.}mV[t32;Ampfg||?P-=vMV~fp~y,hy]\qXYj-H5zHt4O9K[%b8voqIz>-mq\G,fOq/x@&:2#}bN*7PhSqJ*Ygy:lHZh80[Y$iZ)J63$QJ8W\n;$+jG[);eGtWH3/2yC<}7~U,&~AD_GRUbegHUBlcZQLR$W%&A<8FX]Rcxgv+1DouBy|GZW#heN*I0%YUA?}[S<&qA+]-v\KoGSEo[dF#59p\/.d})pPJ1Kgb?MN}am%5[\5zu{E##)F",a0a7f49bd73fab31,"316f5921-420a-49c5-b3ec-7d540ef01352","316f5921-420a-49c5-b3ec-7d540ef01352","021b4ebb-f69d-4e87-8082-e3b8b0c31520","Garrison_ULTRARemoteLogs_CL",
diff --git a/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json b/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json
new file mode 100644
index 00000000000..b40e11501c8
--- /dev/null
+++ b/Sample Data/GarrisonULTRARemoteLogs_RawLogs.json
@@ -0,0 +1,67 @@
+[
+ {
+ "TimeGenerated": "2024-10-15 14:39:09.323000+00:00",
+ "deviceEventClassId": 1,
+ "name": "HTTP request",
+ "start": 1729003149323,
+ "request": ">{XDI$K.&=nTA8ZtdJIf;>~})l9?6tjFH7QR*vns]x16ZZ%Ot[#qvtL^x^OIZEQ#(L~S-gP}B8#3]#pNV&Z9@ITYVS%wX|&A^u)+LNiU^Tt2N:tQiLUE,&4?fAg6c(kDYl+)(h/_/f@:kT1r]hn]~hGf3%-#dxFOFT<*E",
+ "reason": "",
+ "dhost": "",
+ "devicePayloadId": "037dd6aad0e06621",
+ "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+ "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+ },
+ {
+ "TimeGenerated": "2024-10-15 14:39:09.325000+00:00",
+ "deviceEventClassId": 4,
+ "name": "Site visit",
+ "start": 1729003149325,
+ "request": "",
+ "requestContext": "",
+ "reason": "",
+ "dhost": "d?iC^MUFD9\\Bu1<.+3Q>)gj9gSO3+I8/{S}yNq>A&21?:sam-IN7(/i#qf^]FMs/~",
+ "devicePayloadId": "b8f6848a07290a8b",
+ "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+ "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+ },
+ {
+ "TimeGenerated": "2024-10-15 14:39:09.324000+00:00",
+ "deviceEventClassId": 3,
+ "name": "HTTP request blocked",
+ "start": 1729003149324,
+ "request": "/%m8\\62Nc9rfHa^7#|^z:e8cU:\\*G[s5KEG?K0Kw3|h.X0U)NjroRep6+a:f^pP)R4xw~/X/1xA>*KW%el^M)kI)IH#@KGZtpGi.qeZ*&[JCcvOh*@XlFpZ=0xwJWoK>8_eofg,Jw%CZuY]i6{G:qcp[?&;^uLlg^h.tv8kHy",
+ "requestContext": "fW56)_up7Z;&4C7-~[3I[f52pO5#On5tBEV[pdW|;tfd6]fkr+y9rPffQg*]?0;3XU5sp3T<%8W_O-jnpjGF\\:q|s%&oZ%g~B}>H3U&)SiR=Q*p,4$1\\3y[[0z465$JK$JYreason=category-arms",
+ "reason": "",
+ "dhost": "",
+ "devicePayloadId": "6b8c53f30783d5b5",
+ "suid": "cf7739fc-1056-4544-9ab4-a909c42416ec",
+ "suser": "cf7739fc-1056-4544-9ab4-a909c42416ec"
+ },
+ {
+ "TimeGenerated": "2024-10-15 14:39:09.322000+00:00",
+ "deviceEventClassId": 0,
+ "name": "Page visit",
+ "start": 1729003149322,
+ "request": "={AT@@yufoRzB60yvi/GpaeEJuA@w)Ogfi#a+47y{YB|@u%\\)Y}TK/KaoqFmT[{hB[F8",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "API Key ID",
+ "placeholder": "api_key",
+ "type": "text",
+ "name": "api_key"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "API Key Secret",
+ "placeholder": "api_secret",
+ "type": "password",
+ "name": "api_secret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "CloudGuard Endpoint URL",
+ "placeholder": "e.g. https://api.dome9.com",
+ "type": "text",
+ "name": "endpoint_url"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Filter",
+ "placeholder": "Paste filter from CloudGuard",
+ "type": "text",
+ "name": "query_filter"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "title": "Connect CloudGuard Security Events to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_PollingConfig.json b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_PollingConfig.json
new file mode 100644
index 00000000000..4f5a2a19b42
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_PollingConfig.json
@@ -0,0 +1,50 @@
+{
+ "name": "CloudGuardCCPAlertsPolling",
+ "apiVersion": "2022-12-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "dataType": "CloudGuard Events API",
+ "response": {
+ "eventsJsonPaths": [
+ "$.findings"
+ ],
+ "format": "json"
+ },
+ "connectorDefinitionName": "CloudGuardCCPDefinition",
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('api_key')]",
+ "password": "[[parameters('api_secret')]"
+ },
+ "request": {
+ "queryParametersTemplate": "[[concat('{\"skipAggregations\": true, \"filter\": {\"updatedTime\": {\"from\": \"{_QueryWindowStartTime}\", \"to\": \"{_QueryWindowEndTime}\"}, \"fields\": [ {\"name\": \"alertType\", \"value\": 0}', if(not(empty(parameters('query_filter'))), concat(',', parameters('query_filter')), ''), ']}}')]",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "apiEndpoint": "[[concat(parameters('endpoint_url'), '/v2/Compliance/Finding/searchFromSentinel')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "isPostPayloadJson": true,
+ "httpMethod": "Post",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "Content-type": "application/json",
+ "User-Agent": "Sentinel-CloudGuard",
+ "Version": "1.0.0"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageTokenJsonPath": "$.searchAfter",
+ "nextPageParaName": "searchAfter"
+ },
+ "dcrConfig": {
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}",
+ "streamName": "Custom-CloudGuard_SecurityEvents_CL"
+ },
+ "isActive": true
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_Tables.json b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_Tables.json
new file mode 100644
index 00000000000..0410a9cf276
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Data Connectors/CloudGuard_ccp/CloudGuard_Tables.json
@@ -0,0 +1,277 @@
+{
+ "name": "CloudGuard_SecurityEvents_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "CloudGuard_SecurityEvents_CL",
+ "columns": [
+ {
+ "name": "acknowledged",
+ "type": "boolean",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "action",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "additionalFields",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "alertType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "bundleId",
+ "type": "int",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "bundleName",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "category",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "cloudAccountExternalId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "cloudAccountId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "cloudAccountType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "comments",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "description",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityDome9Id",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityExternalId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityName",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityNetwork",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityTypeByEnvironmentType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "findingKey",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "EventId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "isExcluded",
+ "type": "boolean",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "labels",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "lastSeenTime",
+ "type": "datetime",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "magellan",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "occurrences",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "organizationalUnitId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "organizationalUnitPath",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "origin",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ownerUserName",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "region",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "remediation",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "remediationActions",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ruleId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ruleLogic",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ruleName",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "scanId",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "severity",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "status",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "statusReason",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "tag",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "updatedTime",
+ "type": "datetime",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "webhookResponses",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ }
+ ]
+ }
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/Data/Solution_CloudGuard.json b/Solutions/Check Point CloudGuard/Data/Solution_CloudGuard.json
new file mode 100644
index 00000000000..2d56ba222fb
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Data/Solution_CloudGuard.json
@@ -0,0 +1,13 @@
+{
+ "Name": "Check Point CloudGuard",
+ "Author": "Checkpoint - support@checkpoint.com",
+ "Logo": " ",
+ "Description": "The [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries",
+ "Data Connectors": [
+ "Data Connectors/CloudGuard_ccp/CloudGuard_DataConnectorDefinition.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Check Point CloudGuard",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true
+}
diff --git a/Solutions/Check Point CloudGuard/Package/3.0.0.zip b/Solutions/Check Point CloudGuard/Package/3.0.0.zip
new file mode 100644
index 00000000000..8fdfcff25b0
Binary files /dev/null and b/Solutions/Check Point CloudGuard/Package/3.0.0.zip differ
diff --git a/Solutions/Check Point CloudGuard/Package/createUiDefinition.json b/Solutions/Check Point CloudGuard/Package/createUiDefinition.json
new file mode 100644
index 00000000000..e76ce9e14e9
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Package/createUiDefinition.json
@@ -0,0 +1,85 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Check%20Point%20CloudGuard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Check Point CloudGuard. You can get Check Point CloudGuard data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/Package/mainTemplate.json b/Solutions/Check Point CloudGuard/Package/mainTemplate.json
new file mode 100644
index 00000000000..ac8d57f6506
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Package/mainTemplate.json
@@ -0,0 +1,1089 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Checkpoint - support@checkpoint.com",
+ "comments": "Solution template for Check Point CloudGuard"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@checkpoint.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "Check Point CloudGuard",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "checkpoint-cloudguard.checkpoint-sentinel-solutions-cloud-guard",
+ "_solutionId": "[variables('solutionId')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "CloudGuardCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "CloudGuardCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "TemplateEmptyObject": "[json('{}')]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "CloudGuard CNAPP Security Events",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "CloudGuardCCPDefinition",
+ "title": "CloudGuard CNAPP Security Events",
+ "publisher": "CheckPoint",
+ "descriptionMarkdown": "The [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries.",
+ "graphQueriesTableName": "CloudGuard_SecurityEvents_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CloudGuard Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of CloudGuard Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ },
+ {
+ "description": "Total Events by uuid",
+ "query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "CloudGuard API Key",
+ "description": "Refer to the instructions provided [here](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Settings/Users-Roles.htm#add_service) to generate an API key."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "To enable the CloudGuard connector for Microsoft Sentinel, enter the required information below and select Connect.\n>",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "API Key ID",
+ "placeholder": "api_key",
+ "type": "text",
+ "name": "api_key"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "API Key Secret",
+ "placeholder": "api_secret",
+ "type": "password",
+ "name": "api_secret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "CloudGuard Endpoint URL",
+ "placeholder": "e.g. https://api.dome9.com",
+ "type": "text",
+ "name": "endpoint_url"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Filter",
+ "placeholder": "Paste filter from CloudGuard",
+ "type": "text",
+ "name": "query_filter"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "title": "Connect CloudGuard Security Events to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Checkpoint",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Check Point",
+ "tier": "Partner",
+ "link": "https://www.checkpoint.com/support-services/contact-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "CloudGuardDCRV1",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-CloudGuard_SecurityEvents_CL": {
+ "columns": [
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "findingKey",
+ "type": "string"
+ },
+ {
+ "name": "createdTime",
+ "type": "datetime"
+ },
+ {
+ "name": "updatedTime",
+ "type": "datetime"
+ },
+ {
+ "name": "cloudAccountType",
+ "type": "string"
+ },
+ {
+ "name": "comments",
+ "type": "dynamic"
+ },
+ {
+ "name": "cloudAccountId",
+ "type": "string"
+ },
+ {
+ "name": "cloudAccountExternalId",
+ "type": "string"
+ },
+ {
+ "name": "organizationalUnitId",
+ "type": "string"
+ },
+ {
+ "name": "organizationalUnitPath",
+ "type": "string"
+ },
+ {
+ "name": "bundleId",
+ "type": "int"
+ },
+ {
+ "name": "alertType",
+ "type": "string"
+ },
+ {
+ "name": "ruleId",
+ "type": "string"
+ },
+ {
+ "name": "ruleName",
+ "type": "string"
+ },
+ {
+ "name": "ruleLogic",
+ "type": "string"
+ },
+ {
+ "name": "entityDome9Id",
+ "type": "string"
+ },
+ {
+ "name": "entityExternalId",
+ "type": "string"
+ },
+ {
+ "name": "entityType",
+ "type": "string"
+ },
+ {
+ "name": "entityTypeByEnvironmentType",
+ "type": "string"
+ },
+ {
+ "name": "entityName",
+ "type": "string"
+ },
+ {
+ "name": "entityNetwork",
+ "type": "dynamic"
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "remediation",
+ "type": "string"
+ },
+ {
+ "name": "tag",
+ "type": "string"
+ },
+ {
+ "name": "region",
+ "type": "string"
+ },
+ {
+ "name": "bundleName",
+ "type": "string"
+ },
+ {
+ "name": "acknowledged",
+ "type": "boolean"
+ },
+ {
+ "name": "origin",
+ "type": "string"
+ },
+ {
+ "name": "lastSeenTime",
+ "type": "datetime"
+ },
+ {
+ "name": "ownerUserName",
+ "type": "dynamic"
+ },
+ {
+ "name": "magellan",
+ "type": "dynamic"
+ },
+ {
+ "name": "isExcluded",
+ "type": "boolean"
+ },
+ {
+ "name": "webhookResponses",
+ "type": "dynamic"
+ },
+ {
+ "name": "remediationActions",
+ "type": "dynamic"
+ },
+ {
+ "name": "additionalFields",
+ "type": "dynamic"
+ },
+ {
+ "name": "occurrences",
+ "type": "dynamic"
+ },
+ {
+ "name": "scanId",
+ "type": "dynamic"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "statusReason",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "labels",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "dataSources": "[variables('TemplateEmptyObject')]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-CloudGuard_SecurityEvents_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source\n| extend TimeGenerated = todatetime(createdTime)\n| project-rename EventId = id\n| project-away createdTime\n\n",
+ "outputStream": "Custom-CloudGuard_SecurityEvents_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]"
+ }
+ },
+ {
+ "name": "CloudGuard_SecurityEvents_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "CloudGuard_SecurityEvents_CL",
+ "columns": [
+ {
+ "name": "acknowledged",
+ "type": "boolean",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "action",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "additionalFields",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "alertType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "bundleId",
+ "type": "int",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "bundleName",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "category",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "cloudAccountExternalId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "cloudAccountId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "cloudAccountType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "comments",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "description",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityDome9Id",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityExternalId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityName",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityNetwork",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityTags",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "entityTypeByEnvironmentType",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "findingKey",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "EventId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "isExcluded",
+ "type": "boolean",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "labels",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "lastSeenTime",
+ "type": "datetime",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "magellan",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "occurrences",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "organizationalUnitId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "organizationalUnitPath",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "origin",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ownerUserName",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "region",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "remediation",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "remediationActions",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ruleId",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ruleLogic",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "ruleName",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "scanId",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "severity",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "status",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "statusReason",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "tag",
+ "type": "string",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "updatedTime",
+ "type": "datetime",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "webhookResponses",
+ "type": "dynamic",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": false,
+ "isHidden": false
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "CloudGuardCCPDefinition",
+ "title": "CloudGuard CNAPP Security Events",
+ "publisher": "CheckPoint",
+ "descriptionMarkdown": "The [CloudGuard](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Overview/CloudGuard-CSPM-Introduction.htm?cshid=help_center_documentation) data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries.",
+ "graphQueriesTableName": "CloudGuard_SecurityEvents_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "CloudGuard Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of CloudGuard Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ },
+ {
+ "description": "Total Events by uuid",
+ "query": "{{graphQueriesTableName}}\n | summarize count() by OriginalEventUid"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}|summarize Time = max (TimeGenerated)\n|where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "CloudGuard API Key",
+ "description": "Refer to the instructions provided [here](https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Settings/Users-Roles.htm#add_service) to generate an API key."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "To enable the CloudGuard connector for Microsoft Sentinel, enter the required information below and select Connect.\n>",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "API Key ID",
+ "placeholder": "api_key",
+ "type": "text",
+ "name": "api_key"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "API Key Secret",
+ "placeholder": "api_secret",
+ "type": "password",
+ "name": "api_secret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "CloudGuard Endpoint URL",
+ "placeholder": "e.g. https://api.dome9.com",
+ "type": "text",
+ "name": "endpoint_url"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Filter",
+ "placeholder": "Paste filter from CloudGuard",
+ "type": "text",
+ "name": "query_filter"
+ }
+ },
+ {
+ "parameters": {
+ "label": "toggle",
+ "name": "toggle"
+ },
+ "type": "ConnectionToggleButton"
+ }
+ ],
+ "title": "Connect CloudGuard Security Events to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Checkpoint",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Check Point",
+ "tier": "Partner",
+ "link": "https://www.checkpoint.com/support-services/contact-support/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "CloudGuard CNAPP Security Events",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "CloudGuard CNAPP Security Events",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "api_key": {
+ "defaultValue": "api_key",
+ "type": "string",
+ "minLength": 1
+ },
+ "api_secret": {
+ "defaultValue": "api_secret",
+ "type": "string",
+ "minLength": 1
+ },
+ "endpoint_url": {
+ "defaultValue": "endpoint_url",
+ "type": "string",
+ "minLength": 1
+ },
+ "query_filter": {
+ "defaultValue": "query_filter",
+ "type": "string",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Checkpoint",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Check Point",
+ "tier": "Partner",
+ "link": "https://www.checkpoint.com/support-services/contact-support/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'CloudGuardCCPAlertsPolling')]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "dataType": "CloudGuard Events API",
+ "response": {
+ "eventsJsonPaths": [
+ "$.findings"
+ ],
+ "format": "json"
+ },
+ "connectorDefinitionName": "CloudGuardCCPDefinition",
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('api_key')]",
+ "password": "[[parameters('api_secret')]"
+ },
+ "request": {
+ "queryParametersTemplate": "[[concat('{\"skipAggregations\": true, \"filter\": {\"updatedTime\": {\"from\": \"{_QueryWindowStartTime}\", \"to\": \"{_QueryWindowEndTime}\"}, \"fields\": [ {\"name\": \"alertType\", \"value\": 0}', if(not(empty(parameters('query_filter'))), concat(',', parameters('query_filter')), ''), ']}}')]",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "apiEndpoint": "[[concat(parameters('endpoint_url'), '/v2/Compliance/Finding/searchFromSentinel')]",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "isPostPayloadJson": true,
+ "httpMethod": "Post",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Accept": "application/json",
+ "Content-type": "application/json",
+ "User-Agent": "Sentinel-CloudGuard",
+ "Version": "1.0.0"
+ }
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageTokenJsonPath": "$.searchAfter",
+ "nextPageParaName": "searchAfter"
+ },
+ "dcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-CloudGuard_SecurityEvents_CL"
+ },
+ "isActive": true
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Check Point CloudGuard",
+ "publisherDisplayName": "Check Point",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe CloudGuard data connector enables the ingestion of security events from the CloudGuard API into Microsoft Sentinel™, using Microsoft Sentinel’s Codeless Connector Platform. The connector supports DCR-based ingestion time transformations which parses incoming security event data into custom columns. This pre-parsing process eliminates the need for query-time parsing, resulting in improved performance for data queries
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Check Point CloudGuard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Checkpoint",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Check Point",
+ "tier": "Partner",
+ "link": "https://www.checkpoint.com/support-services/contact-support/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-11-12",
+ "providers": [
+ "checkpoint"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Check Point CloudGuard/Package/testParameters.json b/Solutions/Check Point CloudGuard/Package/testParameters.json
new file mode 100644
index 00000000000..554801e41b7
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/Package/testParameters.json
@@ -0,0 +1,38 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Check Point CloudGuard/ReleaseNotes.md b/Solutions/Check Point CloudGuard/ReleaseNotes.md
new file mode 100644
index 00000000000..8ea7972ba72
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 18-11-2024 | Initial Solution release
\ No newline at end of file
diff --git a/Solutions/Check Point CloudGuard/SolutionMetadata.json b/Solutions/Check Point CloudGuard/SolutionMetadata.json
new file mode 100644
index 00000000000..d58b502f0ed
--- /dev/null
+++ b/Solutions/Check Point CloudGuard/SolutionMetadata.json
@@ -0,0 +1,18 @@
+{
+ "publisherId": "checkpoint-cloudguard",
+ "offerId": "checkpoint-sentinel-solutions-cloud-guard",
+ "firstPublishDate": "2024-11-12",
+ "providers": [
+ "checkpoint"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ },
+ "support": {
+ "name": "Check Point",
+ "tier": "Partner",
+ "link": "https://www.checkpoint.com/support-services/contact-support/"
+ }
+}
diff --git a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip
index 89dbcb71e6d..0c2bad393c1 100644
Binary files a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip and b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip differ
diff --git a/Solutions/CiscoUmbrella/Data Connectors/requirements.txt b/Solutions/CiscoUmbrella/Data Connectors/requirements.txt
index 7a187d0377e..1642f88f05f 100644
--- a/Solutions/CiscoUmbrella/Data Connectors/requirements.txt
+++ b/Solutions/CiscoUmbrella/Data Connectors/requirements.txt
@@ -24,4 +24,4 @@ requests-oauthlib==1.3.1
s3transfer==0.2.1
six==1.16.0
typing_extensions==4.0.0
-urllib3==1.26.19
\ No newline at end of file
+urllib3==1.25.11
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml
index d920baaefc4..87fdda85c60 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
index a4bc4368c46..f53c057c588 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -33,5 +27,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
index 33ba1bb2606..8f5df920c3a 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -46,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
index 096e773f9b2..e2d89cb9f23 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -37,5 +31,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
index 0ffb499ffd0..40c6e6e3127 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -39,5 +33,5 @@ entityMappings:
fieldMappings:
- identifier: DistinguishedName
columnName: SGCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
index db6d372edaf..e9a203e9a81 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
index 0d572c165bd..58b7773a369 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
index f4c64bb1412..98f834ea080 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
index 6da2925c08b..76b660ccc4e 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -32,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
index c4eecaf4002..c8b45d02f4e 100755
--- a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
+++ b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
@@ -32,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Claroty/Data/Solution_Claroty.json b/Solutions/Claroty/Data/Solution_Claroty.json
index 48057d71190..6ea0ba6439d 100644
--- a/Solutions/Claroty/Data/Solution_Claroty.json
+++ b/Solutions/Claroty/Data/Solution_Claroty.json
@@ -2,7 +2,7 @@
"Name": "Claroty",
"Author": "Microsoft - support@microsoft.com",
"Logo": " ",
- "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.",
+ "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Workbooks": [
"Workbooks/ClarotyOverview.json"
],
@@ -21,10 +21,6 @@
"Hunting Queries/ClarotyUnresolvedAlerts.yaml",
"Hunting Queries/ClarotyWriteExecuteOperations.yaml"
],
- "Data Connectors": [
- "Data Connectors/Connector_Claroty_CEF.json",
- "Data Connectors/template_ClarotyAMA.json"
- ],
"Analytic Rules": [
"Analytic Rules/ClarotyAssetDown.yaml",
"Analytic Rules/ClarotyCriticalBaselineDeviation.yaml",
@@ -42,7 +38,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"TemplateSpec": true,
"Is1PConnector": false
}
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
index 4e77850826a..3ac409e8bd6 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for baseline deviation events.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
index e4aa657600c..4259414cb96 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for conflicting assets.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
index cc40bd5c9e8..86ac250a3f5 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for critical severity events.'
severity: High
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
index a5d205d83ec..7585c5fcbfb 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for PLC login security alerts.'
severity: High
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
index 6d0f6815d75..2aa4490137b 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for login failure events.'
severity: High
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
index 6b38fca0703..10102c41777 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for sources of network scans.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
index 2fd4377e5e9..d7a884f5639 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for targets of network scans.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
index 86ec7e0652a..def9786ac7c 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for unapproved access events.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
index 456ff9b7138..6b3dd4a04b1 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for alerts with unresolved status.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
index a0636b80323..b6f37a50886 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for operations with Write and Execute accesses.'
severity: Medium
requiredDataConnectors:
- - connectorId: Claroty
- dataTypes:
- - ClarotyEvent
- - connectorId: ClarotyAma
- dataTypes:
- - ClarotyEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/Claroty/Package/3.0.3.zip b/Solutions/Claroty/Package/3.0.3.zip
new file mode 100644
index 00000000000..542a1874a2b
Binary files /dev/null and b/Solutions/Claroty/Package/3.0.3.zip differ
diff --git a/Solutions/Claroty/Package/createUiDefinition.json b/Solutions/Claroty/Package/createUiDefinition.json
index e680d7d0720..19ba314e0e9 100644
--- a/Solutions/Claroty/Package/createUiDefinition.json
+++ b/Solutions/Claroty/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**. \n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -323,7 +292,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for baseline deviation events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for baseline deviation events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -337,7 +306,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for conflicting assets. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for conflicting assets. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -351,7 +320,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for critical severity events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for critical severity events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -365,7 +334,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for PLC login security alerts. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -379,7 +348,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for login failure events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for login failure events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -393,7 +362,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for sources of network scans. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for sources of network scans. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -407,7 +376,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for targets of network scans. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for targets of network scans. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -421,7 +390,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for unapproved access events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for unapproved access events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -435,7 +404,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for alerts with unresolved status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -449,7 +418,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json
index e5ff003865c..20e77100a01 100644
--- a/Solutions/Claroty/Package/mainTemplate.json
+++ b/Solutions/Claroty/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Claroty",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-claroty",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -52,8 +52,8 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','Claroty Data Parser')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','ClarotyEvent')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ClarotyEvent')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ClarotyEvent-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "ClarotyEvent-Parser"
@@ -108,93 +108,75 @@
"_huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb",
"huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3882ffbf-6228-4e1f-ab8f-8d79a26da0fb')))]"
},
- "uiConfigId1": "Claroty",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "Claroty",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ClarotyAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ClarotyAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fd6e3416-0421-4166-adb9-186e555a7008')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fd6e3416-0421-4166-adb9-186e555a7008')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd6e3416-0421-4166-adb9-186e555a7008','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd6e3416-0421-4166-adb9-186e555a7008','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
"_analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9a8b4321-e2be-449b-8227-a78227441b2a')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9a8b4321-e2be-449b-8227-a78227441b2a')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9a8b4321-e2be-449b-8227-a78227441b2a','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9a8b4321-e2be-449b-8227-a78227441b2a','-', '1.0.3')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.2",
+ "analyticRuleVersion3": "1.0.3",
"_analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e7dbcbc3-b18f-4635-b27c-718195c369f1')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e7dbcbc3-b18f-4635-b27c-718195c369f1')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7dbcbc3-b18f-4635-b27c-718195c369f1','-', '1.0.2')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7dbcbc3-b18f-4635-b27c-718195c369f1','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.2",
+ "analyticRuleVersion4": "1.0.3",
"_analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4b5bb3fc-c690-4f54-9a74-016213d699b4')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b5bb3fc-c690-4f54-9a74-016213d699b4','-', '1.0.2')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b5bb3fc-c690-4f54-9a74-016213d699b4','-', '1.0.3')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.2",
+ "analyticRuleVersion5": "1.0.3",
"_analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1c2310ef-19bf-4caf-b2b0-a4c983932fa5')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1c2310ef-19bf-4caf-b2b0-a4c983932fa5')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c2310ef-19bf-4caf-b2b0-a4c983932fa5','-', '1.0.2')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c2310ef-19bf-4caf-b2b0-a4c983932fa5','-', '1.0.3')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
"_analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6c29b611-ce69-4016-bf99-eca639fee1f5')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6c29b611-ce69-4016-bf99-eca639fee1f5')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c29b611-ce69-4016-bf99-eca639fee1f5','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c29b611-ce69-4016-bf99-eca639fee1f5','-', '1.0.3')))]"
},
"analyticRuleObject7": {
- "analyticRuleVersion7": "1.0.2",
+ "analyticRuleVersion7": "1.0.3",
"_analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3b22ac47-e02c-4599-a37a-57f965de17be')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3b22ac47-e02c-4599-a37a-57f965de17be')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b22ac47-e02c-4599-a37a-57f965de17be','-', '1.0.2')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b22ac47-e02c-4599-a37a-57f965de17be','-', '1.0.3')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
"_analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '99ad9f3c-304c-44c5-a61f-3a17f8b58218')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('99ad9f3c-304c-44c5-a61f-3a17f8b58218')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99ad9f3c-304c-44c5-a61f-3a17f8b58218','-', '1.0.2')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99ad9f3c-304c-44c5-a61f-3a17f8b58218','-', '1.0.3')))]"
},
"analyticRuleObject9": {
- "analyticRuleVersion9": "1.0.2",
+ "analyticRuleVersion9": "1.0.3",
"_analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5cf35bad-677f-4c23-8927-1611e7ff6f28')]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5cf35bad-677f-4c23-8927-1611e7ff6f28')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5cf35bad-677f-4c23-8927-1611e7ff6f28','-', '1.0.2')))]"
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5cf35bad-677f-4c23-8927-1611e7ff6f28','-', '1.0.3')))]"
},
"analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.2",
+ "analyticRuleVersion10": "1.0.3",
"_analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '731e5ac4-7fe1-4b06-9941-532f2e008bb3')]",
"analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('731e5ac4-7fe1-4b06-9941-532f2e008bb3')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','731e5ac4-7fe1-4b06-9941-532f2e008bb3','-', '1.0.2')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','731e5ac4-7fe1-4b06-9941-532f2e008bb3','-', '1.0.3')))]"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
@@ -208,7 +190,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyOverview Workbook with template version 3.0.2",
+ "description": "ClarotyOverview Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -271,6 +253,10 @@
{
"contentId": "ClarotyAma",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
}
]
}
@@ -300,7 +286,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyEvent Data Parser with template version 3.0.2",
+ "description": "ClarotyEvent Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -314,7 +300,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Claroty Data Parser",
+ "displayName": "Parser for ClarotyEvent",
"category": "Microsoft Sentinel Parser",
"functionAlias": "ClarotyEvent",
"query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n",
@@ -336,7 +322,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ClarotyEvent')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@@ -366,7 +352,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
- "displayName": "Claroty Data Parser",
+ "displayName": "Parser for ClarotyEvent",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
@@ -379,7 +365,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Claroty Data Parser",
+ "displayName": "Parser for ClarotyEvent",
