diff --git a/Solutions/Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenter.JSON b/Solutions/Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenter.JSON
index 1dd88b5546a..050a144c2b1 100644
--- a/Solutions/Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenter.JSON
+++ b/Solutions/Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenter.JSON
@@ -55,7 +55,7 @@
 "customs": [
 {
 "name": "License",
- "description": "standard tier is no longer required. The connector is available for all deployments of Microsoft Defender for Cloud."
+ "description": "The connector is available for all deployments of Microsoft Defender for Cloud."
 },
 {
 "name": "Subscription",
diff --git a/Solutions/Microsoft Defender for Cloud/Data/Solution_MicrosoftDefenderforCloud.json b/Solutions/Microsoft Defender for Cloud/Data/Solution_MicrosoftDefenderforCloud.json
index 5a29491e509..fb60ff1ba40 100644
--- a/Solutions/Microsoft Defender for Cloud/Data/Solution_MicrosoftDefenderforCloud.json
+++ b/Solutions/Microsoft Defender for Cloud/Data/Solution_MicrosoftDefenderforCloud.json
@@ -8,10 +8,10 @@
 ],
 "Data Connectors": [
 "Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenter.json",
- "Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenterTenantBased.json"
+ "Microsoft Defender for Cloud/Data Connectors/MicrosoftDefenderForCloudTenantBased.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": true
diff --git a/Solutions/Microsoft Defender for Cloud/Package/3.0.1.zip b/Solutions/Microsoft Defender for Cloud/Package/3.0.1.zip
new file mode 100644
index 00000000000..fb69418af24
Binary files /dev/null and b/Solutions/Microsoft Defender for Cloud/Package/3.0.1.zip differ
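Review bot: The `Data Connectors` entry now points at `MicrosoftDefenderForCloudTenantBased.json`, but nothing in this diff adds that file or renames `AzureSecurityCenterTenantBased.json` to it, so the packaging step will fail unless the file already exists in the repository — worth confirming before merge. The unchanged first entry references `AzureSecurityCenter.json`, while the first hunk of this same commit edits `Data Connectors/AzureSecurityCenter.JSON`; on a case-sensitive filesystem those are two different paths. Align one with the other, e.g. `"Microsoft Defender for Cloud/Data Connectors/AzureSecurityCenter.JSON"`, or rename the file to lowercase to match the rest of the solution.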
diff --git a/Solutions/Microsoft Defender for Cloud/Package/createUiDefinition.json b/Solutions/Microsoft Defender for Cloud/Package/createUiDefinition.json
index 406484d801b..f4f31d7603d 100644
--- a/Solutions/Microsoft Defender for Cloud/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender for Cloud/Package/createUiDefinition.json
@@ -63,13 +63,6 @@
 "text": "This Solution installs the data connector for Microsoft Defender for Cloud. You can get Microsoft Defender for Cloud custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
- {
- "name": "dataconnectors2-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your MDC security alerts from Microsoft 365 Defender into Microsoft Sentinel, so you can can leverage the advantages of XDR correlations connecting the dots across your cloud resources, devices and identities and view the data in workbooks, queries and investigate and respond to incidents."
- }
- },
 {
 "name": "dataconnectors-link2",
 "type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/Microsoft Defender for Cloud/Package/mainTemplate.json b/Solutions/Microsoft Defender for Cloud/Package/mainTemplate.json
index c8518c9181f..d3b7ecf6ccf 100644
--- a/Solutions/Microsoft Defender for Cloud/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender for Cloud/Package/mainTemplate.json
@@ -33,7 +33,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Microsoft Defender for Cloud",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-microsoftdefenderforcloud",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
@@ -41,22 +41,26 @@
 "_analyticRulecontentId1": "011c84d8-85f0-4370-b864-24c13455aa94",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '011c84d8-85f0-4370-b864-24c13455aa94')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('011c84d8-85f0-4370-b864-24c13455aa94')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','011c84d8-85f0-4370-b864-24c13455aa94','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','011c84d8-85f0-4370-b864-24c13455aa94','-', '1.0.2')))]"
 },
- "_uiConfigId1": "AzureSecurityCenter",
- "_dataConnectorContentId1": "AzureSecurityCenter",
+ "uiConfigId1": "AzureSecurityCenter",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "AzureSecurityCenter",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
 "dataConnectorVersion1": "1.0.0",
 "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "_uiConfigId2": "MicrosoftDefenderForCloudTenantBased",
- "_dataConnectorContentId2": 
"MicrosoftDefenderForCloudTenantBased",
+ "uiConfigId2": "MicrosoftDefenderForCloudTenantBased",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "MicrosoftDefenderForCloudTenantBased",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
 "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
 "_dataConnectorId2": "[variables('dataConnectorId2')]",
 "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
 "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
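Review bot: `dataConnectorVersion2` is left at `"1.0.0"` even though this commit changes the tenant-based connector's `kind` from `GenericUI` to `StaticUI` and strips its permissions and instruction steps; `_dataConnectorcontentProductId2` is derived from contentId plus that version, so the product id stays identical and workspaces with the connector already installed will not be offered the changed template. Bump it alongside the rest of the release, e.g. `"dataConnectorVersion2": "1.0.1"` (the analytic rule hash in this same hunk was moved to `'1.0.2'` for a far smaller change). Renaming the second `_dataConnectorcontentProductId1` key to `..2` is the right fix: with the duplicate key, a last-wins JSON parser silently replaced the first connector's product id with the second's.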
@@ -69,7 +73,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CoreBackupDeletionwithSecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "CoreBackupDeletionwithSecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -102,8 +106,8 @@
 "SecurityAlert"
 ]
 },
- {
- "connectorId": "MicrosoftDefenderForCloudTenantBased",
+ {
+ "connectorId": "MicrosoftDefenderForCloudTenantBased",
 "dataTypes": [
 "SecurityAlert"
 ]
@@ -117,6 +121,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "Name",
@@ -126,19 +131,19 @@
 "identifier": "NTDomain",
 "columnName": "NTDomain"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "AzureResource",
 "fieldMappings": [
 {
 "identifier": "ResourceId",
 "columnName": "_ResourceId"
 }
- ],
- "entityType": "AzureResource"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
 "identifier": "HostName",
@@ -148,17 +153,16 @@
 "identifier": "DnsDomain",
 "columnName": "DnsDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IpAddress"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -214,7 +218,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Defender for Cloud data connector with template version 3.0.0",
+ "description": "Microsoft Defender for Cloud data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -229,7 +233,7 @@
 "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
- "id": "AzureSecurityCenter",
+ "id": "[variables('_uiConfigId1')]",
 "title": "Subscription-based Microsoft Defender for Cloud (Legacy)",
 "publisher": "Microsoft",
 "descriptionMarkdown": "Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your security alerts from Microsoft Defender for Cloud into Microsoft Sentinel, so you can view Defender data in workbooks, query it to produce alerts, and investigate and respond to incidents.\n\n[For more information>](https://aka.ms/ASC-Connector)",
@@ -373,7 +377,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Defender for Cloud data connector with template version 3.0.0",
+ "description": "Microsoft Defender for Cloud data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -385,15 +389,13 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
- "id": "MicrosoftDefenderForCloudTenantBased",
+ "id": "[variables('_uiConfigId2')]",
 "title": "Tenant-based Microsoft Defender for Cloud (Preview)",
 "publisher": "Microsoft",
 "descriptionMarkdown": "Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your MDC security alerts from Microsoft 365 Defender into Microsoft Sentinel, so you can can leverage the advantages of XDR correlations connecting the dots across your cloud resources, devices and identities and view the data in workbooks, queries and investigate and respond to incidents.",
- "logo": "Microsoft.svg",
- "graphQueriesTableName": "SecurityAlerts",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -401,22 +403,6 @@
 "baseQuery": "SecurityAlert | where ProductName == \"Azure Security Center\""
 }
 ],
- "sampleQueries": [
- {
- "description": "All logs",
- "query": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | sort by TimeGenerated"
- },
- {
- "description": "Summarize by severity",
- "query": "SecurityAlert\n| where ProductName == \"Azure Security Center\"\n| summarize count() by AlertSeverity"
- }
- ],
- "dataTypes": [
- {
- "name": "SecurityAlert (ASC)",
- "lastDataReceivedQuery": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
 "connectivityCriterias": [
 {
 "type": "MtpAlerts",
@@ -425,54 +411,10 @@
 ]
 }
 ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "tenant": [
- "SecurityAdmin",
- "GlobalAdmin"
- ],
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- }
- ],
- "tenantMember": true
- },
- "instructionSteps": [
+ "dataTypes": [
 {
- "description": "After connecting this connector, **all** your Microsoft Defender for Cloud subscriptions' alerts will be sent to this Microsoft Sentinel workspace.\n\n> Your Microsoft Defender for Cloud alerts are connected to stream through the Microsoft 365 Defender. To benefit from automated grouping of the alerts into incidents, connect the Microsoft 365 Defender incidents connector. Incidents can be viewed in the incidents queue.",
- "instructions": [
- {
- "parameters": {
- "connectorKind": "MicrosoftDefenderForCloudTenantBased",
- "enable": true,
- "newPipelineEnabledFeatureFlagConfig": {
- "feature": "MdcAlertsByMtp",
- "featureStates": {
- "1": 2,
- "2": 2,
- "3": 2,
- "4": 2
- }
- },
- "infoBoxMessage": "Your Microsoft Defender for Cloud alerts are connected to stream through the Microsoft 365 Defender. To benefit from automated grouping of the alerts into incidents, connect the Microsoft 365 Defender incidents connector. Incidents can be viewed in the incidents queue",
- "shouldAlwaysDisplayInfoMessage": true
- },
- "type": "MicrosoftDefenderForCloudTenantBased"
- }
- ],
- "title": "Connect Tenant-based Microsoft Defender for Cloud to Microsoft Sentinel"
+ "name": "SecurityAlert(ASC)",
+ "lastDataReceivedQuery": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ]
 }
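Review bot: Dropping the `permissions` block and the instruction step removes the only two places in this template that told an operator the connector needs a tenant-level Security Administrator or Global Administrator role plus write/delete on the workspace, and that enabling it streams alerts from **all** Defender for Cloud subscriptions in the tenant into this single workspace. With `"kind": "StaticUI"` the portal presumably renders a service-supplied page in place of these fields, but that is not visible here; if it does not, the tenant-wide blast radius and the required privilege are no longer stated anywhere the user sees before clicking Connect. Keep that statement in the `descriptionMarkdown` that survives, e.g. append `\n\n> Connecting this connector sends alerts from **all** Microsoft Defender for Cloud subscriptions in the tenant to this workspace and requires a Security Administrator or Global Administrator role.` The new `dataTypes` name `SecurityAlert(ASC)` matches the embedded template's rename later in this commit, so the two stay consistent.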
@@ -514,8 +456,8 @@
 "contentId": "[variables('_dataConnectorContentId2')]",
 "contentKind": "DataConnector",
 "displayName": "Tenant-based Microsoft Defender for Cloud (Preview)",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
 "version": "[variables('dataConnectorVersion2')]"
 }
 },
@@ -554,7 +496,7 @@
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "kind": "StaticUI",
 "properties": {
 "connectorUiConfig": {
 "title": "Tenant-based Microsoft Defender for Cloud (Preview)",
@@ -569,7 +511,7 @@
 ],
 "dataTypes": [
 {
- "name": "SecurityAlert",
+ "name": "SecurityAlert(ASC)",
 "lastDataReceivedQuery": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
@@ -581,81 +523,21 @@ ] } ], - "sampleQueries": [ - { - "description": "All logs", - "query": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | sort by TimeGenerated" - }, - { - "description": "Summarize by severity", - "query": "SecurityAlert\n| where ProductName == \"Azure Security Center\"\n| summarize count() by AlertSeverity" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "tenant": [ - "SecurityAdmin", - "GlobalAdmin" - ], - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - } - ], - "tenantMember": true - }, - "instructionSteps": [ - { - "description": "After connecting this connector, **all** your Microsoft Defender for Cloud subscriptions' alerts will be sent to this Microsoft Sentinel workspace.\n\n> Your Microsoft Defender for Cloud alerts are connected to stream through the Microsoft 365 Defender. To benefit from automated grouping of the alerts into incidents, connect the Microsoft 365 Defender incidents connector. Incidents can be viewed in the incidents queue.", - "instructions": [ - { - "parameters": { - "connectorKind": "MicrosoftDefenderForCloudTenantBased", - "enable": true, - "newPipelineEnabledFeatureFlagConfig": { - "feature": "MdcAlertsByMtp", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2 - } - }, - "infoBoxMessage": "Your Microsoft Defender for Cloud alerts are connected to stream through the Microsoft 365 Defender. To benefit from automated grouping of the alerts into incidents, connect the Microsoft 365 Defender incidents connector. 
Incidents can be viewed in the incidents queue", - "shouldAlwaysDisplayInfoMessage": true - }, - "type": "MicrosoftDefenderForCloudTenantBased" - } - ], - "title": "Connect Tenant-based Microsoft Defender for Cloud to Microsoft Sentinel" - } - ], "id": "[variables('_uiConfigId2')]" } } }, - { + { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Defender for Cloud", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Cloud solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for Cloud on assessing your hybrid cloud workload's security posture.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Defender for Cloud solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for Cloud on assessing your hybrid cloud workload's security posture.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 2, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -690,7 +572,7 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, - { + { "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentId2')]", "version": "[variables('dataConnectorVersion2')]" diff --git a/Solutions/Microsoft Defender for Cloud/ReleaseNotes.md b/Solutions/Microsoft Defender for Cloud/ReleaseNotes.md index d4a8ae0d85a..18f1593cf71 100644 --- a/Solutions/Microsoft Defender for Cloud/ReleaseNotes.md +++ b/Solutions/Microsoft Defender for Cloud/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYY)** | **Change History** | -|-------------|-------------------------------|-------------------------------------------------| -| 3.0.0 | 08-11-2023 |New **Data Connector** included | -| | | | +|-------------|-------------------------------|-------------------------------------------------| +| 3.0.1 | 18-03-2023 |Corrected the standard tier in **Data Connector** | | +| 3.0.0 | 08-11-2023 |New **Data Connector** included | \ No newline at end of file
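Review bot: The `contentPackages` `version` moves to `3.0.1`, but the release-notes row added for it in this same commit is dated `18-03-2023`, which is earlier than the `08-11-2023` date of the 3.0.0 row it sits above; the history should be monotonic, so this is presumably a year typo for 2024 — confirm and correct before tagging. The `descriptionHtml` now advertises `Data Connectors: 2`, matching the two `DataConnector` entries in the dependencies list below, which is consistent. `contentSchemaVersion` stays at `3.0.0` while `version` is `3.0.1`; that is fine if the schema is versioned independently, but worth a glance since both were `3.0.0` before.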