From 8f5efb52c67cb832c3bb9d80602a44c5cbca954f Mon Sep 17 00:00:00 2001 From: XiFneg Date: Thu, 21 Nov 2024 05:40:05 +0000 Subject: [PATCH 1/2] Update configuration and templates for SINEC Security Guard solution --- .../data_connector_GenericUI.json | 168 +-- .../Data/Solution_Sinec Security Guard.json | 32 +- .../Package/createUiDefinition.json | 254 ++--- .../Package/mainTemplate.json | 1016 ++++++++--------- 4 files changed, 724 insertions(+), 746 deletions(-) diff --git a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json index a69c1634a90..f666f8f753f 100644 --- a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json +++ b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json 
@@ -1,84 +1,84 @@ -{ - "id": "SSG", - "title": "SINEC Security Guard", - "publisher": "Siemens AG", - "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", - "graphQueriesTableName": "SINECSecurityGuard_CL", - "logo": "SSG.svg", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "SINECSecurityGuard_CL", - "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "sampleQueries": [ - { - "description": "List of Attacks", - "query": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"] - } - ], - "dataTypes": [ - { - "name": "SINECSecurityGuard_CL", - "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" - } - ], - "availability": { - "isPreview": true, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", - "instructions": [ - { - "parameters": { - "title": "1. Please follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Set up the SINEC Security Guard Sensor", - "description": "Detailed step for setting up the sensor." - }, - { - "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", - "description": "Instructions on configuring the data connector." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - } - ] -} +{ + "id": "SSG", + "title": "SINEC Security Guard", + "publisher": "Siemens AG", + "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", + "graphQueriesTableName": "SINECSecurityGuard_CL", + "logo": "SSG.svg", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "SINECSecurityGuard_CL", + "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "sampleQueries": [ + { + "description": "List of Attacks", + "query": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"] + } + ], + "dataTypes": [ + { + "name": "SINECSecurityGuard_CL", 
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "availability": { + "isPreview": true, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", + "instructions": [ + { + "parameters": { + "title": "1. Please follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Set up the SINEC Security Guard Sensor", + "description": "Detailed step for setting up the sensor." + }, + { + "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", + "description": "Instructions on configuring the data connector." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] +} diff --git a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json index 3232152f990..c0cb969768f 100644 --- a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json 
+++ b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
@@ -1,17 +1,17 @@
-{
- "Name": "SINEC Security Guard",
- "Author": "Siemens AG",
- "Logo": "",
- "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel",
- "Analytic Rules": [
- "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
- ],
- "Data Connectors": [
- "Data Connectors/data_connector_GenericUI.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
- "Version": "3.0.3",
- "TemplateSpec": true,
- "Is1PConnector": false
+{
+ "Name": "SINEC Security Guard",
+ "Author": "Siemens AG",
+ "Logo": "",
+ "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "Analytic Rules": [
+ "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/data_connector_GenericUI.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
+ "Version": "3.0.3",
+ "TemplateSpec": true,
+ "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/SINEC Security Guard/Package/createUiDefinition.json b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
index 1a03e23deb2..603c462ee46 100644
--- a/Solutions/SINEC Security Guard/Package/createUiDefinition.json
+++ b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
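Review bot: `"Version": "3.0.3"` in this data file does not line up with the packaged `mainTemplate.json` touched by the same commit, whose removed side still carries `"_solutionVersion": "3.0.0"` and an analytic-rule description reading "template version 3.0.0"; the new side of that hunk is outside this view, so confirm it was regenerated to `3.0.3`, otherwise the version users see on install will be stale relative to the release notes this change links to. Separately, `"BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard"` commits a developer-local Windows path into the repository; a repo-relative value such as `"BasePath": "Solutions/SINEC Security Guard"` avoids leaking workstation layout and is usable by other maintainers, assuming the packaging tool accepts a relative path (verify before changing). `"Logo": ""` is also left empty although the data connector in this commit references `SSG.svg`; if the logo is meant to show on the solution tile, point this field at the same asset.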
@@ -1,127 +1,127 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - 
"placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for SINEC Security Guard. You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
- } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "SSG_Security_Incidents", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies." - } - } - ] - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sinec%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC 
Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for SINEC Security Guard. 
You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "SSG_Security_Incidents", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies." 
+ } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/SINEC Security Guard/Package/mainTemplate.json b/Solutions/SINEC Security Guard/Package/mainTemplate.json index 4377777a228..d701f103edc 100644 --- a/Solutions/SINEC Security Guard/Package/mainTemplate.json +++ b/Solutions/SINEC Security Guard/Package/mainTemplate.json 
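Review bot: The Release Notes link in `basics.description` now points at `Solutions/Sinec%20Security%20Guard/ReleaseNotes.md`, but every file path in this commit's own headers is `Solutions/SINEC Security Guard/...`; GitHub paths are case-sensitive, so unless the second patch in this series renames the directory, the link shown on the install blade will return 404. Restore `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md`, or land the directory rename in the same change so the two stay consistent. The `subscription.resourceProviders` list also registers `Microsoft.Logic/workflows` and `Microsoft.Insights/workbooks` even though this solution ships only one data connector and one analytic rule; if that list is fixed generator boilerplate it is harmless, otherwise trim it to the providers the template actually deploys so the installer does not request registrations the solution never uses.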
@@ -1,519 +1,497 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Siemens AG", - "comments": "Solution template for SINEC Security Guard" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - } - }, - "variables": { - "_solutionName": "SINEC Security Guard", - "_solutionVersion": "3.0.0", - "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg", - "_solutionId": "[variables('solutionId')]", - "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", - "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]" - }, - "uiConfigId1": "SSG", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "SSG", - "_dataConnectorContentId1": 
"[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", 
- "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.", - "displayName": "SSG_Security_Incidents", - "enabled": false, - "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n", - "severity": "HIGH", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1486" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "source_ip", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "destination_ip", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "Source_IP": "source_ip" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ", - "alertDynamicProperties": [], - "alertDisplayNameFormat": "{{signature_name}} " - }, - "incidentConfiguration": { - "groupingConfiguration": { - "groupByCustomDetails": [ - "Source_IP" - ], - "groupByEntities": [ - "IP" - ], - "lookbackDuration": "5m", - "matchingMethod": "AnyAlert", - "reopenClosedIncident": false, - "enabled": true - }, - "createIncident": true - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "SINEC Security Guard Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "SSG_Security_Incidents", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "SINEC Security Guard data connector with template version 3.0.0", - 
"mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "SINEC Security Guard", - "publisher": "Siemens AG", - "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", - "graphQueriesTableName": "SINECSecurityGuard_CL", - "logo": "SSG.svg", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "SINECSecurityGuard_CL", - "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "sampleQueries": [ - { - "description": "List of Attacks", - "query": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "SINECSecurityGuard_CL", - "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" - } - ], - "availability": { - "isPreview": false, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": 
"Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", - "instructions": [ - { - "parameters": { - "title": "1. Please follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Set up the SINEC Security Guard Sensor", - "description": "Detailed step for setting up the sensor." - }, - { - "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", - "description": "Instructions on configuring the data connector." 
- } - ] - }, - "type": "InstructionStepsGroup" - } - ] - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "SINEC Security Guard", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "SINEC Security Guard", - "publisher": "Siemens AG", - "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", - "graphQueries": [ - { - "metricName": "Total events received", - "legend": "SINECSecurityGuard_CL", - "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" - } - ], - "dataTypes": [ - { - "name": "SINECSecurityGuard_CL", - "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "List of Attacks", - "query": 
"SINECSecurityGuard_CL\n | summarize count()" - } - ], - "availability": { - "isPreview": false, - "status": 1 - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", - "instructions": [ - { - "parameters": { - "title": "1. Please follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Set up the SINEC Security Guard Sensor", - "description": "Detailed step for setting up the sensor." - }, - { - "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", - "description": "Instructions on configuring the data connector." 
- } - ] - }, - "type": "InstructionStepsGroup" - } - ] - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "SINEC Security Guard", - "publisherDisplayName": "Siemens AG", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "SINEC Security Guard", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Siemens AG" - }, - "support": { - "name": "Siemens AG", - "email": "ssgsupport.cybersecurity@siemens.com", - "tier": "Partner", - "link": "https://siemens.com/sinec-security-guard" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - ] - }, - "firstPublishDate": "2024-07-15", - "providers": [ - "Siemens AG" - ], - "categories": { - "domains": [ - "Security - Network" - ], - "verticals": [ - "Manufacturing" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Siemens AG", + "comments": "Solution template for SINEC Security Guard" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. 
We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "SINEC Security Guard", + "_solutionVersion": "3.0.3", + "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg", + "_solutionId": "[variables('solutionId')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]" + }, + "uiConfigId1": "SSG", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "SSG", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. 
By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.", + "displayName": "SSG_Security_Incidents", + "enabled": false, + "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n", + "severity": "HIGH", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "requiredDataConnectors": [], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "source_ip", + "identifier": "Address" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "destination_ip", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Source_IP": "source_ip" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [], + "alertDisplayNameFormat": "{{signature_name}} ", + "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} " + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "matchingMethod": "AnyAlert", + "groupByEntities": [ + "IP" + ], + "lookbackDuration": "5m", + "groupByCustomDetails": [ + "Source_IP" + ] + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "SINEC Security Guard Analytics Rule 1", + "parentId": 
"[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "SSG_Security_Incidents", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SINEC Security Guard data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "SINEC Security Guard", + "publisher": "Siemens AG", + "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", + "graphQueriesTableName": "SINECSecurityGuard_CL", + "logo": "SSG.svg", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "SINECSecurityGuard_CL", + "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "sampleQueries": [ + { + "description": "List of Attacks", + "query": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" + } + ], + "dataTypes": [ + { + "name": "SINECSecurityGuard_CL", + "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "availability": { + "isPreview": false, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor 
events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", + "instructions": [ + { + "parameters": { + "title": "1. Please follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Set up the SINEC Security Guard Sensor", + "description": "Detailed step for setting up the sensor." + }, + { + "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", + "description": "Instructions on configuring the data connector." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "SINEC Security Guard", + "contentProductId": 
"[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "SINEC Security Guard", + "publisher": "Siemens AG", + "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": 
"SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "availability": {
+ "isPreview": false,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector." 
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "SINEC Security Guard",
+ "publisherDisplayName": "Siemens AG",
+ "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-07-15",
+ "providers": [
+ "Siemens AG"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ],
+ "verticals": [
+ "Manufacturing"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
From 9a3cee43c6512934f290595ba3403dd9266bde2d Mon Sep 17 00:00:00 2001 From: PrasadBoke Date: Thu, 21 Nov 2024 13:29:48 +0530 Subject: [PATCH 2/2] Solution packaged --- .../SINEC Security Guard/Package/3.0.0.zip | Bin 6493 -> 6485 bytes .../Package/createUiDefinition.json | 2 +- .../Package/mainTemplate.json | 49 +++++++++++++----- .../SINEC Security Guard/ReleaseNotes.md | 4 +- 4 files changed, 38 insertions(+), 17 deletions(-) 
diff --git a/Solutions/SINEC Security Guard/Package/3.0.0.zip b/Solutions/SINEC Security Guard/Package/3.0.0.zip index 7000b1ab190c599dc09a73db90382d53755c53d6..67e67b8582e933f82924d4a614473adb805309b4 100644 GIT binary patch delta 4223 zcmYkAXE@vo)5cd98=?~%tlqn*v1FsS6GRQ7mmm^7+TW_dY7xDJ5KGjkQKMv))e=?> zD@&AU(O1;>ocDdM_c=4y%%_?8_`B}87p149*&phWkTQZO|IRQEe@oDR;>ZaEq60zG z>sVR96dN#C^}nkR3;U?5Lk^f0c`L+HqHvrN-8mYrhl}si*nHRA!#(+eq=NTW*A0H* zD+J6W+!zsgmhNo5arr98*}ta^YM{_~h3B~v^|6L70{qS{zNPyibsgJt9A*1xsPCDt zW4OKXtI|T@Rd|8?fU9P&eE%Hqt}Nl%QBP%M#eH!^zNc+e*;o#(E?}?O>9^s@+>nFq z@%7Kg-1&h-r?&BT4b|#HW)OoCy=Vsh?u?z`0#yGEZf4OYJR75;iC#zaDN|qbET0~Q ztJV?0zN3hnA+;mK{N@{Zd8dA2{eJ)9JDP4Zc)tAH-#8`%^1|F|O|dQ*Fr5g=tSMC7#n3=`yro3gRnB>cJWMXoV%swcYh>||$UsYc*REtdpWXnmM=pI^9I2{if=6awD zCFK4J#h^Jp)the&V$DMy{_4&}uNfupG#|&@s1VAUCwQ`*R3nTJQIO}Er|hz7vq-SFu)lS5PcBCmTe^H=+I|c9HiW+a zo+?rUf^h*}&Jn{)^vO>3>DU!2Z+Iq8Osg`!dld!&Qy0Ikmtg}dbcvOON_-MNiktSs z6CxDDI-P(_8<=3lJ8_3K)iv$_+n65-^<0FG-smG%y)5?zAjCa4?5W!XWA~Hc4y%>n zaihXeamZ6Sq=KqX);@eP)RskjUY=N~f9%T4x)z{I<37Z(e_gn*fW_*{^T775fV+EU z+jD^DNhM{IM#It@MA2@1Nyc^7(~Za7-Gs@`C8Nym^t9trb@-Ch%%$3~5pO!t1nn!E zBZ5C0fw3}t{Lg++-W?U03(hI@O%LP7+j|3R!*`t7gL}R6v^0ml5Ki+g#ho%W*E=rA zl7QNUJ*7SwB*$Bufxh#nvF+|yLZ64Bnf+@xwM@ry_T3$4AR+yE0*Qk<5q-ypI!*D@ zv)*No$+N5wgY-{f>U40DL}rZ<2ewf_oAn(p%O{-}J)c#M&tj7|U5hc&Y775;$vsHGF^-Ba&+?v&)S3RpxJ zLmD_4l)!{t&QEfeR>96Yj47_S0#;g#1HQss244z_*g6KkUuen5Du#J|Fje5a1=k<` zqMJM$6E?xve0agA)p#7Q5?)3ho!jhAPMK`gsEiM?4WjpHd`Hu&zooy*@|{@wTX6VF zX&Jo*=40)TNU)$lYABNB(*4J455O<%HAGu*+jS(|pd-6gb0Z{bNdQfy&>m>3n4@fu zb@;TlQ8koYu4vr6Sr(>QFzrW}Qp@@yTH?;>-m~Eu5UbiQhva(OXV^AAw`nH#y5(kv zHFx}Lks@IR*^!d^yNP8af0*<>YcIzdMxu>_Ka-T7BKwIfqb2hVd)0qxLxEL)8giLG zc4<1uifqx53E(_Yau2G^;c$a|p<8e8p87T01Zl^V$sF55q{in2}7113m3bjyM5;xLi; z6y6D8MZrI09N)JV57b?<_|eu4I>Fz)tQe4vW&<@KdkH4K##+ox+QO4$Rgp&5P5cNScBc%_#s7WD%fk}j^ zW!&8-XCjC0-S_6{+#uaY*!GB8`IN0{yRBP$LCp`oPn9C=4yI4rm}0KBR!Lh@KuwC> zUSr|IIZu42TNGBlzuk%P?F-E`e~Tw0&Xj3Csp=ZNZ4)N91gznIl^Lglg#@ 
zJ|pFYoLeaqC;tX0C2>@O&tAQ6>iN1!gtvlzq5ei_j(Zp0|xW%j6)fD)}Dk~2< zh`rJmb#mP_Iy$ABHDev&cngm|J}xOfE9H4IQg+G`4tGCuXI0nAt`p)XV;w91?J@K9 zk{HUM63zhHzrNU7`kAqi-wQf;^;$9YYRzD}H}|DOp}x}^^jh8G%=-za-~&1tIcv4* zzU5*w8BRc#>GBeXFr&W^o{|kk^Ii)w^78NIjX54i4{D{v9=$*efi2y{H>mz9H`v`^ zVi$#Km@K#{o|@9yQltv;BKznM7<5#Zsj}bLyYL)G2}jFV9^!bumBq5;C9perhJ(Cv z4bWJB7c~+7!uJ89DtY>LUO8yTh;^hNmM1v%3V@?7o`%?uS%@)Jh#8w48nHqs#gj6Yt7}BG}s||Z8$Gu&--U4N`WfKz#0rHakEQvPhxh}m|_&)ckC>n#6e~cE|+`T zk~ZHf`HY*y&v)brq?1`Ejc0eB@#~nHs@{N(`0k7;|UnX`RbsWk?=5DXdG<|}`PH>~ixc)F5H=Wg#k3_UV&hgx@z zTj$eXF-!5$UrnWM*!S5Fu~W`O*I@PRoS~NGHs8MOwmLqlV>TP%tDQLHn5qPKN-K>A z907#ckUxeN$lI8!v7cU=Q{x9(=ubi*f44>vMDGDSpd?9t-P^-t-l`Ra3{13SpZ?aW zGcJQr^VJ;Q6{=pXhKfW!#+ZP)Dv&)F75mv5fzlNDp747i>s>-&Al!}Y$Gq@t0d|~4 zGQAN~ZTowP4=#eOR&7&tD_`(}++Zy{u)hJ@XghNqDX)>xHp|7hJwHBZhU8cv7cqM3 ze^@#CO?j!s4@_4Q6@Hmk1UmgO4Gt zvP$h=4kn5-J;(Uc2wD&LUpT*aHuh660aUx~QZ}juwI4dbSG{>kNp%P{8J;nKx(N5S zKrCq{TUFB72}zuQs&u^hu7srXTpi`0Jy8n22prKPXvOf7l5dgHHk2AmUQDU%cSf$5 z>vPLHoDtqM4FPy~S*Zq0#wpsBhU1(WsbM2jZ^t7WEF~!sgBKOFFU2w=2MTzUL_Vw;3ULMSmQbAvo0_p_AJZ8; zy-F!A*Oc~y*DdK|3D#FEz_0xcd=`(o88M#(MY724I{T8I_;G4kruueZpbVQm7 zq=f!Qf_*;Y;#%f%_DCL0SWaSeMRu-%pcS&LptSHFRa;H)Gaz7Vb--qw)fBjQ*;$(& zedN^`6@uCq$>41X%3>0-M@{Wp? 
zH>$O$!7eW9-#&S3_YlB&Ri()DX~=V}AQOjJOWuFLv-o!#K~Jbk9Ov71TlK2vy=D%t zN+)XZsIqjc231(vEKYr*sMeTT-_UMVi1}&m1At+xE95CjXW!6OvfHzcUs5Ni-u-Ke z3h{w^F^9hu@X54WWSXV}(*6>G%8_JCV-w|3Uw{nbklXubZq zqN4gfzies@F^`!1HTA%>n4`uNSuNS)kr&Rn8;spCZ)E}E{FfkiuVxX0LbKBrKSx8f zSbQIGC^i!k1dbFUONicS#1lG#FF~=m$CLMqr>$ykAam$EdY6tp>~tbKOEd<(NSPnU zY~Ro0d%z6CQv;NVubihkQ0jX-CW@9!CR_CPw~<9d35Bi>IRYIUbuX$u-jTcFOW*;5 zc@E;c1E54&4-=ybn%MAM5u=fj)kiE_*8E50>ce+@ z&_39nB2{`n(o9i^+)Z7(=+ajwn5O(H6aBMnOn_uv6cAYub50|AhQXPAPDCpYx67!@ zm?k~;2KOw&S+`=ZR|OG&0!~$t3|!5p`tzI7Zz+WL^E3~p7x1oenAoueT0hZBSS|<&9H>)z2D~lfVdXtbm2q+0)?~u17ad#Mw0)&{{IhYBB%5MR$@6aWYS2mt$XZ&?5U00000000(ckr*5cA`CZYB@8!b3=B81 zKS>6EHDsWmK|m65;P78${h!RNOuEnJNMG?_dD-GUOv8~u=Je;r z{KBLVNj+7{g*u*&&y0j`jI;klO%=WFgI8C7Q-fRrIoaz5O`S6#l){X9>Co9MW;3aS z=j!y8DZ?3yA=6EKlV6!Ot^)^!2p3P70MEBCcb*z2h*+@HhHFsdOfB&e!d(p8VwWr( zoSo?3hw*}nOhEGPT`{iS+>jXyFn8A-b{L^KgqLv0zI#_R8F*^88nyTe=z7jsKJ74n zhPZ6P`g~h+Yv8k~zC3j%rX8krz&9&wrfjCsXg&Vh)lq5Vt&W-7{FeTqR{9Rz#Ipx( zIkr7@KMb!XP*&wn#D@!8IDo=MIFPZ;UNA^;Qilmv(xj|YVg?ov9QlxyxjIj&I7sE3 zb;cs%gf)+!9S5^3mRrU=eo}vHx4o|r9s&sYlh0QAuC^Y(u*s$h_Tn= zQ!e(vGrd9sr@lCZ!U)zZ_L_2Rw=G9Zz)rdP9vKrZP>8J4+Sj+{+HPGqH>KIUZp@W| zg^e(dT<*ATS7g($Zw-{1Ki#jhoB=@tK+d@Erc%d6)U4@osUdu`7#V+Se7_-oVJr*6 zShS&RmX|Hy(2%JBpDCgPXElM%QQG>40wA%?W1%5bQg%jT0mrvxlkoMqf-B1Y-SY|)(qk-5sm*rprD^u5p{G;8iY@bMjW0h( zdGfjJzu6$={K#F#3r+KRUASm}-#6$Ofq<>JUIQpa=Dj&vOiH_$Z|1_p3AWTLg45QaS~2(K#ZV4f;Su1KnGvn zZ+vZ9|8lQs61R__Lug>pqKH{cqxlaBLr~=cH>q%^t_%s-GR<%nsw`u`m$L>-+4~vR zUM5~g1e?|TU4#Pkr!*UXGl$_dQF}wP?1vhpg#1BxvRF{We-Ii9 z#NNK8DP!!ET3TeBLLg_i&{^p;JMq9Q!3+SB8>xwP(9j(TtYV9V5szR+5S(r$ zxDLa|Tt!sorh8}?d8zKkS{rSonKrO@auUv-W}Ve<$b$a1ci}C6SoUn6tU<9Hi!gL! z_G3b4;okiN*QVb><(2rCYr+X6_@dVb@i zrV?1nv9G%S7f?=rAo&=-7eE7-T%+rg+(1HMKQ)MIM9Me#eNwD|vuo;=lerT{Erx53 z&YJ9qnj>XXJ?aYDBvnVFfiCk|M$35B2vG4EjRUd>VK|+Cgo((JK+5YJ3}*7dB9j@H?4qguuwqgNNZVn?= zZvstgf+ppE%U@Nhst2hA)(Z?N`+&%Lq)5%70g{U#w9g?i#VbfDC#vN6rvt$NJP_*? 
zsBD-3Q*l^@VdWK9i8EG4gN>d*)zEy2HyV&L@H~z;uds+puWjK5qP83b%qo{H^j)fq zxGY$WMKlz#%==9*2?%W>11U}V$Jan5GZ7xl`hp-oF^pr+~pmIPbPtv;Ny zN~C0s^1ez1V^)@0W&2xTIv)xOZtaI>Q+AAk7cS@7QSgng*T@yN$Gi(r^?Pru-}c)_ z1<|a35SX1(H9lV0qBi(=v%a>X@evHKCj1c$H$C_WhHnFgH;e>jw9hqkLp8NuYO@pUT-{nyJ0ZXW?^bAa2N z{gyMo=B#gV#b)!qeYgXK5F@c-|z`x+p9vtHi{IByS_?+Pd{=Fz3Sx5Je7>qAZXf4^{K zmDmkoaeJ$#9tN+1zdtb8`?9&>YA#T0Dy;2=iCtWjs1l$WaIOWKEdX=rQeGvX+z3d2 zHukl41RUQHV7wJj+z?A^gQ3*}!nHtf9RR%9x!54Hs|~CHcs~NWCIvSHbnn9WYJl6i zp4VkXRH=vGYQyhe8h~v8yqfo{3DA0%0Bb8?wdw}R4uRC21E|~GiFt28>0JS&JGhw9 z769E?vPHgEf8)GO58?J-{L$Y}*{*?qy8FK3vZ_a4)$3}}>TlbC&#L~?F=%c8+45D^+`v*m`(8y0)^7_(=dpRFkw?n3NV~e-`B38`vpKI zdi*8;;{W;AzsW1PIfVh_5hZgV{mq-Kg*EfUJekPMLH_&} zil(^Ha`3Alybd5!NEnAD7iHWfR_*!%$6G<&A? z_g^<{(_GrxG?|Rr7>kjg=j?KS)FXP3{tl=7HhW>rnx1VZWnQYc6SnT8oavgFgdP3E zZX5-YnT0@RY$BhT@Y)iqK)b5IV#nWXf2pzo^455&lLoU#-eN|0?BvuE)9XR%)d^=B zy|X*G^6isw7J^@=--mhAA=jQO=0Np}htY5FanA7Q$UZ-A2$a}?Slgd}JE)lQ5%Bn* z0z8UGAYzv+a15767xeKUMdzNio*&k5b&-AI8|_x4SphSS@tTO`{!M zZQ2^`SK<^>VT-j)y_k!$G|76Be)SmBPRKdG=#L&2!-&pb%jRMBx64A<0@AZEHkqUw z;#Z#yWnw1_AboP0p3?@6aWYS2mtVMZu8KuWT{6euLMuGz zw6PRkCm|diohv4voQUB~E_ty`2kve-GYV326`Ska^)TMKDxWT@`x?Q&V3$iBG=~q@ zm!0T%6of6H+I-$dY74`-i44%qF@J6JS|mk|xNB2DI|KcI!NY&Nlvj1io79rqQuiHX z@>*F!u$}nJ%vj9rB&(!P7-l`^9eaRVhs9j$$3w)JPekk~7Zi6voAAE*cy7B)>X`Mq z3-c&TFfO(?C}oQz;XW09ClW$e#Uz9chb4C)TobxdFM*YTWTAFNN4w{aQNdbRF_*kb z&wEs_F7(RiJllWK-(&CPJ7Fw>?v}o&nxW)s=~lyz6NjUSEF6D@$D{k8>*}8|qq@EzS!pVx z!PU##Ze(IHb}KItnG{x@a(&+3G%S(q^vN@MT-X9H_#FdqnNzvg<{rv!gJ)*awAVG-MS3YQ8f54D||i+&St?N1S0dN zLKw_~a29w?`gflP$ohUOPARs9;mK}}XnU+lNo{|kGSKd;?18;c_M6FrvT9rx+x}?U zs>mIpxnv2y70zpOkP@$+>ef!B+fL~Hnw^Xtf9H1U&0c)mBK5ae3LbZk=&Y!kJEer! 
zk&G(ft5jKaVAe-8sRgxOzS-()ha&h18?BfrUxIoYwir7sEK5|9JX3^>@4b3@w;E#+ zoG*VcZ1?rjAru2fPHl`zfGdV^QgoYJieoZwI`m~O5~gBmHlb)Sns$bd>d zt(PBnonut}@$~n;P7>0$(GKpN#;;V8+~QqUq=cPT$8*8!Y|o|G1LE{h>rM@@Zx-v( zU{W$46X$Wod7JU`A!j!qbr*HGu+;5NKe&I-d$+MZ-jo#Ggp4yTCS#12s)k?G0Y`z@ zD~yh5>$>MIwQ9Fr&-;@~zlNWhPHN5m_(WoR6G?-;zvF~ELabYnx9zyd+TXmrjneo*BrjfToa^Pdw)B6& zKSVsVpNl>T-=F0ElaKfOlyaI@I|ph9PN!E7RfT%ERx!511g~xSeYopUw_oL6{2kVP zZ`Al>2O_6nTVs(o?;TytQF-Lp-YcHa;|Puhh!!Q@^Xl~j7*5RbN0q%a(g-ao^$Y#BH*=vedQpH+MWs3z`f092 zF*BD_U95AN&>IjfbI29TQ3r$mNYD{jvTWEeD1i}@BHAn0a0>I}!N7kG3U(Im zJFw_0dt3c37Vj+Y&JfL1HEz8v1a}KztQ-E9qXg#L;r}pBgxKOUX{!@{9;n1`8p&I8 zho2oP8#;4C(6Oxg7\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sinec%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security 
Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/SINEC Security Guard/Package/mainTemplate.json b/Solutions/SINEC Security Guard/Package/mainTemplate.json
index d701f103edc..5dae4d92ce6 100644
--- a/Solutions/SINEC Security Guard/Package/mainTemplate.json
+++ b/Solutions/SINEC Security Guard/Package/mainTemplate.json
@@ -31,7 +31,7 @@
 },
 "variables": {
 "_solutionName": "SINEC Security Guard",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.0",
 "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
@@ -84,7 +84,6 @@
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "Impact"
 ],
@@ -93,22 +92,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "source_ip",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "destination_ip",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ],
 "eventGroupingSettings": { 
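Review bot: The new `"_solutionVersion": "3.0.0"` now agrees with the contentPackages `"version": "3.0.0"` written by the first patch, but both disagree with ReleaseNotes.md in this same commit, whose newest row is 3.0.1 (12-11-2024), and the value is also a step back from the previous 3.0.3. A version that moves backwards leaves it unclear which release an installed workspace should treat as current, and presumably a non-increasing version will not be offered as an update to workspaces that already hold 3.0.1 or 3.0.3. Pick one version, make it the top row of ReleaseNotes.md, and keep `_solutionVersion` and the package `version` equal to it.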
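Review bot: Removing `"requiredDataConnectors": []` leaves the analytic rule with no declared data dependency, while the rule presumably reads `SINECSecurityGuard_CL`, the only table this solution's connector ingests (the rule's `query`, and the rest of the rule object, are outside this hunk). The field exists so that Sentinel can tell an operator which connector has to be connected before the rule template yields alerts, so the fix is to populate it rather than drop it: `"requiredDataConnectors": [ { "connectorId": "<this solution's data connector id>", "dataTypes": [ "SINECSecurityGuard_CL" ] } ]`. If the packaging tool strips empty arrays on purpose, the dependency belongs in the rule's source YAML so it survives the next repackage.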
@@ -118,19 +117,19 @@
 "Source_IP": "source_ip"
 },
 "alertDetailsOverride": {
- "alertDynamicProperties": [],
+ "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ",
 "alertDisplayNameFormat": "{{signature_name}} ",
- "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} "
+ "alertDynamicProperties": []
 },
 "incidentConfiguration": {
 "groupingConfiguration": {
- "enabled": true,
- "reopenClosedIncident": false,
- "matchingMethod": "AnyAlert",
 "groupByEntities": [
 "IP"
 ],
 "lookbackDuration": "5m",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "reopenClosedIncident": false,
 "groupByCustomDetails": [
 "Source_IP"
 ]
@@ -226,7 +225,9 @@
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
- "value": "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ "value": [
+ "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ ]
 }
 ],
 "dataTypes": [
@@ -251,6 +252,15 @@
 "read": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ]
 },
@@ -376,7 +386,9 @@
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
- "value": "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ "value": [
+ "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ ]
 }
 ],
 "sampleQueries": [ 
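Review bot: The added `Microsoft.OperationalInsights/workspaces/sharedKeys` permission (added identically in the hunk at `@@ -401,6 +413,15 @@`) tells an installer that the connector needs the workspace shared key, yet nothing in the connector's instruction steps, as they appear in the first patch of this series, surfaces the workspace ID or key or says how the sensor authenticates; the two steps are placeholder sentences. If the sensor ingests through the HTTP Data Collector API with the workspace key, the instructions should include the usual `CopyableLabel` steps for the workspace ID and primary key and say where to enter them in the SINEC Security Guard web interface; if it does not, this entry over-declares a secret-granting permission and should be dropped. Either way the `permissionsDisplayText` should state what a shared key authorizes, namely ingestion of arbitrary data into the workspace, and the linked page (`agent-windows#obtain-workspace-id-and-key`) documents the Windows agent rather than this connector.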
@@ -401,6 +413,15 @@
 "read": true,
 "delete": true
 }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
 }
 ]
 },
@@ -441,7 +462,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "SINEC Security Guard",
 "publisherDisplayName": "Siemens AG",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the SINEC Security Guard into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/SINEC Security Guard/ReleaseNotes.md b/Solutions/SINEC Security Guard/ReleaseNotes.md
index 140e39781ce..d64285f9984 100644
--- a/Solutions/SINEC Security Guard/ReleaseNotes.md
+++ b/Solutions/SINEC Security Guard/ReleaseNotes.md
@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------|
-| 3.0.0 | 19-07-2024 | Initial Solution Release |
-| 3.0.1 | 12-11-2024 | Uppercase revised |
\ No newline at end of file
+| 3.0.1 | 12-11-2024 | Uppercase revised |
+| 3.0.0 | 19-07-2024 | Initial Solution Release |
\ No newline at end of file