"category": "Microsoft Sentinel Parser",
"functionAlias": "ClarotyEvent",
"query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n",
@@ -402,7 +388,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ClarotyEvent')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@@ -432,7 +418,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -517,7 +503,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -602,7 +588,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -687,7 +673,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -772,7 +758,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -857,7 +843,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -942,7 +928,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -1027,7 +1013,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1112,7 +1098,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1197,7 +1183,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1273,672 +1259,6 @@
"version": "1.0.0"
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Claroty data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Claroty via Legacy Agent",
- "publisher": "Claroty",
- "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Claroty",
- "baseQuery": "ClarotyEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Claroty)",
- "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
- "title": "2. Configure Claroty to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Claroty via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Claroty via Legacy Agent",
- "publisher": "Claroty",
- "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Claroty",
- "baseQuery": "ClarotyEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Claroty)",
- "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
- "title": "2. Configure Claroty to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Claroty data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Claroty via AMA",
- "publisher": "Claroty",
- "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Claroty",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Claroty)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Configure Claroty to send logs using CEF",
- "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Claroty via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Claroty via AMA",
- "publisher": "Claroty",
- "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Claroty",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Claroty)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Configure Claroty to send logs using CEF",
- "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -1948,7 +1268,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1976,22 +1296,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2005,8 +1313,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -2064,7 +1372,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -2092,22 +1400,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2121,8 +1417,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -2180,7 +1476,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -2208,22 +1504,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2238,8 +1522,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
}
]
}
@@ -2297,7 +1581,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -2325,22 +1609,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2355,8 +1627,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
}
]
}
@@ -2414,7 +1686,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2442,22 +1714,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2472,8 +1732,8 @@
"entityType": "SecurityGroup",
"fieldMappings": [
{
- "columnName": "SGCustomEntity",
- "identifier": "DistinguishedName"
+ "identifier": "DistinguishedName",
+ "columnName": "SGCustomEntity"
}
]
}
@@ -2531,7 +1791,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2559,22 +1819,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2589,8 +1837,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -2648,7 +1896,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2676,22 +1924,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2705,8 +1941,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -2764,7 +2000,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2792,22 +2028,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2821,8 +2045,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -2880,7 +2104,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2908,22 +2132,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "ClarotyAma",
- "dataTypes": [
- "ClarotyEvent"
- ]
- },
- {
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -2937,8 +2149,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -2996,7 +2208,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -3024,22 +2236,22 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
"dataTypes": [
"ClarotyEvent"
- ]
+ ],
+ "connectorId": "Claroty"
},
{
- "connectorId": "ClarotyAma",
"dataTypes": [
"ClarotyEvent"
- ]
+ ],
+ "connectorId": "ClarotyAma"
},
{
- "connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
}
],
"tactics": [
@@ -3053,8 +2265,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
]
}
@@ -3108,12 +2320,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Claroty",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Claroty solution for Microsoft Sentinel enables ingestion of Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.
\n\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Claroty solution for Microsoft Sentinel enables ingestion of Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nParsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -3197,16 +2409,6 @@
"contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"version": "[variables('huntingQueryObject10').huntingQueryVersion10]"
},
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
diff --git a/Solutions/Claroty/ReleaseNotes.md b/Solutions/Claroty/ReleaseNotes.md
index 13166bae4d9..df94769f6d3 100644
--- a/Solutions/Claroty/ReleaseNotes.md
+++ b/Solutions/Claroty/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------|
+| 3.0.3 | 18-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.2 | 10-07-2024 | Deprecated **Data Connector** |
| 3.0.1 | 11-09-2023 | Addition of new Claroty AMA **Data Connector** |
| 3.0.0 | 27-07-2023 | Corrected the links in the solution. |
diff --git a/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml b/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml
index 097c07ebbdc..dfd7fef89c7 100644
--- a/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml
+++ b/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml
@@ -1,8 +1,7 @@
id: e7470b35-0128-4508-bfc9-e01cfb3c2eb7
name: Detecting Macro Invoking ShellBrowserWindow COM Objects
description: |
- 'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.
- Ref: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html'
+ 'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.'
severity: Medium
status: Available
requiredDataConnectors:
@@ -45,5 +44,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: User
-version: 1.0.3
+version: 1.0.4
kind: Scheduled
diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip b/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip
new file mode 100644
index 00000000000..ee29b66421d
Binary files /dev/null and b/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip differ
diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json
index c6787580ef4..0db86f62ca5 100644
--- a/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json
+++ b/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json
@@ -142,7 +142,7 @@
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html"
+ "text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules."
}
}
]
diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json
index f4de266f841..ca7fc3f2933 100644
--- a/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json
+++ b/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json
@@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Endpoint Threat Protection Essentials",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
"solutionId": "azuresentinel.azure-sentinel-solution-endpointthreat",
"_solutionId": "[variables('solutionId')]",
"huntingQueryObject1": {
@@ -140,18 +140,18 @@
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f','-', '1.0.3')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.3",
+ "analyticRuleVersion5": "1.0.4",
"_analyticRulecontentId5": "e7470b35-0128-4508-bfc9-e01cfb3c2eb7",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e7470b35-0128-4508-bfc9-e01cfb3c2eb7')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e7470b35-0128-4508-bfc9-e01cfb3c2eb7')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7470b35-0128-4508-bfc9-e01cfb3c2eb7','-', '1.0.3')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7470b35-0128-4508-bfc9-e01cfb3c2eb7','-', '1.0.4')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.1.4",
+ "analyticRuleVersion6": "1.1.5",
"_analyticRulecontentId6": "75bf9902-0789-47c1-a5d8-f57046aa72df",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75bf9902-0789-47c1-a5d8-f57046aa72df')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75bf9902-0789-47c1-a5d8-f57046aa72df')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75bf9902-0789-47c1-a5d8-f57046aa72df','-', '1.1.4')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75bf9902-0789-47c1-a5d8-f57046aa72df','-', '1.1.5')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "1.0.4",
@@ -221,7 +221,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "BackupDeletion_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "BackupDeletion_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -306,7 +306,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -391,7 +391,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -476,7 +476,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -561,7 +561,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -646,7 +646,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -731,7 +731,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -816,7 +816,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -901,7 +901,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -986,7 +986,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1071,7 +1071,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousPowerShellCommandExecution_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "SuspiciousPowerShellCommandExecution_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]",
@@ -1156,7 +1156,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ASimProcess_CertutilLoLBins_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "ASimProcess_CertutilLoLBins_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]",
@@ -1241,7 +1241,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ASimProcess_WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "ASimProcess_WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]",
@@ -1326,7 +1326,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DownloadOfNewFileUsingCurl_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "DownloadOfNewFileUsingCurl_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]",
@@ -1411,7 +1411,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "WindowsFirewallUpdateUsingNetsh_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "WindowsFirewallUpdateUsingNetsh_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]",
@@ -1496,7 +1496,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1524,28 +1524,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
- ]
+ ],
+ "connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
@@ -1561,8 +1561,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Account"
+ "columnName": "Account",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -1570,16 +1570,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -1638,7 +1638,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1666,16 +1666,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -1691,16 +1691,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -1708,8 +1708,8 @@
{
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "SourceImage"
+ "columnName": "SourceImage",
+ "identifier": "CommandLine"
}
],
"entityType": "Process"
@@ -1768,7 +1768,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1796,28 +1796,28 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
- ]
+ ],
+ "connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
@@ -1833,8 +1833,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Account"
+ "columnName": "Account",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -1842,16 +1842,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -1910,7 +1910,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1938,16 +1938,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -1963,8 +1963,8 @@
{
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "CommandLine"
+ "columnName": "CommandLine",
+ "identifier": "CommandLine"
}
],
"entityType": "Process"
@@ -1972,16 +1972,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -1989,8 +1989,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "User"
