From 793b99bb2bcb8701790b0b63b85ba154d5c315bc Mon Sep 17 00:00:00 2001
From: v-rusraut
Date: Thu, 7 Sep 2023 13:59:39 +0530
Subject: [PATCH] updated DataFile

---
 .../Morphisec/Data/Solution_Morphisec.json | 4 +-
 .../Data/system_generated_metadata.json | 29 ---
 Solutions/Morphisec/Package/mainTemplate.json | 231 ------------------
 3 files changed, 2 insertions(+), 262 deletions(-)
 delete mode 100644 Solutions/Morphisec/Data/system_generated_metadata.json
 delete mode 100644 Solutions/Morphisec/Package/mainTemplate.json

diff --git a/Solutions/Morphisec/Data/Solution_Morphisec.json b/Solutions/Morphisec/Data/Solution_Morphisec.json
index 87cecaab864..44bd75eaeb6 100644
--- a/Solutions/Morphisec/Data/Solution_Morphisec.json
+++ b/Solutions/Morphisec/Data/Solution_Morphisec.json
@@ -4,8 +4,8 @@
 "Logo": "",
 "Description": "The [Morphisec](https://www.morphisec.com/) solution for Microsoft Sentinel enables you to integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets.\n\r\n1. **Morphisec via AMA** - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Morphisec via Legacy Agent** - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Morphisec via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Data Connectors": [
- "Solutions/Morphisec/Data Connectors/Morphisec.JSON",
- "Solutions/Morphisec/Data Connectors/template_MorphisecAMA.JSON"
+ "Solutions/Morphisec/Data Connectors/Morphisec.json",
+ "Solutions/Morphisec/Data Connectors/template_MorphisecAMA.json"
 ],
 "Parsers": [
 "Solutions/Morphisec/Parsers/Morphisec.yaml"
diff --git a/Solutions/Morphisec/Data/system_generated_metadata.json b/Solutions/Morphisec/Data/system_generated_metadata.json
deleted file mode 100644
index e3c0ae19936..00000000000
--- a/Solutions/Morphisec/Data/system_generated_metadata.json
+++ /dev/null
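Review bot: The two added lines change only the extension's case (`.JSON` to `.json`) in the "Data Connectors" paths, and nothing in this patch renames the files under `Solutions/Morphisec/Data Connectors/`, so the new paths resolve only if those files are already lowercase on disk; on a case-sensitive filesystem (which the packaging step is likely to run on) a mismatch fails the build rather than being tolerated. Confirm the on-disk names before merging, and if they are still `.JSON`, the fix is a `git mv` of the files alongside this edit. The deleted `Package/mainTemplate.json` is presumably regenerated from this manifest by the packaging tool; if it is not, the solution is left without a deployable template.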
@@ -1,29 +0,0 @@ -{ - "Name": "Morphisec", - "Author": "Morphisec", - "Logo": "", - "Description": "The [Morphisec](https://www.morphisec.com/) solution for Microsoft Sentinel enables you to integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets.\n\r\n1. **Morphisec via AMA** - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Morphisec via Legacy Agent** - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Morphisec via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", - "BasePath": "C:\\GitHub\\Azure-Sentinel", - "Version": "3.0.0", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1PConnector": false, - "publisherId": "morphisec", - "offerId": "morphisec_utpp_mss", - "providers": [ - "Morphisec" - ], - "categories": { - "domains": [ - "Security - Threat Protection" - ] - }, - "firstPublishDate": "2022-05-05", - "support": { - "name": "Morphisec", - "tier": "Partner", - "link": "https://support.morphisec.com/support/home" - }, - "Data Connectors": "[\n \"Morphisec.JSON\",\n \"template_MorphisecAMA.JSON\"\n]", - "Parsers": "[\n \"Morphisec.yaml\"\n]" -} diff --git a/Solutions/Morphisec/Package/mainTemplate.json b/Solutions/Morphisec/Package/mainTemplate.json deleted file mode 100644 index 0c035b212e4..00000000000 --- a/Solutions/Morphisec/Package/mainTemplate.json +++ /dev/null 
@@ -1,231 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Morphisec", - "comments": "Solution template for Morphisec" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "solutionId": "morphisec.morphisec_utpp_mss", - "_solutionId": "[variables('solutionId')]", - "_solutionName": "Morphisec", - "_solutionVersion": "3.0.0", - "parserName1": "Morphisec", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "Morphisec-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", - "_solutioncontentProductId": 
"[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Morphisec Data Parser with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('_parserName1')]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Morphisec", - "category": "Microsoft Sentinel Parser", - "functionAlias": "Morphisec", - "query": "CommonSecurityLog\n| where DeviceVendor == 'Morphisec'\n| extend Start = coalesce(\n todatetime(extract(\"start=([^;]+)\",1,AdditionalExtensions)), \n todatetime(column_ifexists(\"StartTime\", \"\"))\n ) \n, AttackedModule = extract(\"AttackedModule=([^;]+)\",1,AdditionalExtensions)\n, MorphisecVersion = extract(\"MorphisecVersion=([^;]+)\",1,AdditionalExtensions)\n, AttackName = extract(\"AttackName=([^;]+)\",1,AdditionalExtensions)\n, AttackCategory = extract(\"AttackCategory=([^;]+)\",1,AdditionalExtensions)\n, Attackdescription = extract(\"Attackdescription=([^;]+)\",1,AdditionalExtensions)\n, ProcessSignature = extract(\"ProcessSignature=([^;]+)\",1,AdditionalExtensions)\n, ParentSignature = 
extract(\"ParentSignature=([^;]+)\",1,AdditionalExtensions)\n, LastStackFunctionCall = extract(\"LastStackFunctionCall=([^;]+)\",1,AdditionalExtensions)\n, LastModuleLoaded = extract(\"LastModuleLoaded=([^;]+)\",1,AdditionalExtensions)\n, CommandLine = extract(\"CommandLine=([^;]+)\",1,AdditionalExtensions)\n, ParentProcessCommandLine = extract(\"ParentProcessCommandLine=([^;]+)\",1,AdditionalExtensions)\n, CodeProcessed = extract(\"CodeProcessed=([^;]+)\",1,AdditionalExtensions)\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "name": "Morphisec", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Morphisec" - }, - "support": { - "name": "Morphisec", - "tier": "Partner", - "link": "https://support.morphisec.com/support/home" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", - "contentKind": "Parser", - "displayName": "Morphisec", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Morphisec", - "category": "Microsoft Sentinel Parser", - "functionAlias": "Morphisec", - "query": "CommonSecurityLog\n| where DeviceVendor == 'Morphisec'\n| extend Start = coalesce(\n todatetime(extract(\"start=([^;]+)\",1,AdditionalExtensions)), \n todatetime(column_ifexists(\"StartTime\", \"\"))\n ) \n, AttackedModule = extract(\"AttackedModule=([^;]+)\",1,AdditionalExtensions)\n, MorphisecVersion = extract(\"MorphisecVersion=([^;]+)\",1,AdditionalExtensions)\n, AttackName = extract(\"AttackName=([^;]+)\",1,AdditionalExtensions)\n, AttackCategory = extract(\"AttackCategory=([^;]+)\",1,AdditionalExtensions)\n, Attackdescription = extract(\"Attackdescription=([^;]+)\",1,AdditionalExtensions)\n, ProcessSignature = extract(\"ProcessSignature=([^;]+)\",1,AdditionalExtensions)\n, ParentSignature = extract(\"ParentSignature=([^;]+)\",1,AdditionalExtensions)\n, LastStackFunctionCall = extract(\"LastStackFunctionCall=([^;]+)\",1,AdditionalExtensions)\n, LastModuleLoaded = extract(\"LastModuleLoaded=([^;]+)\",1,AdditionalExtensions)\n, CommandLine = extract(\"CommandLine=([^;]+)\",1,AdditionalExtensions)\n, ParentProcessCommandLine = extract(\"ParentProcessCommandLine=([^;]+)\",1,AdditionalExtensions)\n, CodeProcessed = extract(\"CodeProcessed=([^;]+)\",1,AdditionalExtensions)\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], 
- "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "kind": "Solution", - "name": "Morphisec", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Morphisec" - }, - "support": { - "name": "Morphisec", - "tier": "Partner", - "link": "https://support.morphisec.com/support/home" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Morphisec", - "publisherDisplayName": "Morphisec", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Morphisec solution for Microsoft Sentinel enables you to integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets.

\n
    \n
  1. Morphisec via AMA - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Morphisec via Legacy Agent - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Morphisec via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Morphisec", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Morphisec" - }, - "support": { - "name": "Morphisec", - "tier": "Partner", - "link": "https://support.morphisec.com/support/home" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" - } - ] - }, - "firstPublishDate": "2022-05-05", - "providers": [ - "Morphisec" - ], - "categories": { - "domains": [ - "Security - Threat Protection" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -}