events by uuid", + "query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + 
"providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "CloudGuard API Key", + "description": "Refer to the instructions provided [here](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Settings/Users-Roles.htm#add_service) to generate an API key." + } + ] + }, + "instructionSteps": [ + { + "description": "To enable the CloudGuard connector for Microsoft Sentinel, enter the required information below and select Connect.\n>", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "API Key ID", + "placeholder": "api_key", + "type": "text", + "name": "api_key" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Key Secret", + "placeholder": "api_secret", + "type": "password", + "name": "api_secret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "CloudGuard Endpoint URL", + "placeholder": "e.g. https://api.dome9.com", + "type": "text", + "name": "endpoint_url" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Filter", + "placeholder": "Paste filter from CloudGuard", + "type": "text", + "name": "query_filter" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect CloudGuard Security Events to Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": 
"[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Check Point", + "tier": "Partner", + "link": "https://www.checkpoint.com/support-services/contact-support/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "CloudGuardDCRV1", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-CloudGuard_SecurityEvents_CL": { + "columns": [ + { + "name": "id", + "type": "string" + }, + { + "name": "findingKey", + "type": "string" + }, + { + "name": "createdTime", + "type": "datetime" + }, + { + "name": "updatedTime", + "type": "datetime" + }, + { + "name": "cloudAccountType", + "type": "string" + }, + { + "name": "comments", + "type": "dynamic" + }, + { + "name": "cloudAccountId", + "type": "string" + }, + { + "name": "cloudAccountExternalId", + "type": "string" + }, + { + "name": "organizationalUnitId", + "type": "string" + }, + { + "name": "organizationalUnitPath", + "type": "string" + }, + { + "name": "bundleId", + "type": "int" + }, + { + "name": "alertType", + "type": "string" + }, + { + "name": "ruleId", + "type": "string" + }, + { + "name": "ruleName", + "type": "string" + }, + { + "name": "ruleLogic", + "type": "string" + }, + { + "name": "entityDome9Id", + "type": "string" + }, + { + "name": "entityExternalId", + "type": "string" + }, + { + "name": "entityType", + "type": "string" + }, + { + "name": 
"entityTypeByEnvironmentType", + "type": "string" + }, + { + "name": "entityName", + "type": "string" + }, + { + "name": "entityNetwork", + "type": "dynamic" + }, + { + "name": "entityTags", + "type": "dynamic" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "remediation", + "type": "string" + }, + { + "name": "tag", + "type": "string" + }, + { + "name": "region", + "type": "string" + }, + { + "name": "bundleName", + "type": "string" + }, + { + "name": "acknowledged", + "type": "boolean" + }, + { + "name": "origin", + "type": "string" + }, + { + "name": "lastSeenTime", + "type": "datetime" + }, + { + "name": "ownerUserName", + "type": "dynamic" + }, + { + "name": "magellan", + "type": "dynamic" + }, + { + "name": "isExcluded", + "type": "boolean" + }, + { + "name": "webhookResponses", + "type": "dynamic" + }, + { + "name": "remediationActions", + "type": "dynamic" + }, + { + "name": "additionalFields", + "type": "dynamic" + }, + { + "name": "occurrences", + "type": "dynamic" + }, + { + "name": "scanId", + "type": "dynamic" + }, + { + "name": "status", + "type": "string" + }, + { + "name": "statusReason", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "labels", + "type": "dynamic" + } + ] + } + }, + "dataSources": "[variables('TemplateEmptyObject')]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-CloudGuard_SecurityEvents_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend TimeGenerated = todatetime(createdTime)\n| project-rename EventId = id\n| project-away createdTime\n\n", + "outputStream": "Custom-CloudGuard_SecurityEvents_CL" + } + ], + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]" + } + }, + { + "name": 
"CloudGuard_SecurityEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "CloudGuard_SecurityEvents_CL", + "columns": [ + { + "name": "acknowledged", + "type": "boolean", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "action", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "additionalFields", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "alertType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "bundleId", + "type": "int", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "bundleName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "category", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "cloudAccountExternalId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "cloudAccountId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "cloudAccountType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "comments", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "description", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityDome9Id", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityExternalId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityName", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityNetwork", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityTags", + "type": "dynamic", + 
"isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "entityTypeByEnvironmentType", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "findingKey", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "EventId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "isExcluded", + "type": "boolean", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "labels", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "lastSeenTime", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "magellan", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "occurrences", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "organizationalUnitId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "organizationalUnitPath", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "origin", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ownerUserName", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "region", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "remediation", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "remediationActions", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ruleId", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ruleLogic", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "ruleName", + "type": "string", + "isDefaultDisplay": 
false, + "isHidden": false + }, + { + "name": "scanId", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "severity", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "status", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "statusReason", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "tag", + "type": "string", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "updatedTime", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "webhookResponses", + "type": "dynamic", + "isDefaultDisplay": false, + "isHidden": false + }, + { + "name": "TimeGenerated", + "type": "datetime", + "isDefaultDisplay": false, + "isHidden": false + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CloudGuardCCPDefinition", + "title": "CloudGuard CNAPP Security Events", + "publisher": "CheckPoint", + "descriptionMarkdown": "The 
[CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries.", + "graphQueriesTableName": "CloudGuard_SecurityEvents_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CloudGuard Events", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of CloudGuard Events", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Total Events by uuid", + "query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "CloudGuard API Key", + "description": "Refer to the instructions provided [here](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Settings/Users-Roles.htm#add_service) to generate an API key." 
+ } + ] + }, + "instructionSteps": [ + { + "description": "To enable the CloudGuard connector for Microsoft Sentinel, enter the required information below and select Connect.\n>", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "API Key ID", + "placeholder": "api_key", + "type": "text", + "name": "api_key" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Key Secret", + "placeholder": "api_secret", + "type": "password", + "name": "api_secret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "CloudGuard Endpoint URL", + "placeholder": "e.g. https://api.dome9.com", + "type": "text", + "name": "endpoint_url" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Filter", + "placeholder": "Paste filter from CloudGuard", + "type": "text", + "name": "query_filter" + } + }, + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ], + "title": "Connect CloudGuard Security Events to Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Check Point", + "tier": "Partner", + 
"link": "https://www.checkpoint.com/support-services/contact-support/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "CloudGuard CNAPP Security Events", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "CloudGuard CNAPP Security Events", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "api_key": { + "defaultValue": "api_key", + "type": "string", + "minLength": 1 + }, + "api_secret": { + "defaultValue": "api_secret", + "type": "string", + "minLength": 1 + }, + "endpoint_url": { + "defaultValue": "endpoint_url", + "type": "string", + "minLength": 1 + }, + "query_filter": { + "defaultValue": "query_filter", + "type": "string", + "minLength": 1 + } + }, 
+ "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Check Point", + "tier": "Partner", + "link": "https://www.checkpoint.com/support-services/contact-support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'CloudGuardCCPAlertsPolling')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "dataType": "CloudGuard Events API", + "response": { + "eventsJsonPaths": [ + "$.findings" + ], + "format": "json" + }, + "connectorDefinitionName": "CloudGuardCCPDefinition", + "auth": { + "type": "Basic", + "userName": "[[parameters('api_key')]", + "password": "[[parameters('api_secret')]" + }, + "request": { + "queryParametersTemplate": "[[concat('{\"skipAggregations\": true, \"filter\": {\"updatedTime\": {\"from\": \"{_QueryWindowStartTime}\", \"to\": \"{_QueryWindowEndTime}\"}, \"fields\": [ {\"name\": 
\"alertType\", \"value\": 0}', if(not(empty(parameters('query_filter'))), concat(',', parameters('query_filter')), ''), ']}}')]", + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "apiEndpoint": "[[concat(parameters('endpoint_url'), '/v2/Compliance/Finding/searchFromSentinel')]", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "isPostPayloadJson": true, + "httpMethod": "Post", + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json", + "Content-type": "application/json", + "User-Agent": "Sentinel-CloudGuard", + "Version": "1.0.0" + } + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.searchAfter", + "nextPageParaName": "searchAfter" + }, + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-CloudGuard_SecurityEvents_CL" + }, + "isActive": true + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Check Point CloudGuard", + "publisherDisplayName": "Check Point", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CloudGuard data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based ingestion time transformations which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Check Point CloudGuard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Checkpoint", + "email": "[variables('_email')]" + }, + "support": { + "name": "Check Point", + "tier": "Partner", + "link": "https://www.checkpoint.com/support-services/contact-support/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" + } + ] + }, + "firstPublishDate": "2024-11-12", + "providers": [ + "checkpoint" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Check Point CloudGuard/Package/testParameters.json b/Solutions/Check Point CloudGuard/Package/testParameters.json new file mode 100644 index 00000000000..554801e41b7 --- /dev/null +++ b/Solutions/Check Point CloudGuard/Package/testParameters.json 
@@ -0,0 +1,38 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/ReleaseNotes.md b/Solutions/Check Point CloudGuard/ReleaseNotes.md
new file mode 100644
index 00000000000..8ea7972ba72
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 18-11-2024 | Initial Solution release
\ No newline at end of file
diff --git a/Solutions/Check Point CloudGuard/SolutionMetadata.json b/Solutions/Check Point CloudGuard/SolutionMetadata.json
new file mode 100644
index 00000000000..d58b502f0ed
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/SolutionMetadata.json
@@ -0,0 +1,18 @@
+{
+ "publisherId": "checkpoint-cloudguard",
+ "offerId": "checkpoint-sentinel-solutions-cloud-guard",
+ "firstPublishDate": "2024-11-12",
+ "providers": [
+ "checkpoint"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ },
+ "support": {
+ "name": "Check Point",
+ "tier": "Partner",
+ "link": "https://www.checkpoint.com/support-services/contact-support/"
+ }
+}
diff --git a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip
index 89dbcb71e6d..0c2bad393c1 100644
Binary files a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip and b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip differ
diff --git a/Solutions/CiscoUmbrella/Data Connectors/requirements.txt b/Solutions/CiscoUmbrella/Data Connectors/requirements.txt
index 7a187d0377e..1642f88f05f 100644
--- a/Solutions/CiscoUmbrella/Data Connectors/requirements.txt
+++ b/Solutions/CiscoUmbrella/Data Connectors/requirements.txt
@@ -24,4 +24,4 @@ requests-oauthlib==1.3.1
 s3transfer==0.2.1
 six==1.16.0
 typing_extensions==4.0.0
-urllib3==1.26.19
\ No newline at end of file
+urllib3==1.25.11
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml
index d920baaefc4..87fdda85c60 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
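Review bot: The requirements.txt hunk replaces `urllib3==1.26.19` with `urllib3==1.25.11`, which is a downgrade, not an update; the 1.26 line shipped several security fixes that 1.25.11 does not contain, so this pin reopens issues the previous pin had closed for the Cisco Umbrella function app. If the downgrade is forced by a compatibility constraint (the neighbouring pins such as `s3transfer==0.2.1` suggest an old botocore line), that constraint should be recorded in a comment next to the pin, and the newest 1.26.x release that still satisfies it is preferable to any 1.25 release. The rebuilt CiscoUmbrellaConn.zip in the same diff presumably vendors this dependency and therefore inherits the same regression.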
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
index a4bc4368c46..f53c057c588 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -33,5 +27,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
index 33ba1bb2606..8f5df920c3a 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -46,5 +40,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: SrcIpAddr
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
index 096e773f9b2..e2d89cb9f23 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -37,5 +31,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
index 0ffb499ffd0..40c6e6e3127 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -39,5 +33,5 @@ entityMappings:
 fieldMappings:
 - identifier: DistinguishedName
 columnName: SGCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
index db6d372edaf..e9a203e9a81 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
index 0d572c165bd..58b7773a369 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
index f4c64bb1412..98f834ea080 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
index 6da2925c08b..76b660ccc4e 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
index c4eecaf4002..c8b45d02f4e 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
@@ -32,5 +32,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Data/Solution_Claroty.json b/Solutions/Claroty/Data/Solution_Claroty.json
index 48057d71190..6ea0ba6439d 100644
--- a/Solutions/Claroty/Data/Solution_Claroty.json
+++ b/Solutions/Claroty/Data/Solution_Claroty.json
@@ -2,7 +2,7 @@
 "Name": "Claroty",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.",
+ "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Workbooks": [
 "Workbooks/ClarotyOverview.json"
 ],
@@ -21,10 +21,6 @@
 "Hunting Queries/ClarotyUnresolvedAlerts.yaml",
 "Hunting Queries/ClarotyWriteExecuteOperations.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_Claroty_CEF.json",
- "Data Connectors/template_ClarotyAMA.json"
- ],
 "Analytic Rules": [
 "Analytic Rules/ClarotyAssetDown.yaml",
 "Analytic Rules/ClarotyCriticalBaselineDeviation.yaml",
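Review bot: The `Data Connectors` array is dropped from the manifest, but nothing in this diff deletes `Data Connectors/Connector_Claroty_CEF.json` or `Data Connectors/template_ClarotyAMA.json`; if those files remain in the repository they become unreferenced content that the packaging tool no longer validates, so either remove them or state in the Claroty ReleaseNotes that the connector templates are intentionally retained for existing installs. The cleanup of `requiredDataConnectors` applied to nine analytic rules and ten hunting queries is not applied to ClarotyTreat.yaml, which in this diff receives only the `version: 1.0.3` bump; if that file still lists `Claroty` or `ClarotyAma` it will declare a dependency on connectors the solution no longer ships, so it is worth confirming its current content. No ReleaseNotes entry for 3.0.3 is visible in this chunk either, which may simply be outside the view.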
@@ -42,7 +38,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
index 4e77850826a..3ac409e8bd6 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for baseline deviation events.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
index e4aa657600c..4259414cb96 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for conflicting assets.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
index cc40bd5c9e8..86ac250a3f5 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for critical severity events.'
 severity: High
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
index a5d205d83ec..7585c5fcbfb 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for PLC login security alerts.'
 severity: High
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
index 6d0f6815d75..2aa4490137b 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for login failure events.'
 severity: High
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
index 6b38fca0703..10102c41777 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for sources of network scans.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
index 2fd4377e5e9..d7a884f5639 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for targets of network scans.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
index 86ec7e0652a..def9786ac7c 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for unapproved access events.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
index 456ff9b7138..6b3dd4a04b1 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for alerts with unresolved status.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
index a0636b80323..b6f37a50886 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for operations with Write and Execute accesses.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Claroty/Package/3.0.3.zip b/Solutions/Claroty/Package/3.0.3.zip
new file mode 100644
index 00000000000..542a1874a2b
Binary files /dev/null and b/Solutions/Claroty/Package/3.0.3.zip differ
diff --git a/Solutions/Claroty/Package/createUiDefinition.json b/Solutions/Claroty/Package/createUiDefinition.json
index e680d7d0720..19ba314e0e9 100644
--- a/Solutions/Claroty/Package/createUiDefinition.json
+++ b/Solutions/Claroty/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**. \n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
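Review bot: The new `description` string carries a stray space before the paragraph break in `deprecated on **Aug 31, 2024**. \n\n`, which renders as trailing whitespace in the installer blade; `deprecated on **Aug 31, 2024**.\n\n` is the intended form. Dropping "Data Connectors: 2" from the count line is consistent with the removed `dataconnectors` step, but the paragraph still opens with "Microsoft recommends installation of CEF via AMA Connector" while the solution no longer ships any connector of its own; saying that the CEF via AMA connector comes from the Common Event Format solution dependency would make the sentence unambiguous for someone reading the blade.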
@@ -51,37 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
@@ -323,7 +292,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for baseline deviation events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for baseline deviation events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -337,7 +306,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for conflicting assets. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for conflicting assets. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -351,7 +320,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for critical severity events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for critical severity events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -365,7 +334,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for PLC login security alerts. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -379,7 +348,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for login failure events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for login failure events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -393,7 +362,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for sources of network scans. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for sources of network scans. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -407,7 +376,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for targets of network scans. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for targets of network scans. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -421,7 +390,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for unapproved access events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for unapproved access events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -435,7 +404,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for alerts with unresolved status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -449,7 +418,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json
index e5ff003865c..20e77100a01 100644
--- a/Solutions/Claroty/Package/mainTemplate.json
+++ b/Solutions/Claroty/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Claroty",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-claroty",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -52,8 +52,8 @@
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','Claroty Data Parser')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','ClarotyEvent')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ClarotyEvent')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ClarotyEvent-Parser')))]",
 "parserVersion1": "1.0.0",
 "parserContentId1": "ClarotyEvent-Parser"
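Review bot: Renaming the saved search from `Claroty Data Parser` to `ClarotyEvent` changes `_parserId1`, so on a workspace that already has 3.0.2 installed the template will create a new savedSearches resource rather than update the existing one, and the old `Claroty Data Parser` entry is left behind unless something outside this diff removes it. If the function alias stays `ClarotyEvent` the stale saved search is presumably inert, but it is confusing in the workspace and worth a line in the Claroty ReleaseNotes describing the rename and how to clean up. `parserVersion1` remains `1.0.0` in the context lines even though the parser resource identity changed; if the packaging tool uses the version to decide whether to re-evaluate the content item, a bump may be needed here as well.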
@@ -108,93 +108,75 @@ "_huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3882ffbf-6228-4e1f-ab8f-8d79a26da0fb')))]" }, - "uiConfigId1": "Claroty", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Claroty", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "ClarotyAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "ClarotyAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fd6e3416-0421-4166-adb9-186e555a7008')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fd6e3416-0421-4166-adb9-186e555a7008')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd6e3416-0421-4166-adb9-186e555a7008','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd6e3416-0421-4166-adb9-186e555a7008','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", + "analyticRuleVersion2": "1.0.3", "_analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9a8b4321-e2be-449b-8227-a78227441b2a')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9a8b4321-e2be-449b-8227-a78227441b2a')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9a8b4321-e2be-449b-8227-a78227441b2a','-', '1.0.2')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9a8b4321-e2be-449b-8227-a78227441b2a','-', '1.0.3')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", + "analyticRuleVersion3": "1.0.3", "_analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e7dbcbc3-b18f-4635-b27c-718195c369f1')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e7dbcbc3-b18f-4635-b27c-718195c369f1')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7dbcbc3-b18f-4635-b27c-718195c369f1','-', '1.0.2')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7dbcbc3-b18f-4635-b27c-718195c369f1','-', '1.0.3')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", + "analyticRuleVersion4": "1.0.3", "_analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4b5bb3fc-c690-4f54-9a74-016213d699b4')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4b5bb3fc-c690-4f54-9a74-016213d699b4')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b5bb3fc-c690-4f54-9a74-016213d699b4','-', '1.0.2')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b5bb3fc-c690-4f54-9a74-016213d699b4','-', '1.0.3')))]" }, "analyticRuleObject5": { - 
"analyticRuleVersion5": "1.0.2", + "analyticRuleVersion5": "1.0.3", "_analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1c2310ef-19bf-4caf-b2b0-a4c983932fa5')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1c2310ef-19bf-4caf-b2b0-a4c983932fa5')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c2310ef-19bf-4caf-b2b0-a4c983932fa5','-', '1.0.2')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c2310ef-19bf-4caf-b2b0-a4c983932fa5','-', '1.0.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.2", + "analyticRuleVersion6": "1.0.3", "_analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6c29b611-ce69-4016-bf99-eca639fee1f5')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6c29b611-ce69-4016-bf99-eca639fee1f5')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c29b611-ce69-4016-bf99-eca639fee1f5','-', '1.0.2')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c29b611-ce69-4016-bf99-eca639fee1f5','-', '1.0.3')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.2", + "analyticRuleVersion7": "1.0.3", "_analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be", "analyticRuleId7": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3b22ac47-e02c-4599-a37a-57f965de17be')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3b22ac47-e02c-4599-a37a-57f965de17be')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b22ac47-e02c-4599-a37a-57f965de17be','-', '1.0.2')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b22ac47-e02c-4599-a37a-57f965de17be','-', '1.0.3')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.2", + "analyticRuleVersion8": "1.0.3", "_analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '99ad9f3c-304c-44c5-a61f-3a17f8b58218')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('99ad9f3c-304c-44c5-a61f-3a17f8b58218')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99ad9f3c-304c-44c5-a61f-3a17f8b58218','-', '1.0.2')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99ad9f3c-304c-44c5-a61f-3a17f8b58218','-', '1.0.3')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.2", + "analyticRuleVersion9": "1.0.3", "_analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5cf35bad-677f-4c23-8927-1611e7ff6f28')]", "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5cf35bad-677f-4c23-8927-1611e7ff6f28')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5cf35bad-677f-4c23-8927-1611e7ff6f28','-', '1.0.2')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5cf35bad-677f-4c23-8927-1611e7ff6f28','-', '1.0.3')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.2", + "analyticRuleVersion10": "1.0.3", "_analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '731e5ac4-7fe1-4b06-9941-532f2e008bb3')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('731e5ac4-7fe1-4b06-9941-532f2e008bb3')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','731e5ac4-7fe1-4b06-9941-532f2e008bb3','-', '1.0.2')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','731e5ac4-7fe1-4b06-9941-532f2e008bb3','-', '1.0.3')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, 
@@ -208,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyOverview Workbook with template version 3.0.2", + "description": "ClarotyOverview Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -271,6 +253,10 @@ { "contentId": "ClarotyAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } @@ -300,7 +286,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyEvent Data Parser with template version 3.0.2", + "description": "ClarotyEvent Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
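Review bot: The workbook's dependency list still carries `"contentId": "ClarotyAma", "kind": "DataConnector"` (context line directly above the added CefAma entry), while this same change removes the `Claroty`/`ClarotyAma` data-connector variables and their contentTemplates from the solution. A dependency on a content ID the package no longer ships will, presumably, show as unmet in Content Hub for new installs. If the legacy and AMA connectors are intentionally retired, drop the `ClarotyAma` entry (and any `Claroty` entry above it, if present) so the workbook depends on `CefAma` alone.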
@@ -314,7 +300,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Claroty Data Parser", + "displayName": "Parser for ClarotyEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "ClarotyEvent", "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , 
EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", @@ -336,7 +322,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ClarotyEvent')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", 
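Review bot: The parser query in this hunk builds column names straight from device-supplied label fields (`DeviceCustomString1Label` … `cs10Label`) via `pack()` and `evaluate bag_unpack(packed)` with default conflict handling; if a sender emits a label equal to an existing CommonSecurityLog column such as `DestinationIP`, the function as a whole would presumably error rather than skipping that row, and with it every analytic rule and hunting query built on `ClarotyEvent`. Because labels originate in the log source, a misconfigured or hostile sender could thereby blind detection for the workspace. Consider `| evaluate bag_unpack(packed, columnsConflict='keep_source')` (and the same for `packed2`) so the schema columns win and the later `project-rename` always finds its inputs. The same query is repeated in the standalone parser resource later in the diff and would need the same change.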
@@ -366,7 +352,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "Claroty Data Parser", + "displayName": "Parser for ClarotyEvent", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
@@ -379,7 +365,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Claroty Data Parser", + "displayName": "Parser for ClarotyEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "ClarotyEvent", "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , 
EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", @@ -402,7 +388,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ClarotyEvent')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", 
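Review bot: `parentId` now points at a saved search named 'ClarotyEvent', but nothing in the template removes the 'Claroty Data Parser' saved search that 3.0.2 created on existing workspaces, and both carry `"functionAlias": "ClarotyEvent"` (see the resource above). As far as I can tell Log Analytics rejects a second function whose alias is already in use, so an in-place upgrade may fail or leave two parsers behind. Either keep the original resource name or add a manual removal step to the release notes for this version. The contentTemplates copy of this parser earlier in the diff has the same issue.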
@@ -432,7 +418,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -517,7 +503,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -602,7 +588,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -687,7 +673,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -772,7 +758,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -857,7 +843,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -942,7 +928,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -1027,7 +1013,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -1112,7 +1098,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -1197,7 +1183,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.2", + "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -1273,672 +1259,6 @@ "version": "1.0.0" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Claroty data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Claroty via Legacy Agent", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "ClarotyEvent" - } - ], - "sampleQueries": [ - { - 
"description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "title": "2. 
Configure Claroty to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Claroty via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Claroty via Legacy Agent", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "ClarotyEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 
Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
- }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "title": "2. Configure Claroty to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Claroty data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Claroty via AMA", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - 
"provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Claroty to send logs using CEF", - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - 
"displayName": "[Deprecated] Claroty via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Claroty via AMA", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote 
Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Claroty to send logs using CEF", - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
- }
- }
- },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -1948,7 +1268,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1976,22 +1296,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
 }
 ],
 "tactics": [
@@ -2005,8 +1313,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 }
@@ -2064,7 +1372,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
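Review bot: After the hunk at -1976 the ClarotyAssetDown rule declares only the CefAma connector with the raw CommonSecurityLog data type, while every removed Claroty and ClarotyAma entry declared the ClarotyEvent data type, and the deleted connector templates earlier in this diff carried the additionalRequirementBanner stating that the content depends on the ClarotyEvent parser function. If the rule's query (outside this hunk) still calls ClarotyEvent, the connector requirement will report as satisfied even where that parser is absent, so please confirm the parser is still shipped by the solution package. The same reduction appears in the hunks at -2092, -2208 and -2325. The flipped key order (dataTypes before connectorId, identifier before columnName) suggests regenerated packaging output, so any correction belongs in the source rule YAML rather than in this file.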
@@ -2092,22 +1400,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2121,8 +1417,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -2180,7 +1476,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2208,22 +1504,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2238,8 +1522,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ] } 
@@ -2297,7 +1581,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2325,22 +1609,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2355,8 +1627,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] } @@ -2414,7 +1686,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2442,22 +1714,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2472,8 +1732,8 @@ "entityType": "SecurityGroup", "fieldMappings": [ { - "columnName": "SGCustomEntity", - "identifier": "DistinguishedName" + "identifier": "DistinguishedName", + "columnName": "SGCustomEntity" } ] } @@ -2531,7 +1791,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2559,22 +1819,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2589,8 +1837,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } 
@@ -2648,7 +1896,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2676,22 +1924,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2705,8 +1941,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -2764,7 +2000,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2792,22 +2028,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2821,8 +2045,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -2880,7 +2104,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2908,22 +2132,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "ClarotyAma", - "dataTypes": [ - "ClarotyEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2937,8 +2149,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } 
@@ -2996,7 +2208,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3024,22 +2236,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ] + ], + "connectorId": "Claroty" }, { - "connectorId": "ClarotyAma", "dataTypes": [ "ClarotyEvent" - ] + ], + "connectorId": "ClarotyAma" }, { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -3053,8 +2265,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -3108,12 +2320,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Claroty", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3197,16 +2409,6 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/Claroty/ReleaseNotes.md b/Solutions/Claroty/ReleaseNotes.md index 13166bae4d9..df94769f6d3 100644 --- a/Solutions/Claroty/ReleaseNotes.md +++ b/Solutions/Claroty/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------| +| 3.0.3 | 18-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.2 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 11-09-2023 | Addition of new Claroty AMA **Data Connector** | | 3.0.0 | 27-07-2023 | Corrected the links in the solution. | diff --git a/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml b/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml index 097c07ebbdc..dfd7fef89c7 100644 --- a/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml +++ b/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml 
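Review bot: The new descriptionHtml value still carries the sentence `NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.` even though this same hunk drops `Data Connectors: 2` from the content count and the rest of the diff removes the solution's own connector templates, so the notice now refers to connectors the package no longer ships and to a date that is already past relative to the 18-11-2024 release-notes entry for 3.0.3. I would either delete that sentence or reword it to state the current dependency, for example `NOTE: Log collection for this solution is provided by the CEF via AMA connector from the Common Event Format solution.` Because this is a generated HTML string inside a JSON value, the edit presumably belongs in the solution metadata the packaging tool reads (not part of this diff) rather than only in mainTemplate.json.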
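Review bot: The dependencies list drops both DataConnector entries (`_dataConnectorContentId1` and `_dataConnectorContentId2`), but the ClarotyTreat rule template in hunk `@@ -3024,22 +2236,22 @@` still lists `"connectorId": "Claroty"` and `"connectorId": "ClarotyAma"` in its requiredDataConnectors, whereas the other nine rule hunks were reduced to the single `CefAma` entry. That leaves one rule whose connector prerequisites no longer match what this version of the solution installs. The ClarotyTreat hunk should be trimmed like the others, keeping only the `{ "dataTypes": [ "CommonSecurityLog" ], "connectorId": "CefAma" }` entry, and since mainTemplate.json is generated the same trim presumably has to be made in that rule's source YAML, which is not in this diff.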
@@ -1,8 +1,7 @@ id: e7470b35-0128-4508-bfc9-e01cfb3c2eb7 name: Detecting Macro Invoking ShellBrowserWindow COM Objects description: | - 'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules. - Ref: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html' + 'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.' severity: Medium status: Available requiredDataConnectors: @@ -45,5 +44,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: User -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip b/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip new file mode 100644 index 00000000000..ee29b66421d Binary files /dev/null and b/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip differ diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json index c6787580ef4..0db86f62ca5 100644 --- a/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json +++ b/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json @@ -142,7 +142,7 @@ "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html" + "text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules." } } ] diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json index f4de266f841..ca7fc3f2933 100644 
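Review bot: The rewritten description line keeps the single quotes inside the `|` block scalar and the original grammar, `'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.'`; under a literal block scalar the quotes are part of the YAML value (the packaging tool appears to strip them, judging by the createUiDefinition.json text in this diff, but the YAML itself does not), and "Objects evade" reads as a missing "to". Since the line is being rewritten anyway I would make it `This query detects a macro invoking ShellBrowserWindow COM Objects to evade naive parent/child Office detection rules.` without the surrounding quotes, or drop the block indicator and use a plain quoted scalar. Removing the Ref URL also removes the only provenance the rule carried; if the link is being dropped because it is dead, a short note of the technique in the description would preserve that context. Both hunks of this file are complete in the diff; the rest of the rule body lies between them.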
--- a/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Endpoint Threat Protection Essentials", - "_solutionVersion": "3.0.4", + "_solutionVersion": "3.0.5", "solutionId": "azuresentinel.azure-sentinel-solution-endpointthreat", "_solutionId": "[variables('solutionId')]", "huntingQueryObject1": { 
@@ -140,18 +140,18 @@ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f','-', '1.0.3')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.4", "_analyticRulecontentId5": "e7470b35-0128-4508-bfc9-e01cfb3c2eb7", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e7470b35-0128-4508-bfc9-e01cfb3c2eb7')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e7470b35-0128-4508-bfc9-e01cfb3c2eb7')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7470b35-0128-4508-bfc9-e01cfb3c2eb7','-', '1.0.3')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7470b35-0128-4508-bfc9-e01cfb3c2eb7','-', '1.0.4')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.1.4", + "analyticRuleVersion6": "1.1.5", "_analyticRulecontentId6": "75bf9902-0789-47c1-a5d8-f57046aa72df", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75bf9902-0789-47c1-a5d8-f57046aa72df')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75bf9902-0789-47c1-a5d8-f57046aa72df')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75bf9902-0789-47c1-a5d8-f57046aa72df','-', '1.1.4')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75bf9902-0789-47c1-a5d8-f57046aa72df','-', '1.1.5')))]" }, "analyticRuleObject7": { "analyticRuleVersion7": "1.0.4", @@ -221,7 +221,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BackupDeletion_HuntingQueries Hunting Query with template version 3.0.4", + "description": "BackupDeletion_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -306,7 +306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 3.0.4", + "description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
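Review bot: `analyticRuleVersion6` is bumped from `1.1.4` to `1.1.5` and `_analyticRulecontentProductId6` is re-hashed with `'1.1.5'`, but no change to the rule with id `75bf9902-0789-47c1-a5d8-f57046aa72df` is visible in this diff; the only Analytic Rules file touched is MacroInvokingShellBrowserWindowCOMObjects.yaml, which is rule `e7470b35-0128-4508-bfc9-e01cfb3c2eb7` (object 5). If that rule's YAML `version:` was not actually raised to 1.1.5, the generated contentProductId changes without any content change and every workspace picks up a new template version on update for no reason. Please confirm the source YAML for the 75bf9902 rule was bumped as well, or keep object 6 at 1.1.4.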
@@ -391,7 +391,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 3.0.4", + "description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -476,7 +476,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 3.0.4", + "description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -561,7 +561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 3.0.4", + "description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -646,7 +646,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 3.0.4", + "description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -731,7 +731,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 3.0.4", + "description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -816,7 +816,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -901,7 +901,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -986,7 +986,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 3.0.4", + "description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -1071,7 +1071,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousPowerShellCommandExecution_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SuspiciousPowerShellCommandExecution_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -1156,7 +1156,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ASimProcess_CertutilLoLBins_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ASimProcess_CertutilLoLBins_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -1241,7 +1241,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ASimProcess_WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ASimProcess_WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -1326,7 +1326,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DownloadOfNewFileUsingCurl_HuntingQueries Hunting Query with template version 3.0.4", + "description": "DownloadOfNewFileUsingCurl_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", 
@@ -1411,7 +1411,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsFirewallUpdateUsingNetsh_HuntingQueries Hunting Query with template version 3.0.4", + "description": "WindowsFirewallUpdateUsingNetsh_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", @@ -1496,7 +1496,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1524,28 +1524,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -1561,8 +1561,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } ], "entityType": "Account" 
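Review bot: The reordered requiredDataConnectors block for base64_encoded_pefile keeps two entries for `"connectorId": "WindowsSecurityEvents"`, one with dataTypes `"SecurityEvent"` and one with `"SecurityEvents"`; the plural form looks like a typo of the table name rather than a distinct data type, and since every line of the block is rewritten here this is a good moment to drop the duplicate. The same pair appears in the execute_base64_decodedpayload hunk `@@ -1796,28 +1796,28 @@`. As mainTemplate.json is generated from the rule YAML, the fix belongs in the rules' `requiredDataConnectors:` lists, which are not part of this diff.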
@@ -1570,16 +1570,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -1638,7 +1638,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1666,16 +1666,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -1691,16 +1691,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -1708,8 +1708,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "SourceImage" + "columnName": "SourceImage", + "identifier": "CommandLine" } ], "entityType": "Process" 
@@ -1768,7 +1768,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1796,28 +1796,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -1833,8 +1833,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } ], "entityType": "Account" @@ -1842,16 +1842,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" 
@@ -1910,7 +1910,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1938,16 +1938,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -1963,8 +1963,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -1972,16 +1972,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -1989,8 +1989,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "User" + "columnName": "User", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2049,7 +2049,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2063,7 +2063,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html", + "description": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.", "displayName": "Detecting Macro Invoking ShellBrowserWindow COM Objects", "enabled": false, "query": "Event\n | where EventLog =~ \"Microsoft-Windows-Sysmon/Operational\" and EventID==1\n | parse EventData with * 'Image\">' Image \"<\" * 'CommandLine\">' CommandLine \"<\" * 'ParentImage\">' ParentImage \"<\" *\n | where ParentImage has \"svchost.exe\" and Image has \"rundll32.exe\" and CommandLine has \"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\"\n | parse EventData with * 'ProcessGuid\">' ProcessGuid \"<\" * 'Description\">' Description \"<\" * 'CurrentDirectory\">' CurrentDirectory \"<\" * 'User\">' User \"<\" * 'LogonGuid\">' LogonGuid \"<\" * 'ParentProcessGuid\">' ParentProcessGuid \"<\" * 'ParentImage\">' ParentImage \"<\" * 'ParentCommandLine\">' ParentCommandLine \"<\" * 'ParentUser\">' ParentUser \"<\" *\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\n | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\n", 
@@ -2077,16 +2077,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2102,8 +2102,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -2111,16 +2111,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2128,8 +2128,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "User" + "columnName": "User", + "identifier": "Name" } ], "entityType": "Account" @@ -2188,7 +2188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -2216,39 +2216,42 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ "DefenseEvasion" ], + "techniques": [ + "T1564" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } ], "entityType": "Account" @@ -2256,16 +2259,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2324,7 +2327,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2352,16 +2355,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2374,12 +2377,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -2387,16 +2390,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2404,8 +2407,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -2464,7 +2467,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2492,16 +2495,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2517,8 +2520,8 @@ { "fieldMappings": [ { - "identifier": "Key", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -2526,16 +2529,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2594,7 +2597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2622,16 +2625,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ 
@@ -2647,8 +2650,8 @@ { "fieldMappings": [ { - "identifier": "Key", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -2656,16 +2659,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2724,7 +2727,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2752,22 +2755,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -2780,12 +2783,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -2793,16 +2796,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2861,7 +2864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -2889,16 +2892,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2911,8 +2914,8 @@ { "fieldMappings": [ { - "identifier": "Key", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -2920,16 +2923,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" 
@@ -2988,7 +2991,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3016,16 +3019,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -3038,12 +3041,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -3051,16 +3054,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3068,8 +3071,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" 
@@ -3128,7 +3131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3156,16 +3159,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -3178,8 +3181,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -3187,16 +3190,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3204,8 +3207,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "User" + "columnName": "User", + "identifier": "Name" } ], "entityType": "Account" 
@@ -3264,7 +3267,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousPowerShellCommandExecuted_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SuspiciousPowerShellCommandExecuted_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3292,10 +3295,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3308,16 +3311,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "DvcHostname" + "columnName": "DvcHostname", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DvcDomain" + "columnName": "DvcDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3325,8 +3328,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "LocalIP" + "columnName": "LocalIP", + "identifier": "Address" } ], "entityType": "IP" @@ -3334,12 +3337,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -3347,12 +3350,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "InitiatingProcessId" + "columnName": "InitiatingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -3414,7 +3417,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.4", + "version": "3.0.5", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Endpoint Threat Protection Essentials", diff --git a/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md b/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md index d97eb5dc01f..6fe076672e9 100644 --- a/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md +++ b/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------------------------------------| +| 3.0.5 | 18-11-2024 | Removed the broken URL in **Analytic Rule** | | 3.0.4 | 10-06-2024 | Added entityMappings and added missing AMA DC reference in **Analytical Rules** and **Hunting Queries** | | 3.0.3 | 11-03-2024 | Added few **Hunting Queries** to detect Endpoint Threats | | 3.0.2 | 21-02-2024 | Tagged for dependent solutions for deployment | diff --git a/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml b/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml index 5c2e2a1b890..4698ebf1b09 100644 --- a/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml +++ b/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml 
@@ -1,7 +1,7 @@ id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31 name: Match Legitimate Name or Location - 2 description: | - Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes. + Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes. This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts. severity: Medium status: Available @@ -58,5 +58,5 @@ entityMappings: fieldMappings: - identifier: CommandLine columnName: ProcessCommandLine -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml b/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml index 1eb48862f3a..11a1df4915e 100644 --- a/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml +++ b/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml @@ -43,9 +43,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress - - entityType: Process - fieldMappings: - - identifier: CommandLine - columnName: ProcessCommandLine -version: 1.0.0 -kind: Scheduled \ No newline at end of file +version: 1.0.1 +kind: Scheduled diff --git a/Solutions/FalconFriday/Package/3.0.0.zip b/Solutions/FalconFriday/Package/3.0.0.zip index 4b188872101..66eeda3ada4 100644 Binary files a/Solutions/FalconFriday/Package/3.0.0.zip and b/Solutions/FalconFriday/Package/3.0.0.zip differ diff --git a/Solutions/FalconFriday/Package/createUiDefinition.json b/Solutions/FalconFriday/Package/createUiDefinition.json index 090a885f50c..e8136e109aa 100644 --- a/Solutions/FalconFriday/Package/createUiDefinition.json +++ b/Solutions/FalconFriday/Package/createUiDefinition.json 
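Review bot: The reworded description in MatchLegitimateNameOrLocation.yaml is still ungrammatical — `based trust of on certain operating system processes` only relocates the missing word; the intended sentence is presumably `Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based on trust of certain operating system processes.` The identical string is carried verbatim into the `analytic16-text` block of createUiDefinition.json in the next hunk, so both copies need the same fix, and since the Package files are regenerated from the rule YAML the correction should be made in the YAML and the package rebuilt rather than patched by hand. In PasswordSprayingWithMDE.yaml the Process entity mapping on `ProcessCommandLine` is removed with only a version bump; a one-line rationale in the FalconFriday release notes (for example that the query does not project that column, if that is the reason) would let reviewers of the generated package confirm the drop is intentional rather than an accidental loss of entity enrichment.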
@@ -296,7 +296,7 @@ "name": "analytic16-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts." + "text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts." } } ] diff --git a/Solutions/FalconFriday/Package/mainTemplate.json b/Solutions/FalconFriday/Package/mainTemplate.json index 5c6be739129..9959f0f59c3 100644 --- a/Solutions/FalconFriday/Package/mainTemplate.json +++ b/Solutions/FalconFriday/Package/mainTemplate.json 
@@ -142,11 +142,11 @@ "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c3b0a-7278-4d74-b137-963ac6f9a7e7','-', '1.0.0')))]" }, "analyticRuleObject16": { - "analyticRuleVersion16": "1.0.0", + "analyticRuleVersion16": "1.0.1", "_analyticRulecontentId16": "dd22dc4f-ab7c-4d0a-84ad-cc393638ba31", "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]", "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd22dc4f-ab7c-4d0a-84ad-cc393638ba31','-', '1.0.0')))]" + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd22dc4f-ab7c-4d0a-84ad-cc393638ba31','-', '1.0.1')))]" }, "analyticRuleObject17": { "analyticRuleVersion17": "1.0.1", 
@@ -170,11 +170,11 @@ "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e6c5ff42-0f42-4cec-994a-dabb92fe36e1','-', '1.0.0')))]" }, "analyticRuleObject20": { - "analyticRuleVersion20": "1.0.0", + "analyticRuleVersion20": "1.0.1", "_analyticRulecontentId20": "e00f72ab-fea1-4a31-9ecc-eea6397cd38d", "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e00f72ab-fea1-4a31-9ecc-eea6397cd38d')]", "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e00f72ab-fea1-4a31-9ecc-eea6397cd38d')))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e00f72ab-fea1-4a31-9ecc-eea6397cd38d','-', '1.0.0')))]" + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e00f72ab-fea1-4a31-9ecc-eea6397cd38d','-', '1.0.1')))]" }, "analyticRuleObject21": { "analyticRuleVersion21": "1.0.1", @@ -286,10 +286,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -300,39 +300,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Sid", - "columnName": "InitiatingProcessAccountSid" + "columnName": "InitiatingProcessAccountSid", + "identifier": "Sid" }, { - "identifier": "Name", - "columnName": "InitiatingProcessAccountName" + "columnName": "InitiatingProcessAccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "InitiatingProcessAccountDomain" + "columnName": "InitiatingProcessAccountDomain", + "identifier": "NTDomain" } - ] + ], + "entityType": "Account" }, { - "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } - ] + ], + "entityType": "Process" } ] } @@ -415,16 +415,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -435,13 +435,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } 
@@ -524,16 +524,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" - ] + ], + "connectorId": "AzureActiveDirectory" }, { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -544,13 +544,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -633,10 +633,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceRegistryEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -651,39 +651,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Sid", - "columnName": "AccountSid" + "columnName": "AccountSid", + "identifier": "Sid" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountDomain" + "columnName": "AccountDomain", + "identifier": "NTDomain" } - ] + ], + "entityType": "Account" }, { - "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "ProcessCommandLine" + "columnName": "ProcessCommandLine", + "identifier": "CommandLine" } - ] + ], + "entityType": "Process" } ] } 
@@ -766,16 +766,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -786,13 +786,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "TargetAccount" + "columnName": "TargetAccount", + "identifier": "FullName" } - ] + ], + "entityType": "Account" } ] } @@ -875,16 +875,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -895,13 +895,13 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ] + ], + "entityType": "Host" } ] } @@ -984,16 +984,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -1004,13 +1004,13 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ] + ], + "entityType": "Host" } ] } @@ -1093,10 +1093,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -1114,39 +1114,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -1229,11 +1229,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents",
 "DeviceLogonEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -1248,39 +1248,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -1363,11 +1363,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents",
 "DeviceNetworkEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -1381,31 +1381,31 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "RemoteIP"
+ "columnName": "RemoteIP",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "DCOMCmdLine"
+ "columnName": "DCOMCmdLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -1488,11 +1488,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceFileEvents",
 "DeviceImageLoadEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -1508,39 +1508,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -1623,10 +1623,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -1640,39 +1640,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -1755,10 +1755,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceImageLoadEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -1769,39 +1769,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -1884,16 +1884,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SecurityEvents",
 "dataTypes": [
 "SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
 },
 {
- "connectorId": "WindowsSecurityEvents",
 "dataTypes": [
 "SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
 }
 ],
 "tactics": [
@@ -1906,13 +1906,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 }
 ]
 }
@@ -1995,10 +1995,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2009,22 +2009,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "FailedIp"
+ "columnName": "FailedIp",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2093,7 +2093,7 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.",
+ "description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.",
 "displayName": "Match Legitimate Name or Location - 2",
 "enabled": false,
 "query": "let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [\n \"smss.exe\", dynamic([\"smss.exe\", \"ntoskrnl.exe\", \"\"]),\n \"crmss.exe\", dynamic([\"smss.exe\"]),\n \"wininit.exe\", dynamic([\"smss.exe\"]),\n \"winlogon.exe\", dynamic([\"smss.exe\"]),\n \"services.exe\", dynamic([\"wininit.exe\"]),\n \"lsaiso.exe\", dynamic([\"wininit.exe\"]),\n \"lsass.exe\", dynamic([\"wininit.exe\"]),\n \"spoolsv.exe\", dynamic([\"services.exe\"]),\n \"dllhost.exe\", dynamic([\"svchost.exe\", \"services.exe\"]),\n \"lsm.exe\", dynamic([\"wininit.exe\"]),\n \"svchost.exe\", dynamic([\"services.exe\", \"msmpeng.exe\"]),\n \"runtimebroker.exe\", dynamic([\"svchost.exe\"]),\n \"taskhostw.exe\", dynamic([\"svchost.exe\"]),\n \"userinit.exe\", dynamic([\"winlogon.exe\"])\n // Explorer can have a lot of parents in some environments\n //,\"explorer.exe\", dynamic([\"userinit.exe\"])\n];\nDeviceProcessEvents\n| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))\n| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))\n| lookup kind=inner ProcessRelations on ImageFile\n| where not(set_has_element(ExpectedParent,ParentFile))\n",
@@ -2107,10 +2107,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -2124,39 +2124,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -2239,10 +2239,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
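Review bot: The reworded description on the added line still does not parse — `based trust of on certain operating system processes` — and should read `detection rules that are based on trust of certain operating system processes`; if this mainTemplate.json is produced by the packaging tool, the fix belongs in the source analytic rule so the next build does not reintroduce it. Separately, the unchanged query in the same hunk seeds ProcessRelations with `\"crmss.exe\", dynamic([\"smss.exe\"])`; if `csrss.exe` was intended, the parent check for that core process never fires, because the `lookup kind=inner ... on ImageFile` silently drops every row whose filename has no entry, so the detection has a blind spot worth closing in the source rule at the same time. The enclosing rule object starts before and ends after this hunk.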
@@ -2256,39 +2256,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -2371,10 +2371,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -2385,39 +2385,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -2500,10 +2500,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -2516,39 +2516,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -2631,10 +2631,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceLogonEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -2648,31 +2648,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPAddress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
 }
- ]
- },
- {
- "entityType": "Process",
- "fieldMappings": [
- {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
- }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2755,10 +2746,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "Zscaler",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "Zscaler"
 }
 ],
 "tactics": [
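Review bot: The hunk at `@@ -2648,31 +2648,22 @@` is the one behavioral change in this file: it drops the Process entity mapping (`CommandLine` → `ProcessCommandLine`) from the rule whose only declared data type, per the preceding `@@ -2631` hunk, is `DeviceLogonEvents`, while every other hunk merely reorders keys. That is presumably a correctness fix, since a logon-events table is unlikely to carry a `ProcessCommandLine` column, but it also removes process context from the incidents this rule raises; if that context is still wanted, `InitiatingProcessCommandLine` is the column a logon-event row would carry, and the mapping could be kept against it rather than deleted. Either way the rule's `version` is outside this hunk and should be bumped alongside an entity-mapping change, and if this file is generated the edit belongs in the source rule YAML.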
@@ -2772,13 +2763,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "SourceUserName"
+ "columnName": "SourceUserName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ]
 }
@@ -2861,11 +2852,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents",
 "DeviceLogonEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -2879,39 +2870,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -2994,10 +2985,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3011,39 +3002,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -3126,12 +3117,12 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents",
 "DeviceNetworkEvents",
 "DeviceFileCertificateInfo"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3145,48 +3136,48 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "RemoteIP"
+ "columnName": "RemoteIP",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -3269,10 +3260,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3285,39 +3276,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -3400,10 +3391,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3417,39 +3408,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -3532,10 +3523,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3546,39 +3537,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -3661,10 +3652,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3675,39 +3666,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -3790,10 +3781,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3804,39 +3795,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
@@ -3919,10 +3910,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "MicrosoftThreatProtection",
 "dataTypes": [
 "DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
 }
 ],
 "tactics": [
@@ -3933,39 +3924,39 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ]
+ ],
+ "entityType": "Process"
 }
 ]
 }
diff --git a/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json b/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json
index 34c5dd62212..e4c44418360 100644
--- a/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json
+++ b/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json
@@ -2,12 +2,7 @@
 "Name": "FireEye Network Security",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/Connector_FireEyeNX_CEF.json",
- "Data Connectors/template_FireEyeNX_CEFAMA.json"
-
- ],
+ "Description": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Parsers": [
 "Parsers/FireEyeNXEvent.yaml"
 ],
@@ -15,7 +10,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\FireEye Network Security",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/FireEye Network Security/Package/3.0.2.zip b/Solutions/FireEye Network Security/Package/3.0.2.zip
new file mode 100644
index 00000000000..d8094b91610
Binary files /dev/null and b/Solutions/FireEye Network Security/Package/3.0.2.zip differ
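Review bot: Deleting both `Data Connectors` entries (`Connector_FireEyeNX_CEF.json` and `template_FireEyeNX_CEFAMA.json`) is a functional change for anyone already on 3.0.1, not just the wording change in `Description`: the solution will no longer install or update the FireEyeNX connector content, and workspaces that deployed it keep an orphaned copy the solution no longer manages. A patch bump to `"Version": "3.0.2"` undersells that, and the solution's ReleaseNotes.md (not part of this diff) should state that the connectors were removed and that CEF ingestion now comes only from the `azuresentinel.azure-sentinel-solution-commoneventformat` dependency visible in the second hunk. The Description's claim that `The CEF solution will be installed as part of this solution installation` stays accurate only while that dependency remains declared, so the two should be kept in step.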
diff --git a/Solutions/FireEye Network Security/Package/createUiDefinition.json b/Solutions/FireEye Network Security/Package/createUiDefinition.json
index 1368d44edbc..ca36d44737d 100644
--- a/Solutions/FireEye Network Security/Package/createUiDefinition.json
+++ b/Solutions/FireEye Network Security/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/FireEye%20Network%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/FireEye%20Network%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
 "visible": true
 }
 ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for FireEye Network Security. You can get FireEye Network Security CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
 "outputs": {
 "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",
diff --git a/Solutions/FireEye Network Security/Package/mainTemplate.json b/Solutions/FireEye Network Security/Package/mainTemplate.json
index 7022b4c8d14..1940d723263 100644
--- a/Solutions/FireEye Network Security/Package/mainTemplate.json
+++ b/Solutions/FireEye Network Security/Package/mainTemplate.json
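Review bot: `"steps": [{}],` replaces the removed wizard step with an empty step object rather than an empty array. A createUiDefinition step is expected to carry at least `name`, `label` and `elements`, so a bare `{}` risks being rejected by the portal's createUiDefinition validation, whereas `"steps": [],` is the unambiguous way to declare that the solution has no custom steps. If the packaging tool emits `[{}]` for other connector-less solutions and those deploy cleanly, keep it for consistency; otherwise change the line to `"steps": [],`.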
@@ -33,27 +33,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "FireEye Network Security",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-fireeyenx", "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "FireEyeNX",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "FireEyeNX",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "FireEyeNXAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "FireEyeNXAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','FireEyeNXEvent')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'FireEyeNXEvent')]", 
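Review bot: The version moves from `3.0.1` to `3.0.2` in the same hunk that deletes every variable for both data connectors (`uiConfigId1`/`FireEyeNX` and `uiConfigId2`/`FireEyeNXAma` with their `_dataConnectorContentId*`, `dataConnectorTemplateSpecName*` and `_dataConnectorcontentProductId*` entries), so the package delivered to existing installs no longer contains content it used to deploy; a patch-level bump understates that, and a minor or major bump under the repo's versioning convention would signal it to consumers. With these variables gone, any surviving `variables('_dataConnectorContentId1')` or `variables('_dataConnectorContentId2')` reference would fail template validation, and the contentPackages resource in the `@@ -873` hunk (which runs past the end of this view) is the place to check for the two connector contentIds if it lists connector dependencies. Removing the templates also does not remove connector resources already deployed in workspaces; if that is intended, the release note should say so.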
@@ -64,678 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "FireEye Network Security data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] FireEye Network Security (NX) via Legacy Agent", - "publisher": "FireEye", - "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.", - 
"graphQueries": [ - { - "metricName": "Total data received", - "legend": "FireEyeNX", - "baseQuery": "FireEyeNXEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Sources", - "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (FireEyeNX)", - "lastDataReceivedQuery": "FireEyeNXEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "FireEyeNXEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using FEOS release v9.0" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. 
Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert", - "title": "2. Configure FireEye NX to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "FireEye Network Security", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] FireEye Network Security (NX) via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - 
"properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "FireEye Network Security", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] FireEye Network Security (NX) via Legacy Agent", - "publisher": "FireEye", - "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "FireEyeNX", - "baseQuery": "FireEyeNXEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (FireEyeNX)", - "lastDataReceivedQuery": "FireEyeNXEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "FireEyeNXEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Sources", - "query": 
"FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": ">**NOTE:** This data connector has been developed using FEOS release v9.0" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
- }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert", - "title": "2. Configure FireEye NX to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "FireEye Network Security data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - 
"location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] FireEye Network Security (NX) via AMA", - "publisher": "FireEye", - "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "FireEyeNX", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Sources", - "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (FireEyeNX)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - 
"permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure FireEye NX to send logs using CEF", - "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "FireEye Network Security", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": 
"DataConnector", - "displayName": "[Deprecated] FireEye Network Security (NX) via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "FireEye Network Security", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] FireEye Network Security (NX) via AMA", - "publisher": "FireEye", - "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest 
FireEye Network Security logs into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "FireEyeNX", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (FireEyeNX)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Sources", - "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure FireEye NX to send logs using CEF", - "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
@@ -745,7 +55,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FireEyeNXEvent Data Parser with template version 3.0.1",
+ "description": "FireEyeNXEvent Data Parser with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -873,12 +183,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "FireEye Network Security",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -902,16 +212,6 @@
 },
 "dependencies": {
 "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/FireEye Network Security/ReleaseNotes.md b/Solutions/FireEye Network Security/ReleaseNotes.md
index cee2aec31ee..0a50c91cc14 100644
--- a/Solutions/FireEye Network Security/ReleaseNotes.md
+++ b/Solutions/FireEye Network Security/ReleaseNotes.md
@@ -1,6 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 21-11-2024 | Removed Deprecated **Data Connectors** |
 | 3.0.1 | 10-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 01-09-2023 | Addition of new FireEye Network Security AMA **Data Connector** | |
-
-
+| 3.0.0 | 01-09-2023 | Addition of new FireEye Network Security AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json b/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
index b0c17a53e20..32110310edf 100644
--- a/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
+++ b/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
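Review bot: The new descriptionHtml still states that the Common Event Format solution "will be installed as part of this solution installation", while the `@@ -902,16 +212,6 @@` hunk in the same file removes both DataConnector entries from `dependencies.criteria`; whether the CEF domain-solution dependency itself is still declared in this mainTemplate is not visible in the diff, so please confirm it survives, otherwise that sentence should be reworded. The Forcepoint Data file in the next file section keeps `azuresentinel.azure-sentinel-solution-commoneventformat` as context, which suggests the FireEye package has an equivalent entry, but that is inferred rather than shown here. The enclosing contentPackages resource object starts and ends outside this hunk.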
@@ -2,11 +2,7 @@
 "Name": "Forcepoint CSG",
 "Author": "Forcepoint",
 "Logo": "",
- "Description": "[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Solutions/Forcepoint CSG/Data Connectors/ForcepointCloudSecurityGateway.json",
- "Solutions/Forcepoint CSG/Data Connectors/template_ForcepointCloudSecurityGatewayAMA.json"
- ],
+ "Description": "[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Workbooks": [
 "Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json"
 ],
@@ -14,7 +10,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\Github\\Azure-Sentinel",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Forcepoint CSG/Package/3.0.3.zip b/Solutions/Forcepoint CSG/Package/3.0.3.zip
new file mode 100644
index 00000000000..21550a1307b
Binary files /dev/null and b/Solutions/Forcepoint CSG/Package/3.0.3.zip differ
diff --git a/Solutions/Forcepoint CSG/Package/createUiDefinition.json b/Solutions/Forcepoint CSG/Package/createUiDefinition.json
index 6b2d3203f75..7f2a581656d 100644
--- a/Solutions/Forcepoint CSG/Package/createUiDefinition.json
+++ b/Solutions/Forcepoint CSG/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CSG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CSG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**. \n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
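Review bot: The new basics.description introduces a trailing space before the paragraph break, `**Aug 31, 2024**. \n\n**Workbooks:** 1`, which the old string did not have (`**Aug 31, 2024**.\n\n**Data Connectors:** 2`). This file is packaged from Solution_ForcepointCSG.json, whose new Description in the previous file section ends at `**Aug 31, 2024**.` with no space, so the stray space presumably comes from the packaging step when it appends the content counts; fixing it there keeps the generated text clean, `**Aug 31, 2024**.\n\n**Workbooks:** 1`. The enclosing `basics` object continues outside this hunk.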
@@ -51,30 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Forcepoint CSG. You can get Forcepoint CSG CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
diff --git a/Solutions/Forcepoint CSG/Package/mainTemplate.json b/Solutions/Forcepoint CSG/Package/mainTemplate.json
index a8d9c59bb3e..3c6caab542a 100644
--- a/Solutions/Forcepoint CSG/Package/mainTemplate.json
+++ b/Solutions/Forcepoint CSG/Package/mainTemplate.json
@@ -39,27 +39,9 @@
 },
 "variables": {
 "_solutionName": "Forcepoint CSG",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-csg",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "ForcepointCSG",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ForcepointCSG",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ForcepointCSGAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ForcepointCSGAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2":
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "ForcepointCloudSecurityGatewayWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -70,724 +52,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Forcepoint CSG data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Forcepoint CSG via Legacy Agent", - "publisher": "Forcepoint", - "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. 
For more information visit: https://www.forcepoint.com/product/cloud-security-gateway", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Forcepoint CSG", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n" - } - ], - "sampleQueries": [ - { - "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Web Users with 'Action' equal to 'Blocked'", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": 
"IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This integration requires the Linux Syslog agent to collect your Forcepoint Cloud Security Gateway Web/Email logs on port 514 TCP as Common Event Format (CEF) and forward them to Microsoft Sentinel.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Your Data Connector Syslog Agent Installation Command is:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "The integration is made available with two implementations options.", - "innerSteps": [ - { - "title": "2.1 Docker Implementation", - "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - }, - { - "title": "2.2 Traditional Implementation", - "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - } - ], - "title": "2. Implementation options" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Forcepoint CSG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Forcepoint CSG via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Forcepoint CSG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Forcepoint CSG via Legacy Agent", - "publisher": "Forcepoint", - "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. 
For more information visit: https://www.forcepoint.com/product/cloud-security-gateway", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Forcepoint CSG", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Web Users with 'Action' equal to 'Blocked'", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not 
available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This integration requires the Linux Syslog agent to collect your Forcepoint Cloud Security Gateway Web/Email logs on port 514 TCP as Common Event Format (CEF) and forward them to Microsoft Sentinel.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Your Data Connector Syslog Agent Installation Command is:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "The integration is made available with two implementations options.", - "innerSteps": [ - { - "title": "2.1 Docker Implementation", - "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - }, - { - "title": "2.2 Traditional Implementation", - "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - } - ], - "title": "2. Implementation options" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Forcepoint CSG data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Forcepoint CSG via AMA", - "publisher": "Forcepoint", - "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. 
For more information visit: https://www.forcepoint.com/product/cloud-security-gateway", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Forcepoint CSG", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Web Users with 'Action' equal to 'Blocked'", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 
'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine." - }, - { - "title": "Step B. Implementation options", - "description": "The integration is made available with two implementations options.", - "innerSteps": [ - { - "title": "1. Docker Implementation", - "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - }, - { - "title": "2. 
Traditional Implementation", - "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - } - ] - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).", - "title": "2. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Forcepoint CSG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Forcepoint CSG via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Forcepoint CSG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Forcepoint CSG via AMA", - "publisher": "Forcepoint", - "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. 
For more information visit: https://www.forcepoint.com/product/cloud-security-gateway", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Forcepoint CSG", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CommonSecurityLog (Forcepoint CSG)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", - "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct 
== \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Web Users with 'Action' equal to 'Blocked'", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart" - }, - { - "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0", - "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine." - }, - { - "title": "Step B. Implementation options", - "description": "The integration is made available with two implementations options.", - "innerSteps": [ - { - "title": "1. Docker Implementation", - "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - }, - { - "title": "2. 
Traditional Implementation", - "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)" - } - ] - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -797,7 +61,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ForcepointCloudSecuirtyGateway Workbook with template version 3.0.2", + "description": "ForcepointCloudSecuirtyGateway Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -858,6 +122,10 @@ { "contentId": "ForcepointCSGAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } @@ -883,12 +151,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Forcepoint CSG", "publisherDisplayName": "Community", - "descriptionHtml": "
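Review bot: The workbook's `dependencies.criteria` now lists `CefAma` next to the pre-existing `ForcepointCSGAma` entry, yet this same commit deletes the `[Deprecated] Forcepoint CSG via AMA` connector resources and removes `variables('_dataConnectorContentId2')` from the solution-level dependencies, so the `ForcepointCSGAma` entry appears to reference content the package no longer ships. If that contentId is indeed the removed connector (its variable value is not visible here), drop it and keep `{ "contentId": "CefAma", "kind": "DataConnector" }` as the only connector criterion; a stale entry makes the workbook report a missing dependency after install. Confirm against the connector contentId in the solution's generator input before changing it. The enclosing workbook metadata resource starts and ends outside this hunk.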

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Forcepoint Cloud Security Gateway (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.

\n

For more details about this solution refer to integration documentation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Forcepoint Cloud Security Gateway (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.

\n

For more details about this solution refer to integration documentation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -910,16 +178,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Forcepoint CSG/ReleaseNotes.md b/Solutions/Forcepoint CSG/ReleaseNotes.md index 82e91952fa0..74ded5530f2 100644 --- a/Solutions/Forcepoint CSG/ReleaseNotes.md +++ b/Solutions/Forcepoint CSG/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.2 | 15-07-2024 | Deprecating data connectors | -| 3.0.1 | 19-12-2023 | Workbook moved from standalone to solution and repackage | -| 3.0.0 | 11-09-2023 | Addition of new Forcepoint CSG AMA **Data Connector** | | +| 3.0.3 | 19-11-2024 | Removed Deprecated **Data Connectors** | +| 3.0.2 | 15-07-2024 | Deprecating data connectors | +| 3.0.1 | 19-12-2023 | Workbook moved from standalone to solution and repackage | +| 3.0.0 | 11-09-2023 | Addition of new Forcepoint CSG AMA **Data Connector** | diff --git a/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json b/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json index 4573578595d..1ae82336612 100644 --- a/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json +++ b/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json 
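Review bot: The new `descriptionHtml` still states that the existing connectors "are about to be deprecated by Aug 31, 2024", while the Forcepoint NGFW edits in this same commit rewrite that sentence to "were deprecated on Aug 31, 2024" and this package no longer ships those connectors at all, so the CSG text is now both stale and inconsistent with its sibling solution. Since this field is generated from the solution's Description (the CSG Solution JSON is not in view), fix the wording at the source and repackage rather than hand-editing `mainTemplate.json`. Dropping the "Data Connectors: 2" count is correct; the sentence "This solution is dependent on the Common Event Format solution ..." is what should carry the dependency story now.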
@@ -2,11 +2,7 @@ "Name": "Forcepoint NGFW", "Author": "Forcepoint", "Logo": "", - "Description": "The [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Solutions/Forcepoint NGFW/Data Connectors/FORCEPOINT_NGFW.json", - "Solutions/Forcepoint NGFW/Data Connectors/template_FORCEPOINT_NGFWAMA.json" - ], + "Description": "The [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.", "Workbooks": [ "Solutions/Forcepoint NGFW/Workbooks/ForcepointNGFW.json", "Solutions/Forcepoint NGFW/Workbooks/ForcepointNGFWAdvanced.json" @@ -15,7 +11,7 @@ "azuresentinel.azure-sentinel-solution-commoneventformat" ], "BasePath": "C:\\Github\\Azure-Sentinel", - "Version": "3.0.1", + "Version": "3.0.2", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/Forcepoint NGFW/Package/3.0.2.zip b/Solutions/Forcepoint NGFW/Package/3.0.2.zip new file mode 100644 index 00000000000..6590dd6c61a Binary files /dev/null and b/Solutions/Forcepoint NGFW/Package/3.0.2.zip differ diff --git a/Solutions/Forcepoint NGFW/Package/createUiDefinition.json b/Solutions/Forcepoint NGFW/Package/createUiDefinition.json index a1c72244435..e965802c559 100644 --- a/Solutions/Forcepoint NGFW/Package/createUiDefinition.json +++ b/Solutions/Forcepoint NGFW/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20NGFW/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20NGFW/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Forcepoint NGFW. You can get Forcepoint NGFW CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/Forcepoint NGFW/Package/mainTemplate.json b/Solutions/Forcepoint NGFW/Package/mainTemplate.json index b48b92cc842..15e3b301adc 100644 --- a/Solutions/Forcepoint NGFW/Package/mainTemplate.json +++ b/Solutions/Forcepoint NGFW/Package/mainTemplate.json 
@@ -47,27 +47,9 @@ }, "variables": { "_solutionName": "Forcepoint NGFW", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-ngfw", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "ForcepointNgfw", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "ForcepointNgfw", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "ForcepointNgfwAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "ForcepointNgfwAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "ForcepointNGFWWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
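Review bot: Removing `_dataConnectorContentId1/2`, `_dataConnectorId1/2` and `dataConnectorVersion1/2` is only safe if nothing later in the template still calls `variables(...)` on them; in the CSG `mainTemplate.json` above, the solution's `dependencies.criteria` needed its own hunk (`@@ -910,16 +178,6 @@`) to drop those references, and the equivalent NGFW block is outside this view. An unresolved `variables('_dataConnectorContentId1')` is not a JSON error and only surfaces at ARM validation, so run the packaging validation or `az deployment group validate` against the 3.0.2 template before merging. The `variables` object this hunk edits starts and ends outside the hunk.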
@@ -84,750 +66,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Forcepoint NGFW data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Forcepoint NGFW via Legacy Agent", - "publisher": "Forcepoint", - "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. 
This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Forcepoint NGFW log results", - "legend": "CommonSecurityLog", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n" - } - ], - "sampleQueries": [ - { - "description": "Show all terminated actions from the Forcepoint NGFW", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n" - }, - { - "description": "Show all Forcepoint NGFW with suspected compromise behaviour", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n" - }, - { - "description": "Show chart grouping all Forcepoint NGFW events by Activity type", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ForcePointNGFW)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are 
required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python - version \n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - }, - { - "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)", - "title": "5. Forcepoint integration installation guide " - } - ], - "metadata": { - "id": "e002d400-e0b0-4673-959a-eec31378d17c", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Forcepoint", - "link": "https://support.forcepoint.com/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Forcepoint NGFW", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Forcepoint NGFW via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": 
"[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Forcepoint NGFW", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Forcepoint NGFW via Legacy Agent", - "publisher": "Forcepoint", - "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. 
This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Forcepoint NGFW log results", - "legend": "CommonSecurityLog", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ForcePointNGFW)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Show all terminated actions from the Forcepoint NGFW", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n" - }, - { - "description": "Show all Forcepoint NGFW with suspected compromise behaviour", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n" - }, - { - "description": "Show chart grouping all Forcepoint NGFW events by Activity type", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are 
required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python - version \n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - }, - { - "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)", - "title": "5. Forcepoint integration installation guide " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Forcepoint NGFW data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Forcepoint NGFW via AMA", - "publisher": "Forcepoint", - "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. 
This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Forcepoint NGFW log results", - "legend": "CommonSecurityLog", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Show all terminated actions from the Forcepoint NGFW", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n" - }, - { - "description": "Show all Forcepoint NGFW with suspected compromise behaviour", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n" - }, - { - "description": "Show chart grouping all Forcepoint NGFW events by Activity type", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ForcePointNGFW)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = 
LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ], - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine." - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address." - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - }, - { - "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)", - "title": "3. 
Forcepoint integration installation guide " - } - ], - "metadata": { - "id": "e002d400-e0b0-4673-959a-eec31378d17c", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Forcepoint", - "link": "https://support.forcepoint.com/", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Forcepoint NGFW", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Forcepoint NGFW via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Forcepoint NGFW", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Forcepoint" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Forcepoint NGFW via AMA", - "publisher": "Forcepoint", - "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. 
This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Forcepoint NGFW log results", - "legend": "CommonSecurityLog", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ForcePointNGFW)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Show all terminated actions from the Forcepoint NGFW", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n" - }, - { - "description": "Show all Forcepoint NGFW with suspected compromise behaviour", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n" - }, - { - "description": "Show chart grouping all Forcepoint NGFW events by Activity type", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by 
Activity\n | render barchart\n" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ], - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine." - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address." - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - }, - { - "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)", - "title": "3. Forcepoint integration installation guide " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -837,7 +75,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ForcepointNGFW Workbook with template version 3.0.1", + "description": "ForcepointNGFW Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -898,6 +136,10 @@ { "contentId": "ForcepointNgfwAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } @@ -927,7 +169,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ForcepointNGFWAdvanced Workbook with template version 3.0.1", + "description": "ForcepointNGFWAdvanced Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -996,6 +238,10 @@ { "contentId": "ForcepointNgfwAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } @@ -1021,12 +267,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Forcepoint NGFW", "publisherDisplayName": "Community", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Forcepoint NGFW (Next Generation Firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.

\n

For more details about this solution refer to integration documentation

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Forcepoint NGFW (Next Generation Firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.

\n

For more details about this solution refer to integration documentation

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Workbooks: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1048,16 +294,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Forcepoint NGFW/ReleaseNotes.md b/Solutions/Forcepoint NGFW/ReleaseNotes.md index 1ca0fc4cd7d..a344cc1811f 100644 --- a/Solutions/Forcepoint NGFW/ReleaseNotes.md +++ b/Solutions/Forcepoint NGFW/ReleaseNotes.md @@ -1,6 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.1 | 15-07-2024 | Deprecating data connectors | -| 3.0.0 | 29-08-2023 | Addition of new Forcepoint NGFW AMA **Data Connector** | | - - +| 3.0.2 | 19-11-2024 | Removed Deprecated **Data Connectors** | +| 3.0.1 | 15-07-2024 | Deprecating data connectors | +| 3.0.0 | 29-08-2023 | Addition of new Forcepoint NGFW AMA **Data Connector** | diff --git a/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json new file mode 100644 index 00000000000..e6f8c7397c3 --- /dev/null +++ b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json 
@@ -0,0 +1,89 @@
+{
+ "id": "GarrisonULTRARemoteLogs",
+ "title": "Garrison ULTRA Remote Logs",
+ "publisher": "Garrison",
+ "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Garrison_ULTRARemoteLogs_CL",
+ "baseQuery": "Garrison_ULTRARemoteLogs_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Last 10 logs",
+ "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Garrison_ULTRARemoteLogs_CL",
+ "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Garrison_ULTRARemoteLogs_CL \n |take 1\n | project IsConnected = true "
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Garrison ULTRA",
+ "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Deployment - Azure Resource Manager (ARM) Template",
+ "description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy."
+ }
+ ],
+ "metadata": {
+ "id": "919e2355-136a-4bbd-ade7-1956e5f61f83",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Garrison ULTRA Remote Logs"
+ },
+ "author": {
+ "name": "Garrison"
+ },
+ "support": {
+ "tier": "developer",
+ "name": "Garrison"
+ }
+ }
+}
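Review bot: The `permissions.resourceProvider` block declares that the connector needs `Microsoft.OperationalInsights/workspaces/sharedKeys` action rights, but nothing this connector deploys uses the workspace shared key: the only deployment step links an ARM template that creates a custom table and a Data Collection Rule, and the shared-key text links to the legacy agent-key documentation, so users are told to hold a credential the integration never touches. Drop that `sharedKeys` entry (and revisit whether `"delete": true` on the workspace is really required, it reads as boilerplate) and instead document in `instructionSteps` how the Garrison ULTRA sender is authorized against the DCR, presumably a Microsoft Entra identity granted `Monitoring Metrics Publisher` on the rule; confirm the exact mechanism with Garrison. Step 2 also promises "ingestion configurations" to fill in, yet the linked template only takes `workspace-name` and `workspace-region`, so the text should either be trimmed or the template should expose those settings. Note that the Deploy-to-Azure URL points at `refs/heads/master`, so what actually deploys is whatever is on master at click time rather than this reviewed revision; that matches repo convention but is worth a sentence in the step.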
diff --git a/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/azuredeploy_DataCollectionResources.json b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/azuredeploy_DataCollectionResources.json
new file mode 100644
index 00000000000..6b00896a035
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/azuredeploy_DataCollectionResources.json
@@ -0,0 +1,189 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace-name": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Name of Log Analytics workspace in which to deploy resources" + } + }, + "workspace-region": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Region of Log Analytics workspace in which to deploy resources (e.g. 'uksouth')" + } + } + }, + "variables": { + "workspaceName": "[parameters('workspace-name')]", + "workspaceRegion": "[parameters('workspace-region')]", + "tableName": "Garrison_ULTRARemoteLogs_CL", + "dcrName": "gurl-dcr" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "name": "[concat(variables('workspaceName'), '/', variables('tableName'))]", + "location": "[variables('workspaceRegion')]", + "properties": { + "plan": "Analytics", + "retentionInDays": "-1", + "schema": { + "name": "[variables('tableName')]", + "description": "Custom table for storing Garrison ULTRA Remote Logs", + "displayName": "Garrison ULTRA Remote Logs", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "description": "Mandatory LA table field" + }, + { + "name": "deviceEventClassId", + "type": "int", + "description": "The integer identifier of the event name" + }, + { + "name": "name", + "type": "string", + "description": "The name of the event" + }, + { + "name": "start", + "type": "long", + "description": "The start time of the event - milliseconds since epoch" + }, + { + "name": "request", + "type": "string", + "description": "The URL of the page (for page visits) or resource (for background requests)" + }, + { + "name": "requestContext", + "type": "string", + "description": "The URL of the page originating the request - for background HTTP requests" + }, + { + "name": "reason", + "type": "string", + 
"description": "The reason given for blocking a request - for blocked events" + }, + { + "name": "dhost", + "type": "string", + "description": "The hostname of the site visited - for site visits" + }, + { + "name": "devicePayloadId", + "type": "string", + "description": "A unique ID for each event" + }, + { + "name": "suid", + "type": "string", + "description": "The user ID associated with the event" + }, + { + "name": "suser", + "type": "string", + "description": "The username associated with the event" + } + ] + }, + "totalRetentionInDays": "-1" + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "name": "[variables('dcrName')]", + "location": "[variables('workspaceRegion')]", + "apiVersion": "2023-03-11", + "kind": "Direct", + "properties": { + "streamDeclarations": { + "Custom-GarrisonULTRARemoteLogs": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "deviceEventClassId", + "type": "int" + }, + { + "name": "name", + "type": "string" + }, + { + "name": "start", + "type": "long" + }, + { + "name": "request", + "type": "string" + }, + { + "name": "requestContext", + "type": "string" + }, + { + "name": "reason", + "type": "string" + }, + { + "name": "dhost", + "type": "string" + }, + { + "name": "devicePayloadId", + "type": "string" + }, + { + "name": "suid", + "type": "string" + }, + { + "name": "suser", + "type": "string" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('workspaceName'))]", + "name": "workspace" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-GarrisonULTRARemoteLogs" + ], + "destinations": [ + "workspace" + ], + "outputStream": "[concat('Custom-', variables('tableName'))]" + } + ] + } + } + ], + "outputs": { + "dataCollectionRuleImmutableId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))).immutableId]" + }, 
+ "dataCollectionRuleLogsIngestionEndpoint": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))).endpoints.logsIngestion]" + } + } +} diff --git a/Solutions/Garrison ULTRA/Data/Solution_GarrisonULTRARemoteLogs.json b/Solutions/Garrison ULTRA/Data/Solution_GarrisonULTRARemoteLogs.json new file mode 100644 index 00000000000..264253260aa --- /dev/null +++ b/Solutions/Garrison ULTRA/Data/Solution_GarrisonULTRARemoteLogs.json @@ -0,0 +1,13 @@ +{ + "Name": "Garrison ULTRA", + "Author": "Garrison - support.ultra@garrison.com", + "Logo": "", + "Description": "The [Garrison ULTRA](https://www.garrison.com/garrison-ultra-cloud-platform) solution allows you ingest logs from Garrison ULTRA into Microsoft Sentinel.", + "Data Connectors": [ + "Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json" + ], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Garrison ULTRA", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true +} \ No newline at end of file diff --git a/Solutions/Garrison ULTRA/Package/3.0.0.zip b/Solutions/Garrison ULTRA/Package/3.0.0.zip new file mode 100644 index 00000000000..f73d87f8259 Binary files /dev/null and b/Solutions/Garrison ULTRA/Package/3.0.0.zip differ diff --git a/Solutions/Garrison ULTRA/Package/createUiDefinition.json b/Solutions/Garrison ULTRA/Package/createUiDefinition.json new file mode 100644 index 00000000000..6cf0112dad6 --- /dev/null +++ b/Solutions/Garrison ULTRA/Package/createUiDefinition.json 
@@ -0,0 +1,85 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Garrison%20ULTRA/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Garrison ULTRA](https://www.garrison.com/garrison-ultra-cloud-platform) solution allows you ingest logs from Garrison ULTRA into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the 
Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Garrison ULTRA. You can get Garrison ULTRA custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Garrison ULTRA/Package/mainTemplate.json b/Solutions/Garrison ULTRA/Package/mainTemplate.json new file mode 100644 index 00000000000..ce92429cb81 --- /dev/null +++ b/Solutions/Garrison ULTRA/Package/mainTemplate.json 
@@ -0,0 +1,375 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Garrison - support.ultra@garrison.com", + "comments": "Solution template for Garrison ULTRA" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support.ultra@garrison.com", + "_email": "[variables('email')]", + "_solutionName": "Garrison ULTRA", + "_solutionVersion": "3.0.0", + "solutionId": "garrisontechnologyltd1725375696148.microsoft-sentinel-solution-garrison-ultra", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "GarrisonULTRARemoteLogs", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "GarrisonULTRARemoteLogs", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + 
"dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Garrison ULTRA data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Garrison ULTRA Remote Logs (using Azure Functions)", + "publisher": "Garrison", + "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.", + "graphQueries": [ + { + 
"metricName": "Total data received", + "legend": "Garrison_ULTRARemoteLogs_CL", + "baseQuery": "Garrison_ULTRARemoteLogs_CL" + } + ], + "sampleQueries": [ + { + "description": "Last 10 logs", + "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Garrison_ULTRARemoteLogs_CL", + "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Garrison_ULTRARemoteLogs_CL \n |take 1\n | project IsConnected = true " + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Garrison ULTRA", + "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license." + } + ] + }, + "instructionSteps": [ + { + "description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", + "title": "Deployment - Azure Resource Manager (ARM) Template" + } + ], + "metadata": { + "id": "919e2355-136a-4bbd-ade7-1956e5f61f83", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Garrison ULTRA Remote Logs" + }, + "author": { + "name": "Garrison" + }, + "support": { + "tier": "developer", + "name": "Garrison" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Garrison ULTRA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Garrison", + "email": "[variables('_email')]" + }, + "support": { + "name": "Garrison", + "email": "support.ultra@garrison.com", + "tier": "Partner", + "link": 
"https://support.ultra.garrison.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Garrison ULTRA Remote Logs (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Garrison ULTRA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Garrison", + "email": "[variables('_email')]" + }, + "support": { + "name": "Garrison", + "email": "support.ultra@garrison.com", + "tier": "Partner", + "link": "https://support.ultra.garrison.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", 
+ "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Garrison ULTRA Remote Logs (using Azure Functions)", + "publisher": "Garrison", + "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Garrison_ULTRARemoteLogs_CL", + "baseQuery": "Garrison_ULTRARemoteLogs_CL" + } + ], + "dataTypes": [ + { + "name": "Garrison_ULTRARemoteLogs_CL", + "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Garrison_ULTRARemoteLogs_CL \n |take 1\n | project IsConnected = true " + ] + } + ], + "sampleQueries": [ + { + "description": "Last 10 logs", + "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Garrison ULTRA", + "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license." + } + ] + }, + "instructionSteps": [ + { + "description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", + "title": "Deployment - Azure Resource Manager (ARM) Template" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Garrison ULTRA", + "publisherDisplayName": "Garrison", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Garrison ULTRA solution allows you ingest logs from Garrison ULTRA into Microsoft Sentinel.

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Garrison ULTRA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Garrison", + "email": "[variables('_email')]" + }, + "support": { + "name": "Garrison", + "email": "support.ultra@garrison.com", + "tier": "Partner", + "link": "https://support.ultra.garrison.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2024-10-04", + "providers": [ + "Garrison" + ], + "categories": { + "domains": [ + "Application", + "User Behavior (UEBA)" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Garrison ULTRA/Package/testParameters.json b/Solutions/Garrison ULTRA/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/Garrison ULTRA/Package/testParameters.json 
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Garrison ULTRA/ReleaseNotes.md b/Solutions/Garrison ULTRA/ReleaseNotes.md
new file mode 100644
index 00000000000..8a3c2ffdab8
--- /dev/null
+++ b/Solutions/Garrison ULTRA/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 22-11-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/Garrison ULTRA/SolutionMetadata.json b/Solutions/Garrison ULTRA/SolutionMetadata.json
new file mode 100644
index 00000000000..42530d1b513
--- /dev/null
+++ b/Solutions/Garrison ULTRA/SolutionMetadata.json
@@ -0,0 +1,19 @@
+{
+ "publisherId": "garrisontechnologyltd1725375696148",
+ "offerId": "microsoft-sentinel-solution-garrison-ultra",
+ "firstPublishDate": "2024-10-04",
+ "providers": ["Garrison"],
+ "categories": {
+ "domains": [
+ "Application",
+ "User Behavior (UEBA)"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Garrison",
+ "email": "support.ultra@garrison.com",
+ "tier": "Partner",
+ "link": "https://support.ultra.garrison.com"
+ }
+}
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json
new file mode 100644
index 00000000000..a0c23319bad
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json
@@ -0,0 +1,29 @@
+[
+ {
+ "name": "gcpFirewallLogsDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-GCPFirewallLogs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ]
+ }
+ ],
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json
new file mode 100644
index 00000000000..684f3dd34ec
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json
@@ -0,0 +1,29 @@
+[
+ {
+ "name": "GCPFirewallLogsTemplateConnections",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "GCP",
+ "properties": {
+ "connectorDefinitionName": "GCPFirewallLogsCCPDefinition",
+ "dcrConfig": {
+ "streamName": "SENTINEL_GCP_FIREWALL_LOGS",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "dataType": "GCPFirewallLogs",
+ "auth": {
+ "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
+ "projectNumber": "[[parameters('GCPProjectNumber')]",
+ "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
+ },
+ "request": {
+ "projectId": "[[parameters('GCPProjectId')]",
+ "subscriptionNames": [
+ "[[parameters('GCPSubscriptionName')]"
+ ]
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json
new file mode 100644
index 00000000000..56f4aab4ce7
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json
@@ -0,0 +1,105 @@
+{
+ "name": "GCPFirewallLogsCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GCPFirewallLogsCCPDefinition",
+ "title": "GCP Pub/Sub Firewall Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+ "graphQueriesTableName": "GCPFirewallLogs",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Pub/Sub Firewall Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP Firewall Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. 
Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. 
Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3. Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json
new file mode 100644
index 00000000000..a96ce2e2d79
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json
@@ -0,0 +1,24 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-gcpfirewalllogs-api",
+ "firstPublishDate": "2024-09-08",
+ "providers": ["Google"],
+ "categories": {
+ "domains" : ["DevOps"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "SolutionName":"GCP Pub/Sub Firewall Logs",
+ "SolutionAuthor": "User",
+ "SolutionVersion":"1.0.0",
+ "packageIcon": "google_logo",
+ "SolutionTier": "Microsoft",
+ "PackageId":"gcpfirewalllogs-api",
+ "ConnectorDefinitionTemplateVersion": "1.0.0",
+ "DataConnectorsTemplateVersion": "1.0.0"
+}
\ No newline at end of file
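Review bot: The step-2 Markdown `content` links to the GCP firewall-logging docs with a `?_gl=1*1no0nhk*_ga*…*_ga_WH2QY8WWF5*…` query string, which is a Google Analytics cross-domain linker parameter tied to the author's browser session rather than part of the documentation address. Every customer who opens the connector page then follows a link carrying that identifier, and the token will go stale; trim it to `https://cloud.google.com/firewall/docs/using-firewall-rules-logging`. The `prodScript` value also appears split after `#### 1. ` in this diff, which may be an extraction artifact but is worth confirming so the heading renders on one line. The `descriptionMarkdown` sentence has a stray comma after "firewall logs" that should be dropped.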
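Review bot: `"SolutionAuthor": "User"` reads as an unfilled template placeholder; the sibling `Data/Solution_GoogleFirewallLogs.json` in this commit gives the author as `"Microsoft - support@microsoft.com"`, and the two should agree. `"domains" : ["DevOps"]` also looks wrong for a firewall-log source — a network-security domain would match the content better, if the packaging tooling's accepted category list offers one — and the space before the colon is inconsistent with the rest of the file. If the Marketplace listing is generated from this metadata, the published offer inherits both values.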
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json b/Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json
new file mode 100644
index 00000000000..260a48c6293
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json
@@ -0,0 +1,14 @@
+{
+ "Name": "Google Cloud Platform Firewall Logs",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
+ "Data Connectors": [
+ "Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Firewall Logs",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip b/Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip
new file mode 100644
index 00000000000..d55517ad651
Binary files /dev/null and b/Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip differ
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/createUiDefinition.json b/Solutions/Google Cloud Platform Firewall Logs/Package/createUiDefinition.json
new file mode 100644
index 00000000000..f071a47444c
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Package/createUiDefinition.json
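Review bot: The `Description` contains the typo "GCP intances"; the same sentence is repeated verbatim in `createUiDefinition.json` (`basics.description`) in this commit and presumably in the generated `mainTemplate.json` `descriptionHtml`, so fix it at this source and regenerate the package rather than patching each copy: `"...all network activity that occurs in your GCP instances."`. `BasePath` is a machine-specific path (`C:\GitHub\Azure-Sentinel\...`); this seems to follow the repo's convention for these Data files, but it is only meaningful on the author's machine and nothing in the package should depend on it.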
@@ -0,0 +1,85 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Firewall%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": 
"GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Google Cloud Platform Firewall Logs. You can get Google Cloud Platform Firewall Logs data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/mainTemplate.json b/Solutions/Google Cloud Platform Firewall Logs/Package/mainTemplate.json new file mode 100644 index 00000000000..6a883a534e4 --- /dev/null 
+++ b/Solutions/Google Cloud Platform Firewall Logs/Package/mainTemplate.json 
@@ -0,0 +1,576 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Microsoft - support@microsoft.com", + "comments": "Solution template for Google Cloud Platform Firewall Logs" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "_solutionName": "Google Cloud Platform Firewall Logs", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-gcpfirewalllogs-api", + "_solutionId": "[variables('solutionId')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition1": "GCPFirewallLogsCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition1": 
"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "GCPFirewallLogsCCPDefinitionConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "GCP Pub/Sub Firewall Logs", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "GCPFirewallLogsCCPDefinition", + "title": "GCP Pub/Sub Firewall Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.", + "graphQueriesTableName": "GCPFirewallLogs", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GCP Pub/Sub Firewall Logs", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of GCP Firewall Logs", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "MarkdownControlEnvBased", + "parameters": { + "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. 
\n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .", + "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)." + } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "TenantId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 3. 
Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." + } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "gcpFirewallLogsDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + 
"Microsoft-GCPFirewallLogs" + ], + "destinations": [ + "clv2ws1" + ] + } + ], + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]" + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "GCPFirewallLogsCCPDefinition", + "title": "GCP Pub/Sub Firewall Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.", + "graphQueriesTableName": "GCPFirewallLogs", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "GCP Pub/Sub Firewall Logs", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of GCP Firewall Logs", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + 
"availability": { + "status": 1, + "isPreview": false + }, + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true, + "action": false + } + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "type": "MarkdownControlEnvBased", + "parameters": { + "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .", + "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)." 
+ } + }, + { + "type": "CopyableLabel", + "parameters": { + "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.", + "fillWith": [ + "TenantId" + ], + "name": "TenantId", + "disabled": true + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)" + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 3. Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect." 
+ } + }, + { + "type": "GCPGrid", + "parameters": {} + }, + { + "type": "GCPContextPane", + "parameters": {} + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": 
"[variables('_dataConnectorContentIdConnections1')]", + "displayName": "GCP Pub/Sub Firewall Logs", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "GCP Pub/Sub Firewall Logs", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "GCPServiceAccountEmail": { + "type": "String", + "minLength": 1 + }, + "GCPWorkloadIdentityProviderId": { + "type": "string" + }, + "GCPProjectNumber": { + "type": "String", + "minLength": 1 + }, + "GCPProjectId": { + "type": "string", + "minLength": 4 + }, + "GCPSubscriptionName": { + "type": "String", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + 
"author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'GCPFirewallLogsTemplateConnections')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GCP", + "properties": { + "connectorDefinitionName": "GCPFirewallLogsCCPDefinition", + "dcrConfig": { + "streamName": "SENTINEL_GCP_FIREWALL_LOGS", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "dataType": "GCPFirewallLogs", + "auth": { + "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]", + "projectNumber": "[[parameters('GCPProjectNumber')]", + "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]" + }, + "request": { + "projectId": "[[parameters('GCPProjectId')]", + "subscriptionNames": [ + "[[parameters('GCPSubscriptionName')]" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { 
+ "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Google Cloud Platform Firewall Logs", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Google Cloud Platform Firewall Logs", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" + } + ] + }, + "firstPublishDate": "2024-11-03", + "providers": [ + "Google" + ], + "categories": { + "domains": [ + "DevOps", + "Security - Network" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/testParameters.json b/Solutions/Google Cloud Platform Firewall Logs/Package/testParameters.json new file mode 100644 index 00000000000..554801e41b7 --- /dev/null +++ b/Solutions/Google Cloud Platform Firewall Logs/Package/testParameters.json 
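Review bot: The `requiredPermissions` block under `connectorUiConfig.permissions` sets `"delete": true` while the adjacent `permissionsDisplayText` tells the user only "Read and Write permissions are required."; either set `"delete": false` if the connector never deletes workspace resources, or make the display text match, so the permission claim shown in the portal reflects what is actually requested. That block is emitted twice in this file (inside the embedded `mainTemplate` of the first contentTemplates resource and again as the top-level dataConnectorDefinitions resource), so both copies need the same change. In the ResourcesDataConnector template, `GCPWorkloadIdentityProviderId` is the only GCP parameter without `"minLength": 1`, so an empty provider id is accepted at deployment time; adding the constraint brings it in line with its siblings. Both `cloud.google.com` documentation links carry a `?_gl=1*…*_ga*…` analytics linker query string copied from a browser session; the bare `https://cloud.google.com/firewall/docs/using-firewall-rules-logging` URL is what should ship. The `descriptionHtml` text also reads "GCP intances" where "GCP instances" is meant.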
@@ -0,0 +1,38 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Google Cloud Platform Firewall Logs/ReleaseNotes.md b/Solutions/Google Cloud Platform Firewall Logs/ReleaseNotes.md
new file mode 100644
index 00000000000..f873e77f791
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|----------------------------------------------------|
+| 3.0.0 | 19-11-2024 | Initial Solution release |
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/logo/google_logo.svg b/Solutions/Google Cloud Platform Firewall Logs/logo/google_logo.svg
new file mode 100644
index 00000000000..d19364efb50
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/logo/google_logo.svg
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/solutionMetadata.json b/Solutions/Google Cloud Platform Firewall Logs/solutionMetadata.json
new file mode 100644
index 00000000000..81e47d74fea
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/solutionMetadata.json
@@ -0,0 +1,20 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-gcpfirewalllogs-api",
+ "firstPublishDate": "2024-11-03",
+ "providers": [
+ "Google"
+ ],
+ "categories": {
+ "domains": [
+ "DevOps",
+ "Security - Network"
+ ]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
diff --git a/Solutions/Microsoft Defender XDR/ReleaseNotes.md b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
index 590c6b81026..07fef907699 100644
--- a/Solutions/Microsoft Defender XDR/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------------------------------------------------|
+| 3.0.10 | 25-10-2024 | Added New **Hunting Queries** |
 | 3.0.9 | 20-09-2024 | Added New **Hunting Queries** |
 | 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
 | 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml |
diff --git a/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json b/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json
index ee695385286..5dbb6312512 100644
--- a/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json
+++ b/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json
@@ -2,19 +2,15 @@
 "Name": "Netwrix Auditor",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
+ "Description": "The Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Parsers": [
 "Parsers/NetwrixAuditor.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_NetwrixAuditor.json",
- "Data Connectors/template_NetwrixAuditorAMA.json"
- ],
 "dependentDomainSolutionIds": [
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Netwrix Auditor",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
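Review bot: The bump to `"Version": "3.0.2"` is not matched in this chunk by a ReleaseNotes.md row for Netwrix Auditor, and what this version carries — removal of both `Connector_NetwrixAuditor.json` and `template_NetwrixAuditorAMA.json` from the package — is exactly what an operator with the old connectors deployed needs to see before upgrading. If it is not added elsewhere in the commit, a row such as `| 3.0.2 | <DD-MM-YYYY> | Removed deprecated **Data Connectors**; CEF via AMA is supplied by the Common Event Format solution |` should accompany the change. With the `Data Connectors` key gone, the sentence in `Description` that the CEF solution "will be installed as part of this solution installation" now rests entirely on `dependentDomainSolutionIds`, which is still present, so that text stays accurate.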
diff --git a/Solutions/Netwrix Auditor/Package/3.0.2.zip b/Solutions/Netwrix Auditor/Package/3.0.2.zip new file mode 100644 index 00000000000..15919447ce5 Binary files /dev/null and b/Solutions/Netwrix Auditor/Package/3.0.2.zip differ diff --git a/Solutions/Netwrix Auditor/Package/createUiDefinition.json b/Solutions/Netwrix Auditor/Package/createUiDefinition.json index 5a24badfb78..8b61178ec5e 100644 --- a/Solutions/Netwrix Auditor/Package/createUiDefinition.json +++ b/Solutions/Netwrix Auditor/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netwrix%20Auditor/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netwrix%20Auditor/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
 "visible": true
 }
 ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Netwrix Auditor. You can get Netwrix Auditor CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
 "outputs": {
 "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",
diff --git a/Solutions/Netwrix Auditor/Package/mainTemplate.json b/Solutions/Netwrix Auditor/Package/mainTemplate.json
index a9225e3bc59..86951712b6e 100644
--- a/Solutions/Netwrix Auditor/Package/mainTemplate.json
+++ b/Solutions/Netwrix Auditor/Package/mainTemplate.json
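Review bot: `"steps": [{}]` replaces the removed Data Connectors step with an array containing one empty object rather than an empty array; CreateUiDefinition step items are expected to carry `name`, `label` and `elements`, so an anonymous empty step is likely to fail schema validation or render a blank blade in the portal. `"steps": []` is the form for a solution that has no custom steps, and it also reads as intentional rather than as a half-deleted entry. The enclosing `parameters` object begins before this hunk.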
@@ -33,7 +33,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Netwrix Auditor",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-netwrixauditor",
 "_solutionId": "[variables('solutionId')]",
 "parserObject1": {
@@ -43,24 +43,6 @@
 "parserVersion1": "1.0.0",
 "parserContentId1": "NetwrixAuditor-Parser"
 },
- "uiConfigId1": "Netwrix",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "Netwrix",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "NetwrixAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "NetwrixAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
@@ -73,7 +55,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NetwrixAuditor Data Parser with template version 3.0.1",
+ "description": "NetwrixAuditor Data Parser with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -196,715 +178,17 @@ } } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Netwrix Auditor data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Netwrix Auditor via Legacy Agent", - "publisher": "Netwrix", - "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. 
[Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "NetwrixAuditor", - "baseQuery": "NetwrixAuditor" - } - ], - "sampleQueries": [ - { - "description": "Netwrix Auditor Events - All Activities.", - "query": "NetwrixAuditor\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog", - "lastDataReceivedQuery": "NetwrixAuditor\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "NetwrixAuditor\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor.", - "title": "2. 
Configure Netwrix Auditor to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "metadata": { - "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "community", - "name": "Microsoft", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Netwrix Auditor", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Netwrix Auditor via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Netwrix Auditor", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Netwrix Auditor via Legacy Agent", - "publisher": "Netwrix", - "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. 
Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "NetwrixAuditor", - "baseQuery": "NetwrixAuditor" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog", - "lastDataReceivedQuery": "NetwrixAuditor\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "NetwrixAuditor\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Netwrix Auditor Events - All Activities.", - "query": "NetwrixAuditor\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor.", - "title": "2. 
Configure Netwrix Auditor to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. 
[Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Netwrix Auditor data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Netwrix Auditor via AMA", - "publisher": "Netwrix", - "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. 
[Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "NetwrixAuditor", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Netwrix Auditor Events - All Activities.", - "query": "NetwrixAuditor\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Netwrix Auditor to send logs using CEF", - "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "community", - "name": "Microsoft", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Netwrix Auditor", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Netwrix Auditor via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Netwrix Auditor", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Netwrix Auditor via AMA", - "publisher": "Netwrix", - "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. 
Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "NetwrixAuditor", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Netwrix Auditor Events - All Activities.", - "query": "NetwrixAuditor\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Netwrix Auditor to send logs using CEF", - "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. 
[Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Netwrix Auditor", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]",
@@ -933,16 +217,6 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "version": "[variables('parserObject1').parserVersion1]"
 },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
 {
 "kind": "Solution",
 "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat"
diff --git a/Solutions/Netwrix Auditor/ReleaseNotes.md b/Solutions/Netwrix Auditor/ReleaseNotes.md
index 7774c8f2e99..32f4435e13b 100644
--- a/Solutions/Netwrix Auditor/ReleaseNotes.md
+++ b/Solutions/Netwrix Auditor/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 22-11-2024 | Removed Deprecated **Data Connectors** |
 | 3.0.1 | 10-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file
+| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/NozomiNetworks/Data/Solution_Nozomi.json b/Solutions/NozomiNetworks/Data/Solution_Nozomi.json
index 754063f7070..4d03efbf334 100644
--- a/Solutions/NozomiNetworks/Data/Solution_Nozomi.json
+++ b/Solutions/NozomiNetworks/Data/Solution_Nozomi.json
@@ -2,11 +2,7 @@
 "Name": "NozomiNetworks",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/NozomiNetworksN2OS.json",
- "Data Connectors/template_NozomiNetworksN2OSAMA.json"
- ],
+ "Description": "The [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Parsers": [
 "Parsers/NozomiNetworksEvents.yaml"
 ],
@@ -14,7 +10,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\NozomiNetworks",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
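Review bot: Removing the `Data Connectors` key stops the packaging tool from building `Data Connectors/NozomiNetworksN2OS.json` and `Data Connectors/template_NozomiNetworksN2OSAMA.json`, but nothing in this hunk deletes those two files. If they remain in the repo, the legacy connector definition — which, judging by the generated template removed further down in this diff, carries the `cef_installer.py {WorkspaceId} {PrimaryKey}` instructions and the `sharedKeys` permission requirement — stays discoverable and is presumably still parsed by the repo's data-connector validators. Confirm the two files are deleted in the same PR (they may be in a part of the diff not shown here), or keep the key pointing only at the AMA template if that connector is meant to stay installable. The NozomiNetworks ReleaseNotes entry for 3.0.3 is also not in view; add a row mirroring the Netwrix `| 3.0.2 | 22-11-2024 | Removed Deprecated **Data Connectors** |` line if it is not elsewhere in this PR.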
diff --git a/Solutions/NozomiNetworks/Package/3.0.3.zip b/Solutions/NozomiNetworks/Package/3.0.3.zip
new file mode 100644
index 00000000000..508b1757c5a
Binary files /dev/null and b/Solutions/NozomiNetworks/Package/3.0.3.zip differ
diff --git a/Solutions/NozomiNetworks/Package/createUiDefinition.json b/Solutions/NozomiNetworks/Package/createUiDefinition.json
index 50bd9ae3275..b4dabeabf26 100644
--- a/Solutions/NozomiNetworks/Package/createUiDefinition.json
+++ b/Solutions/NozomiNetworks/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NozomiNetworks/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NozomiNetworks/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. 
Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -50,39 +50,7 @@
 "visible": true
 }
 ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for NozomiNetworks. You can get NozomiNetworks CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
 "outputs": {
 "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",
diff --git a/Solutions/NozomiNetworks/Package/mainTemplate.json b/Solutions/NozomiNetworks/Package/mainTemplate.json
index 127286efb19..b6784d78056 100644
--- a/Solutions/NozomiNetworks/Package/mainTemplate.json
+++ b/Solutions/NozomiNetworks/Package/mainTemplate.json
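Review bot: `"steps": [{}],` replaces the removed data-connector step with an array holding one empty object rather than an empty array. A createUiDefinition step is normally expected to carry `name`, `label` and `elements`, so an empty step object risks failing the UI-definition validation the portal applies at deploy time, unless the Sentinel packaging tool emits this form deliberately and the portal tolerates it — I cannot confirm that from this diff. If no wizard step is left, prefer `"steps": [],`; alternatively keep one step whose `elements` retains the removed `dataconnectors-parser-text` block, since after this change the only remaining hint that a parser is installed is the `**Parsers:** 1` fragment in the basics description, and users no longer see that the ingested CommonSecurityLog data is normalized by `NozomiNetworksEvents` nor the link to the data-source documentation.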
@@ -33,27 +33,9 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "NozomiNetworks",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-nozominetworks",
 "_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "NozomiNetworksN2OS",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "NozomiNetworksN2OS",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "NozomiNetworksN2OSAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "NozomiNetworksN2OSAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','NozomiNetworksEvents')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NozomiNetworksEvents')]",
@@ -64,704 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NozomiNetworks data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Nozomi Networks N2OS via Legacy Agent", - "publisher": "Nozomi Networks", - "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. 
Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Nozomi Networks", - "baseQuery": "NozomiNetworksEvents" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (NozomiNetworks)", - "lastDataReceivedQuery": "NozomiNetworksEvents\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "NozomiNetworksEvents\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "9e55a64f-7db4-406a-9fdd-dc27b03e0231", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "NozomiNetworks" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft", - "tier": "microsoft" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "NozomiNetworks", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Nozomi Networks N2OS via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": 
"[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "NozomiNetworks", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Nozomi Networks N2OS via Legacy Agent", - "publisher": "Nozomi Networks", - "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. 
Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Nozomi Networks", - "baseQuery": "NozomiNetworksEvents" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (NozomiNetworks)", - "lastDataReceivedQuery": "NozomiNetworksEvents\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "NozomiNetworksEvents\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NozomiNetworks data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Nozomi Networks N2OS via AMA", - "publisher": "Nozomi Networks", - "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. 
Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Nozomi Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (NozomiNetworks)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read 
permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "metadata": { - "id": "9e55a64f-7db4-406a-9fdd-dc27b03e0231", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "NozomiNetworks" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft", - "tier": "microsoft" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "NozomiNetworks", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - 
"packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Nozomi Networks N2OS via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "NozomiNetworks", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": 
{ - "title": "[Deprecated] Nozomi Networks N2OS via AMA", - "publisher": "Nozomi Networks", - "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Nozomi Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (NozomiNetworks)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - 
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -771,7 +55,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NozomiNetworksEvents Data Parser with template version 3.0.2", + "description": "NozomiNetworksEvents Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -899,12 +183,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "NozomiNetworks", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Nozomi Networks solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks PDF documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Nozomi Networks solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks PDF documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -928,16 +212,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/NozomiNetworks/ReleaseNotes.md b/Solutions/NozomiNetworks/ReleaseNotes.md index b514729f463..4ca690c1bd5 100644 --- a/Solutions/NozomiNetworks/ReleaseNotes.md +++ b/Solutions/NozomiNetworks/ReleaseNotes.md @@ -1,7 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 21-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 22-12-2023 | Query issue fixed in AMA **Data Connector** | -| 3.0.0 | 13-09-2023 | Addition of new NozomiNetworks AMA **Data Connector** | - - +| 3.0.0 | 13-09-2023 | Addition of new NozomiNetworks AMA **Data Connector** | diff --git a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json index 6cb7c0ad415..6c2c20f15e8 100644 --- a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json +++ b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json 
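Review bot: The new descriptionHtml keeps the promise that "The CEF solution will be installed as part of this solution installation", yet the only dependency criterion left visible once the two DataConnector entries are dropped in the following hunk is the Parser one; that sentence is only true if a `"kind": "Solution"` criterion for the Common Event Format solution remains in `dependencies.criteria` beyond what is shown here, so confirm it before 3.0.3 is published. The text also goes from "Data Connectors: 2, Parsers: 1" to "Parsers: 1" without telling existing 3.0.x users what happens to the `[Deprecated]` connector resources already deployed in their workspaces; as far as I can tell an incremental ARM deployment does not delete resources the new template no longer declares, so they stay behind with their metadata. Consider adding a sentence such as `Previously installed [Deprecated] Nozomi Networks connectors are not removed by this update; delete them from the Data connectors blade after migrating to CEF via AMA.` to both the descriptionHtml and the release notes.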
@@ -2,11 +2,7 @@ "Name": "OSSEC", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Data Connectors/Connector_CEF_OSSEC.json", - "Data Connectors/template_OSSECAMA.json" - ], + "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.", "Parsers": [ "Parsers/OSSECEvent.yaml" ], @@ -15,7 +11,7 @@ ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OSSEC", - "Version": "3.0.1", + "Version": "3.0.2", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/OSSEC/Package/3.0.2.zip b/Solutions/OSSEC/Package/3.0.2.zip new file mode 100644 index 00000000000..396e5754e15 Binary files /dev/null and b/Solutions/OSSEC/Package/3.0.2.zip differ diff --git a/Solutions/OSSEC/Package/createUiDefinition.json b/Solutions/OSSEC/Package/createUiDefinition.json index fa02deee4b2..9509cf20cd3 100644 --- a/Solutions/OSSEC/Package/createUiDefinition.json 
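Review bot: With the "Data Connectors" array removed, the NOTE retained in the new Description ("The existing connectors were deprecated on Aug 31, 2024") now refers to connectors this solution no longer ships, so the marketplace text gives no pointer to where OSSEC CEF logs are actually collected. Suggest rewording the sentence to `Collect OSSEC logs with the Common Event Format (CEF) via AMA connector from the Common Event Format solution; the OSSEC-specific connectors were deprecated on Aug 31, 2024 and are no longer included in this solution.` The same wording should be carried into Package/createUiDefinition.json, which otherwise repeats the stale NOTE verbatim.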
+++ b/Solutions/OSSEC/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -50,39 +50,7 @@ "visible": true } ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for OSSEC. You can get OSSEC CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - } - ], + "steps": [{}], "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", 
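Review bot: `"steps": [{}]` replaces the removed Data Connectors step with an array holding one empty object rather than an empty array. If the createUiDefinition schema requires `name`, `label` and `elements` on every step, an empty step object fails UI-definition validation when the offer is deployed, whereas `"steps": []` is unambiguous; if the packaging tool routinely emits `[{}]` for parser-only solutions and the portal accepts it, it is harmless but `[]` is still the cleaner form, and the fix belongs in the tool rather than the generated file. The visible `outputs` lines reference only `basics(...)`, not the removed `dataconnectors` step, so nothing shown here depends on it.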
diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json index 26628898ad5..1dcd5b95c3c 100644 --- a/Solutions/OSSEC/Package/mainTemplate.json +++ b/Solutions/OSSEC/Package/mainTemplate.json 
@@ -33,27 +33,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "OSSEC", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-ossec", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "OSSEC", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "OSSEC", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "OSSECAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "OSSECAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','OSSECEvent')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OSSECEvent')]", 
@@ -64,672 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "OSSEC data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] OSSEC via Legacy Agent", - "publisher": "OSSEC", - "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. 
Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "OSSEC", - "baseQuery": "OSSECEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Rules", - "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (OSSEC)", - "lastDataReceivedQuery": "OSSECEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "OSSECEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "OSSEC", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] OSSEC via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "OSSEC", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] OSSEC via Legacy Agent", - "publisher": "OSSEC", - "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. 
Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "OSSEC", - "baseQuery": "OSSECEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (OSSEC)", - "lastDataReceivedQuery": "OSSECEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "OSSECEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Rules", - "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." 
- } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "OSSEC data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] OSSEC via AMA", - "publisher": "OSSEC", - "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. 
Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "OSSEC", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Rules", - "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (OSSEC)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "OSSEC", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] OSSEC via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "OSSEC", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] OSSEC via AMA", - "publisher": "OSSEC", - "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. 
Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "OSSEC", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (OSSEC)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Rules", - "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -739,7 +55,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OSSECEvent Data Parser with template version 3.0.1", + "description": "OSSECEvent Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -867,12 +183,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "OSSEC", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -896,16 +212,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/OSSEC/ReleaseNotes.md b/Solutions/OSSEC/ReleaseNotes.md index 5312db8d7c7..ab51f16eedb 100644 --- a/Solutions/OSSEC/ReleaseNotes.md +++ b/Solutions/OSSEC/ReleaseNotes.md @@ -1,6 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.2 | 21-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.1 | 12-07-2024 | Deprecated **Data Connector** | -| 3.0.0 | 28-08-2023 | Addition of new OSSEC AMA **Data Connector** | | - - +| 3.0.0 | 28-08-2023 | Addition of new OSSEC AMA **Data Connector** | diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml index c91d4cb61eb..939d064ed1c 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml index 6102a5bbe4c..f0ba2743b8a 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml @@ -5,12 +5,6 @@ description: | severity: Low status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -44,5 +38,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml index 8bac495e69a..97def5e97a5 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -38,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml index 7d0ea52aeef..6e03f595919 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -38,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml index a002c34374f..208fd57af9c 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml @@ -5,12 +5,6 @@ description: | severity: Low status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -40,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml index 79e6c806d2e..92724f45c7b 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml 
@@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -40,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml b/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml index b9eaf30fe4d..8e6c1cb740c 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -43,5 +37,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml index 048fb7c4c9e..c2e4fe27128 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -40,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml index a416e9a962d..c4187fd045f 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -46,5 +40,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml index 1ac2829e2db..220aefabbbe 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -42,5 +36,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml index 8693a3799bf..08177cd0aed 100644 --- a/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml +++ b/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -46,5 +40,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PingFederate/Data/Solution_PingFederate.json b/Solutions/PingFederate/Data/Solution_PingFederate.json index 40a04e6b935..1c69a04132e 100644 --- a/Solutions/PingFederate/Data/Solution_PingFederate.json +++ b/Solutions/PingFederate/Data/Solution_PingFederate.json 
@@ -2,7 +2,7 @@ "Name": "PingFederate", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", + "Description": "The [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.", "Workbooks": [ "Workbooks/PingFederate.json" ], 
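Review bot: The retained wording `The existing connectors were deprecated on **Aug 31, 2024**.` in the new Description now has no referent, because this same commit drops the `Data Connectors` entries (`Connector_CEF_PingFederate.json`, `template_PingFederateAMA.json`) from this file, so an installer reading the description is pointed at connectors that are no longer shipped. Naming them and stating the outcome would make the dependency on the Common Event Format solution explicit, e.g. `The legacy PingFederate and PingFederateAma connectors were deprecated on **Aug 31, 2024** and are no longer included in this solution; ingest logs through the CEF via AMA connector instead.` The same sentence recurs in the `createUiDefinition.json` and OSSEC `mainTemplate.json` descriptions in this diff, which presumably are regenerated from the solution data files, so fixing it here should propagate on the next packaging run.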
@@ -18,10 +18,6 @@ "Hunting Queries/PingFederateUnusualSources.yaml", "Hunting Queries/PingFederateUsersPaswordsReset.yaml" ], - "Data Connectors": [ - "Data Connectors/Connector_CEF_PingFederate.json", - "Data Connectors/template_PingFederateAMA.json" - ], "Analytic Rules": [ "Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml", "Analytic Rules/PingFederateAuthFromNewSource.yaml", @@ -43,7 +39,7 @@ ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\PingFederate", - "Version": "3.0.1", + "Version": "3.0.2", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml index 31ddb97bbf1..58e536412a5 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for authentication URLs used.' severity: Low requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml index 17f5237c2b8..7e1ad19a7db 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for failed authentication events' severity: Low requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml index 42be44b2a4c..5c1a737ae1d 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for new users.' severity: Low requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml b/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml index f7f4e189ed1..9126d32249e 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for password reset requests events.' severity: Low requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml index de5cf6dc8e7..dd9b09535ff 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for rare source IP addresses of requests' severity: Medium requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml index 06ead7ba545..40342db87ff 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for SAML subjects used in requests' severity: Low requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml index a13dc0a66e6..9c7d7211273 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for source IP addresses with the most requests' severity: Low requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml index 0dff22a4025..a5812c75331 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for requests from unusual countries.' severity: Medium requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml index a34d899384a..68851a41466 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for unusual sources of authentication.' severity: Medium requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml index 0bd5b19e406..bb0f993a5a9 100644 --- a/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml +++ b/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml @@ -4,12 +4,6 @@ description: | 'Query searches for users who recently reseted their passwords.' severity: Medium requiredDataConnectors: - - connectorId: PingFederate - dataTypes: - - PingFederateEvent - - connectorId: PingFederateAma - dataTypes: - - PingFederateEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PingFederate/Package/3.0.2.zip b/Solutions/PingFederate/Package/3.0.2.zip new file mode 100644 index 00000000000..5e537dee20d Binary files /dev/null and b/Solutions/PingFederate/Package/3.0.2.zip differ diff --git a/Solutions/PingFederate/Package/createUiDefinition.json b/Solutions/PingFederate/Package/createUiDefinition.json index 82cf18b5e42..e5f539d2287 100644 --- a/Solutions/PingFederate/Package/createUiDefinition.json +++ b/Solutions/PingFederate/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PingFederate/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PingFederate/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PingFederate. You can get PingFederate CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -337,7 +306,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for authentication URLs used. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for authentication URLs used. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -351,7 +320,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for failed authentication events This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for failed authentication events This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -365,7 +334,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for new users. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for new users. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -379,7 +348,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for password reset requests events. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for password reset requests events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -393,7 +362,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for rare source IP addresses of requests This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for rare source IP addresses of requests This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -407,7 +376,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for SAML subjects used in requests This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for SAML subjects used in requests This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -421,7 +390,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for source IP addresses with the most requests This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for source IP addresses with the most requests This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -435,7 +404,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for requests from unusual countries. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for requests from unusual countries. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -449,7 +418,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for unusual sources of authentication. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for unusual sources of authentication. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -463,7 +432,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for users who recently reseted their passwords. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for users who recently reseted their passwords. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] diff --git a/Solutions/PingFederate/Package/mainTemplate.json b/Solutions/PingFederate/Package/mainTemplate.json index 72df6acb137..54b60f04eec 100644 --- a/Solutions/PingFederate/Package/mainTemplate.json +++ b/Solutions/PingFederate/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "PingFederate", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-pingfederate", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", 
@@ -101,100 +101,82 @@
 "_huntingQuerycontentId10": "6698f022-adf4-48a3-a8da-a4052ac999b4",
 "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6698f022-adf4-48a3-a8da-a4052ac999b4')))]"
 },
- "uiConfigId1": "PingFederate",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "PingFederate",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "PingFederateAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "PingFederateAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
 "_analyticRulecontentId1": "e45a7334-2cb4-4690-8156-f02cac73d584",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e45a7334-2cb4-4690-8156-f02cac73d584')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e45a7334-2cb4-4690-8156-f02cac73d584')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e45a7334-2cb4-4690-8156-f02cac73d584','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e45a7334-2cb4-4690-8156-f02cac73d584','-', '1.0.3')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
 "_analyticRulecontentId2": "30583ed4-d13c-43b8-baf2-d75fbe727210",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30583ed4-d13c-43b8-baf2-d75fbe727210')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30583ed4-d13c-43b8-baf2-d75fbe727210')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30583ed4-d13c-43b8-baf2-d75fbe727210','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30583ed4-d13c-43b8-baf2-d75fbe727210','-', '1.0.3')))]"
 },
 "analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.2",
+ "analyticRuleVersion3": "1.0.3",
 "_analyticRulecontentId3": "14042f74-e50b-4c21-8a01-0faf4915ada4",
 "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14042f74-e50b-4c21-8a01-0faf4915ada4')]",
 "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14042f74-e50b-4c21-8a01-0faf4915ada4')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14042f74-e50b-4c21-8a01-0faf4915ada4','-', '1.0.2')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14042f74-e50b-4c21-8a01-0faf4915ada4','-', '1.0.3')))]"
 },
 "analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.2",
+ "analyticRuleVersion4": "1.0.3",
 "_analyticRulecontentId4": "6145efdc-4724-42a6-9756-5bd1ba33982e",
 "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6145efdc-4724-42a6-9756-5bd1ba33982e')]",
 "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6145efdc-4724-42a6-9756-5bd1ba33982e')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6145efdc-4724-42a6-9756-5bd1ba33982e','-', '1.0.2')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6145efdc-4724-42a6-9756-5bd1ba33982e','-', '1.0.3')))]"
 },
 "analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.2",
+ "analyticRuleVersion5": "1.0.3",
 "_analyticRulecontentId5": "05282c91-7aaf-4d76-9a19-6dc582e6a411",
 "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '05282c91-7aaf-4d76-9a19-6dc582e6a411')]",
 "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('05282c91-7aaf-4d76-9a19-6dc582e6a411')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05282c91-7aaf-4d76-9a19-6dc582e6a411','-', '1.0.2')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05282c91-7aaf-4d76-9a19-6dc582e6a411','-', '1.0.3')))]"
 },
 "analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
 "_analyticRulecontentId6": "85f70197-4865-4635-a4b2-a9c57e8fea1b",
 "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '85f70197-4865-4635-a4b2-a9c57e8fea1b')]",
 "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('85f70197-4865-4635-a4b2-a9c57e8fea1b')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','85f70197-4865-4635-a4b2-a9c57e8fea1b','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','85f70197-4865-4635-a4b2-a9c57e8fea1b','-', '1.0.3')))]"
 },
 "analyticRuleObject7": {
- "analyticRuleVersion7": "1.0.2",
+ "analyticRuleVersion7": "1.0.3",
 "_analyticRulecontentId7": "2d201d21-77b4-4d97-95f3-26b5c6bde09f",
 "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2d201d21-77b4-4d97-95f3-26b5c6bde09f')]",
 "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2d201d21-77b4-4d97-95f3-26b5c6bde09f')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2d201d21-77b4-4d97-95f3-26b5c6bde09f','-', '1.0.2')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2d201d21-77b4-4d97-95f3-26b5c6bde09f','-', '1.0.3')))]"
 },
 "analyticRuleObject8": {
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
 "_analyticRulecontentId8": "fddd3840-acd2-41ed-94d9-1474b0a7c8a6",
 "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fddd3840-acd2-41ed-94d9-1474b0a7c8a6')]",
 "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fddd3840-acd2-41ed-94d9-1474b0a7c8a6')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fddd3840-acd2-41ed-94d9-1474b0a7c8a6','-', '1.0.2')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fddd3840-acd2-41ed-94d9-1474b0a7c8a6','-', '1.0.3')))]"
 },
 "analyticRuleObject9": {
- "analyticRuleVersion9": "1.0.2",
+ "analyticRuleVersion9": "1.0.3",
 "_analyticRulecontentId9": "9578ef7f-cbb4-4e9a-bd26-37c15c53b413",
 "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9578ef7f-cbb4-4e9a-bd26-37c15c53b413')]",
 "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9578ef7f-cbb4-4e9a-bd26-37c15c53b413')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9578ef7f-cbb4-4e9a-bd26-37c15c53b413','-', '1.0.2')))]"
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9578ef7f-cbb4-4e9a-bd26-37c15c53b413','-', '1.0.3')))]"
 },
 "analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.2",
+ "analyticRuleVersion10": "1.0.3",
 "_analyticRulecontentId10": "64e65105-c4fc-4c28-a4e9-bb1a3ce7652d",
 "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '64e65105-c4fc-4c28-a4e9-bb1a3ce7652d')]",
 "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('64e65105-c4fc-4c28-a4e9-bb1a3ce7652d')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','64e65105-c4fc-4c28-a4e9-bb1a3ce7652d','-', '1.0.2')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','64e65105-c4fc-4c28-a4e9-bb1a3ce7652d','-', '1.0.3')))]"
 },
 "analyticRuleObject11": {
- "analyticRuleVersion11": "1.0.2",
+ "analyticRuleVersion11": "1.0.3",
 "_analyticRulecontentId11": "dc79de7d-2590-4852-95fb-f8e02b34f4da",
 "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc79de7d-2590-4852-95fb-f8e02b34f4da')]",
 "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc79de7d-2590-4852-95fb-f8e02b34f4da')))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc79de7d-2590-4852-95fb-f8e02b34f4da','-', '1.0.2')))]"
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc79de7d-2590-4852-95fb-f8e02b34f4da','-', '1.0.3')))]"
 },
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','PingFederate Data Parser')]",
@@ -215,7 +197,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederate Workbook with template version 3.0.1",
+ "description": "PingFederate Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -278,6 +260,10 @@
 {
 "contentId": "PingFederateAma",
 "kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
 }
 ]
 }
@@ -307,7 +293,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateAuthUrls_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateAuthUrls_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -392,7 +378,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateFailedAuthentications_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateFailedAuthentications_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -477,7 +463,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateNewUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateNewUsers_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -562,7 +548,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederatePasswordResetRequests_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederatePasswordResetRequests_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -647,7 +633,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateRareSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateRareSources_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -732,7 +718,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateSAMLSubjects_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateSAMLSubjects_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -817,7 +803,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateTopSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateTopSources_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -902,7 +888,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateUnusualCountry_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateUnusualCountry_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -987,7 +973,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateUnusualSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateUnusualSources_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1072,7 +1058,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateUsersPaswordsReset_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateUsersPaswordsReset_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1148,672 +1134,6 @@ "version": "1.0.0" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PingFederate data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] PingFederate via Legacy Agent", - "publisher": "Ping Identity", - "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. 
Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PingFederate", - "baseQuery": "PingFederateEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PingFederate)", - "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] PingFederate via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] PingFederate via Legacy Agent", - "publisher": "Ping Identity", - "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. 
Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PingFederate", - "baseQuery": "PingFederateEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PingFederate)", - "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PingFederate data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] PingFederate via AMA", - "publisher": "Ping Identity", - "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. 
Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PingFederate", - "baseQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PingFederate)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read 
permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] PingFederate via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PingFederate", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] PingFederate via AMA", - "publisher": "Ping Identity", - "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. 
Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PingFederate", - "baseQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PingFederate)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Devices", - "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -1823,7 +1143,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateAbnormalPasswordResetsAttempts_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateAbnormalPasswordResetsAttempts_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1850,18 +1170,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
 {
 "connectorId": "CefAma",
 "dataTypes": [
@@ -1880,8 +1188,8 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
 }
 ]
 }
@@ -1939,7 +1247,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PingFederateAuthFromNewSource_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateAuthFromNewSource_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
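Review bot: In the `@@ -1850,18 +1170,6 @@` hunk, `requiredDataConnectors` for this analytics rule now lists only `CefAma`, so a workspace that still receives PingFederate audit logs through the deprecated `PingFederate` or `PingFederateAma` connectors will have the rule's connector prerequisite reported as unmet even though events continue to arrive; that is consistent with the connector definitions being deleted earlier in this diff, but it is a user-visible migration and deserves a line in the solution's release notes. The dropped entries were also the only place in the rule that named `PingFederateEvent`, which (per the removed connector's `additionalRequirementBanner`) is the Kusto parser function the rule's query depends on; the remaining `CefAma` entry's `dataTypes` array continues past the hunk, so please confirm it carries the correct table name and that the parser remains packaged in the solution, otherwise the rule fails at query time rather than at deployment. The enclosing analytics-rule template object starts and ends outside the hunk.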
@@ -1966,18 +1274,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -1996,8 +1292,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, @@ -2005,8 +1301,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } @@ -2064,7 +1360,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2091,18 +1387,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2121,8 +1405,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, 
@@ -2130,8 +1414,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } @@ -2189,7 +1473,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateMultiplePasswordResetsForUser_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateMultiplePasswordResetsForUser_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2216,18 +1500,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2250,8 +1522,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } @@ -2309,7 +1581,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateNewUserSSO_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateNewUserSSO_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2336,18 +1608,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2368,8 +1628,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } @@ -2427,7 +1687,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateOauthOld_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateOauthOld_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2454,18 +1714,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2484,8 +1732,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, @@ -2493,8 +1741,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } 
@@ -2552,7 +1800,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2579,18 +1827,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2609,8 +1845,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, @@ -2618,8 +1854,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } @@ -2677,7 +1913,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateSamlOld_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateSamlOld_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2704,18 +1940,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2734,8 +1958,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, @@ -2743,8 +1967,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } @@ -2802,7 +2026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnexpectedAuthUrl_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateUnexpectedAuthUrl_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2829,18 +2053,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2859,8 +2071,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, 
@@ -2868,8 +2080,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } @@ -2927,7 +2139,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnexpectedUserCountry_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateUnexpectedUserCountry_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2954,18 +2166,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2984,8 +2184,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, @@ -2993,8 +2193,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } 
@@ -3052,7 +2252,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateUnusualMailDomain_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PingFederateUnusualMailDomain_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3079,18 +2279,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PingFederate", - "dataTypes": [ - "PingFederateEvent" - ] - }, - { - "connectorId": "PingFederateAma", - "dataTypes": [ - "PingFederateEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -3109,8 +2297,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] }, @@ -3118,8 +2306,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpCustomEntity" + "columnName": "IpCustomEntity", + "identifier": "Address" } ] } @@ -3177,7 +2365,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PingFederateEvent Data Parser with template version 3.0.1", + "description": "PingFederateEvent Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -3305,12 +2493,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "PingFederate", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3389,16 +2577,6 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/PingFederate/ReleaseNotes.md b/Solutions/PingFederate/ReleaseNotes.md index a92e83ea94c..41fd74293fa 100644 --- a/Solutions/PingFederate/ReleaseNotes.md +++ b/Solutions/PingFederate/ReleaseNotes.md @@ -1,6 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.2 | 22-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.1 | 12-07-2024 | Deprecated **Data Connector** | -| 3.0.0 | 04-09-2023 | Addition of new PingFederate AMA **Data Connector** | | - - +| 3.0.0 | 04-09-2023 | Addition of new PingFederate AMA **Data Connector** | diff --git a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json index a69c1634a90..f666f8f753f 100644 --- a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json +++ b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json 
@@ -1,84 +1,84 @@
-{
- "id": "SSG",
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueriesTableName": "SINECSecurityGuard_CL",
- "logo": "SSG.svg",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"]
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "availability": {
- "isPreview": true,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ]
-}
+{
+ "id": "SSG",
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueriesTableName": "SINECSecurityGuard_CL",
+ "logo": "SSG.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "isPreview": true,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+}
diff --git a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
index 3232152f990..c0cb969768f 100644
--- a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
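Review bot: The nested `instructionSteps` on the new side still carry placeholder descriptions, `"description": "Detailed step for setting up the sensor."` and `"description": "Instructions on configuring the data connector."`, so the rewrite leaves the connector blade without actionable setup guidance; since the connector also declares the `Microsoft.OperationalInsights/workspaces/sharedKeys` action, presumably because the sensor authenticates with the workspace key, the steps should at least say where that key is configured and how it is rotated. The `sampleQueries` entry titled `"List of Attacks"` runs `SINECSecurityGuard_CL\n | summarize count()`, which returns a single count rather than a list; either rename the entry or make the query project the event rows. All 84 lines are replaced although the visible content matches the old side, which looks like a line-ending change; normalising it in a separate commit would keep any real edit reviewable.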
+++ b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
@@ -1,17 +1,17 @@
-{
- "Name": "SINEC Security Guard",
- "Author": "Siemens AG",
- "Logo": "",
- "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel",
- "Analytic Rules": [
- "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
- ],
- "Data Connectors": [
- "Data Connectors/data_connector_GenericUI.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
- "Version": "3.0.3",
- "TemplateSpec": true,
- "Is1PConnector": false
+{
+ "Name": "SINEC Security Guard",
+ "Author": "Siemens AG",
+ "Logo": "",
+ "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "Analytic Rules": [
+ "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/data_connector_GenericUI.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
+ "Version": "3.0.3",
+ "TemplateSpec": true,
+ "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/SINEC Security Guard/Package/3.0.0.zip b/Solutions/SINEC Security Guard/Package/3.0.0.zip
index 7000b1ab190..67e67b8582e 100644
Binary files a/Solutions/SINEC Security Guard/Package/3.0.0.zip and b/Solutions/SINEC Security Guard/Package/3.0.0.zip differ
diff --git a/Solutions/SINEC Security Guard/Package/createUiDefinition.json b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
index 1a03e23deb2..48f3fa3962a 100644
--- a/Solutions/SINEC Security Guard/Package/createUiDefinition.json
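Review bot: `"Version": "3.0.3"` is kept on the new side while the binary change in this commit rewrites `Package/3.0.0.zip` in place instead of adding a `3.0.3.zip`, and the old side of the mainTemplate hunk below still reads `"_solutionVersion": "3.0.0"` (its new side is outside this chunk); if the packaging tool derives the zip name and `_solutionVersion` from this field, the package and this data file are out of step. The only content change is the markdown link fix in `"Description"` (`[SINEC Security Guard](https://siemens.com/sinec-security-guard)`), yet all 17 lines are rewritten, which reads as a line-ending change that would be clearer normalised on its own. `"BasePath"` also points at a contributor's local `D:\\Sentinel_GIT\\...` checkout, which anyone else regenerating the package has to edit first.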
+++ b/Solutions/SINEC Security Guard/Package/createUiDefinition.json 
@@ -1,127 +1,127 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - 
"placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for SINEC Security Guard. You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
- } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "SSG_Security_Incidents", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies." - } - } - ] - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC 
Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for SINEC Security Guard. 
You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "SSG_Security_Incidents", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies." 
+ } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/SINEC Security Guard/Package/mainTemplate.json b/Solutions/SINEC Security Guard/Package/mainTemplate.json index 4377777a228..5dae4d92ce6 100644 --- a/Solutions/SINEC Security Guard/Package/mainTemplate.json +++ b/Solutions/SINEC Security Guard/Package/mainTemplate.json 
@@ -1,519 +1,518 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Siemens AG", - "comments": "Solution template for SINEC Security Guard" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "_solutionName": "SINEC Security Guard", - "_solutionVersion": "3.0.0", - "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg", - "_solutionId": "[variables('solutionId')]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", - "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]" - }, - "uiConfigId1": "SSG", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "SSG", - "_dataConnectorContentId1": 
"[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", 
- "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.", - "displayName": "SSG_Security_Incidents", - "enabled": false, - "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n", - "severity": "HIGH", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1486" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "source_ip", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "destination_ip", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "Source_IP": "source_ip" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ", - "alertDynamicProperties": [], - "alertDisplayNameFormat": "{{signature_name}} " - }, - "incidentConfiguration": { - "groupingConfiguration": { - "groupByCustomDetails": [ - "Source_IP" - ], - "groupByEntities": [ - "IP" - ], - "lookbackDuration": "5m", - "matchingMethod": "AnyAlert", - "reopenClosedIncident": false, - "enabled": true - }, - "createIncident": true - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "SINEC Security Guard Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "SSG_Security_Incidents", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SINEC Security Guard data connector with template version 3.0.0", - 
"mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "SINEC Security Guard", - "publisher": "Siemens AG", - "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", - "graphQueriesTableName": "SINECSecurityGuard_CL", - "logo": "SSG.svg", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "SINECSecurityGuard_CL", - "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "sampleQueries": [ - { - "description": "List of Attacks", - "query": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "SINECSecurityGuard_CL", - "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" - } - ], - "availability": { - "isPreview": false, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": 
"Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", - "instructions": [ - { - "parameters": { - "title": "1. Please follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Set up the SINEC Security Guard Sensor", - "description": "Detailed step for setting up the sensor." - }, - { - "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", - "description": "Instructions on configuring the data connector." 
- } - ] - }, - "type": "InstructionStepsGroup" - } - ] - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "SINEC Security Guard", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "SINEC Security Guard", - "publisher": "Siemens AG", - "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "SINECSecurityGuard_CL", - "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "dataTypes": [ - { - "name": "SINECSecurityGuard_CL", - "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "List of Attacks", - "query": 
"SINECSecurityGuard_CL\n | summarize count()" - } - ], - "availability": { - "isPreview": false, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", - "instructions": [ - { - "parameters": { - "title": "1. Please follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Set up the SINEC Security Guard Sensor", - "description": "Detailed step for setting up the sensor." - }, - { - "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", - "description": "Instructions on configuring the data connector." 
- } - ] - }, - "type": "InstructionStepsGroup" - } - ] - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "SINEC Security Guard", - "publisherDisplayName": "Siemens AG", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - ] - }, - "firstPublishDate": "2024-07-15", - "providers": [ - "Siemens AG" - ], - "categories": { - "domains": [ - "Security - Network" - ], - "verticals": [ - "Manufacturing" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Siemens AG", + "comments": "Solution template for SINEC Security Guard" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. 
We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "SINEC Security Guard", + "_solutionVersion": "3.0.0", + "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg", + "_solutionId": "[variables('solutionId')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]" + }, + "uiConfigId1": "SSG", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "SSG", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. 
By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.", + "displayName": "SSG_Security_Incidents", + "enabled": false, + "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n", + "severity": "HIGH", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "source_ip", + "identifier": "Address" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "columnName": "destination_ip", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Source_IP": "source_ip" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ", + "alertDisplayNameFormat": "{{signature_name}} ", + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "groupByEntities": [ + "IP" + ], + "lookbackDuration": "5m", + "enabled": true, + "matchingMethod": "AnyAlert", + "reopenClosedIncident": false, + "groupByCustomDetails": [ + "Source_IP" + ] + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "SINEC Security Guard Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + 
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "SSG_Security_Incidents", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SINEC Security Guard data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "SINEC Security Guard", + "publisher": "Siemens AG", + "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", + "graphQueriesTableName": "SINECSecurityGuard_CL", + "logo": "SSG.svg", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "SINECSecurityGuard_CL", + "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "sampleQueries": [ + { + "description": "List of Attacks", + "query": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" + ] + } + ], + "dataTypes": [ + { + "name": "SINECSecurityGuard_CL", + "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "availability": { + "isPreview": false, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the 
workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", + "instructions": [ + { + "parameters": { + "title": "1. Please follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Set up the SINEC Security Guard Sensor", + "description": "Detailed step for setting up the sensor." + }, + { + "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", + "description": "Instructions on configuring the data connector." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": 
"https://siemens.com/sinec-security-guard" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "SINEC Security Guard", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + 
"properties": { + "connectorUiConfig": { + "title": "SINEC Security Guard", + "publisher": "Siemens AG", + "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "SINECSecurityGuard_CL", + "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "dataTypes": [ + { + "name": "SINECSecurityGuard_CL", + "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "List of Attacks", + "query": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "availability": { + "isPreview": false, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", + "instructions": [ + { + "parameters": { + "title": "1. Please follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Set up the SINEC Security Guard Sensor", + "description": "Detailed step for setting up the sensor." + }, + { + "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", + "description": "Instructions on configuring the data connector." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "SINEC Security Guard", + "publisherDisplayName": "Siemens AG", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the SINEC Security Guard into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2024-07-15", + "providers": [ + "Siemens AG" + ], + "categories": { + "domains": [ + "Security - Network" + ], + "verticals": [ + "Manufacturing" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/SINEC Security Guard/ReleaseNotes.md b/Solutions/SINEC Security Guard/ReleaseNotes.md index 140e39781ce..d64285f9984 100644 --- a/Solutions/SINEC Security Guard/ReleaseNotes.md +++ b/Solutions/SINEC Security Guard/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------| -| 3.0.0 | 19-07-2024 | Initial Solution Release | -| 3.0.1 | 12-11-2024 | Uppercase revised | \ No newline at end of file +| 3.0.1 | 12-11-2024 | Uppercase revised | +| 3.0.0 | 19-07-2024 | Initial Solution Release | \ No newline at end of file 
diff --git a/Solutions/Sophos XG Firewall/Package/3.0.1.zip b/Solutions/Sophos XG Firewall/Package/3.0.1.zip new file mode 100644 index 00000000000..f8389d7cdb3 Binary files /dev/null and b/Solutions/Sophos XG Firewall/Package/3.0.1.zip differ diff --git a/Solutions/Sophos XG Firewall/Package/mainTemplate.json b/Solutions/Sophos XG Firewall/Package/mainTemplate.json index 66f1a0b04d2..8e1955f50b0 100644 --- a/Solutions/Sophos XG Firewall/Package/mainTemplate.json +++ b/Solutions/Sophos XG Firewall/Package/mainTemplate.json @@ -39,7 +39,7 @@ }, "variables": { "_solutionName": "Sophos XG Firewall", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-sophosxgfirewall", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "SophosXGFirewall", @@ -91,7 +91,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sophos XG Firewall data connector with template version 3.0.0", + "description": "Sophos XG Firewall data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -436,7 +436,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveAmountofDeniedConnectionsfromASingleSource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ExcessiveAmountofDeniedConnectionsfromASingleSource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -464,16 +464,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SophosXGFirewall", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SophosXGFirewall" }, { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -484,13 +484,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "Src_IP", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -545,7 +545,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PortScanDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "PortScanDetected_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
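Review bot: The SyslogAma entry in requiredDataConnectors keeps the key `datatypes` while the SophosXGFirewall entry beside it uses `dataTypes`, and since this hunk already rewrites both objects it is the natural place to align them. The lowercase key is a context line, so the inconsistency predates this change, but if the consumer or the schema validator matches property names case-sensitively the SyslogAma data types would be silently ignored. The same pair appears in the `@@ -573,16 +573,16 @@` hunk for the second analytic rule; suggested change in both places is `"dataTypes": [` in place of `"datatypes": [`. The enclosing analytic-rule object starts and ends outside the hunk.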
@@ -573,16 +573,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SophosXGFirewall", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "SophosXGFirewall" }, { - "connectorId": "SyslogAma", "datatypes": [ "Syslog" - ] + ], + "connectorId": "SyslogAma" } ], "tactics": [ @@ -593,13 +593,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "columnName": "Src_IP", "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -654,7 +654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SophosXGFirewall Workbook with template version 3.0.0", + "description": "SophosXGFirewall Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -672,7 +672,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3a1905da-e863-4fb1-a4cc-373bfa047344\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| summarize inbound = countif(not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), outbound = countif((ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), deny = countif(Status == \\\"Deny\\\"), count() by bin(TimeGenerated, {TimeRange:grain})\\r\\n| project-away count_\",\"size\":0,\"title\":\"Network Traffic by Direction\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"name\":\"query - 
8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where Status in (\\\"Allow\\\",\\\"Deny\\\")\\r\\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events by Action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Source IP'] = Src_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Source IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or 
ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Destination IP'] = Dst_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Destination IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Src_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == 
\\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Dst_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Src_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize count() by Src_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Inbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Dst_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top Denied Outbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize count() by Dst_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Outbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy - Copy\"}],\"fromTemplateId\":\"sentinel-SophosXGFirewall\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3a1905da-e863-4fb1-a4cc-373bfa047344\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| summarize inbound = countif(not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), outbound = countif((ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), deny = countif(Status == \\\"Deny\\\"), count() by bin(TimeGenerated, {TimeRange:grain})\\r\\n| project-away count_\",\"size\":0,\"title\":\"Network Traffic by Direction\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where Status in (\\\"Allow\\\",\\\"Deny\\\") or Log_Subtype in (\\\"Allowed\\\",\\\"Denied\\\")\\r\\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events by Action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and (Status =~ \\\"Deny\\\" or Log_Subtype =~ \\\"Denied\\\")\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Source IP'] = Src_IP\\r\\n| 
top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Source IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and (Status =~ \\\"Deny\\\" or Log_Subtype =~ \\\"Denied\\\")\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Destination IP'] = Dst_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Destination IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and (Status =~ \\\"Deny\\\" or Log_Subtype =~ \\\"Denied\\\")\\r\\n| where 
not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Src_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Dst_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| 
where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Src_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize count() by Src_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Inbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Dst_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top Denied Outbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize count() by Dst_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Outbound Traffic by 
Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy - Copy\"}],\"fromTemplateId\":\"sentinel-SophosXGFirewall\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -712,6 +712,10 @@ { "contentId": "SophosXGFirewall", "kind": "DataConnector" + }, + { + "contentId": "SyslogAma", + "kind": "DataConnector" } ] } @@ -741,7 +745,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SophosXGFirewall Data Parser with template version 3.0.0", + "description": "SophosXGFirewall Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
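Review bot: The new serializedData widens the Deny filter to `(Status =~ "Deny" or Log_Subtype =~ "Denied")` for the "Events by Action", "Top 10 Denied Inbound Source IPs", "Top 10 Denied Outbound Destination IPs" and "Top 10 Denied Inbound Ports" tiles, but on the same new side the "Top 10 Denied Outbound Ports", "Top 10 Denied Inbound Traffic by Country" and "Top Denied Outbound Traffic by Country" tiles still filter on `Status == "Deny"` alone, so the missing-field problem the release note describes persists for those tiles. In "Events by Action" the widened filter admits rows that match only on Log_Subtype, yet the tile still groups with `summarize count() by Status`, so those rows are charted under whatever Status value they carry (possibly empty) instead of under the Allow/Deny series that seriesLabelSettings colors; normalizing first, e.g. `| extend Action = case(Status in ("Allow","Deny"), Status, Log_Subtype == "Allowed", "Allow", Log_Subtype == "Denied", "Deny", "Other")` followed by `| summarize count() by Action, bin(TimeGenerated, {TimeRange:grain})`, keeps the legend consistent. Package/mainTemplate.json looks generated from Workbooks/SophosXGFirewall.json, so both fixes belong in the `@@ -97,7 +97,7 @@` and `@@ -127,7 +127,7 @@` hunks of that file (and the tiles that follow them) with the package regenerated afterwards. The workbook resource object holding this property starts and ends outside the hunk.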
@@ -867,7 +871,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Sophos XG Firewall",
diff --git a/Solutions/Sophos XG Firewall/ReleaseNotes.md b/Solutions/Sophos XG Firewall/ReleaseNotes.md
index e85d355765b..0ac78aa6269 100644
--- a/Solutions/Sophos XG Firewall/ReleaseNotes.md
+++ b/Solutions/Sophos XG Firewall/ReleaseNotes.md
@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 01-08-2024 |Update **Parser** as part of Syslog migration |
-| | |Deprecating data connectors |
\ No newline at end of file
+| 3.0.1 | 19-11-2024 | Updated SophosXGFirewall.json **Workbook** to fix missing fields|
+| 3.0.0 | 01-08-2024 | Update **Parser** as part of Syslog migration
Deprecating **Data Connectors** | \ No newline at end of file diff --git a/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json b/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json index 45ea361b89a..b274f5a6264 100644 --- a/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json +++ b/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json @@ -97,7 +97,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where Status in (\"Allow\",\"Deny\")\r\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})", + "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where Status in (\"Allow\",\"Deny\") or Log_Subtype in (\"Allowed\",\"Denied\")\r\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})", "size": 0, "title": "Events by Action", "timeContext": { @@ -127,7 +127,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Source IP'] = Src_IP\r\n| top 10 by Total", + "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and (Status =~ \"Deny\" or Log_Subtype =~ \"Denied\")\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Source IP'] = Src_IP\r\n| top 10 by Total", "size": 0, "title": "Top 10 Denied Inbound Source IPs", "timeContext": { 
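Review bot: In the -97 hunk the "Events by Action" query now admits rows through `Log_Subtype in ("Allowed","Denied")` but still does `summarize count() by Status`, so rows that match only on Log_Subtype (presumably the ones with an empty Status, which is what the new clause is there to catch) will be plotted as an unlabeled empty-Status series rather than under Allow/Deny. Group on a unified action column instead, e.g. `| summarize count() by Action = coalesce(Status, Log_Subtype), bin(TimeGenerated, {TimeRange:grain})`; since the two fields use different vocabularies ("Allow" vs "Allowed"), a `case()` mapping would collapse them into one pair of series. The later hunks at -127, -175 and -224 apply the same filter but group on IP or port, so they are not affected.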
@@ -175,7 +175,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Destination IP'] = Dst_IP\r\n| top 10 by Total", + "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and (Status =~ \"Deny\" or Log_Subtype =~ \"Denied\")\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Destination IP'] = Dst_IP\r\n| top 10 by Total", "size": 0, "title": "Top 10 Denied Outbound Destination IPs", "timeContext": { @@ -224,7 +224,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by Port = Src_Port\r\n| top 10 by Total", + "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and (Status =~ \"Deny\" or Log_Subtype =~ \"Denied\")\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by Port = Src_Port\r\n| top 10 by Total", "size": 0, "title": "Top 10 Denied Inbound Ports", "timeContext": { @@ -517,4 +517,4 @@ ], "fromTemplateId": "sentinel-SophosXGFirewall", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file +} 
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json
index 5e9eb454a92..1e82b562c27 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json
@@ -46,7 +46,8 @@
 "4": 2,
 "5": 2,
 "6": 1,
- "7": 1
+ "7": 1,
+ "8": 2
 }
 }
 },
diff --git a/Solutions/Torq/Data/Solution_Torq.json b/Solutions/Torq/Data/Solution_Torq.json
new file mode 100644
index 00000000000..886e33fb898
--- /dev/null
+++ b/Solutions/Torq/Data/Solution_Torq.json
@@ -0,0 +1,16 @@
+{
+ "Name": "Torq",
+ "Author": "Torq - support@torq.io",
+ "Logo": "",
+ "Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster",
+ "Analytic Rules": [],
+ "Playbooks": [
+ "Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json"
+ ],
+ "Workbooks": [],
+ "BasePath": "Users\\acitatorq\\git\\github\\Azure-Sentinel\\Solutions\\Torq",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+ }
\ No newline at end of file
diff --git a/Solutions/Torq/Package/3.0.0.zip b/Solutions/Torq/Package/3.0.0.zip
new file mode 100644
index 00000000000..46b0eafb58a
Binary files /dev/null and b/Solutions/Torq/Package/3.0.0.zip differ
diff --git a/Solutions/Torq/Package/createUiDefinition.json b/Solutions/Torq/Package/createUiDefinition.json
new file mode 100644
index 00000000000..30aca97e864
--- /dev/null
+++ b/Solutions/Torq/Package/createUiDefinition.json
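Review bot: The `Description` in Solution_Torq.json links the product name to `https://www.recordedfuture.com/`, which is not Torq's site; the same sentence is repeated in createUiDefinition.json's `basics.description` and presumably in the package `descriptionHtml` (its links are not visible in this rendering), so all three should carry the vendor URL the author intends — the only Torq URL in this PR is `https://support.torq.io`. `Logo` is left as an empty string and the generated package ends up with `"icon": ""`, while the PR also adds `Solutions/Torq/Playbooks/logo.png` that nothing references; confirm whether that file was meant to be the solution logo. `BasePath` is a local Windows checkout path including a username; it looks like packaging-tool input rather than something the solution needs, so consider dropping it before merge.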
@@ -0,0 +1,89 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Torq/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": 
{ + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Torq/Package/mainTemplate.json b/Solutions/Torq/Package/mainTemplate.json new file mode 100644 index 00000000000..6b4b45d945e --- /dev/null +++ b/Solutions/Torq/Package/mainTemplate.json 
@@ -0,0 +1,343 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Torq - support@torq.io", + "comments": "Solution template for Torq" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@torq.io", + "_email": "[variables('email')]", + "_solutionName": "Torq", + "_solutionVersion": "3.0.0", + "solutionId": "torq.torq_sentinel_solution", + "_solutionId": "[variables('solutionId')]", + "Torq-Sentinel-Incident-Trigger": "Torq-Sentinel-Incident-Trigger", + "_Torq-Sentinel-Incident-Trigger": "[variables('Torq-Sentinel-Incident-Trigger')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Torq-Sentinel-Incident-Trigger", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Sentinel_Incident_Sync_to_Torq Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Sentinel_Incident_Sync_to_Torq", + "type": "String" + }, + "Torq_Webhook_Enpoint_URL": { + "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Name": { + "defaultValue": "X-Torq-Auth", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Secret": { + "defaultValue": "secr3tP@ssw0rd", + "type": "String" + } + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": 
"[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Torq_Webhook_Enpoint_URL": { + "defaultValue": "[[parameters('Torq_Webhook_Enpoint_URL')]", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Name": { + "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Name')]", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Secret": { + "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Secret')]", + "type": "String" + }, + "$connections": { + "type": "Object" + } + }, + "staticResults": { + "HTTP0": { + "status": "Succeeded", + "outputs": { + "statusCode": "OK" + } + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": 
"/incident-creation" + }, + "conditions": "[variables('TemplateEmptyArray')]", + "runtimeConfiguration": { + "concurrency": { + "runs": 10, + "maximumWaitingRuns": 50 + } + } + } + }, + "actions": { + "Send_Notification_to_Torq": { + "limit": { + "timeout": "PT30S" + }, + "type": "Http", + "inputs": { + "uri": "@parameters('Torq_Webhook_Enpoint_URL')", + "method": "POST", + "headers": { + "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}" + }, + "body": "@triggerBody()" + }, + "operationOptions": "DisableAsyncPattern" + }, + "Terminate_Success": { + "runAfter": { + "Send_Notification_to_Torq": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "tags": { + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Torq", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Torq", + "email": "[variables('_email')]" + 
}, + "support": { + "name": "Torq Support Team", + "email": "support@torq.io", + "tier": "Partner", + "link": "https://support.torq.io" + } + } + } + ], + "metadata": { + "title": "Notify Sentinel Incident Creation and Update to Torq Webhook", + "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel", + "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update", + "prerequisites": [ + "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq", + "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration" + ], + "postDeployment": [ + "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.", + "Give the automation rule a meaningful name", + "From the Trigger drop-down menu, select When incident is created or updated", + "From the Actions drop-down menu, select Run playbook", + "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button" + ], + "lastUpdateTime": "2024-11-19T00:00:00Z", + "releaseNotes": [ + { + "version": "1.0", + "title": "Torq Sentinel Incident Trigger", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Sentinel_Incident_Sync_to_Torq", + "contentProductId": 
"[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Torq", + "publisherDisplayName": "Torq Support Team", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Torq is the AI-Driven Hyperautomation Platform that helps security teams automate more faster

\n

Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Torq", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Torq", + "email": "[variables('_email')]" + }, + "support": { + "name": "Torq Support Team", + "email": "support@torq.io", + "tier": "Partner", + "link": "https://support.torq.io" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Playbook", + "contentId": "[variables('_Torq-Sentinel-Incident-Trigger')]", + "version": "[variables('playbookVersion1')]" + } + ] + }, + "firstPublishDate": "2024-11-19", + "providers": [ + "Torq" + ], + "categories": { + "domains": [ + "Application" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Torq/Package/testParameters.json b/Solutions/Torq/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/Torq/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} 
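Review bot: `Torq_Webhook_Auth_Header_Secret` is declared as a plain `String` parameter with `"defaultValue": "secr3tP@ssw0rd"`, both in the inner mainTemplate `parameters` and again in the Logic App `definition.parameters`, so the secret is persisted in clear text in the deployment inputs, the template spec and the run history, and a user who accepts the defaults deploys a playbook that sends that placeholder value to the webhook. Declare it as `"type": "securestring"` with no `defaultValue` in the ARM parameters and as `"type": "SecureString"` in the workflow definition, and give `Torq_Webhook_Enpoint_URL` an empty or clearly-placeholder default instead of what reads as a concrete webhook URL, since these defaults are what the Playbook Templates gallery shows. The same parameter definitions appear in `Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json` and need the same change; the `Enpoint` typo in the parameter name is part of the public interface, so if it is fixed it has to be fixed in both files and the readme together.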
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
new file mode 100644
index 00000000000..58eadf8f396
--- /dev/null
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
@@ -0,0 +1,183 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Notify Sentinel Incident Creation and Update to Torq Webhook", + "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel", + "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update", + "prerequisites": [ + "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq", + "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration" + ], + "postDeployment": [ + "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.", + "Give the automation rule a meaningful name", + "From the Trigger drop-down menu, select When incident is created or updated", + "From the Actions drop-down menu, select Run playbook", + "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button" + ], + "lastUpdateTime": "2024-11-19T00:00:00.000Z", + "author": { + "name": "Torq" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "Torq Sentinel Incident Trigger", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Sentinel_Incident_Sync_to_Torq", + "type": "String" + }, + "Torq_Webhook_Enpoint_URL": { + "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Name": { + "defaultValue": "X-Torq-Auth", + "type": "String" + }, + 
"Torq_Webhook_Auth_Header_Secret": { + "defaultValue": "secr3tP@ssw0rd", + "type": "String" + } + }, + "variables": { + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Torq_Webhook_Enpoint_URL": { + "defaultValue": "[parameters('Torq_Webhook_Enpoint_URL')]", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Name": { + "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Name')]", + "type": "String" + }, + "Torq_Webhook_Auth_Header_Secret": { + "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Secret')]", + "type": "String" + }, + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "staticResults": { + "HTTP0": { + "status": "Succeeded", + "outputs": { + "statusCode": "OK" + } + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + }, + "conditions": [], + "runtimeConfiguration": { + "concurrency": { + "runs": 10, + "maximumWaitingRuns": 50 + } + } + } + }, + "actions": { + "Send_Notification_to_Torq": { + "runAfter": {}, + "limit": { + "timeout": "PT30S" + }, + "type": "Http", + "inputs": { + "uri": "@parameters('Torq_Webhook_Enpoint_URL')", + "method": "POST", + "headers": { + "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}" + }, + "body": "@triggerBody()" + }, + "operationOptions": "DisableAsyncPattern" + }, + "Terminate_Success": { + "runAfter": { + "Send_Notification_to_Torq": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png new file mode 100644 index 00000000000..f1cb5f3ce2c Binary files /dev/null and b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png differ 
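Review bot: The `Send_Notification_to_Torq` action posts `@triggerBody()` — the whole incident object the Sentinel trigger delivers — to the external webhook, but `metadata.description` only says the playbook "Sends an HTTPS request"; state there (and in the readme) that the complete incident payload leaves the tenant so operators can judge what the automation rule shares, e.g. `"description": "Forwards the full Microsoft Sentinel incident payload (the trigger body) via HTTPS POST to a Torq webhook whenever an incident is created or updated"`. `staticResults.HTTP0` is declared but no action's `runtimeConfiguration` references it, so it can be removed. The secret/endpoint parameter typing issue raised on the package mainTemplate applies to this file's `parameters` and `definition.parameters` as well.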
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md new file mode 100644 index 00000000000..55ff9f9e548 --- /dev/null +++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md @@ -0,0 +1,43 @@ +# Torq-Sentinel-Incident-Trigger + +## Summary + +When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq. + +
+ +### Prerequisites + +1. Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq. +2. Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration. + + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required paramters: + * Playbook Name: Enter the playbook name here + * Torq_Webhook_Enpoint_URL: Enter the endpoint URL for the Microsoft Sentinel Trigger integration previously created in Torq. + * Torq_Webhook_Auth_Header_Name: Enter the authentication header name for the Microsoft Sentinel Trigger integration previously created in Torq. + * Torq_Webhook_Auth_Header_Secret: Enter the authentication header secret for the Microsoft Sentinel Trigger integration previously created in Torq. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) + +### Post-Deployment instructions + +1. Browse to your Microsoft Sentinel workspace > Configuration > Automation +2. Click "+ Create" and select "Automation rule" to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is **created**. +3. Give the automation rule a meaningful name, like "Notify Torq when new Sentinel Incident is created". +4. From the "Trigger" drop-down menu, select **"When incident is created"**. +5. 
Leave "Conditions" to its default values. +6. From the "Actions" drop-down menu, select "Run playbook". +7. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq" +8. Click the "Apply" button. +9. Click "+ Create" again and select "Automation rule" to create a new automation rule meant to send a notification to Torq when an existing Sentinel Incident is **updated**. +10. Give the automation rule a meaningful name, like "Notify Torq when a Sentinel Incident is updated". +11. From the "Trigger" drop-down menu, select **"When incident is updated"** +12. Leave "Conditions" to its default values. +13. From the "Actions" drop-down menu, select "Run playbook". +14. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq" +15. Click the "Apply" button. + diff --git a/Solutions/Torq/Playbooks/logo.png b/Solutions/Torq/Playbooks/logo.png new file mode 100644 index 00000000000..cc5d3be7328 Binary files /dev/null and b/Solutions/Torq/Playbooks/logo.png differ diff --git a/Solutions/Torq/ReleaseNotes.md b/Solutions/Torq/ReleaseNotes.md new file mode 100644 index 00000000000..3f82c05deba --- /dev/null +++ b/Solutions/Torq/ReleaseNotes.md @@ -0,0 +1,4 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 21-11-2023 | Initial Solution Release | + diff --git a/Solutions/Torq/SolutionMetadata.json b/Solutions/Torq/SolutionMetadata.json new file mode 100644 index 00000000000..62d26f325cc --- /dev/null +++ b/Solutions/Torq/SolutionMetadata.json 
@@ -0,0 +1,15 @@
+{
+ "publisherId": "torq",
+ "offerId": "torq_sentinel_solution",
+ "firstPublishDate": "2024-11-19",
+ "providers": ["Torq"],
+ "categories": {
+ "domains" : ["Application"]
+ },
+ "support": {
+ "name": "Torq Support Team",
+ "email": "support@torq.io",
+ "tier": "Partner",
+ "link": "https://support.torq.io"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json
index b63df9523f3..0ee790c46ab 100644
--- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json
+++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json
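Review bot: `"firstPublishDate": "2024-11-19"` disagrees with the ReleaseNotes.md table added in the same commit, which dates the initial 3.0.0 release `21-11-2023`; one of the two dates should be corrected so the solution metadata and the release history agree. `"domains" : ["Application"]` also carries a stray space before the colon, unlike every other key in the file, and the file is committed without a trailing newline, which will show up as noise in the next diff that touches it.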
@@ -1147,7 +1147,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = 
mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", + "transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 
= parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", "outputStream": "Custom-CarbonBlack_Alerts_CL" }, { 
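Review bot: `TimeGenerated = todatetime(detection_timestamp)` yields a null TimeGenerated whenever the raw value is not in a format todatetime() accepts, and the same string is still projected unparsed into `DetectionTimestamp`, so a failed conversion would not be visible in the resulting table. The authentication transform in this file's `@@ -1167` hunk rebuilds its timestamps with `strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')`, which suggests the source emits a space-separated form that is assumed to be UTC; it is worth confirming that todatetime() handles `detection_timestamp` the same way, or reusing that reconstruction here. The identical change is repeated for `create_time` in the `@@ -1157` hunk and in the mainTemplate.json copies at `@@ -1648` and `@@ -1658`, so any adjustment needs to land in all four places.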
@@ -1157,7 +1157,7 @@
 "destinations": [
 "clv2ws1"
 ],
- "transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
+ "transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
 "outputStream": "Custom-CarbonBlack_Watchlist_CL"
 },
 {
@@ -1167,7 +1167,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', 
netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = 
backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", + "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = 
todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', 
parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = 
process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", "outputStream": "Microsoft-ASimAuthenticationEventLogs" }, { diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json index 27f8d3b8519..5a92d1e206c 100644 --- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json +++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json 
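Review bot: `LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')` survives unchanged on the new side and looks like a transposition of `NTLM`; if the raw `auth_package` values use the standard spelling, the comparison never matches, every logon is labelled `Kerberos`, and the transposed literal would be emitted as the protocol name in any row that did match. The escape correction to `'\\\\'` in the two `contains` checks is right, but this adjacent literal in the same transform was not touched. Suggest `LogonProtocol = case(auth_package == 'NTLM', 'NTLM', 'Kerberos')` after checking the vendor's actual values, and consider a fallback other than `'Kerberos'` so unrecognised packages are not silently reported as Kerberos. The same transform is duplicated in mainTemplate.json at `@@ -1668`.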
@@ -5,7 +5,7 @@
 "kind": "AmazonWebServicesS3",
 "properties": {
 "connectorDefinitionName": "carbonBlackAWSS3",
- "dataType": {
+ "dataTypes": {
 "logs": {
 "state": "enabled"
 }
diff --git a/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip b/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip
new file mode 100644
index 00000000000..c22bc321224
Binary files /dev/null and b/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip differ
diff --git a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
index 1a908fe95fb..f62504fc9b7 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
@@ -63,23 +63,6 @@
 "text": "This Solution installs the data connector for VMware Carbon Black Cloud. You can get VMware Carbon Black Cloud data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
- {
- "name": "dataconnectors-link1",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- },
- {
- "name": "dataconnectors2-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for VMware Carbon Black Cloud. You can get VMware Carbon Black Cloud custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
 {
 "name": "dataconnectors-link2",
 "type": "Microsoft.Common.TextBlock",
@@ -225,4 +208,4 @@
 "workspace": "[basics('workspace')]"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
index 9d8b76701b8..42538e6f27e 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "VMware Carbon Black Cloud",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-vmwarecarbonblack",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -1648,7 +1648,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = 
mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", + "transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 
= parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence", "outputStream": "Custom-CarbonBlack_Alerts_CL" }, { 
@@ -1658,7 +1658,7 @@
 "destinations": [
 "clv2ws1"
 ],
- "transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
+ "transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
 "outputStream": "Custom-CarbonBlack_Watchlist_CL"
 },
 {
@@ -1668,7 +1668,7 @@ "destinations": [ "clv2ws1" ], - "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', 
netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = 
backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", + "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = 
todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', 
parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = 
process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'", "outputStream": "Microsoft-ASimAuthenticationEventLogs" }, { @@ -2534,6 +2534,9 @@ }, "type": "object" }, + "streamName": { + "type": "array" + }, "roleArn": { "defaultValue": "roleArn", "type": "string", @@ -2583,7 +2586,7 @@ "kind": "AmazonWebServicesS3", "properties": { "connectorDefinitionName": "carbonBlackAWSS3", - "dataType": { + "dataTypes": { "logs": { "state": "enabled" } 
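Review bot: `LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')` in the rewritten transformKql compares against, and emits, the misspelling `NLTM`; if the source field carries the conventional spelling `NTLM`, that branch never matches and every event is normalized as Kerberos, which hides exactly the NTLM authentications analysts filter ASIM data for. Both literals should read `NTLM`, and the default branch would be safer passing the raw value through rather than assuming Kerberos, e.g. `case(auth_package == 'NTLM', 'NTLM', auth_package == 'Kerberos', 'Kerberos', auth_package)`. Separately, `EventVendor = 'VMWare'` is capitalized differently from the `VMware` used in this template's own descriptions, so consumers filtering on EventVendor may miss these rows. Both points are pre-existing text that the backslash-escaping fix carried over; the `streamName` parameter and the `dataType`→`dataTypes` rename in the following hunks look fine.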
@@ -2625,7 +2628,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMware Carbon Black Cloud data connector with template version 3.0.3",
+ "description": "VMware Carbon Black Cloud data connector with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -3038,7 +3041,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3066,10 +3069,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "VMwareCarbonBlack",
 "dataTypes": [
 "CarbonBlackNotifications_CL"
- ]
+ ],
+ "connectorId": "VMwareCarbonBlack"
 }
 ],
 "tactics": [
@@ -3080,22 +3083,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -3151,7 +3154,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -3179,10 +3182,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "VMwareCarbonBlack",
 "dataTypes": [
 "CarbonBlackEvents_CL"
- ]
+ ],
+ "connectorId": "VMwareCarbonBlack"
 }
 ],
 "tactics": [
@@ -3193,31 +3196,31 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -3273,7 +3276,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMwareCarbonBlack Workbook with template version 3.0.3",
+ "description": "VMwareCarbonBlack Workbook with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -3369,7 +3372,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CarbonBlackConnector Playbook with template version 3.0.3",
+ "description": "CarbonBlackConnector Playbook with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -5003,7 +5006,7 @@
 ],
 "metadata": {
 "comments": "This connector used to perform different actions on alerts , device and threats using CarbonBlack cloud endpoint API.",
- "lastUpdateTime": "2024-10-15T19:22:24.265Z",
+ "lastUpdateTime": "2024-11-19T15:06:50.446Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[variables('blanks')]",
@@ -5035,7 +5038,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.3",
+ "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -6838,7 +6841,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.3",
+ "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -7581,7 +7584,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.3",
+ "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -8005,7 +8008,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "VMware Carbon Black Cloud",
diff --git a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
index b4bc33b9dd6..c21d2f75395 100644
--- a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
+++ b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------------------------------|
+| 3.0.4 | 19-11-2024 | Modified TransformKQL queries of CCP **Data Connector** |
 | 3.0.3 | 28-10-2024 | Added Sample Queries to the CCP **Data Connector** template |
 | 3.0.2 | 15-10-2024 | Added new CCP **Data Connector** to the Solution |
 | 3.0.1 | 17-04-2024 | Added Azure Deploy button for government portal deployments in **Data connectors** |
diff --git a/Solutions/VMware vCenter/Package/3.0.3.zip b/Solutions/VMware vCenter/Package/3.0.3.zip
new file mode 100644
index 00000000000..85e64436a45
Binary files /dev/null and b/Solutions/VMware vCenter/Package/3.0.3.zip differ
diff --git a/Solutions/VMware vCenter/Package/mainTemplate.json b/Solutions/VMware vCenter/Package/mainTemplate.json
index ad22b91c621..34c70187130 100644
--- a/Solutions/VMware vCenter/Package/mainTemplate.json
+++ b/Solutions/VMware vCenter/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "VMware vCenter",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-vcenter",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -55,7 +55,7 @@
 "_parserName1": "[concat(parameters('workspace'),'/','vCenter')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vCenter')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('vCenter-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "1.0.1",
 "parserContentId1": "vCenter-Parser"
 },
 "uiConfigId1": "VMwarevCenter",
@@ -93,7 +93,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "vCenter Workbook with template version 3.0.2",
+ "description": "vCenter Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -181,7 +181,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "vCenter Data Parser with template version 3.0.2",
+ "description": "vCenter Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -198,7 +198,7 @@ "displayName": "vCenter", "category": "Microsoft Sentinel Parser", "functionAlias": "vCenter", - "query": "let vCenter_Login =() {\nvcenter_CL\n| where Message has (\"UserLoginSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\"\n};\nlet vCenter_Logout =() {vcenter_CL\n| where Message has (\"UserLogoutSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\"\n};\nlet vCenter_Role=() {vcenter_CL\n| where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\"\n};\nlet vCenter_RoleModified=() {vcenter_CL\n| where Message has (\"RoleUpdatedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\"\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n", + "query": "let vCenter_Login =() {\n vcenter_CL\n | where Message has (\"UserLoginSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] 
[\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\" *\n};\nlet vCenter_Logout =() {\n vcenter_CL\n | where Message has (\"UserLogoutSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\" *\n};\nlet vCenter_Role=() {\n vcenter_CL\n | where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\" *\n};\nlet vCenter_RoleModified=() {\n vcenter_CL\n | where Message has (\"RoleUpdatedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\" *\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n| extend ClientIP = SourceIP\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -248,8 +248,8 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "vCenter",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
 "version": "[variables('parserObject1').parserVersion1]"
 }
 },
@@ -263,7 +263,7 @@ "displayName": "vCenter", "category": "Microsoft Sentinel Parser", "functionAlias": "vCenter", - "query": "let vCenter_Login =() {\nvcenter_CL\n| where Message has (\"UserLoginSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\"\n};\nlet vCenter_Logout =() {vcenter_CL\n| where Message has (\"UserLogoutSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\"\n};\nlet vCenter_Role=() {vcenter_CL\n| where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\"\n};\nlet vCenter_RoleModified=() {vcenter_CL\n| where Message has (\"RoleUpdatedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\"\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n", + "query": "let vCenter_Login =() {\n vcenter_CL\n | where Message has (\"UserLoginSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] 
[\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\" *\n};\nlet vCenter_Logout =() {\n vcenter_CL\n | where Message has (\"UserLogoutSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\" *\n};\nlet vCenter_Role=() {\n vcenter_CL\n | where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\" *\n};\nlet vCenter_RoleModified=() {\n vcenter_CL\n | where Message has (\"RoleUpdatedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\" *\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n| extend ClientIP = SourceIP\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -313,7 +313,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMware vCenter data connector with template version 3.0.2",
+ "description": "VMware vCenter data connector with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -703,7 +703,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "vCenter-Root impersonation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "vCenter-Root impersonation_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -731,16 +731,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "vCenter",
 "dataTypes": [
 "vCenter"
- ]
+ ],
+ "connectorId": "vCenter"
 },
 {
- "connectorId": "CustomLogsAma",
 "dataTypes": [
 "vcenter_CL"
- ]
+ ],
+ "connectorId": "CustomLogsAma"
 }
 ],
 "tactics": [
@@ -813,7 +813,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "vCenterRootLogin_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "vCenterRootLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -841,16 +841,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "vCenter",
 "dataTypes": [
 "vCenter"
- ]
+ ],
+ "connectorId": "vCenter"
 },
 {
- "connectorId": "CustomLogsAma",
 "dataTypes": [
 "vcenter_CL"
- ]
+ ],
+ "connectorId": "CustomLogsAma"
 }
 ],
 "tactics": [
@@ -920,7 +920,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "VMware vCenter",
diff --git a/Solutions/VMware vCenter/Parsers/vCenter.yaml b/Solutions/VMware vCenter/Parsers/vCenter.yaml
index 55198b50c5c..534301b8589 100644
--- a/Solutions/VMware vCenter/Parsers/vCenter.yaml
+++ b/Solutions/VMware vCenter/Parsers/vCenter.yaml
@@ -1,27 +1,31 @@
 id: a466d02c-cfe0-4377-9ae0-fdfc8dd79e78
 Function:
 Title: Parser for vCenter
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '1.0.1'
+ LastUpdated: '2024-11-08'
 Category: Microsoft Sentinel Parser
 FunctionName: vCenter
 FunctionAlias: vCenter
 FunctionQuery: |
 let vCenter_Login =() {
- vcenter_CL
- | where Message has ("UserLoginSessionEvent")
- | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]"
+ vcenter_CL
+ | where Message has ("UserLoginSessionEvent")
+ | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
 };
- let vCenter_Logout =() {vcenter_CL
- | where Message has ("UserLogoutSessionEvent")
- | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User" DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:int ", user agent:" UserAgent:string ")]"
+ let vCenter_Logout =() {
+ vcenter_CL
+ | where Message has ("UserLogoutSessionEvent")
+ | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User" DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:int ", user agent:" UserAgent:string ")]" *
 };
- let vCenter_Role=() {vcenter_CL
- | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
- | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string "]"
+ let vCenter_Role=() {
+ vcenter_CL
+ | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
+ | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string "]" *
 };
- let vCenter_RoleModified=() {vcenter_CL
- | where Message has ("RoleUpdatedEvent")
- | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]"
+ let vCenter_RoleModified=() {
+ vcenter_CL
+ | where Message has ("RoleUpdatedEvent")
+ | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]" *
 };
- union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
\ No newline at end of file
+ union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
+ | extend ClientIP = SourceIP
diff --git a/Solutions/VMware vCenter/ReleaseNotes.md b/Solutions/VMware vCenter/ReleaseNotes.md
index 005dfa93493..5ba59fe2232 100644
--- a/Solutions/VMware vCenter/ReleaseNotes.md
+++ b/Solutions/VMware vCenter/ReleaseNotes.md
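Review bot: The logout pattern on the `+` parse line of `vCenter_Logout` opens with `"[User"` while the login pattern uses `"[User "`; if the logout message has the same `[User DOMAIN\user@ip` layout as the login one, `DomainName` in logout rows will carry a leading space, so equality joins or `summarize` across login and logout events on that column silently split (the same applies to `LoginTime` after `"(login time:"` and `UserAgent` after `", user agent:"`). Either align the literal, `"[User " DomainName:string "\\" Username:string`, or normalise after the union with `| extend DomainName = trim(" ", DomainName)`. `| extend ClientIP = SourceIP` runs after the union and only the login/logout branches emit `SourceIP`, so role-event rows carry an empty `ClientIP`; a `// ClientIP aliases SourceIP for <consumer>` comment inside the block scalar recording why the alias was added would save the next reader a lookup. `LastUpdated: '2024-11-08'` here differs from the `18-11-2024` date the release-notes hunk records for 3.0.3; if those are meant to agree, align them.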
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.2 | 09-08-2024 | Deprecating data connectors | +| 3.0.3 | 18-11-2024 | Modified **Parser** vCenter.yaml for better parsing | +| 3.0.2 | 09-08-2024 | Deprecating **Data Connectors** | | 3.0.1 | 27-05-2024 | Updated the **Data Connector** instructions | | 3.0.0 | 27-07-2023 | Corrected the links in the solution | diff --git a/Solutions/Vectra AI Stream/Data/Solution_Vectra.json b/Solutions/Vectra AI Stream/Data/Solution_Vectra.json index 82f27ce0fe0..4a7019f4ff9 100644 --- a/Solutions/Vectra AI Stream/Data/Solution_Vectra.json +++ b/Solutions/Vectra AI Stream/Data/Solution_Vectra.json @@ -26,12 +26,13 @@ "Vectra AI Stream/Parsers/vectra_ssh.yaml", "Vectra AI Stream/Parsers/vectra_ssl.yaml", "Vectra AI Stream/Parsers/vectra_stream.yaml", - "Vectra AI Stream/Parsers/vectra_x509.yaml" + "Vectra AI Stream/Parsers/vectra_x509.yaml", + "Vectra AI Stream/Parsers/vectra_match.yaml" ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\Users\\fguillot\\Documents\\GitHub\\Azure-Sentinel\\Solutions\\Vectra AI Stream", - "Version": "3.0.0", + "Version": "3.0.1", "TemplateSpec": true, "Is1Pconnector": false } \ No newline at end of file diff --git a/Solutions/Vectra AI Stream/Package/3.0.1.zip b/Solutions/Vectra AI Stream/Package/3.0.1.zip new file mode 100644 index 00000000000..1cfb58f83c7 Binary files /dev/null and b/Solutions/Vectra AI Stream/Package/3.0.1.zip differ diff --git a/Solutions/Vectra AI Stream/Package/createUiDefinition.json b/Solutions/Vectra AI Stream/Package/createUiDefinition.json index 9d77ada7447..886b719f74b 100644 --- a/Solutions/Vectra AI Stream/Package/createUiDefinition.json +++ b/Solutions/Vectra AI Stream/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Stream/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n**Note:** Please refer to the following before installing the solution: \n\n• There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Stream](https://www.vectra.ai/products/platform) solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our [Network Metadata reference guide]( https://support.vectra.ai/s/article/KB-VS-1245)\n\r\n1. ** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here]( https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. ** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. 
Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 19\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Stream/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n**Note:** Please refer to the following before installing the solution: \n\n• There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Stream](https://www.vectra.ai/products/platform) solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our [Network Metadata reference guide]( https://support.vectra.ai/s/article/KB-VS-1245)\n\r\n1. ** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here]( https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama). 
**Microsoft recommends using this Data Connector**.\n\r\n2. ** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 20\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Vectra AI Stream/Package/mainTemplate.json b/Solutions/Vectra AI Stream/Package/mainTemplate.json index acc1aabae59..d67ea172518 100644 --- a/Solutions/Vectra AI Stream/Package/mainTemplate.json +++ b/Solutions/Vectra AI Stream/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "tme@vetcra.ai", "_email": "[variables('email')]", "_solutionName": "Vectra AI Stream", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "vectraaiinc.vectra_sentinel_solution", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "AIVectraStream", 
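Review bot: The rewritten `description` on the `+` line only bumps the parser count to 20 and leaves the surrounding text stale: it still says the legacy agent is "about to be deprecated by **Aug 31, 2024**", a date already past relative to the 2024-11 changes elsewhere in this commit, and the `**Note:** … known issues` paragraph appears twice. The `** Vectra AI Stream … via AMA**` spans have a space after the opening `**`, and the last one (`** Vectra AI Stream (Network Enriched Metadata) via AMA Connector.`) is never closed, so none of them render as bold. This string is presumably generated from the solution's metadata under `Solutions/Vectra AI Stream/Data/`; if so, fix the source text there rather than in the package, or the next packaging run reintroduces the problems.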
@@ -177,7 +177,7 @@
 "_parserName18": "[concat(parameters('workspace'),'/','vectra_stream')]",
 "_parserId18": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_stream')]",
 "parserTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('vectra_stream-Parser')))]",
- "parserVersion18": "1.0.0",
+ "parserVersion18": "1.0.1",
 "parserContentId18": "vectra_stream-Parser"
 },
 "parserObject19": {
@@ -187,6 +187,13 @@
 "parserVersion19": "1.0.0",
 "parserContentId19": "vectra_x509-Parser"
 },
+ "parserObject20": {
+ "_parserName20": "[concat(parameters('workspace'),'/','vectra_match')]",
+ "_parserId20": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_match')]",
+ "parserTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('vectra_match-Parser')))]",
+ "parserVersion20": "1.0.0",
+ "parserContentId20": "vectra_match-Parser"
+ },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
@@ -199,7 +206,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Vectra AI Stream data connector with template version 3.0.0",
+ "description": "Vectra AI Stream data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -606,7 +613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Vectra AI Stream data connector with template version 3.0.0", + "description": "Vectra AI Stream data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -1165,7 +1172,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VectraStream_function Data Parser with template version 3.0.0", + "description": "VectraStream_function Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -1297,7 +1304,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_beacon Data Parser with template version 3.0.0", + "description": "vectra_beacon Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", 
@@ -1429,7 +1436,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_dcerpc Data Parser with template version 3.0.0", + "description": "vectra_dcerpc Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", @@ -1561,7 +1568,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_dhcp Data Parser with template version 3.0.0", + "description": "vectra_dhcp Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", @@ -1693,7 +1700,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_dns Data Parser with template version 3.0.0", + "description": "vectra_dns Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", 
@@ -1825,7 +1832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_http Data Parser with template version 3.0.0", + "description": "vectra_http Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", @@ -1957,7 +1964,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_isession Data Parser with template version 3.0.0", + "description": "vectra_isession Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject7').parserVersion7]", @@ -2089,7 +2096,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_kerberos Data Parser with template version 3.0.0", + "description": "vectra_kerberos Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject8').parserVersion8]", 
@@ -2221,7 +2228,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_ldap Data Parser with template version 3.0.0", + "description": "vectra_ldap Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject9').parserVersion9]", @@ -2353,7 +2360,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_ntlm Data Parser with template version 3.0.0", + "description": "vectra_ntlm Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject10').parserVersion10]", @@ -2485,7 +2492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_radius Data Parser with template version 3.0.0", + "description": "vectra_radius Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject11').parserVersion11]", 
@@ -2617,7 +2624,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_rdp Data Parser with template version 3.0.0", + "description": "vectra_rdp Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject12').parserVersion12]", @@ -2749,7 +2756,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_smbfiles Data Parser with template version 3.0.0", + "description": "vectra_smbfiles Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject13').parserVersion13]", @@ -2881,7 +2888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_smbmapping Data Parser with template version 3.0.0", + "description": "vectra_smbmapping Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject14').parserVersion14]", 
@@ -3013,7 +3020,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_smtp Data Parser with template version 3.0.0", + "description": "vectra_smtp Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject15').parserVersion15]", @@ -3145,7 +3152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_ssh Data Parser with template version 3.0.0", + "description": "vectra_ssh Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject16').parserVersion16]", @@ -3277,7 +3284,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_ssl Data Parser with template version 3.0.0", + "description": "vectra_ssl Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject17').parserVersion17]", 
@@ -3409,7 +3416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_stream Data Parser with template version 3.0.0", + "description": "vectra_stream Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject18').parserVersion18]", @@ -3426,7 +3433,7 @@ "displayName": "vectra_stream parser for Vectra AI", "category": "Microsoft Sentinel Parser", "functionAlias": "vectra_stream", - "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509\n};\nvectra_stream", + "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509, vectra_match\n};\nvectra_stream", "functionParameters": "", "version": 2, "tags": [ 
@@ -3476,8 +3483,8 @@ "contentId": "[variables('parserObject18').parserContentId18]", "contentKind": "Parser", "displayName": "vectra_stream parser for Vectra AI", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.1')))]", "version": "[variables('parserObject18').parserVersion18]" } }, @@ -3491,7 +3498,7 @@ "displayName": "vectra_stream parser for Vectra AI", "category": "Microsoft Sentinel Parser", "functionAlias": "vectra_stream", - "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509\n};\nvectra_stream", + "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509, vectra_match\n};\nvectra_stream", "functionParameters": "", "version": 2, "tags": [ 
@@ -3541,7 +3548,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "vectra_x509 Data Parser with template version 3.0.0", + "description": "vectra_x509 Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject19').parserVersion19]", 
@@ -3664,17 +3671,149 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject20').parserTemplateSpecName20]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "vectra_match Data Parser with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject20').parserVersion20]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject20')._parserName20]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "vectra_match parser for Vectra AI", + "category": "Microsoft Sentinel Parser", + "functionAlias": "vectra_match", + "query": "let vectra_match = view () {\n vectra_match_CL\n | extend\n EventVendor=\"Vectra AI\",\n EventProduct=\"Stream\",\n EventType=\"vectra_match\"\n};\nvectra_match\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject20')._parserId20,'/'))))]", + "dependsOn": [ + "[variables('parserObject20')._parserId20]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_match')]", + "contentId": 
"[variables('parserObject20').parserContentId20]", + "kind": "Parser", + "version": "[variables('parserObject20').parserVersion20]", + "source": { + "name": "Vectra AI Stream", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Vectra TME Team", + "email": "[variables('_email')]" + }, + "support": { + "name": "Vectra AI", + "email": "support@vectra.ai", + "tier": "Partner", + "link": "https://www.vectra.ai/support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject20').parserContentId20]", + "contentKind": "Parser", + "displayName": "vectra_match parser for Vectra AI", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject20').parserContentId20,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject20').parserContentId20,'-', '1.0.0')))]", + "version": "[variables('parserObject20').parserVersion20]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject20')._parserName20]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "vectra_match parser for Vectra AI", + "category": "Microsoft Sentinel Parser", + "functionAlias": "vectra_match", + "query": "let vectra_match = view () {\n vectra_match_CL\n | extend\n EventVendor=\"Vectra AI\",\n EventProduct=\"Stream\",\n EventType=\"vectra_match\"\n};\nvectra_match\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject20')._parserId20,'/'))))]", + "dependsOn": [ + "[variables('parserObject20')._parserId20]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_match')]", + "contentId": "[variables('parserObject20').parserContentId20]", + "kind": "Parser", + "version": "[variables('parserObject20').parserVersion20]", + "source": { + "kind": "Solution", + "name": "Vectra AI Stream", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Vectra TME Team", + "email": "[variables('_email')]" + }, + "support": { + "name": "Vectra AI", + "email": "support@vectra.ai", + "tier": "Partner", + "link": "https://www.vectra.ai/support" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Vectra AI Stream", "publisherDisplayName": "Vectra AI", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Note: Please refer to the following before installing the solution:

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vectra AI Stream solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our Network Metadata reference guide

\n
    \n
  1. ** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 19

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Note: Please refer to the following before installing the solution:

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vectra AI Stream solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our Network Metadata reference guide

\n
    \n
  1. ** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. ** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 20

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3803,6 +3942,11 @@ "kind": "Parser", "contentId": "[variables('parserObject19').parserContentId19]", "version": "[variables('parserObject19').parserVersion19]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject20').parserContentId20]", + "version": "[variables('parserObject20').parserVersion20]" } ] }, diff --git a/Solutions/Vectra AI Stream/Parsers/vectra_match.yaml b/Solutions/Vectra AI Stream/Parsers/vectra_match.yaml new file mode 100644 index 00000000000..06712f5648b --- /dev/null +++ b/Solutions/Vectra AI Stream/Parsers/vectra_match.yaml @@ -0,0 +1,17 @@ +id: 7ba35238-0db6-4f32-bb69-9b47c3050b0e +Function: + Title: vectra_match parser for Vectra AI + Version: 1.0.0 + LastUpdated: '2024-11-15' +Category: Microsoft Sentinel Parser +FunctionName: vectra_match +FunctionAlias: vectra_match +FunctionQuery: |+ + let vectra_match = view () { + vectra_match_CL + | extend + EventVendor="Vectra AI", + EventProduct="Stream", + EventType="vectra_match" + }; + vectra_match \ No newline at end of file diff --git a/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml b/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml index 181d5ee80db..2dea282e138 100644 --- a/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml +++ b/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml 
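Review bot: `FunctionQuery: |+` keeps every trailing newline of the block scalar, while the sibling `vectra_stream.yaml` in this same commit uses `|-`; because the new file ends without a newline the two headers currently yield the same query text, but any blank line added at the end of the file later would silently become part of the function body. `FunctionQuery: |-` keeps this parser consistent with the others. The view only tags `vectra_match_CL` with `EventVendor`, `EventProduct` and `EventType` and passes every other column through unchanged, so a comment above `FunctionQuery` such as `# Raw vectra_match_CL schema is passed through; only EventVendor/EventProduct/EventType are added` would tell content authors not to expect normalised match fields from this parser.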
@@ -1,13 +1,13 @@ id: 6f157121-0831-4d7b-9c2f-32cbc17cb8e0 Function: Title: vectra_stream parser for Vectra AI - Version: 1.0.0 - LastUpdated: '2024-04-26' + Version: 1.0.1 + LastUpdated: '2024-11-15' Category: Microsoft Sentinel Parser FunctionName: vectra_stream FunctionAlias: vectra_stream FunctionQuery: |- let vectra_stream = view () { - union isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509 + union isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509, vectra_match }; vectra_stream \ No newline at end of file diff --git a/Solutions/Vectra AI Stream/ReleaseNotes.md b/Solutions/Vectra AI Stream/ReleaseNotes.md index 1a3030b9a96..799e2ec6efb 100644 --- a/Solutions/Vectra AI Stream/ReleaseNotes.md +++ b/Solutions/Vectra AI Stream/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| +| 3.0.1 | 19-11-2024 |Added new **Parser** vectra_match to the Solution
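Review bot: The `union isfuzzy=true` line now carries 18 source views on a single line, so this hunk shows the whole line as changed and the actual addition of `vectra_match` is easy to miss in review. The `|-` block scalar already preserves newlines and KQL accepts a line break after each comma, so listing one view per line would turn the next addition into a one-line diff. With `isfuzzy=true` a workspace that does not yet have the new `vectra_match` view should still resolve the union, so the addition itself does not appear to change compatibility.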
Update the solution to support a new metadata type: match (suricata)| | 3.0.0 | 10-07-2024 | Added new **AMA Data Connector**
Removed deprecated content **Hunting Queries** And **Workbooks**
Added new **Parsers** to the Solution |
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 1bb10f4d768..4c04cbd03c8 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1958,8 +1958,7 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "ForcepointCSG",
- "ForcepointCSGAma"
+ "CefAma"
 ],
 "previewImagesFileNames": [
 "ForcepointCloudSecurityGatewayWhite.png",
@@ -2986,8 +2985,7 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "Claroty",
- "ClarotyAma"
+ "CefAma"
 ],
 "previewImagesFileNames": [
 "ClarotyBlack.png",
@@ -3363,8 +3361,7 @@
 "PingFederateEvent"
 ],
 "dataConnectorsDependencies": [
- "PingFederate",
- "PingFederateAma"
+ "CefAma"
 ],
 "previewImagesFileNames": [
 "PingFederateBlack1.png",
diff --git a/Tools/MDO-Power BI Dashboard b/Tools/MDO-Power BI Dashboard
deleted file mode 100644
index 8b137891791..00000000000
--- a/Tools/MDO-Power BI Dashboard
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit
similarity index 100%
rename from Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit
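Review bot: The `@@ -1958` hunk replaces `ForcepointCSG`/`ForcepointCSGAma` with `CefAma`, and the `@@ -2986` and `@@ -3363` hunks do the same for Claroty and PingFederate, whereas the matching hunks in `Workbooks/WorkbooksMetadata.json` further down only delete the vendor ids because that copy already listed `CefAma`. The two metadata copies were therefore already out of sync before this change, and nothing in the commit says which of them the packaging tool under `Tools/Create-Azure-Sentinel-Solution/V2` actually reads. It may be worth confirming that and recording it in that tool's README, so the next dependency change does not have to be mirrored by hand in two places.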
diff --git a/Tools/MDO Power BI Dashboard/MDO Detection Details Report v2.3.1.pbit b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report v2.3.1(legacy).pbit
similarity index 100%
rename from Tools/MDO Power BI Dashboard/MDO Detection Details Report v2.3.1.pbit
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report v2.3.1(legacy).pbit
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA1.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA1.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOLA1.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA1.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA2.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA2.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOLA2.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA2.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA3.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA3.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOLA3.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA3.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI1.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI1.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI1.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI1.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI10.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI10.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI10.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI10.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI11.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI11.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI11.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI11.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI12.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI12.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI12.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI12.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI13.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI13.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI13.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI13.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI14.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI14.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI14.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI14.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI15.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI15.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI15.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI15.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI16.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI16.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI16.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI16.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI17.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI17.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI17.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI17.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI18.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI18.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI18.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI18.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI19.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI19.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI19.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI19.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI2.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI2.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI2.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI2.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI20.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI20.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI20.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI20.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI3.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI3.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI3.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI3.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI4.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI4.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI4.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI4.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI5.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI5.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI5.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI5.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI6.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI6.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI6.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI6.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI7.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI7.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI7.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI7.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI8.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI8.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI8.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI8.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI9.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI9.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI9.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI9.png
diff --git a/Tools/MDO Power BI Dashboard/Readme.md b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Readme.md
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Readme.md
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Readme.md
diff --git a/Tools/Microsoft Defender for Office 365/Readme.md b/Tools/Microsoft Defender for Office 365/Readme.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 6eeb68d4b46..94f9a45a956 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -78,9 +78,7 @@
 "ThreatIntelligenceIndicator"
 ],
 "dataConnectorsDependencies": [
- "ForcepointNgfw",
 "ThreatIntelligence",
- "ForcepointNgfwAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -1381,8 +1379,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "ForcepointNgfw",
- "ForcepointNgfwAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -2451,8 +2447,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "ForcepointCSG",
- "ForcepointCSGAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -3747,8 +3741,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "Claroty",
- "ClarotyAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -4170,8 +4162,6 @@
 "PingFederateEvent"
 ],
 "dataConnectorsDependencies": [
- "PingFederate",
- "PingFederateAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -8356,6 +8346,9 @@
 "provider": "InspiraEnterprise",
 "source": {
 "kind": "Community"
+ },
+ "author": {
+ "name": "Inspira Enterprise"
 }
 },
 {
@@ -8381,8 +8374,11 @@
 "templateRelativePath": "User_Analytics_Workbook.json",
 "subtitle": "",
 "provider": "InspiraEnterprise",
+ "source": {
+ "kind": "Community"
+ },
 "author": {
- "name": "InspiraEnterprise"
+ "name": "Inspira Enterprise"
 }
 },
 {
@@ -8408,8 +8404,11 @@
 "templateRelativePath": "Syslog-Bifurcation.json",
 "subtitle": "",
 "provider": "InspiraEnterprise",
+ "source": {
+ "kind": "Community"
+ },
 "author": {
- "name": "InspiraEnterprise"
+ "name": "Inspira Enterprise"
 }
 },
 {