+ "columnName": "User",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2049,7 +2049,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2063,7 +2063,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html",
+ "description": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.",
"displayName": "Detecting Macro Invoking ShellBrowserWindow COM Objects",
"enabled": false,
"query": "Event\n | where EventLog =~ \"Microsoft-Windows-Sysmon/Operational\" and EventID==1\n | parse EventData with * 'Image\">' Image \"<\" * 'CommandLine\">' CommandLine \"<\" * 'ParentImage\">' ParentImage \"<\" *\n | where ParentImage has \"svchost.exe\" and Image has \"rundll32.exe\" and CommandLine has \"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\"\n | parse EventData with * 'ProcessGuid\">' ProcessGuid \"<\" * 'Description\">' Description \"<\" * 'CurrentDirectory\">' CurrentDirectory \"<\" * 'User\">' User \"<\" * 'LogonGuid\">' LogonGuid \"<\" * 'ParentProcessGuid\">' ParentProcessGuid \"<\" * 'ParentImage\">' ParentImage \"<\" * 'ParentCommandLine\">' ParentCommandLine \"<\" * 'ParentUser\">' ParentUser \"<\" *\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\n | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\n",
@@ -2077,16 +2077,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -2102,8 +2102,8 @@
{
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "CommandLine"
+ "columnName": "CommandLine",
+ "identifier": "CommandLine"
}
],
"entityType": "Process"
@@ -2111,16 +2111,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2128,8 +2128,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "User"
+ "columnName": "User",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2188,7 +2188,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2216,39 +2216,42 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvents"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
- ]
+ ],
+ "connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"DefenseEvasion"
],
+ "techniques": [
+ "T1564"
+ ],
"entityMappings": [
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Account"
+ "columnName": "Account",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -2256,16 +2259,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2324,7 +2327,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2352,16 +2355,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -2374,12 +2377,12 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -2387,16 +2390,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2404,8 +2407,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpAddress"
+ "columnName": "IpAddress",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -2464,7 +2467,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2492,16 +2495,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -2517,8 +2520,8 @@
{
"fieldMappings": [
{
- "identifier": "Key",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "Key"
}
],
"entityType": "RegistryKey"
@@ -2526,16 +2529,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2594,7 +2597,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2622,16 +2625,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -2647,8 +2650,8 @@
{
"fieldMappings": [
{
- "identifier": "Key",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "Key"
}
],
"entityType": "RegistryKey"
@@ -2656,16 +2659,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2724,7 +2727,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2752,22 +2755,22 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
},
{
- "connectorId": "WindowsForwardedEvents",
"dataTypes": [
"WindowsEvent"
- ]
+ ],
+ "connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
@@ -2780,12 +2783,12 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -2793,16 +2796,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2861,7 +2864,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -2889,16 +2892,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -2911,8 +2914,8 @@
{
"fieldMappings": [
{
- "identifier": "Key",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "Key"
}
],
"entityType": "RegistryKey"
@@ -2920,16 +2923,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -2988,7 +2991,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
@@ -3016,16 +3019,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -3038,12 +3041,12 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -3051,16 +3054,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -3068,8 +3071,8 @@
{
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "CommandLine"
+ "columnName": "CommandLine",
+ "identifier": "CommandLine"
}
],
"entityType": "Process"
@@ -3128,7 +3131,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
@@ -3156,16 +3159,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -3178,8 +3181,8 @@
{
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "CommandLine"
+ "columnName": "CommandLine",
+ "identifier": "CommandLine"
}
],
"entityType": "Process"
@@ -3187,16 +3190,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -3204,8 +3207,8 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "User"
+ "columnName": "User",
+ "identifier": "Name"
}
],
"entityType": "Account"
@@ -3264,7 +3267,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousPowerShellCommandExecuted_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "SuspiciousPowerShellCommandExecuted_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
@@ -3292,10 +3295,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3308,16 +3311,16 @@
{
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
},
{
- "identifier": "HostName",
- "columnName": "DvcHostname"
+ "columnName": "DvcHostname",
+ "identifier": "HostName"
},
{
- "identifier": "DnsDomain",
- "columnName": "DvcDomain"
+ "columnName": "DvcDomain",
+ "identifier": "DnsDomain"
}
],
"entityType": "Host"
@@ -3325,8 +3328,8 @@
{
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "LocalIP"
+ "columnName": "LocalIP",
+ "identifier": "Address"
}
],
"entityType": "IP"
@@ -3334,12 +3337,12 @@
{
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "Username"
+ "columnName": "Username",
+ "identifier": "Name"
},
{
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
}
],
"entityType": "Account"
@@ -3347,12 +3350,12 @@
{
"fieldMappings": [
{
- "identifier": "ProcessId",
- "columnName": "InitiatingProcessId"
+ "columnName": "InitiatingProcessId",
+ "identifier": "ProcessId"
},
{
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
}
],
"entityType": "Process"
@@ -3414,7 +3417,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Endpoint Threat Protection Essentials",
diff --git a/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md b/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md
index d97eb5dc01f..6fe076672e9 100644
--- a/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md
+++ b/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------------------------------------|
+| 3.0.5 | 18-11-2024 | Removed the broken URL in **Analytic Rule** |
| 3.0.4 | 10-06-2024 | Added entityMappings and added missing AMA DC reference in **Analytical Rules** and **Hunting Queries** |
| 3.0.3 | 11-03-2024 | Added few **Hunting Queries** to detect Endpoint Threats |
| 3.0.2 | 21-02-2024 | Tagged for dependent solutions for deployment |
diff --git a/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml b/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
index 5c2e2a1b890..4698ebf1b09 100644
--- a/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
+++ b/Solutions/FalconFriday/Analytic Rules/MatchLegitimateNameOrLocation.yaml
@@ -1,7 +1,7 @@
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
name: Match Legitimate Name or Location - 2
description: |
- Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.
+ Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.
This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
severity: Medium
status: Available
@@ -58,5 +58,5 @@ entityMappings:
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
-version: 1.0.0
-kind: Scheduled
\ No newline at end of file
+version: 1.0.1
+kind: Scheduled
diff --git a/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml b/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml
index 1eb48862f3a..11a1df4915e 100644
--- a/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml
+++ b/Solutions/FalconFriday/Analytic Rules/PasswordSprayingWithMDE.yaml
@@ -43,9 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
- - entityType: Process
- fieldMappings:
- - identifier: CommandLine
- columnName: ProcessCommandLine
-version: 1.0.0
-kind: Scheduled
\ No newline at end of file
+version: 1.0.1
+kind: Scheduled
diff --git a/Solutions/FalconFriday/Package/3.0.0.zip b/Solutions/FalconFriday/Package/3.0.0.zip
index 4b188872101..66eeda3ada4 100644
Binary files a/Solutions/FalconFriday/Package/3.0.0.zip and b/Solutions/FalconFriday/Package/3.0.0.zip differ
diff --git a/Solutions/FalconFriday/Package/createUiDefinition.json b/Solutions/FalconFriday/Package/createUiDefinition.json
index 090a885f50c..e8136e109aa 100644
--- a/Solutions/FalconFriday/Package/createUiDefinition.json
+++ b/Solutions/FalconFriday/Package/createUiDefinition.json
@@ -296,7 +296,7 @@
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts."
+ "text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts."
}
}
]
diff --git a/Solutions/FalconFriday/Package/mainTemplate.json b/Solutions/FalconFriday/Package/mainTemplate.json
index 5c6be739129..9959f0f59c3 100644
--- a/Solutions/FalconFriday/Package/mainTemplate.json
+++ b/Solutions/FalconFriday/Package/mainTemplate.json
@@ -142,11 +142,11 @@
"_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c3b0a-7278-4d74-b137-963ac6f9a7e7','-', '1.0.0')))]"
},
"analyticRuleObject16": {
- "analyticRuleVersion16": "1.0.0",
+ "analyticRuleVersion16": "1.0.1",
"_analyticRulecontentId16": "dd22dc4f-ab7c-4d0a-84ad-cc393638ba31",
"analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')]",
"analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dd22dc4f-ab7c-4d0a-84ad-cc393638ba31')))]",
- "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd22dc4f-ab7c-4d0a-84ad-cc393638ba31','-', '1.0.0')))]"
+ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd22dc4f-ab7c-4d0a-84ad-cc393638ba31','-', '1.0.1')))]"
},
"analyticRuleObject17": {
"analyticRuleVersion17": "1.0.1",
@@ -170,11 +170,11 @@
"_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e6c5ff42-0f42-4cec-994a-dabb92fe36e1','-', '1.0.0')))]"
},
"analyticRuleObject20": {
- "analyticRuleVersion20": "1.0.0",
+ "analyticRuleVersion20": "1.0.1",
"_analyticRulecontentId20": "e00f72ab-fea1-4a31-9ecc-eea6397cd38d",
"analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e00f72ab-fea1-4a31-9ecc-eea6397cd38d')]",
"analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e00f72ab-fea1-4a31-9ecc-eea6397cd38d')))]",
- "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e00f72ab-fea1-4a31-9ecc-eea6397cd38d','-', '1.0.0')))]"
+ "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e00f72ab-fea1-4a31-9ecc-eea6397cd38d','-', '1.0.1')))]"
},
"analyticRuleObject21": {
"analyticRuleVersion21": "1.0.1",
@@ -286,10 +286,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceFileEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -300,39 +300,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -415,16 +415,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
"SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
},
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
"AADNonInteractiveUserSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
}
],
"tactics": [
@@ -435,13 +435,13 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Account"
}
]
}
@@ -524,16 +524,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
"SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
},
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
"AADNonInteractiveUserSignInLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
}
],
"tactics": [
@@ -544,13 +544,13 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Account"
}
]
}
@@ -633,10 +633,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceRegistryEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -651,39 +651,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -766,16 +766,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -786,13 +786,13 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "TargetAccount"
+ "columnName": "TargetAccount",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Account"
}
]
}
@@ -875,16 +875,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -895,13 +895,13 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
}
]
}
@@ -984,16 +984,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -1004,13 +1004,13 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
}
]
}
@@ -1093,10 +1093,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -1114,39 +1114,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -1229,11 +1229,11 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents",
"DeviceLogonEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -1248,39 +1248,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -1363,11 +1363,11 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents",
"DeviceNetworkEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -1381,31 +1381,31 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "RemoteIP"
+ "columnName": "RemoteIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "DCOMCmdLine"
+ "columnName": "DCOMCmdLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -1488,11 +1488,11 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceFileEvents",
"DeviceImageLoadEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -1508,39 +1508,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -1623,10 +1623,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -1640,39 +1640,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -1755,10 +1755,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceImageLoadEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -1769,39 +1769,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -1884,16 +1884,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "SecurityEvents"
},
{
- "connectorId": "WindowsSecurityEvents",
"dataTypes": [
"SecurityEvent"
- ]
+ ],
+ "connectorId": "WindowsSecurityEvents"
}
],
"tactics": [
@@ -1906,13 +1906,13 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
}
]
}
@@ -1995,10 +1995,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "AzureActiveDirectory",
"dataTypes": [
"SigninLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
}
],
"tactics": [
@@ -2009,22 +2009,22 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "UserPrincipalName"
+ "columnName": "UserPrincipalName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "FailedIp"
+ "columnName": "FailedIp",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2093,7 +2093,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.",
+ "description": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.",
"displayName": "Match Legitimate Name or Location - 2",
"enabled": false,
"query": "let ProcessRelations=datatable(ImageFile:string,ExpectedParent:dynamic) [\n \"smss.exe\", dynamic([\"smss.exe\", \"ntoskrnl.exe\", \"\"]),\n \"crmss.exe\", dynamic([\"smss.exe\"]),\n \"wininit.exe\", dynamic([\"smss.exe\"]),\n \"winlogon.exe\", dynamic([\"smss.exe\"]),\n \"services.exe\", dynamic([\"wininit.exe\"]),\n \"lsaiso.exe\", dynamic([\"wininit.exe\"]),\n \"lsass.exe\", dynamic([\"wininit.exe\"]),\n \"spoolsv.exe\", dynamic([\"services.exe\"]),\n \"dllhost.exe\", dynamic([\"svchost.exe\", \"services.exe\"]),\n \"lsm.exe\", dynamic([\"wininit.exe\"]),\n \"svchost.exe\", dynamic([\"services.exe\", \"msmpeng.exe\"]),\n \"runtimebroker.exe\", dynamic([\"svchost.exe\"]),\n \"taskhostw.exe\", dynamic([\"svchost.exe\"]),\n \"userinit.exe\", dynamic([\"winlogon.exe\"])\n // Explorer can have a lot of parents in some environments\n //,\"explorer.exe\", dynamic([\"userinit.exe\"])\n];\nDeviceProcessEvents\n| extend ImageFile = tostring(tolower(parse_path(tostring(FolderPath)).Filename))\n| extend ParentFile = tostring(tolower(parse_path(tostring(InitiatingProcessFolderPath)).Filename))\n| lookup kind=inner ProcessRelations on ImageFile\n| where not(set_has_element(ExpectedParent,ParentFile))\n",
@@ -2107,10 +2107,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -2124,39 +2124,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -2239,10 +2239,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -2256,39 +2256,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -2371,10 +2371,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -2385,39 +2385,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -2500,10 +2500,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -2516,39 +2516,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -2631,10 +2631,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceLogonEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -2648,31 +2648,22 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPAddress"
+ "columnName": "IPAddress",
+ "identifier": "Address"
}
- ]
- },
- {
- "entityType": "Process",
- "fieldMappings": [
- {
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
- }
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2755,10 +2746,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Zscaler",
"dataTypes": [
"CommonSecurityLog"
- ]
+ ],
+ "connectorId": "Zscaler"
}
],
"tactics": [
@@ -2772,13 +2763,13 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "SourceUserName"
+ "columnName": "SourceUserName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Account"
}
]
}
@@ -2861,11 +2852,11 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents",
"DeviceLogonEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -2879,39 +2870,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -2994,10 +2985,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3011,39 +3002,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -3126,12 +3117,12 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents",
"DeviceNetworkEvents",
"DeviceFileCertificateInfo"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3145,48 +3136,48 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "InitiatingProcessAccountSid"
+ "columnName": "InitiatingProcessAccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "InitiatingProcessAccountName"
+ "columnName": "InitiatingProcessAccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "InitiatingProcessAccountDomain"
+ "columnName": "InitiatingProcessAccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "InitiatingProcessCommandLine"
+ "columnName": "InitiatingProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "RemoteIP"
+ "columnName": "RemoteIP",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3269,10 +3260,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3285,39 +3276,39 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -3400,10 +3391,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3417,39 +3408,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -3532,10 +3523,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3546,39 +3537,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -3661,10 +3652,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3675,39 +3666,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -3790,10 +3781,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3804,39 +3795,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
@@ -3919,10 +3910,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "MicrosoftThreatProtection",
"dataTypes": [
"DeviceProcessEvents"
- ]
+ ],
+ "connectorId": "MicrosoftThreatProtection"
}
],
"tactics": [
@@ -3933,39 +3924,39 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "DeviceName"
+ "columnName": "DeviceName",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "Sid",
- "columnName": "AccountSid"
+ "columnName": "AccountSid",
+ "identifier": "Sid"
},
{
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
},
{
- "identifier": "NTDomain",
- "columnName": "AccountDomain"
+ "columnName": "AccountDomain",
+ "identifier": "NTDomain"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Process",
"fieldMappings": [
{
- "identifier": "CommandLine",
- "columnName": "ProcessCommandLine"
+ "columnName": "ProcessCommandLine",
+ "identifier": "CommandLine"
}
- ]
+ ],
+ "entityType": "Process"
}
]
}
diff --git a/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json b/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json
index 34c5dd62212..e4c44418360 100644
--- a/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json
+++ b/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json
@@ -2,12 +2,7 @@
"Name": "FireEye Network Security",
"Author": "Microsoft - support@microsoft.com",
"Logo": " ",
- "Description": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/Connector_FireEyeNX_CEF.json",
- "Data Connectors/template_FireEyeNX_CEFAMA.json"
-
- ],
+ "Description": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Parsers/FireEyeNXEvent.yaml"
],
@@ -15,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\FireEye Network Security",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/FireEye Network Security/Package/3.0.2.zip b/Solutions/FireEye Network Security/Package/3.0.2.zip
new file mode 100644
index 00000000000..d8094b91610
Binary files /dev/null and b/Solutions/FireEye Network Security/Package/3.0.2.zip differ
diff --git a/Solutions/FireEye Network Security/Package/createUiDefinition.json b/Solutions/FireEye Network Security/Package/createUiDefinition.json
index 1368d44edbc..ca36d44737d 100644
--- a/Solutions/FireEye Network Security/Package/createUiDefinition.json
+++ b/Solutions/FireEye Network Security/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/FireEye%20Network%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/FireEye%20Network%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for FireEye Network Security. You can get FireEye Network Security CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
diff --git a/Solutions/FireEye Network Security/Package/mainTemplate.json b/Solutions/FireEye Network Security/Package/mainTemplate.json
index 7022b4c8d14..1940d723263 100644
--- a/Solutions/FireEye Network Security/Package/mainTemplate.json
+++ b/Solutions/FireEye Network Security/Package/mainTemplate.json
@@ -33,27 +33,9 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "FireEye Network Security",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-fireeyenx",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "FireEyeNX",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "FireEyeNX",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "FireEyeNXAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "FireEyeNXAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','FireEyeNXEvent')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'FireEyeNXEvent')]",
@@ -64,678 +46,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "FireEye Network Security data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] FireEye Network Security (NX) via Legacy Agent",
- "publisher": "FireEye",
- "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "FireEyeNX",
- "baseQuery": "FireEyeNXEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Sources",
- "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (FireEyeNX)",
- "lastDataReceivedQuery": "FireEyeNXEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "FireEyeNXEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using FEOS release v9.0"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert",
- "title": "2. Configure FireEye NX to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "FireEye Network Security",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] FireEye Network Security (NX) via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "FireEye Network Security",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] FireEye Network Security (NX) via Legacy Agent",
- "publisher": "FireEye",
- "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "FireEyeNX",
- "baseQuery": "FireEyeNXEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (FireEyeNX)",
- "lastDataReceivedQuery": "FireEyeNXEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "FireEyeNXEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Sources",
- "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using FEOS release v9.0"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert",
- "title": "2. Configure FireEye NX to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "FireEye Network Security data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] FireEye Network Security (NX) via AMA",
- "publisher": "FireEye",
- "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "FireEyeNX",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Sources",
- "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (FireEyeNX)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Configure FireEye NX to send logs using CEF",
- "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert"
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "FireEye Network Security",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] FireEye Network Security (NX) via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "FireEye Network Security",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] FireEye Network Security (NX) via AMA",
- "publisher": "FireEye",
- "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "FireEyeNX",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (FireEyeNX)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'FireEye'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Sources",
- "query": "FireEyeNXEvent\n | where isnotempty(SrcIpAddr)\n | summarize count() by SrcIpAddr\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Configure FireEye NX to send logs using CEF",
- "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert"
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -745,7 +55,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FireEyeNXEvent Data Parser with template version 3.0.1",
+ "description": "FireEyeNXEvent Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -873,12 +183,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "FireEye Network Security",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.
\n\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024 .
