diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
index 84f1b7a314d..b0ac28d9312 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiCryptominer.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -33,5 +30,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
index c55a9402735..456b6f271c2 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiDestinationInTiList.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -39,5 +36,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
index 15ec7fcd987..19925de1845 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RFTP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -35,5 +32,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
index 644f87c8faa..3c2e423d7b0 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiL2RLargeIcmp.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -42,5 +39,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiNonCorpDns.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiNonCorpDns.yaml
index 008c276a1b7..e53aa50b727 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiNonCorpDns.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiNonCorpDns.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -32,5 +29,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LDns.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LDns.yaml
index a3186551b81..03ea94fb307 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LDns.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LDns.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -35,5 +32,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
index d653caab8ca..cb745af4800 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LRDP.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -31,5 +28,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
index 6bb67e05252..072a6e34da6 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiR2LSSH.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -31,5 +28,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
index 472635a85cf..32eac2c4776 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnknownMacJoined.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -36,5 +33,5 @@ entityMappings:
fieldMappings: - identifier: FullName columnName: HostCustomEntity
-version: 1.0.1
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnusualTraffic.yaml b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnusualTraffic.yaml
index 2b55857b152..13c4df9d2c5 100644
--- a/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnusualTraffic.yaml
+++ b/Solutions/Ubiquiti UniFi/Analytic Rules/UbiquitiUnusualTraffic.yaml
@@ -5,9 +5,6 @@ description: |
severity: Medium status: Available requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
@@ -30,5 +27,5 @@ entityMappings:
fieldMappings: - identifier: Address columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Ubiquiti UniFi/Data/Solution_Ubiquiti UniFi.json b/Solutions/Ubiquiti UniFi/Data/Solution_Ubiquiti UniFi.json
index 0dae387b2ca..e37bae9b6d0 100644
--- a/Solutions/Ubiquiti UniFi/Data/Solution_Ubiquiti UniFi.json
+++ b/Solutions/Ubiquiti UniFi/Data/Solution_Ubiquiti UniFi.json
@@ -2,7 +2,7 @@
"Name": "Ubiquiti UniFi",
"Author": "Microsoft - support@microsoft.com",
"Logo": "",
- "Description": "The [Ubiquiti UniFi](https://www.ui.com/) solution provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Description": "The [Ubiquiti UniFi](https://www.ui.com/) solution provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Workbooks": [
"Workbooks/Ubiquiti.json"
],
@@ -18,9 +18,6 @@
"Hunting Queries/UbiquitiUnusualSubdomains.yaml",
"Hunting Queries/UbiquitiVulnerableDevices.yaml"
],
- "Data Connectors": [
- "Data Connectors/Connector_Ubiquiti_agent.json"
- ],
"Analytic Rules": [
"Analytic Rules/UbiquitiCryptominer.yaml",
"Analytic Rules/UbiquitiDestinationInTiList.yaml",
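Review bot: The updated Description in the first hunk still says the legacy connector "uses" the Log Analytics agent, and the new wording has a grammar slip ("which were deprecated"), while the second hunk on this line drops the Data Connectors entry for that very connector, so the text now describes a component the solution no longer ships. A wording that matches the change would be `The legacy connector, which relied on the Log Analytics agent (deprecated on Aug 31, 2024), is no longer included in this solution; the analytic rules and hunting queries read from the Ubiquiti_CL table populated by the Custom logs via AMA connector.` Workspaces that presumably still ingest through the legacy path would lose coverage from these rules and queries after upgrading, which is worth stating where users read it. As far as this diff shows, `Data Connectors/Connector_Ubiquiti_agent.json` is removed from the manifest but not deleted from the tree, and no ReleaseNotes.md entry for the 3.0.3 bump is visible; both are worth confirming.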
@@ -40,7 +37,7 @@
"azuresentinel.azure-sentinel-solution-customlogsviaama"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Ubiquiti UniFi",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiDnsTimeOut.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiDnsTimeOut.yaml
index 14f329b1234..5aa1ae4a0e6 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiDnsTimeOut.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiDnsTimeOut.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows failed DNS requests due to timeout.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiInternalDnsServer.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiInternalDnsServer.yaml
index f2e2e312f2d..42c9279ade2 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiInternalDnsServer.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiInternalDnsServer.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of unaccounted internal DNS servers.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiRareInternalPorts.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiRareInternalPorts.yaml
index 8f66f431045..8a81c780d20 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiRareInternalPorts.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiRareInternalPorts.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of least used internal destination ports.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedDst.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedDst.yaml
index 5c5e3b7feb7..52d5f182a30 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedDst.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedDst.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of top destinations connections to which were blocked by firewall.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedExternalServices.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedExternalServices.yaml
index d69a5f356bb..8489cee1fd0 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedExternalServices.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedExternalServices.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of top blocked connections to external services.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedInternalServices.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedInternalServices.yaml
index d1be058a45b..f40da8e4e97 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedInternalServices.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedInternalServices.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of top blocked connections to internal services.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedSrc.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedSrc.yaml
index a3fcbd76d15..4568f97c92d 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedSrc.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopBlockedSrc.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of top sources with blocked connections.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopFirewallRules.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopFirewallRules.yaml
index 9a2c0deb1c2..643ee22ea09 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopFirewallRules.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiTopFirewallRules.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of top triggered firewall rules.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiUnusualSubdomains.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiUnusualSubdomains.yaml
index ed3d7003eae..21372b9723e 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiUnusualSubdomains.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiUnusualSubdomains.yaml
@@ -4,9 +4,6 @@ description: |
'Query counts the number of unique subdomains for each TLD.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiVulnerableDevices.yaml b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiVulnerableDevices.yaml
index 1f0eec1c8d4..5a68c069273 100644
--- a/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiVulnerableDevices.yaml
+++ b/Solutions/Ubiquiti UniFi/Hunting Queries/UbiquitiVulnerableDevices.yaml
@@ -4,9 +4,6 @@ description: |
'Query shows list of devices (APs) which do not have the latest version of firmware installed.' severity: Medium requiredDataConnectors: - - connectorId: UbiquitiUnifi - dataTypes: - - UbiquitiAuditEvent - connectorId: CustomLogsAma dataTypes: - Ubiquiti_CL
diff --git a/Solutions/Ubiquiti UniFi/Package/3.0.3.zip b/Solutions/Ubiquiti UniFi/Package/3.0.3.zip
new file mode 100644
index 00000000000..fea61ba5e3b
Binary files /dev/null and b/Solutions/Ubiquiti UniFi/Package/3.0.3.zip differ
diff --git a/Solutions/Ubiquiti UniFi/Package/createUiDefinition.json b/Solutions/Ubiquiti UniFi/Package/createUiDefinition.json
index 2a9e07af84a..b50cc83c1c2 100644
--- a/Solutions/Ubiquiti UniFi/Package/createUiDefinition.json
+++ b/Solutions/Ubiquiti UniFi/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ubiquiti%20UniFi/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Ubiquiti UniFi](https://www.ui.com/) solution provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ubiquiti%20UniFi/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Ubiquiti UniFi](https://www.ui.com/) solution provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.\n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on **Aug 31, 2024.** Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Ubiquiti UniFi. You can get Ubiquiti UniFi custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -323,7 +292,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows failed DNS requests due to timeout. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows failed DNS requests due to timeout. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -337,7 +306,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of unaccounted internal DNS servers. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of unaccounted internal DNS servers. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -351,7 +320,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of least used internal destination ports. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of least used internal destination ports. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -365,7 +334,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top destinations connections to which were blocked by firewall. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of top destinations connections to which were blocked by firewall. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -379,7 +348,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top blocked connections to external services. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of top blocked connections to external services. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -393,7 +362,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top blocked connections to internal services. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of top blocked connections to internal services. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -407,7 +376,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top sources with blocked connections. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of top sources with blocked connections. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -421,7 +390,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of top triggered firewall rules. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of top triggered firewall rules. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -435,7 +404,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query counts the number of unique subdomains for each TLD. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query counts the number of unique subdomains for each TLD. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
@@ -449,7 +418,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query shows list of devices (APs) which do not have the latest version of firmware installed. This hunting query depends on UbiquitiUnifi CustomLogsAma data connector (UbiquitiAuditEvent Ubiquiti_CL Parser or Table)"
+ "text": "Query shows list of devices (APs) which do not have the latest version of firmware installed. This hunting query depends on CustomLogsAma data connector (Ubiquiti_CL Parser or Table)"
}
}
]
diff --git a/Solutions/Ubiquiti UniFi/Package/mainTemplate.json b/Solutions/Ubiquiti UniFi/Package/mainTemplate.json
index 5e7fcefe16e..6d69a46a926 100644
--- a/Solutions/Ubiquiti UniFi/Package/mainTemplate.json
+++ b/Solutions/Ubiquiti UniFi/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Ubiquiti UniFi",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-ubiquitiunifi",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -101,84 +101,75 @@
"_huntingQuerycontentId10": "e51aa189-40cc-465c-89eb-cb22db2f53ca",
"huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e51aa189-40cc-465c-89eb-cb22db2f53ca')))]"
},
- "uiConfigId1": "UbiquitiUnifi",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "UbiquitiUnifi",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
"_analyticRulecontentId1": "7feb3c32-2a11-4eb8-a2d7-e3792b31cb80",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7feb3c32-2a11-4eb8-a2d7-e3792b31cb80')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7feb3c32-2a11-4eb8-a2d7-e3792b31cb80','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7feb3c32-2a11-4eb8-a2d7-e3792b31cb80','-', '1.0.2')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.1", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "db60ca0b-b668-439b-b889-b63b57ef20fb", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'db60ca0b-b668-439b-b889-b63b57ef20fb')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('db60ca0b-b668-439b-b889-b63b57ef20fb')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60ca0b-b668-439b-b889-b63b57ef20fb','-', '1.0.1')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60ca0b-b668-439b-b889-b63b57ef20fb','-', '1.0.2')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", + "analyticRuleVersion3": "1.0.3", "_analyticRulecontentId3": "fd200125-9d57-4838-85ca-6430c63e4e5d", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fd200125-9d57-4838-85ca-6430c63e4e5d')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fd200125-9d57-4838-85ca-6430c63e4e5d')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd200125-9d57-4838-85ca-6430c63e4e5d','-', '1.0.2')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd200125-9d57-4838-85ca-6430c63e4e5d','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.1",
+ "analyticRuleVersion4": "1.0.2",
"_analyticRulecontentId4": "6df85d74-e32f-4b71-80e5-bfe2af00be1c",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6df85d74-e32f-4b71-80e5-bfe2af00be1c')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6df85d74-e32f-4b71-80e5-bfe2af00be1c')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6df85d74-e32f-4b71-80e5-bfe2af00be1c','-', '1.0.1')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6df85d74-e32f-4b71-80e5-bfe2af00be1c','-', '1.0.2')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.1",
+ "analyticRuleVersion5": "1.0.2",
"_analyticRulecontentId5": "fe232837-9bdc-4e2b-8c08-cdac2610eed3",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fe232837-9bdc-4e2b-8c08-cdac2610eed3')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fe232837-9bdc-4e2b-8c08-cdac2610eed3')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fe232837-9bdc-4e2b-8c08-cdac2610eed3','-', '1.0.1')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fe232837-9bdc-4e2b-8c08-cdac2610eed3','-', '1.0.2')))]"
},
"analyticRuleObject6": { - 
"analyticRuleVersion6": "1.0.1", + "analyticRuleVersion6": "1.0.2", "_analyticRulecontentId6": "14a23ded-7fb9-48ee-ba39-859517a49b51", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14a23ded-7fb9-48ee-ba39-859517a49b51')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14a23ded-7fb9-48ee-ba39-859517a49b51')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14a23ded-7fb9-48ee-ba39-859517a49b51','-', '1.0.1')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14a23ded-7fb9-48ee-ba39-859517a49b51','-', '1.0.2')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.1", + "analyticRuleVersion7": "1.0.2", "_analyticRulecontentId7": "95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08','-', '1.0.1')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95d5ca9b-72c5-4b80-ad5c-b6401cdc5e08','-', '1.0.2')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.1", + "analyticRuleVersion8": "1.0.2", "_analyticRulecontentId8": "0998a19d-8451-4cdd-8493-fc342816a197", "analyticRuleId8": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0998a19d-8451-4cdd-8493-fc342816a197')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0998a19d-8451-4cdd-8493-fc342816a197')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0998a19d-8451-4cdd-8493-fc342816a197','-', '1.0.1')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0998a19d-8451-4cdd-8493-fc342816a197','-', '1.0.2')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.1", + "analyticRuleVersion9": "1.0.2", "_analyticRulecontentId9": "9757cee3-1a6c-4d8e-a968-3b7e48ded690", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9757cee3-1a6c-4d8e-a968-3b7e48ded690')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9757cee3-1a6c-4d8e-a968-3b7e48ded690')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9757cee3-1a6c-4d8e-a968-3b7e48ded690','-', '1.0.1')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9757cee3-1a6c-4d8e-a968-3b7e48ded690','-', '1.0.2')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.2", + "analyticRuleVersion10": "1.0.3", "_analyticRulecontentId10": "31e868c0-91d3-40eb-accc-3fa73aa96f8e", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '31e868c0-91d3-40eb-accc-3fa73aa96f8e')]", "analyticRuleTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('31e868c0-91d3-40eb-accc-3fa73aa96f8e')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','31e868c0-91d3-40eb-accc-3fa73aa96f8e','-', '1.0.2')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','31e868c0-91d3-40eb-accc-3fa73aa96f8e','-', '1.0.3')))]" }, "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','Ubiquiti Data Parser')]", @@ -199,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Ubiquiti Workbook with template version 3.0.2", + "description": "Ubiquiti Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -287,7 +278,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiDnsTimeOut_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiDnsTimeOut_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -372,7 +363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiInternalDnsServer_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiInternalDnsServer_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -457,7 +448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiRareInternalPorts_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiRareInternalPorts_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -542,7 +533,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiTopBlockedDst_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiTopBlockedDst_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -627,7 +618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiTopBlockedExternalServices_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiTopBlockedExternalServices_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -712,7 +703,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiTopBlockedInternalServices_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiTopBlockedInternalServices_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -797,7 +788,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiTopBlockedSrc_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiTopBlockedSrc_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -882,7 +873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiTopFirewallRules_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiTopFirewallRules_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -967,7 +958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiUnusualSubdomains_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiUnusualSubdomains_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -1052,7 +1043,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiVulnerableDevices_HuntingQueries Hunting Query with template version 3.0.2", + "description": "UbiquitiVulnerableDevices_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -1128,429 +1119,6 @@ "version": "1.0.0" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Ubiquiti UniFi data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Ubiquiti UniFi", - "publisher": "Ubiquiti", - "descriptionMarkdown": "The [Ubiquiti UniFi](https://www.ui.com/) data connector provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**UbiquitiAuditEvent**](https://aka.ms/sentinel-UbiquitiUnifi-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Ubiquiti_CL", - "baseQuery": "UbiquitiAuditEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - 
"query": "UbiquitiAuditEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "Ubiquiti_CL", - "lastDataReceivedQuery": "UbiquitiAuditEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "UbiquitiAuditEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**UbiquitiAuditEvent**](https://aka.ms/sentinel-UbiquitiUnifi-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using Enterprise System Controller Release Version: 5.6.2 (Syslog)" - }, - { - "description": "Install the agent on the Server to which the Ubiquiti logs are forwarder from Ubiquiti device (e.g.remote syslog server)\n\n> Logs from Ubiquiti Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Follow the configuration steps below to get Ubiquiti logs into Microsoft Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Configure log forwarding on your Ubiquiti controller: \n\n\t i. Go to Settings > System Setting > Controller Configuration > Remote Logging and enable the Syslog and Debugging (optional) logs (Refer to [User Guide](https://dl.ui.com/guides/UniFi/UniFi_Controller_V5_UG.pdf) for detailed instructions).\n2. Download config file [Ubiquiti.conf](https://aka.ms/sentinel-UbiquitiUnifi-conf).\n3. Login to the server where you have installed Azure Log Analytics agent.\n4. Copy Ubiquiti.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n5. Edit Ubiquiti.conf as follows:\n\n\t i. specify port which you have set your Ubiquiti device to forward logs to (line 4)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. 
Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - } - ], - "title": "2. Configure the logs to be collected" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Ubiquiti UniFi", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Ubiquiti UniFi", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Ubiquiti UniFi", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Ubiquiti UniFi", - "publisher": "Ubiquiti", - "descriptionMarkdown": "The [Ubiquiti UniFi](https://www.ui.com/) data connector provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Ubiquiti_CL", - "baseQuery": "UbiquitiAuditEvent" - } - ], - "dataTypes": [ - { - "name": "Ubiquiti_CL", - "lastDataReceivedQuery": "UbiquitiAuditEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" 
- } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "UbiquitiAuditEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Clients (Source IP)", - "query": "UbiquitiAuditEvent\n | summarize count() by SrcIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**UbiquitiAuditEvent**](https://aka.ms/sentinel-UbiquitiUnifi-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using Enterprise System Controller Release Version: 5.6.2 (Syslog)" - }, - { - "description": "Install the agent on the Server to which the Ubiquiti logs are forwarder from Ubiquiti device (e.g.remote syslog server)\n\n> Logs from Ubiquiti Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.", - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Linux agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Linux Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Linux Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnLinuxNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "1. 
Install and onboard the agent for Linux or Windows" - }, - { - "instructions": [ - { - "parameters": { - "title": "Choose where to install the Windows agent:", - "instructionSteps": [ - { - "title": "Install agent on Azure Windows Virtual Machine", - "description": "Select the machine to install the agent on and then click **Connect**.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnVirtualMachine" - }, - "type": "InstallAgent" - } - ] - }, - { - "title": "Install agent on a non-Azure Windows Machine", - "description": "Download the agent on the relevant machine and follow the instructions.", - "instructions": [ - { - "parameters": { - "linkType": "InstallAgentOnNonAzure" - }, - "type": "InstallAgent" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Follow the configuration steps below to get Ubiquiti logs into Microsoft Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Configure log forwarding on your Ubiquiti controller: \n\n\t i. Go to Settings > System Setting > Controller Configuration > Remote Logging and enable the Syslog and Debugging (optional) logs (Refer to [User Guide](https://dl.ui.com/guides/UniFi/UniFi_Controller_V5_UG.pdf) for detailed instructions).\n2. Download config file [Ubiquiti.conf](https://aka.ms/sentinel-UbiquitiUnifi-conf).\n3. Login to the server where you have installed Azure Log Analytics agent.\n4. Copy Ubiquiti.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n5. Edit Ubiquiti.conf as follows:\n\n\t i. specify port which you have set your Ubiquiti device to forward logs to (line 4)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. 
Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - } - ], - "title": "2. Configure the logs to be collected" - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**UbiquitiAuditEvent**](https://aka.ms/sentinel-UbiquitiUnifi-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -1560,7 +1128,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiCryptominer_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiCryptominer_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1587,12 +1155,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -1610,13 +1172,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -1672,7 +1234,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiDestinationInTiList_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiDestinationInTiList_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1699,12 +1261,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -1723,13 +1279,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1785,7 +1341,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiL2RFTP_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiL2RFTP_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1812,12 +1368,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ 
@@ -1838,13 +1388,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1900,7 +1450,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiL2RLargeIcmp_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiL2RLargeIcmp_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1927,12 +1477,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -1950,13 +1494,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -2012,7 +1556,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiNonCorpDns_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiNonCorpDns_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2039,12 +1583,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -2062,13 +1600,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -2124,7 +1662,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiR2LDns_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiR2LDns_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2151,12 +1689,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -2173,13 +1705,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -2235,7 +1767,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiR2LRDP_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiR2LRDP_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2262,12 +1794,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -2283,13 +1809,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -2345,7 +1871,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiR2LSSH_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiR2LSSH_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2372,12 +1898,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ 
@@ -2393,13 +1913,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -2455,7 +1975,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiUnknownMacJoined_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiUnknownMacJoined_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2482,12 +2002,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -2503,13 +2017,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "columnName": "HostCustomEntity", "identifier": "FullName" } - ], - "entityType": "Host" + ] } ] } @@ -2565,7 +2079,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiUnusualTraffic_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "UbiquitiUnusualTraffic_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -2592,12 +2106,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "UbiquitiUnifi", - "dataTypes": [ - "UbiquitiAuditEvent" - ] - }, { "connectorId": "CustomLogsAma", "dataTypes": [ @@ -2613,13 +2121,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { "columnName": "IPCustomEntity", "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -2675,7 +2183,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UbiquitiAuditEvent Data Parser with template version 3.0.2", + "description": "UbiquitiAuditEvent Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -2803,12 +2311,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Ubiquiti UniFi", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Ubiquiti UniFi solution provides the capability to ingest Ubiquiti UniFi firewall, dns, ssh, AP events into Microsoft Sentinel.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Ubiquiti UniFi solution provides the capability to ingest Ubiquiti UniFi firewall, dns, ssh, AP events into Microsoft Sentinel.

\n

This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2887,11 +2395,6 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/Ubiquiti UniFi/ReleaseNotes.md b/Solutions/Ubiquiti UniFi/ReleaseNotes.md index 240326e8651..9b4886b5f0c 100644 --- a/Solutions/Ubiquiti UniFi/ReleaseNotes.md +++ b/Solutions/Ubiquiti UniFi/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------------------| +| 3.0.3 | 04-12-2024 | Removed Deprecated **Data Connector** | | 3.0.2 | 09-08-2024 | Deprecating data connectors | | 3.0.1 | 16-07-2024 | Updated the **Analytic rules** for missing TTP | | 3.0.0 | 23-01-2024 | Updated the **Data Connector** by removing preview-tag | \ No newline at end of file diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 71b5b568f58..8c2ae8817f8 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -3228,7 +3228,7 @@ "Ubiquiti_CL" ], "dataConnectorsDependencies": [ - "UbiquitiUnifi" + "CustomLogsAma" ], "previewImagesFileNames": [ "UbiquitiOverviewBlack01.png", diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 7638d60dca5..3b2e1390f18 100644 
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -4026,7 +4026,7 @@
  "Ubiquiti_CL"
  ],
  "dataConnectorsDependencies": [
- "UbiquitiUnifi"
+ "CustomLogsAma"
  ],
  "previewImagesFileNames": [
  "UbiquitiOverviewBlack01.png",
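Review bot: With `CustomLogsAma` now the only entry in `dataConnectorsDependencies`, the `Ubiquiti_CL` entry kept in `dataTypesDependencies` is no longer tied to a solution-specific connector; the generic Custom logs via AMA connector presumably writes to whichever custom table its DCR is configured for, so the workbook's dependency check likely no longer confirms that `Ubiquiti_CL` exists. If the solution's connector setup does not already name `Ubiquiti_CL` as the required table and stream, that is worth stating where the connector is documented so the analytic rules and workbook do not silently run against an empty table. The same substitution is made in the Tools copy of WorkbooksMetadata.json in the preceding hunk, so the two files stay in lockstep.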