
Initial Push of Salem Cyber Integration #7743

Merged: 38 commits, Aug 29, 2023
Conversation

@jonbagg (Contributor) commented Apr 4, 2023

Required items, please complete

Change(s):

  • Initial Submission of Salem Cyber / Sentinel integration
  • playbook to collect Sentinel alerts and forward them to Salem
  • workbook to view Salem analysis in log analytics

Reason for Change(s):

  • Initial Submission

Version Updated:

  • Initial Submission

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

@jonbagg jonbagg requested review from a team as code owners April 4, 2023 12:24
@jonbagg (Contributor, Author) commented Apr 4, 2023

@microsoft-github-policy-service agree company="Salem Cyber"

@v-prasadboke v-prasadboke self-assigned this Apr 5, 2023
@v-prasadboke v-prasadboke added the Solution Solution specialty review needed label Apr 5, 2023
@v-prasadboke (Contributor):
Hello @jonbagg looking into this

@v-prasadboke (Contributor):
Hello @jonbagg please go through this readme to create a solution https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/README.md

@v-prasadboke (Contributor):

Hello @jonbagg, any updates on the following?

@jonbagg (Contributor, Author) commented Apr 18, 2023

@v-prasadboke, yes, will have an update shortly

@v-prasadboke (Contributor):
Hello @jonbagg waiting for the updates

@jonbagg (Contributor, Author) commented Apr 26, 2023

@v-prasadboke, we're working through a few issues. have you seen this error before:

[image: screenshot of the error]

@v-prasadboke (Contributor):
Let me see what i can do from my side

@v-prasadboke (Contributor):
On which step are you facing this issue

@jonbagg (Contributor, Author) commented Apr 28, 2023

@v-prasadboke, this is in the Generate Solution Package step. But it appears that a new version of the script was published, and while I'm still getting this error, I can see the tests running. Unfortunately we have a new issue that we're trying to track down:

[image: screenshot of the validation error]

It looks like this is validation running on the newly generated package, but it seems that this version of CreateUIDefinition.json is in memory, so I don't know what text and label fields are blank. I would like to know if it has to do with our workbook. Thats where our investigation is right now. If you have any thoughts on what this could be, please let me know

jonbagg and others added 2 commits April 28, 2023 16:30
Updates including:
 - Added logo
 - Added Solution Metadata
 - Added Input file
 - Updated playbook API versions in ARM template
 - Update Directory Name
@v-prasadboke (Contributor):
Hello @jonbagg can you please add again the input file for the solution.
Due to some reason its not visible

@jonbagg (Contributor, Author) commented May 3, 2023

@v-prasadboke , sorry about that, the files are synced now

@v-prasadboke (Contributor):

> @v-prasadboke , sorry about that, the files are synced now

Thank you @jonbagg, going through this

@v-prasadboke (Contributor):
hello @jonbagg working on this

@v-prasadboke (Contributor):
Hello @jonbagg please update the branch from master

@jonbagg (Contributor, Author) commented May 16, 2023

@v-prasadboke, I just updated from master

@v-prasadboke (Contributor):

Hello @jonbagg, I'm still not able to fork the branch

@jonbagg (Contributor, Author) commented May 18, 2023

@v-prasadboke, I'm not sure I understand what you need to do

@v-prasadboke (Contributor):

Hello @jonbagg, metadata is missing from the playbook, such as last updated time and post-deployment.
But I guess the playbook is not constructed properly in the first place. I recommend you generate the playbook ARM template using the Playbook ARM Template Generator. Please go through this readme file once for proper guidance:
https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Playbook-ARM-Template-Generator/README.MD

After the playbook ARM template is generated you can fill in the metadata.
Thanks.

@v-prasadboke (Contributor):

Other than this, I've added release notes to the solution. Please modify the date-modified section of the release notes as needed. I also made some minimal changes for hyperlink validation.
Please add a readme file for the playbook in the playbook folder as well, which should consist of pre-deployment and post-deployment steps and prerequisites for the playbook.

You can refer this readme file for clarification https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-BlockIP-URL/readme.md

@jonbagg (Contributor, Author) commented Aug 15, 2023

@v-prasadboke, I added the readme on the playbook. I'm not following the comment on the metadata, but I did re-verify that the arm templates are working

@v-prasadboke (Contributor):
Hello there, @jonbagg . Thank you for providing the update. I'll investigate this. Thank you.

@v-prasadboke (Contributor):

Good day, @jonbagg. It must be because you are custom-deploying the playbook ARM template. That method takes you directly to the Logic App Designer.
But when you custom-deploy the solution's mainTemplate and click on the Automation blade, an error message "error retrieving the data" is displayed. This is due to the playbook's missing metadata.
Hence I recommend that you please add 'Postdeployment' and 'Lastupdatedtime' to the playbook's metadata.

You can refer this Playbook for required fields : https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlashNext/Playbooks/SlashNextPhishingIncidentInvestigation/deploy.json

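Two packaging failures come up in this thread: the "text and label fields are blank" validation error against the generated CreateUIDefinition.json (Apr 28 comment above), and the playbook metadata that, when missing, breaks the Automation blade after a mainTemplate deployment (the comment directly above). Both can be caught offline before running the solution packager. The script below is an added example and is not the Azure-Sentinel repository's own tooling nor Salem Cyber's code. The metadata key names `lastUpdateTime` and `postDeployment`, and the sample templates embedded in it, are assumptions modelled on the playbook template convention the reviewer links to; verify the exact keys against the referenced deploy.json.

```python
"""Offline pre-packaging checks for a Sentinel solution (added example, not project code).

  1. check_playbook_metadata: a playbook ARM template (deploy.json) carries the
     top-level "metadata" the packager expects, including lastUpdateTime and
     postDeployment.  Key names are an assumption based on the Azure-Sentinel
     playbook convention; confirm them against the referenced deploy.json.
  2. find_blank_ui_strings: a createUiDefinition.json contains no "text" or
     "label" value that is empty or whitespace, which is the class of defect
     the packager's UI validation rejects.
"""
import json
from datetime import datetime

# Assumed required keys (see module docstring).
REQUIRED_PLAYBOOK_METADATA = ("title", "description", "lastUpdateTime", "postDeployment")


def check_playbook_metadata(template: dict) -> list:
    """Return a list of human-readable problems; empty list means the metadata passes."""
    problems = []
    meta = template.get("metadata")
    if not isinstance(meta, dict):
        return ["metadata object missing from template"]
    for key in REQUIRED_PLAYBOOK_METADATA:
        if key not in meta:
            problems.append(f"metadata.{key} missing")
    ts = meta.get("lastUpdateTime")
    if isinstance(ts, str):
        try:
            # Accept a trailing Z as UTC; fromisoformat() on older Pythons rejects it.
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"metadata.lastUpdateTime is not an ISO-8601 timestamp: {ts!r}")
    elif ts is not None:
        problems.append("metadata.lastUpdateTime must be a string")
    pd = meta.get("postDeployment")
    if pd is not None and not (
        isinstance(pd, list) and all(isinstance(s, str) and s.strip() for s in pd)
    ):
        problems.append("metadata.postDeployment must be a list of non-empty strings")
    return problems


def find_blank_ui_strings(node, path: str = "$") -> list:
    """Walk a createUiDefinition tree; return JSON paths of blank 'text'/'label' values."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{path}.{key}"
            if key in ("text", "label") and isinstance(value, str) and not value.strip():
                hits.append(child_path)
            hits.extend(find_blank_ui_strings(value, child_path))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            hits.extend(find_blank_ui_strings(value, f"{path}[{idx}]"))
    return hits


# Constructed sample: a playbook template lacking the two fields the reviewer asked for.
PLAYBOOK_BEFORE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "metadata": {
        "title": "Example-ForwardAlerts",
        "description": "Forwards Sentinel alerts to an external analysis service.",
    },
    "resources": [],
}

# Constructed sample: the same template after the metadata is filled in.
PLAYBOOK_AFTER = json.loads(json.dumps(PLAYBOOK_BEFORE))
PLAYBOOK_AFTER["metadata"].update({
    "lastUpdateTime": "2023-08-23T00:00:00Z",
    "postDeployment": ["Authorize the API connection after deployment."],
})

# Constructed sample createUiDefinition with one blank TextBlock and one blank label.
CREATEUI_SAMPLE = {
    "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
    "handler": "Microsoft.Azure.CreateUIDefinition",
    "version": "0.1.2-preview",
    "parameters": {
        "basics": [
            {"name": "playbook1-text", "type": "Microsoft.Common.TextBlock",
             "options": {"text": ""}},
            {"name": "workbook1", "type": "Microsoft.Common.TextBox",
             "label": "", "defaultValue": "x"},
        ],
    },
}

if __name__ == "__main__":
    print("playbook before:", check_playbook_metadata(PLAYBOOK_BEFORE))
    print("playbook after: ", check_playbook_metadata(PLAYBOOK_AFTER))
    print("blank UI strings:", find_blank_ui_strings(CREATEUI_SAMPLE))
```

Run it against the real files with `json.load(open("deploy.json"))` and `json.load(open("createUiDefinition.json"))` in place of the constructed samples; the JSON paths it prints point at the exact element the packager is complaining about, which is the information the in-memory validation run described above does not surface.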
@v-prasadboke (Contributor):
Aside from that, could you please share the Playbook's functional images? Thanks.

@jonbagg (Contributor, Author) commented Aug 18, 2023

What would be an example of a playbook functional image? Would that be a snap of the logic app designer?

@v-prasadboke (Contributor):

> What would be an example of a playbook functional image? Would that be a snap of the logic app designer?

Yes, that would work for me.

@v-prasadboke (Contributor):
Hello @jonbagg, Any updates for the requested images. Thanks.

@jonbagg (Contributor, Author) commented Aug 23, 2023

@v-prasadboke, I just made the requested updates and added a screenshot of the logic app to the images folder in the playbook dir

@v-prasadboke (Contributor):
Hello @jonbagg, Thanks for providing the requested changes. We will examine the commits and update you about the same by 28 August, 2023.

@v-prasadboke (Contributor):

Hello @jonbagg, all looks good. Just repackage the solution again using the V3 tool, and after repackaging the solution please also add a hyperlink to the readme in the Description of createUi.
Reference:
[image: screenshot of the createUi description with readme hyperlink]

@jonbagg (Contributor, Author) commented Aug 28, 2023

@v-prasadboke, repackaged and updated createUI description as requested

@v-prasadboke (Contributor):
Hello @jonbagg, Thanks for committing the requested changes. Will examine this and update you about the same before 31 August, 2023.
Thank You.

v-prasadboke previously approved these changes Aug 29, 2023
@v-atulyadav v-atulyadav merged commit f5feaff into Azure:master Aug 29, 2023
29 checks passed