From a39ecf8d201ec0ceaaa72b1df2a516d99025563a Mon Sep 17 00:00:00 2001 From: Github Bot Date: Thu, 7 Sep 2023 06:26:13 +0000 Subject: [PATCH] [skip ci] Github Bot Added package to Pull Request! --- .../Data/system_generated_metadata.json | 29 ++ Solutions/Morphisec/Package/mainTemplate.json | 464 ++---------------- 2 files changed, 80 insertions(+), 413 deletions(-) create mode 100644 Solutions/Morphisec/Data/system_generated_metadata.json diff --git a/Solutions/Morphisec/Data/system_generated_metadata.json b/Solutions/Morphisec/Data/system_generated_metadata.json new file mode 100644 index 00000000000..e3c0ae19936 --- /dev/null +++ b/Solutions/Morphisec/Data/system_generated_metadata.json 
@@ -0,0 +1,29 @@ +{ + "Name": "Morphisec", + "Author": "Morphisec", + "Logo": "", + "Description": "The [Morphisec](https://www.morphisec.com/) solution for Microsoft Sentinel enables you to integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets.\n\r\n1. **Morphisec via AMA** - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Morphisec via Legacy Agent** - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Morphisec via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "BasePath": "C:\\GitHub\\Azure-Sentinel", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "morphisec", + "offerId": "morphisec_utpp_mss", + "providers": [ + "Morphisec" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + }, + "firstPublishDate": "2022-05-05", + "support": { + "name": "Morphisec", + "tier": "Partner", + "link": "https://support.morphisec.com/support/home" + }, + "Data Connectors": "[\n \"Morphisec.JSON\",\n \"template_MorphisecAMA.JSON\"\n]", + "Parsers": "[\n \"Morphisec.yaml\"\n]" +} diff --git a/Solutions/Morphisec/Package/mainTemplate.json b/Solutions/Morphisec/Package/mainTemplate.json index 9ca6ef72eb0..0c035b212e4 100644 --- a/Solutions/Morphisec/Package/mainTemplate.json +++ b/Solutions/Morphisec/Package/mainTemplate.json 
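Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel"` commits the generating machine's local checkout path into the repository; it carries no meaning for consumers of the package and will churn every time a different contributor regenerates the file, so the packaging tool should emit a repository-relative path (e.g. `"BasePath": "."`) or omit the key. In the same hunk, `"Data Connectors"` and `"Parsers"` are JSON arrays serialized as strings (`"[\n \"Morphisec.JSON\",\n \"template_MorphisecAMA.JSON\"\n]"`) rather than native arrays, which forces a second parse downstream and defeats any schema validation of this file. The `Description` value also mixes `\n\r\n` and `\n\n` as paragraph separators; a single convention would make the generated HTML in mainTemplate.json predictable.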
@@ -32,413 +32,30 @@ "variables": { "solutionId": "morphisec.morphisec_utpp_mss", "_solutionId": "[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "MorphisecUTPP", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "MorphisecUTPP", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "parserVersion1": "1.0.0", - "parserContentId1": "Morphisec-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_solutionName": "Morphisec", + "_solutionVersion": "3.0.0", "parserName1": "Morphisec", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]" + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "Morphisec-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', 
variables('parserVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Morphisec data connector with template", - "displayName": "Morphisec template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "Morphisec data connector with template version 2.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Morphisec UTPP", - "publisher": "Morphisec", - 
"descriptionMarkdown": "Integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. Morphisec's Data Connector provides visibility into today's most advanced threats including sophisticated fileless attacks, in-memory exploits and zero days. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets", - "additionalRequirementBanner": "These queries and workbooks are dependent on Kusto functions based on Kusto to work as expected. Follow the steps to use the Kusto functions alias \"Morphisec\" \nin queries and workbooks. [Follow steps to get this Kusto function.](https://aka.ms/sentinel-morphisecutpp-parser)", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Morphisec", - "baseQuery": "\nMorphisec\n" - } - ], - "sampleQueries": [ - { - "description": "Threats count by host", - "query": "\nMorphisec\n\n | summarize Times_Attacked=count() by SourceHostName" - }, - { - "description": "Threats count by username", - "query": "\nMorphisec\n\n | summarize Times_Attacked=count() by SourceUserName" - }, - { - "description": "Threats with high severity", - "query": "\nMorphisec\n\n | where toint( LogSeverity) > 7 | order by TimeGenerated" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Morphisec)", - "lastDataReceivedQuery": "\nMorphisec\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nMorphisec\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read 
and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "These queries and workbooks are dependent on Kusto functions based on Kusto to work as expected. Follow the steps to use the Kusto functions alias \"Morphisec\" \nin queries and workbooks. [Follow steps to get this Kusto function.](https://aka.ms/sentinel-morphisecutpp-parser)" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Morphisec", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Morphisec" - }, - "support": { - "name": "Morphisec", - "tier": "Partner", - "link": "https://support.morphisec.com/support/home" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Morphisec", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Morphisec" - }, - "support": { - "name": "Morphisec", - "tier": "Partner", - "link": "https://support.morphisec.com/support/home" - } - } - }, - { - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Morphisec UTPP", - "publisher": "Morphisec", - "descriptionMarkdown": "Integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. Morphisec's Data Connector provides visibility into today's most advanced threats including sophisticated fileless attacks, in-memory exploits and zero days. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Morphisec", - "baseQuery": "\nMorphisec\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Morphisec)", - "lastDataReceivedQuery": "\nMorphisec\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nMorphisec\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Threats count by host", - "query": "\nMorphisec\n\n | summarize Times_Attacked=count() by SourceHostName" - }, - { - "description": "Threats count by username", - "query": "\nMorphisec\n\n | summarize Times_Attacked=count() by SourceUserName" - }, - { - "description": "Threats with high severity", - "query": "\nMorphisec\n\n | where toint( LogSeverity) > 7 | order by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - 
"provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "These queries and workbooks are dependent on Kusto functions based on Kusto to work as expected. Follow the steps to use the Kusto functions alias \"Morphisec\" \nin queries and workbooks. [Follow steps to get this Kusto function.](https://aka.ms/sentinel-morphisecutpp-parser)" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. 
Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries and workbooks are dependent on Kusto functions based on Kusto to work as expected. Follow the steps to use the Kusto functions alias \"Morphisec\" \nin queries and workbooks. [Follow steps to get this Kusto function.](https://aka.ms/sentinel-morphisecutpp-parser)" - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "Morphisec Data Parser with template", - "displayName": "Morphisec Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Morphisec Data Parser with template version 2.0.1", + "description": "Morphisec Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", 
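Review bot: On the new side of this hunk nothing replaces the removed data-connector resources, so the package now deploys the parser alone, while the metadata file added in this same commit still lists two data connectors (`Morphisec.JSON`, `template_MorphisecAMA.JSON`) and the solution description advertises both an AMA and a legacy connector; presumably the tool did not pick those files up, and that should be confirmed before merging. Separately, the new contentTemplates resource hard-codes the version in `"description": "Morphisec Data Parser with template version 3.0.0"` even though the same hunk introduces `_solutionVersion`; `"description": "[concat('Morphisec Data Parser with template version ', variables('_solutionVersion'))]"` keeps the two from drifting on the next bump. The resource object whose properties begin here continues past the end of the hunk.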
@@ -447,20 +64,21 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Morphisec", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "Morphisec", - "query": "\n\r\nCommonSecurityLog\r\n| where DeviceVendor == 'Morphisec'\r\n| extend Start = coalesce(\r\n todatetime(extract(\"start=([^;]+)\",1,AdditionalExtensions)), \r\n todatetime(column_ifexists(\"StartTime\", \"\"))\r\n ) \r\n, AttackedModule = extract(\"AttackedModule=([^;]+)\",1,AdditionalExtensions)\r\n, MorphisecVersion = extract(\"MorphisecVersion=([^;]+)\",1,AdditionalExtensions)\r\n, AttackName = extract(\"AttackName=([^;]+)\",1,AdditionalExtensions)\r\n, AttackCategory = extract(\"AttackCategory=([^;]+)\",1,AdditionalExtensions)\r\n, Attackdescription = extract(\"Attackdescription=([^;]+)\",1,AdditionalExtensions)\r\n, ProcessSignature = extract(\"ProcessSignature=([^;]+)\",1,AdditionalExtensions)\r\n, ParentSignature = extract(\"ParentSignature=([^;]+)\",1,AdditionalExtensions)\r\n, LastStackFunctionCall = extract(\"LastStackFunctionCall=([^;]+)\",1,AdditionalExtensions)\r\n, LastModuleLoaded = extract(\"LastModuleLoaded=([^;]+)\",1,AdditionalExtensions)\r\n, CommandLine = extract(\"CommandLine=([^;]+)\",1,AdditionalExtensions)\r\n, ParentProcessCommandLine = extract(\"ParentProcessCommandLine=([^;]+)\",1,AdditionalExtensions)\r\n, CodeProcessed = extract(\"CodeProcessed=([^;]+)\",1,AdditionalExtensions)", - "version": 1, + "query": "CommonSecurityLog\n| where DeviceVendor == 'Morphisec'\n| extend Start = coalesce(\n todatetime(extract(\"start=([^;]+)\",1,AdditionalExtensions)), \n todatetime(column_ifexists(\"StartTime\", \"\"))\n ) \n, AttackedModule = extract(\"AttackedModule=([^;]+)\",1,AdditionalExtensions)\n, MorphisecVersion = 
extract(\"MorphisecVersion=([^;]+)\",1,AdditionalExtensions)\n, AttackName = extract(\"AttackName=([^;]+)\",1,AdditionalExtensions)\n, AttackCategory = extract(\"AttackCategory=([^;]+)\",1,AdditionalExtensions)\n, Attackdescription = extract(\"Attackdescription=([^;]+)\",1,AdditionalExtensions)\n, ProcessSignature = extract(\"ProcessSignature=([^;]+)\",1,AdditionalExtensions)\n, ParentSignature = extract(\"ParentSignature=([^;]+)\",1,AdditionalExtensions)\n, LastStackFunctionCall = extract(\"LastStackFunctionCall=([^;]+)\",1,AdditionalExtensions)\n, LastModuleLoaded = extract(\"LastModuleLoaded=([^;]+)\",1,AdditionalExtensions)\n, CommandLine = extract(\"CommandLine=([^;]+)\",1,AdditionalExtensions)\n, ParentProcessCommandLine = extract(\"ParentProcessCommandLine=([^;]+)\",1,AdditionalExtensions)\n, CodeProcessed = extract(\"CodeProcessed=([^;]+)\",1,AdditionalExtensions)\n", + "functionParameters": "", + "version": 2, "tags": [ { "name": "description", - "value": "Morphisec" + "value": "" } ] } @@ -493,7 +111,18 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "Morphisec", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { 
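Review bot: The saved-search description tag is emptied here, `"value": ""` replacing `"value": "Morphisec"`, so the deployed function carries no description at all; the same change appears in the hunk at `@@ -504,10 +133,17 @@`. Either populate it from the parser definition's own description text or drop the empty `tags` entry rather than emitting a blank tag. The `"functionParameters": ""` line is harmless for a parameterless function but is worth documenting in the generator as deliberate, since an empty string is otherwise easy to mistake for a missing value.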
@@ -504,10 +133,17 @@ "properties": { "eTag": "*", "displayName": "Morphisec", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "Morphisec", - "query": "\n\r\nCommonSecurityLog\r\n| where DeviceVendor == 'Morphisec'\r\n| extend Start = coalesce(\r\n todatetime(extract(\"start=([^;]+)\",1,AdditionalExtensions)), \r\n todatetime(column_ifexists(\"StartTime\", \"\"))\r\n ) \r\n, AttackedModule = extract(\"AttackedModule=([^;]+)\",1,AdditionalExtensions)\r\n, MorphisecVersion = extract(\"MorphisecVersion=([^;]+)\",1,AdditionalExtensions)\r\n, AttackName = extract(\"AttackName=([^;]+)\",1,AdditionalExtensions)\r\n, AttackCategory = extract(\"AttackCategory=([^;]+)\",1,AdditionalExtensions)\r\n, Attackdescription = extract(\"Attackdescription=([^;]+)\",1,AdditionalExtensions)\r\n, ProcessSignature = extract(\"ProcessSignature=([^;]+)\",1,AdditionalExtensions)\r\n, ParentSignature = extract(\"ParentSignature=([^;]+)\",1,AdditionalExtensions)\r\n, LastStackFunctionCall = extract(\"LastStackFunctionCall=([^;]+)\",1,AdditionalExtensions)\r\n, LastModuleLoaded = extract(\"LastModuleLoaded=([^;]+)\",1,AdditionalExtensions)\r\n, CommandLine = extract(\"CommandLine=([^;]+)\",1,AdditionalExtensions)\r\n, ParentProcessCommandLine = extract(\"ParentProcessCommandLine=([^;]+)\",1,AdditionalExtensions)\r\n, CodeProcessed = extract(\"CodeProcessed=([^;]+)\",1,AdditionalExtensions)", - "version": 1 + "query": "CommonSecurityLog\n| where DeviceVendor == 'Morphisec'\n| extend Start = coalesce(\n todatetime(extract(\"start=([^;]+)\",1,AdditionalExtensions)), \n todatetime(column_ifexists(\"StartTime\", \"\"))\n ) \n, AttackedModule = extract(\"AttackedModule=([^;]+)\",1,AdditionalExtensions)\n, MorphisecVersion = extract(\"MorphisecVersion=([^;]+)\",1,AdditionalExtensions)\n, AttackName = extract(\"AttackName=([^;]+)\",1,AdditionalExtensions)\n, AttackCategory = extract(\"AttackCategory=([^;]+)\",1,AdditionalExtensions)\n, Attackdescription = 
extract(\"Attackdescription=([^;]+)\",1,AdditionalExtensions)\n, ProcessSignature = extract(\"ProcessSignature=([^;]+)\",1,AdditionalExtensions)\n, ParentSignature = extract(\"ParentSignature=([^;]+)\",1,AdditionalExtensions)\n, LastStackFunctionCall = extract(\"LastStackFunctionCall=([^;]+)\",1,AdditionalExtensions)\n, LastModuleLoaded = extract(\"LastModuleLoaded=([^;]+)\",1,AdditionalExtensions)\n, CommandLine = extract(\"CommandLine=([^;]+)\",1,AdditionalExtensions)\n, ParentProcessCommandLine = extract(\"ParentProcessCommandLine=([^;]+)\",1,AdditionalExtensions)\n, CodeProcessed = extract(\"CodeProcessed=([^;]+)\",1,AdditionalExtensions)\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] } }, { @@ -539,13 +175,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Morphisec", + "publisherDisplayName": "Morphisec", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Morphisec solution for Microsoft Sentinel enables you to integrate vital insights from your security products with the Morphisec Data Connector for Microsoft Sentinel and expand your analytical capabilities with search and correlation, threat intelligence, and customized alerts. With a single, cross-product view, you can make real-time, data-backed decisions to protect your most important assets.

\n
    \n
  1. Morphisec via AMA - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Morphisec via Legacy Agent - This data connector helps in ingesting Morphisec logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Morphisec via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -564,11 +207,6 @@ "dependencies": { "operator": "AND", "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "Parser", "contentId": "[variables('_parserContentId1')]",
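Review bot: The generated `descriptionHtml` renders the connector list with empty entries, visible in this hunk as the lines `2. \n` and `4. \n` between the two real items; this looks like the `\n\r\n` separators in the solution Description being turned into blank list items by the HTML converter, so the fix belongs in the source description (one newline convention) rather than in this generated string. The HTML tags themselves appear stripped in this rendering, so the exact markup could not be checked. The package also ships `"icon": ""`, matching the empty `"Logo": ""` in the new metadata file; if a logo exists for this solution it should be wired in before the version 3.0.0 package is published.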