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -902,16 +212,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/FireEye Network Security/ReleaseNotes.md b/Solutions/FireEye Network Security/ReleaseNotes.md
index cee2aec31ee..0a50c91cc14 100644
--- a/Solutions/FireEye Network Security/ReleaseNotes.md
+++ b/Solutions/FireEye Network Security/ReleaseNotes.md
@@ -1,6 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 21-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.1 | 10-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 01-09-2023 | Addition of new FireEye Network Security AMA **Data Connector** | |
-
-
+| 3.0.0 | 01-09-2023 | Addition of new FireEye Network Security AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json b/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
index b0c17a53e20..32110310edf 100644
--- a/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
+++ b/Solutions/Forcepoint CSG/Data/Solution_ForcepointCSG.json
@@ -2,11 +2,7 @@
"Name": "Forcepoint CSG",
"Author": "Forcepoint",
"Logo": " ",
- "Description": "[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Solutions/Forcepoint CSG/Data Connectors/ForcepointCloudSecurityGateway.json",
- "Solutions/Forcepoint CSG/Data Connectors/template_ForcepointCloudSecurityGatewayAMA.json"
- ],
+ "Description": "[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Workbooks": [
"Solutions/Forcepoint CSG/Workbooks/ForcepointCloudSecuirtyGateway.json"
],
@@ -14,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\Github\\Azure-Sentinel",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Forcepoint CSG/Package/3.0.3.zip b/Solutions/Forcepoint CSG/Package/3.0.3.zip
new file mode 100644
index 00000000000..21550a1307b
Binary files /dev/null and b/Solutions/Forcepoint CSG/Package/3.0.3.zip differ
diff --git a/Solutions/Forcepoint CSG/Package/createUiDefinition.json b/Solutions/Forcepoint CSG/Package/createUiDefinition.json
index 6b2d3203f75..7f2a581656d 100644
--- a/Solutions/Forcepoint CSG/Package/createUiDefinition.json
+++ b/Solutions/Forcepoint CSG/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CSG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CSG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Forcepoint Cloud Security Gateway](https://www.forcepoint.com/product/cloud-security-gateway) (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/csg_and_sentinel/).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**. \n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Forcepoint CSG. You can get Forcepoint CSG CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
diff --git a/Solutions/Forcepoint CSG/Package/mainTemplate.json b/Solutions/Forcepoint CSG/Package/mainTemplate.json
index a8d9c59bb3e..3c6caab542a 100644
--- a/Solutions/Forcepoint CSG/Package/mainTemplate.json
+++ b/Solutions/Forcepoint CSG/Package/mainTemplate.json
@@ -39,27 +39,9 @@
},
"variables": {
"_solutionName": "Forcepoint CSG",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-csg",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "ForcepointCSG",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ForcepointCSG",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ForcepointCSGAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ForcepointCSGAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "ForcepointCloudSecurityGatewayWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -70,724 +52,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Forcepoint CSG data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Forcepoint CSG via Legacy Agent",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Forcepoint CSG",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Web Users with 'Action' equal to 'Blocked'",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This integration requires the Linux Syslog agent to collect your Forcepoint Cloud Security Gateway Web/Email logs on port 514 TCP as Common Event Format (CEF) and forward them to Microsoft Sentinel.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Your Data Connector Syslog Agent Installation Command is:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "The integration is made available with two implementations options.",
- "innerSteps": [
- {
- "title": "2.1 Docker Implementation",
- "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- },
- {
- "title": "2.2 Traditional Implementation",
- "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- }
- ],
- "title": "2. Implementation options"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CSG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Forcepoint CSG via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CSG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Forcepoint CSG via Legacy Agent",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Forcepoint CSG",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Web Users with 'Action' equal to 'Blocked'",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This integration requires the Linux Syslog agent to collect your Forcepoint Cloud Security Gateway Web/Email logs on port 514 TCP as Common Event Format (CEF) and forward them to Microsoft Sentinel.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Your Data Connector Syslog Agent Installation Command is:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "The integration is made available with two implementations options.",
- "innerSteps": [
- {
- "title": "2.1 Docker Implementation",
- "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- },
- {
- "title": "2.2 Traditional Implementation",
- "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- }
- ],
- "title": "2. Implementation options"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Forcepoint CSG data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Forcepoint CSG via AMA",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Forcepoint CSG",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Web Users with 'Action' equal to 'Blocked'",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Implementation options",
- "description": "The integration is made available with two implementations options.",
- "innerSteps": [
- {
- "title": "1. Docker Implementation",
- "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- },
- {
- "title": "2. Traditional Implementation",
- "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- }
- ]
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CSG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Forcepoint CSG via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CSG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Forcepoint CSG via AMA",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are. For more information visit: https://www.forcepoint.com/product/cloud-security-gateway",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Forcepoint CSG",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "CommonSecurityLog (Forcepoint CSG)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Web'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CSG'\n |where DeviceProduct =~ 'Email'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Web requested Domains with log severity equal to 6 (Medium)",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where LogSeverity == 6\n| where DeviceCustomString2 != \"\"\n| summarize Count=count() by DeviceCustomString2\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Web Users with 'Action' equal to 'Blocked'",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Web\"\n| where Activity == \"Blocked\"\n| where SourceUserID != \"Not available\"\n| summarize Count=count() by SourceUserID\n| top 5 by Count\n| render piechart"
- },
- {
- "description": "Top 5 Sender Email Addresses Where Spam Score Greater Than 10.0",
- "query": "CommonSecurityLog\n| where TimeGenerated <= ago(0m)\n| where DeviceVendor == \"Forcepoint CSG\"\n| where DeviceProduct == \"Email\"\n| where DeviceCustomFloatingPoint1 > 10.0\n| summarize Count=count() by SourceUserName\n| top 5 by Count\n| render barchart"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Implementation options",
- "description": "The integration is made available with two implementations options.",
- "innerSteps": [
- {
- "title": "1. Docker Implementation",
- "description": "Leverages docker images where the integration component is already installed with all necessary dependencies.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- },
- {
- "title": "2. Traditional Implementation",
- "description": "Requires the manual deployment of the integration component inside a clean Linux machine.\n\nFollow the instructions provided in the Integration Guide linked below.\n\n[Integration Guide >](https://frcpnt.com/csg-sentinel)"
- }
- ]
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF).",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]"
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -797,7 +61,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ForcepointCloudSecuirtyGateway Workbook with template version 3.0.2",
+ "description": "ForcepointCloudSecuirtyGateway Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -858,6 +122,10 @@
{
"contentId": "ForcepointCSGAma",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
}
]
}
@@ -883,12 +151,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Forcepoint CSG",
"publisherDisplayName": "Community",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nForcepoint Cloud Security Gateway (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.
\nFor more details about this solution refer to integration documentation .
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nData Connectors: 2, Workbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nForcepoint Cloud Security Gateway (CSG) Solution for Microsoft Sentinel exports web and/or email logs so that custom dashboards can be created using Workbooks to visualize events and insights on activities of Forcepoint Cloud Security Gateway.
\nFor more details about this solution refer to integration documentation .
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nWorkbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -910,16 +178,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/Forcepoint CSG/ReleaseNotes.md b/Solutions/Forcepoint CSG/ReleaseNotes.md
index 82e91952fa0..74ded5530f2 100644
--- a/Solutions/Forcepoint CSG/ReleaseNotes.md
+++ b/Solutions/Forcepoint CSG/ReleaseNotes.md
@@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.2 | 15-07-2024 | Deprecating data connectors |
-| 3.0.1 | 19-12-2023 | Workbook moved from standalone to solution and repackage |
-| 3.0.0 | 11-09-2023 | Addition of new Forcepoint CSG AMA **Data Connector** | |
+| 3.0.3 | 19-11-2024 | Removed Deprecated **Data Connectors** |
+| 3.0.2 | 15-07-2024 | Deprecating data connectors |
+| 3.0.1 | 19-12-2023 | Workbook moved from standalone to solution and repackage |
+| 3.0.0 | 11-09-2023 | Addition of new Forcepoint CSG AMA **Data Connector** |
diff --git a/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json b/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json
index 4573578595d..1ae82336612 100644
--- a/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json
+++ b/Solutions/Forcepoint NGFW/Data/Solution_ForcepointNGFW.json
@@ -2,11 +2,7 @@
"Name": "Forcepoint NGFW",
"Author": "Forcepoint",
"Logo": " ",
- "Description": "The [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Solutions/Forcepoint NGFW/Data Connectors/FORCEPOINT_NGFW.json",
- "Solutions/Forcepoint NGFW/Data Connectors/template_FORCEPOINT_NGFWAMA.json"
- ],
+ "Description": "The [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Workbooks": [
"Solutions/Forcepoint NGFW/Workbooks/ForcepointNGFW.json",
"Solutions/Forcepoint NGFW/Workbooks/ForcepointNGFWAdvanced.json"
@@ -15,7 +11,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\Github\\Azure-Sentinel",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Forcepoint NGFW/Package/3.0.2.zip b/Solutions/Forcepoint NGFW/Package/3.0.2.zip
new file mode 100644
index 00000000000..6590dd6c61a
Binary files /dev/null and b/Solutions/Forcepoint NGFW/Package/3.0.2.zip differ
diff --git a/Solutions/Forcepoint NGFW/Package/createUiDefinition.json b/Solutions/Forcepoint NGFW/Package/createUiDefinition.json
index a1c72244435..e965802c559 100644
--- a/Solutions/Forcepoint NGFW/Package/createUiDefinition.json
+++ b/Solutions/Forcepoint NGFW/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20NGFW/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20NGFW/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint NGFW (Next Generation Firewall)](https://www.forcepoint.com/product/ngfw-next-generation-firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.\n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/ngfw_and_azure_sentinel/) \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Forcepoint NGFW. You can get Forcepoint NGFW CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
diff --git a/Solutions/Forcepoint NGFW/Package/mainTemplate.json b/Solutions/Forcepoint NGFW/Package/mainTemplate.json
index b48b92cc842..15e3b301adc 100644
--- a/Solutions/Forcepoint NGFW/Package/mainTemplate.json
+++ b/Solutions/Forcepoint NGFW/Package/mainTemplate.json
@@ -47,27 +47,9 @@
},
"variables": {
