ZeroFox Solution #8661
Conversation
It also adds analytic rules to map ZeroFox alerts to Microsoft Sentinel Incidents based on severity.
Adds all ZeroFox connectors to CTI feeds by way of Azure Functions, as per task ZFE-73125
Adds configuration info for CTI connectors according to ZF-73126
…ctions
* Add configuration file ZeroFox_CTI_FunctionApp.json for azure functions
* Add unit test for ZeroFox Client
* Move Data Connectors from connectors folder
According to task ZFE-73126
Add Data folder and solution metadata file as per task ZF-7126
@microsoft-github-policy-service agree company="ZeroFox"
Code scanning alerts marked Fixed in:
- Solutions/ZeroFox/Data Connectors/CTI/advanced_dark_web_connector/__init__.py
- Solutions/ZeroFox/Data Connectors/CTI/botnet_compromised_credentials_connector/__init__.py
- Solutions/ZeroFox/Data Connectors/CTI/credit_cards_connector/__init__.py
* Add fixes shown by Azure's CI pipeline
* Add custom log schemas for CTI data connectors
* Add custom table specifications for CTI tables
  Table description specifications added:
  - Identity breach
  - IRC
  - Malware
  - National IDs
  - Phishing
  - Phone Numbers
  - Ransomware
  - Telegram
  - Threat Actors
  - Vulnerabilities
* Fix comments
* Fix types on custom tables schemas
--------
Co-authored-by: Diego Ramirez <dramirez@zerofox.com>
Co-authored-by: Felipe Garrido <fgarridob.95+github@gmail.com>
Hi @DNRRomero, thanks for raising this PR, we will review and provide an update by 4 Aug 2023
Hi @DNRRomero, for example, the zip file, azuredeploy file, host file, requirements etc. are missing; please add them. Then package the solution using this tool: https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Create-Azure-Sentinel-Solution/V3 Please also add a release note; follow the below-mentioned link for the same.
Add release notes, versioning files in Package folder, as well as template fails from ARM toolkit
Hi @v-rbajaj, we added the missing files, which were the release notes and package folder. As for the rest you mentioned, they are located in the CTI subfolder of Data Connectors.
Hi @DNRRomero, we are checking the KQL validation failure, we will provide you an update by 9 Aug 2023
We are still checking on the KQL validation failure, will update you by 11 Aug 2023
Hi @DNRRomero, Please add these two lines in properties of .script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_national_ids_CL.json
Hi @DNRRomero, we are investigating on both the failures, sorry for the delay, will get back to you by 18 Aug 2023.
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json (review thread, Outdated)
@v-rbajaj I was always able to fix the pipeline, there was a problem in the
Hi @DNRRomero, we will check the ARM TTK validation and provide you an update by 23 Aug 2023
Hello @v-rbajaj I fixed the arm-ttk validation step
Hi @DNRRomero, I also deployed maintemplate, but for some reason the contents are not visible, need to check on this issue, will get back by 24 Aug 2023.
Hi @DNRRomero, seems like the maintemplate does not have any contents like Data connectors, analytical rules. Request you repackage the solution and push the changes. If ARM ttk validation fails, we will take care of it. Please make the suggested changes.
Hello @v-rbajaj I repackaged the solution and fixed the arm-ttk validation
Hi @DNRRomero, thanks for making these changes, I can now see the contents post deployment of maintemplate. I am ingesting data to check and verify the contents. I'll get back to you by 30 Aug 2023.
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/foxy-mark.svg\" width=\"75px\" height=\"75px\">", | ||
"Description": "The [ZeroFox](https://www.zerofox.com/) solution for Microsoft Sentinel enables you to ingest [ZeroFox Alerts](https://www.zerofox.com/platform/) and [ZeroFox CTI events]](https://www.zerofox.com/threat-intelligence/) into Microsoft Sentinel using the ZeroFox API. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)", | ||
"Data Connectors": [ | ||
"Data Connectors/CTI/ZeroFox_API_FunctionApp.json", |
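Review bot: the Description value on the second line has a doubled closing bracket in `[ZeroFox CTI events]](https://www.zerofox.com/threat-intelligence/)`; markdown will render a stray `]` after the link, so drop one bracket. The Data Connectors entry on the last line points at `Data Connectors/CTI/ZeroFox_API_FunctionApp.json`, a file name that appears nowhere else in this PR, while the function app configuration added earlier is `ZeroFox_CTI_FunctionApp.json`; the packaging tool cannot include a connector from a path that does not resolve, so correct the name and repackage.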
This file ZeroFox_API_FunctionApp.json doesn't exist in this folder.
I think you were trying to refer ZeroFox_CTI_FunctionApp.json, if yes, then please update the name here and repackage the solution.
Hi @v-rbajaj , the file has been fixed, and the solution repackaged
Co-authored-by: Diego Ramirez <dramirez@zerofox.com>
Hi @DNRRomero, all the analytical rules are missing tactics and relevantTechniques, please add them. Refer: https://github.com/Azure/Azure-Sentinel/wiki/Query-Style-Guide#tactics We would need to repackage the solution.
Hi @DNRRomero, can you please provide some update on the above comment?
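The review comment above asks for `tactics` and `relevantTechniques` on every analytic rule. The block below is an added pre-flight check written for this page, not the repository's own validation script: it walks rule documents (parsed YAML as dicts) and reports rules with missing or empty fields, tactic names outside the no-space ATT&CK Enterprise tactic set the style guide uses, and technique IDs that are not of the form `T1234` or `T1234.001`. The sample rules, their names and queries are constructed for the example and do not come from the ZeroFox solution.

```python
"""Added example: pre-flight check for tactics/relevantTechniques on analytic rules.
Illustrative code for this page, not the Azure-Sentinel repository's validator.
Sample rules below are constructed; real files would be read with yaml.safe_load."""
import re

# Enterprise ATT&CK tactic names as Sentinel rule templates spell them (no spaces).
ALLOWED_TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
}
# Technique IDs: T followed by four digits, optionally a three-digit sub-technique.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


def check_rule(rule: dict) -> list[str]:
    """Return the problems found in one rule; an empty list means it passes."""
    problems: list[str] = []
    name = rule.get("name", "<unnamed>")
    tactics = rule.get("tactics")
    techniques = rule.get("relevantTechniques")
    if not tactics:
        problems.append(f"{name}: 'tactics' is missing or empty")
    else:
        for tactic in tactics:
            if tactic not in ALLOWED_TACTICS:
                problems.append(f"{name}: unknown tactic {tactic!r}")
    if not techniques:
        problems.append(f"{name}: 'relevantTechniques' is missing or empty")
    else:
        for technique in techniques:
            if not TECHNIQUE_RE.match(str(technique)):
                problems.append(f"{name}: malformed technique id {technique!r}")
    return problems


def check_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map each failing rule name to its problems; passing rules are omitted."""
    report = {}
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            report[rule.get("name", "<unnamed>")] = problems
    return report


# Constructed sample rules (hypothetical names and queries, not the solution's).
SAMPLE_RULES = [
    {"name": "Sample high severity alert", "severity": "High",
     "query": "SampleAlerts_CL | where severity_d >= 4"},            # both fields absent
    {"name": "Sample phishing alert", "severity": "Medium",
     "tactics": ["InitialAccess"],
     "relevantTechniques": ["T1566", "T1566.002"],
     "query": "SamplePhishing_CL"},                                   # passes
    {"name": "Sample credential leak", "severity": "Medium",
     "tactics": ["Credential Access"],                                # spaced name
     "relevantTechniques": ["1552"]},                                 # bare number
]

if __name__ == "__main__":
    for rule_name, problems in check_rules(SAMPLE_RULES).items():
        for problem in problems:
            print(problem)
```

Running this over the `Analytic Rules` folder before packaging catches the failure earlier than the repository pipeline does, and the same loop is a natural place to also reject rules whose `tactics` list and `relevantTechniques` list disagree with the mapping the style guide links to.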
Co-authored-by: Diego Ramirez <dramirez@zerofox.com>
Hello @v-rbajaj, I have just added the changes you requested, could you take a look?
Hi @DNRRomero, you would need to update this branch from master for the validations to run.
Hi @v-rbajaj, I updated the branch with respect to master
Hi @DNRRomero, we will provide you an update by 15 Sep 2023.