Merge branch 'Azure:master' into ASimWebSessionFortinetFortiGate_change
t-pol authored Dec 12, 2024
2 parents 0505918 + 5891abc commit 4f290d9
Showing 159 changed files with 10,977 additions and 4,724 deletions.
Expand Up @@ -242,4 +242,4 @@
"Type": "Boolean"
}
]
}
}
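--- a/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/BoxEventsV2_CL.json
@@ -0,0 +1,157 @@
+{
+"Name": "BoxEventsV2_CL",
+"Properties": [
+{
+"name": "additional_details",
+"type": "dynamic"
+},
+{
+"name": "created_at",
+"type": "datetime"
+},
+{
+"name": "event_id",
+"type": "string"
+},
+{
+"name": "EventEndTime",
+"type": "string"
+},
+{
+"name": "event_type",
+"type": "string"
+},
+{
+"name": "ip_address",
+"type": "string"
+},
+{
+"name": "session_id",
+"type": "dynamic"
+},
+{
+"name": "TimeGenerated",
+"type": "datetime"
+},
+{
+"name": "event_category",
+"type": "string"
+},
+{
+"name": "source_user_email",
+"type": "string"
+},
+{
+"name": "source_file_id",
+"type": "string"
+},
+{
+"name": "source_file_name",
+"type": "string"
+},
+{
+"name": "source_parent_name",
+"type": "string"
+},
+{
+"name": "source_item_type",
+"type": "string"
+},
+{
+"name": "source_item_id",
+"type": "string"
+},
+{
+"name": "source_item_name",
+"type": "string"
+},
+{
+"name": "source_parent_type",
+"type": "string"
+},
+{
+"name": "source_parent_id",
+"type": "string"
+},
+{
+"name": "source_owned_by_type",
+"type": "string"
+},
+{
+"name": "source_owned_by_id",
+"type": "string"
+},
+{
+"name": "source_owned_by_name",
+"type": "string"
+},
+{
+"name": "source_owned_by_login",
+"type": "string"
+},
+{
+"name": "created_by_type",
+"type": "string"
+},
+{
+"name": "created_by_id",
+"type": "string"
+},
+{
+"name": "created_by_name",
+"type": "string"
+},
+{
+"name": "created_by_login",
+"type": "string"
+},
+{
+"name": "source_type",
+"type": "string"
+},
+{
+"name": "source_id",
+"type": "string"
+},
+{
+"name": "source_name",
+"type": "string"
+},
+{
+"name": "source_login",
+"type": "string"
+},
+{
+"name": "source_folder_id",
+"type": "string"
+},
+{
+"name": "source_folder_name",
+"type": "string"
+},
+{
+"name": "source_user_id",
+"type": "string"
+},
+{
+"name": "source_user_name",
+"type": "string"
+},
+{
+"name": "accessible_by_type",
+"type": "string"
+},
+{
+"name": "accessible_by_id",
+"type": "string"
+},
+{
+"name": "accessible_by_name",
+"type": "string"
+},
+{
+"name": "accessible_by_login",
+"type": "string"
+}
+]
+}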
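Review bot: `EventEndTime` is declared with `"type": "string"` while the other timestamp columns in this table, `created_at` and `TimeGenerated`, are `datetime`; a time column typed as string will not support time-window filtering or time arithmetic in the queries validated against this schema, and comparisons would be lexical. If the string type deliberately mirrors the real custom-table definition, the consuming parser presumably has to convert it and that expectation is worth stating where the parser is defined; otherwise `"type": "datetime"` here looks like the intended declaration. This file alone does not show which is the case, so please confirm against the actual table.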
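--- a/.script/tests/KqlvalidationsTests/CustomTables/DoppelTable_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DoppelTable_CL.json
@@ -0,0 +1,53 @@
+{
+"Name": "DoppelTable_CL",
+"Properties": [
+{
+"Name": "AlertID",
+"Type": "String"
+},
+{
+"Name": "TimeGenerated",
+"Type": "DateTime"
+},
+{
+"Name": "Timestamp",
+"Type": "DateTime"
+},
+{
+"Name": "AlertCreated",
+"Type": "DateTime"
+},
+{
+"Name": "Entity",
+"Type": "String"
+},
+{
+"Name": "Severity",
+"Type": "String"
+},
+{
+"Name": "QueueState",
+"Type": "String"
+},
+{
+"Name": "EntityState",
+"Type": "String"
+},
+{
+"Name": "Product",
+"Type": "String"
+},
+{
+"Name": "Source",
+"Type": "String"
+},
+{
+"Name": "UpdatedBy",
+"Type": "String"
+},
+{
+"Name": "AlertLink",
+"Type": "String"
+}
+]
+}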
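Review bot: The property entries in this file use capitalised keys and type names (`"Name"`, `"Type"`, `"String"`, `"DateTime"`), whereas the two sibling schema files added in the same merge, BoxEventsV2_CL.json and SAPBTPAuditLog_CL.json, use `"name"`, `"type"`, `"string"`, `"datetime"`. If the KQL validation loader matches these keys case-sensitively, one of the two conventions will be silently ignored and the table would validate as having no columns. I cannot tell from the page which form the loader expects, but it is worth aligning all three new files on one spelling, or confirming the loader normalises case.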
@@ -0,0 +1,49 @@
{
"Name": "SAPBTPAuditLog_CL",
"Properties": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "UserName",
"type": "string"
},
{
"name": "Message",
"type": "dynamic"
},
{
"name": "UpdatedOn",
"type": "datetime"
},
{
"name": "SubaccountName",
"type": "string"
},
{
"name": "MessageUuid",
"type": "string"
},
{
"name": "Tenant",
"type": "string"
},
{
"name": "OrgId",
"type": "string"
},
{
"name": "SpaceId",
"type": "string"
},
{
"name": "AlsServiceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
}
]
}
Expand Up @@ -3084,6 +3084,11 @@
"templateName": "MESCheckVIP.yaml",
"validationFailReason": "Temporarily Added for Parser KQL Queries validation"
},
{
"id": "231a04da-9a8d-4cd6-8a20-2da7ded173ba",
"templateName": "BoxEvents.yaml",
"validationFailReason": "Failing for missing coloumn which is already added to the Custom table Schema (EventEndTime)"
},
{
"id": "600db9e0-1c11-4295-a88a-071c79434926",
"templateName": "AccountElevatedtoNewRole.yaml",
Expand Down Expand Up @@ -3631,4 +3636,4 @@
}

// Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End
]
]
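Review bot: The new skip entry for `BoxEvents.yaml` misspells "column" in its `validationFailReason`; suggest `"validationFailReason": "Failing for missing column which is already added to the Custom table Schema (EventEndTime)"`. The reason also states that the missing column has already been added to the custom table schema, and the same merge does add `EventEndTime` to BoxEventsV2_CL.json, so this skip may no longer be needed once validation runs against the updated schema — worth checking whether it can be omitted rather than added to this already long exception list. The surrounding array begins and ends outside the first hunk.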
Expand Up @@ -152,6 +152,7 @@
"SailPointIdentityNow",
"SalesforceServiceCloud",
"SAP",
"SAPBTPAuditEvents",
"SecurityEvents",
"SemperisDSP",
"SenservaPro",
4 changes: 2 additions & 2 deletions ASIM/dev/ASimTester/ASimTester.csv
Expand Up @@ -347,7 +347,7 @@ DvcHostname,string,Recommended,NetworkSession,Hostname,,
DvcHostname,string,Recommended,ProcessEvent,Hostname,,
DvcHostname,string,Recommended,RegistryEvent,Hostname,,
DvcHostname,string,Recommended,WebSession,Hostname,,
DvcHostname,Recommended,Optional,AlertEvent,Hostname,,
DvcHostname,string,Recommended,AlertEvent,Hostname,,
DvcId,string,Optional,AuditEvent,,,
DvcId,string,Optional,Authentication,,,
DvcId,string,Optional,Common,,,
Expand Down Expand Up @@ -807,7 +807,7 @@ IpAddr,string,Alias,Dns,IP Address,,SrcIpAddr
IpAddr,string,Alias,FileEvent,IP Address,,SrcIpAddr
IpAddr,string,Alias,NetworkSession,IP Address,,SrcIpAddr
IpAddr,string,Alias,WebSession,IP Address,,SrcIpAddr
IpAddr ,string,Alias,AlertEvent,,,DvcIpAddr
IpAddr,string,Alias,AlertEvent,IP Address,,DvcIpAddr
LogonMethod,string,Optional,Authentication,,,
LogonProtocol,string,Optional,Authentication,,,
LogonTarget,string,Optional,Authentication,,,
@@ -1,3 +1,6 @@
## 1.1.4
- Limit `excon` library version to lower than 1.0.0 to make sure port is always used when using a proxy.

## 1.1.3
- Replaces the `rest-client` library used for connecting to Azure with the `excon` library.

Expand All @@ -10,4 +13,4 @@
- Renames the plugin to microsoft-sentinel-log-analytics-logstash-output-plugin.

## 1.0.0
- The initial release for the Logstash output plugin for Microsoft Sentinel. This plugin uses Data Collection Rules (DCRs) with Azure Monitor's Logs Ingestion API.
- The initial release for the Logstash output plugin for Microsoft Sentinel. This plugin uses Data Collection Rules (DCRs) with Azure Monitor's Logs Ingestion API.
Expand Up @@ -72,7 +72,7 @@ def send_message_to_loganalytics(call_payload, amount_of_documents)
elsif ewr.class == Excon::Error::RequestTimeout
force_retry = true
elsif ewr.class == Excon::Error::TooManyRequests
# thrutteling detected, backoff before resending
# throttling detected, backoff before resending
parsed_retry_after = response.data[:headers].include?('Retry-After') ? response.data[:headers]['Retry-After'].to_i : 0
seconds_to_sleep = parsed_retry_after > 0 ? parsed_retry_after : 30

Expand All @@ -82,6 +82,9 @@ def send_message_to_loganalytics(call_payload, amount_of_documents)
rescue Excon::Error::Socket => ex
@logger.trace("Exception: '#{ex.class.name}]#{ex} in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]'")
force_retry = true
rescue Excon::Error::Timeout => ex
@logger.trace("Exception: '#{ex.class.name}]#{ex} in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]'")
force_retry = true
rescue Exception => ex
@logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception in posting data to #{api_name}. [Exception: '[#{ex.class.name}]#{ex}, amount of documents=#{amount_of_documents}]'")
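Review bot: The new `rescue Excon::Error::Timeout => ex` clause repeats the `rescue Excon::Error::Socket => ex` clause above it line for line, and in doing so copies a trace message whose quoting is unbalanced — `'#{ex.class.name}]#{ex}` opens a quote and closes a bracket that was never opened, unlike the `'[#{ex.class.name}]#{ex}` form used in the generic handler below. Both branches set `force_retry = true` and log the same thing, so a single clause would remove the duplication and fix the message at once: `rescue Excon::Error::Socket, Excon::Error::Timeout => ex`, `@logger.trace("Exception: '[#{ex.class.name}]#{ex}' in posting data to #{api_name}. [amount_of_documents=#{amount_of_documents}]")`, `force_retry = true`. The catch-all `rescue Exception => ex` that follows is pre-existing rather than part of this change, but it also swallows `SystemExit` and `Interrupt`; `rescue StandardError` is the usual bound. The enclosing method `send_message_to_loganalytics` begins before this hunk and continues after it.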
@@ -1,10 +1,10 @@
module LogStash; module Outputs;
class MicrosoftSentinelOutputInternal
VERSION_INFO = [1, 1, 3].freeze
VERSION_INFO = [1, 1, 4].freeze
VERSION = VERSION_INFO.map(&:to_s).join('.').freeze

def self.version
VERSION
end
end
end;end
end;end
Expand Up @@ -22,6 +22,6 @@ Gem::Specification.new do |s|
# Gem dependencies
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
s.add_runtime_dependency "logstash-codec-plain"
s.add_runtime_dependency "excon", ">= 0.88.0"
s.add_runtime_dependency "excon", ">= 0.88.0", "< 1.0.0"
s.add_development_dependency "logstash-devutils"
end
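Review bot: The new upper bound `"< 1.0.0"` on the `excon` runtime dependency is not explained in the gemspec itself; the reason lives only in the CHANGELOG entry for 1.1.4, so a later dependency refresh could lift the cap without seeing why it was introduced. A comment directly above the line would keep the constraint self-explaining, e.g. `# Keep excon below 1.0.0 so the port is always used when a proxy is configured (see CHANGELOG 1.1.4)`. The `Gem::Specification.new do |s|` block begins before this hunk.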