Azure · v-atulyadav · Sep 4, 2023 · Aug 28, 2023 · Aug 28, 2023 · Aug 28, 2023
@@ -1,7 +1,7 @@
 id: dc7af829-d716-4774-9d6f-03d9aa7c27a4
 name: Infoblox - High Threat Level Query Not Blocked Detected
 description: |
-  'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+  'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -63,5 +63,5 @@ eventGroupingSettings:
   aggregationKind: SingleAlert
 incidentConfiguration:
   createIncident: true
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -1,7 +1,7 @@
 id: 99278700-79ca-4b0f-b416-bf57ec699e1a
 name: Infoblox - Many High Threat Level Single Query Detected
 description: |
-  'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+  'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -47,5 +47,5 @@ eventGroupingSettings:
   aggregationKind: SingleAlert
 incidentConfiguration:
   createIncident: true
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -1,7 +1,7 @@
 id: 568730be-b39d-45e3-a392-941e00837d52
 name: Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains
 description: |
-  'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt).'
+  'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -75,5 +75,5 @@ eventGroupingSettings:
   aggregationKind: SingleAlert
 incidentConfiguration:
   createIncident: true
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
@@ -123,7 +123,7 @@
         },
         {
             "title": "2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent",
-            "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n2. Navigate to **Manage > Data Connector**.\n3. Click the **Destination Configuration** tab at the top.\n4. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Azure-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n5. Click the **Traffic Flow Configuration** tab at the top.\n6. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Azure-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **CDC Enabled Host** section. \n    - **On-Prem Host**: Select your desired on-prem host for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section.  \n    - **Source**: Select **BloxOne Cloud Source**. \n    - Select all desired **log types** you wish to collect. Currently supported log types are:\n      - Threat Defense Query/Response Log\n      - Threat Defense Threat Feeds Hits Log\n      - DDI Query/Response Log\n      - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section.  \n    - Select the **Destination** you just created. \n - Click **Save & Close**. \n7. Allow the configuration some time to activate."
+            "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n    - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section.  \n    - **Source**: Select **BloxOne Cloud Source**. \n    - Select all desired **log types** you wish to collect. Currently supported log types are:\n      - Threat Defense Query/Response Log\n      - Threat Defense Threat Feeds Hits Log\n      - DDI Query/Response Log\n      - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section.  \n    - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate."
         },
         {
             "title": "3. Validate connection",

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\r \n There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n   **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n _Please refer to the following before installing the solution:_ \r \n • _Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)._ \r \n • _Review the TIDE Threat Intelligence playbooks and their installation [here](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Playbooks)._ \r \n • _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution._ \n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\r\n \r\n   **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -111,13 +111,13 @@
           {
             "name": "workbook1",
             "type": "Microsoft.Common.Section",
-            "label": "Infoblox Cloud Data Connector",
+            "label": "Infoblox Cloud Data Connector Workbook",
             "elements": [
               {
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Sets the time name for analysis"
+                  "text": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud solution. Drilldown your data and visualize events, trends, and anomalous changes over time."
                 }
               }
             ]
@@ -159,7 +159,7 @@
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
+                  "text": "Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more."
                 }
               }
             ]
@@ -173,7 +173,7 @@
                 "name": "analytic2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+                  "text": "At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more."
                 }
               }
             ]
@@ -187,7 +187,7 @@
                 "name": "analytic3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
+                  "text": "At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more."
                 }
               }
             ]
@@ -201,7 +201,7 @@
                 "name": "analytic4-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+                  "text": "Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more."
                 }
               }
             ]
@@ -215,7 +215,7 @@
                 "name": "analytic5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser)."
+                  "text": "Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more."
                 }
               }
             ]
@@ -243,7 +243,7 @@
                 "name": "analytic7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Parsers/InfobloxCDC.txt)."
+                  "text": "InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired."
                 }
               }
             ]