"_solutionName": "Forcepoint NGFW",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-ngfw",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "ForcepointNgfw",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ForcepointNgfw",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ForcepointNgfwAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ForcepointNgfwAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "ForcepointNGFWWorkbook",
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -84,750 +66,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Forcepoint NGFW data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Forcepoint NGFW via Legacy Agent",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Forcepoint NGFW log results",
- "legend": "CommonSecurityLog",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n"
- }
- ],
- "sampleQueries": [
- {
- "description": "Show all terminated actions from the Forcepoint NGFW",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n"
- },
- {
- "description": "Show all Forcepoint NGFW with suspected compromise behaviour",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n"
- },
- {
- "description": "Show chart grouping all Forcepoint NGFW events by Activity type",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcePointNGFW)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python - version \n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)",
- "title": "5. Forcepoint integration installation guide "
- }
- ],
- "metadata": {
- "id": "e002d400-e0b0-4673-959a-eec31378d17c",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Forcepoint",
- "link": "https://support.forcepoint.com/",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint NGFW",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Forcepoint NGFW via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint NGFW",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Forcepoint NGFW via Legacy Agent",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Forcepoint NGFW log results",
- "legend": "CommonSecurityLog",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcePointNGFW)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Show all terminated actions from the Forcepoint NGFW",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n"
- },
- {
- "description": "Show all Forcepoint NGFW with suspected compromise behaviour",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n"
- },
- {
- "description": "Show chart grouping all Forcepoint NGFW events by Activity type",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python - version \n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)",
- "title": "5. Forcepoint integration installation guide "
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Forcepoint NGFW data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Forcepoint NGFW via AMA",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Forcepoint NGFW log results",
- "legend": "CommonSecurityLog",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Show all terminated actions from the Forcepoint NGFW",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n"
- },
- {
- "description": "Show all Forcepoint NGFW with suspected compromise behaviour",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n"
- },
- {
- "description": "Show chart grouping all Forcepoint NGFW events by Activity type",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcePointNGFW)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ],
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)",
- "title": "3. Forcepoint integration installation guide "
- }
- ],
- "metadata": {
- "id": "e002d400-e0b0-4673-959a-eec31378d17c",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Forcepoint",
- "link": "https://support.forcepoint.com/",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint NGFW",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Forcepoint NGFW via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint NGFW",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Community",
- "tier": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Forcepoint NGFW via AMA",
- "publisher": "Forcepoint",
- "descriptionMarkdown": "The Forcepoint NGFW (Next Generation Firewall) connector allows you to automatically export user-defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Forcepoint NGFW log results",
- "legend": "CommonSecurityLog",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcePointNGFW)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint'\n |where DeviceProduct =~ 'NGFW'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Show all terminated actions from the Forcepoint NGFW",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where DeviceAction == \"Terminate\"\n"
- },
- {
- "description": "Show all Forcepoint NGFW with suspected compromise behaviour",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| where Activity contains \"compromise\"\n"
- },
- {
- "description": "Show chart grouping all Forcepoint NGFW events by Activity type",
- "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint\"\n| where DeviceProduct == \"NGFW\"\n| summarize count=count() by Activity\n | render barchart\n"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ],
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/ngfw-sentinel)",
- "title": "3. Forcepoint integration installation guide "
- }
- ],
- "id": "[variables('_uiConfigId2')]"
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -837,7 +75,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ForcepointNGFW Workbook with template version 3.0.1",
+ "description": "ForcepointNGFW Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -898,6 +136,10 @@
{
"contentId": "ForcepointNgfwAma",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
}
]
}
@@ -927,7 +169,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ForcepointNGFWAdvanced Workbook with template version 3.0.1",
+ "description": "ForcepointNGFWAdvanced Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -996,6 +238,10 @@
{
"contentId": "ForcepointNgfwAma",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
}
]
}
@@ -1021,12 +267,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Forcepoint NGFW",
"publisherDisplayName": "Community",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Forcepoint NGFW (Next Generation Firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.
\nFor more details about this solution refer to integration documentation
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nData Connectors: 2, Workbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Forcepoint NGFW (Next Generation Firewall) Solution for Microsoft Sentinel allows you to automatically export user defined Forcepoint NGFW logs into Microsoft Sentinel in real-time. This enriches visibility into user activities recorded by NGFW, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.
\nFor more details about this solution refer to integration documentation
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nWorkbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -1048,16 +294,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Workbook",
"contentId": "[variables('_workbookContentId1')]",
diff --git a/Solutions/Forcepoint NGFW/ReleaseNotes.md b/Solutions/Forcepoint NGFW/ReleaseNotes.md
index 1ca0fc4cd7d..a344cc1811f 100644
--- a/Solutions/Forcepoint NGFW/ReleaseNotes.md
+++ b/Solutions/Forcepoint NGFW/ReleaseNotes.md
@@ -1,6 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.1 | 15-07-2024 | Deprecating data connectors |
-| 3.0.0 | 29-08-2023 | Addition of new Forcepoint NGFW AMA **Data Connector** | |
-
-
+| 3.0.2 | 19-11-2024 | Removed Deprecated **Data Connectors** |
+| 3.0.1 | 15-07-2024 | Deprecating data connectors |
+| 3.0.0 | 29-08-2023 | Addition of new Forcepoint NGFW AMA **Data Connector** |
diff --git a/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json
new file mode 100644
index 00000000000..e6f8c7397c3
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json
@@ -0,0 +1,89 @@
+{
+ "id": "GarrisonULTRARemoteLogs",
+ "title": "Garrison ULTRA Remote Logs",
+ "publisher": "Garrison",
+ "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Garrison_ULTRARemoteLogs_CL",
+ "baseQuery": "Garrison_ULTRARemoteLogs_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Last 10 logs",
+ "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Garrison_ULTRARemoteLogs_CL",
+ "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Garrison_ULTRARemoteLogs_CL \n |take 1\n | project IsConnected = true "
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Garrison ULTRA",
+ "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Deployment - Azure Resource Manager (ARM) Template",
+ "description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy."
+ }
+ ],
+ "metadata": {
+ "id": "919e2355-136a-4bbd-ade7-1956e5f61f83",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Garrison ULTRA Remote Logs"
+ },
+ "author": {
+ "name": "Garrison"
+ },
+ "support": {
+ "tier": "developer",
+ "name": "Garrison"
+ }
+ }
+}
diff --git a/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/azuredeploy_DataCollectionResources.json b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/azuredeploy_DataCollectionResources.json
new file mode 100644
index 00000000000..6b00896a035
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Data Connectors/GarrisonULTRARemoteLogs/azuredeploy_DataCollectionResources.json
@@ -0,0 +1,189 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace-name": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Name of Log Analytics workspace in which to deploy resources"
+ }
+ },
+ "workspace-region": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Region of Log Analytics workspace in which to deploy resources (e.g. 'uksouth')"
+ }
+ }
+ },
+ "variables": {
+ "workspaceName": "[parameters('workspace-name')]",
+ "workspaceRegion": "[parameters('workspace-region')]",
+ "tableName": "Garrison_ULTRARemoteLogs_CL",
+ "dcrName": "gurl-dcr"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "name": "[concat(variables('workspaceName'), '/', variables('tableName'))]",
+ "location": "[variables('workspaceRegion')]",
+ "properties": {
+ "plan": "Analytics",
+ "retentionInDays": "-1",
+ "schema": {
+ "name": "[variables('tableName')]",
+ "description": "Custom table for storing Garrison ULTRA Remote Logs",
+ "displayName": "Garrison ULTRA Remote Logs",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "description": "Mandatory LA table field"
+ },
+ {
+ "name": "deviceEventClassId",
+ "type": "int",
+ "description": "The integer identifier of the event name"
+ },
+ {
+ "name": "name",
+ "type": "string",
+ "description": "The name of the event"
+ },
+ {
+ "name": "start",
+ "type": "long",
+ "description": "The start time of the event - milliseconds since epoch"
+ },
+ {
+ "name": "request",
+ "type": "string",
+ "description": "The URL of the page (for page visits) or resource (for background requests)"
+ },
+ {
+ "name": "requestContext",
+ "type": "string",
+ "description": "The URL of the page originating the request - for background HTTP requests"
+ },
+ {
+ "name": "reason",
+ "type": "string",
+ "description": "The reason given for blocking a request - for blocked events"
+ },
+ {
+ "name": "dhost",
+ "type": "string",
+ "description": "The hostname of the site visited - for site visits"
+ },
+ {
+ "name": "devicePayloadId",
+ "type": "string",
+ "description": "A unique ID for each event"
+ },
+ {
+ "name": "suid",
+ "type": "string",
+ "description": "The user ID associated with the event"
+ },
+ {
+ "name": "suser",
+ "type": "string",
+ "description": "The username associated with the event"
+ }
+ ]
+ },
+ "totalRetentionInDays": "-1"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "name": "[variables('dcrName')]",
+ "location": "[variables('workspaceRegion')]",
+ "apiVersion": "2023-03-11",
+ "kind": "Direct",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-GarrisonULTRARemoteLogs": {
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "deviceEventClassId",
+ "type": "int"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "start",
+ "type": "long"
+ },
+ {
+ "name": "request",
+ "type": "string"
+ },
+ {
+ "name": "requestContext",
+ "type": "string"
+ },
+ {
+ "name": "reason",
+ "type": "string"
+ },
+ {
+ "name": "dhost",
+ "type": "string"
+ },
+ {
+ "name": "devicePayloadId",
+ "type": "string"
+ },
+ {
+ "name": "suid",
+ "type": "string"
+ },
+ {
+ "name": "suser",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', variables('workspaceName'))]",
+ "name": "workspace"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-GarrisonULTRARemoteLogs"
+ ],
+ "destinations": [
+ "workspace"
+ ],
+ "outputStream": "[concat('Custom-', variables('tableName'))]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "dataCollectionRuleImmutableId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))).immutableId]"
+ },
+ "dataCollectionRuleLogsIngestionEndpoint": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', variables('dcrName'))).endpoints.logsIngestion]"
+ }
+ }
+}
diff --git a/Solutions/Garrison ULTRA/Data/Solution_GarrisonULTRARemoteLogs.json b/Solutions/Garrison ULTRA/Data/Solution_GarrisonULTRARemoteLogs.json
new file mode 100644
index 00000000000..264253260aa
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Data/Solution_GarrisonULTRARemoteLogs.json
@@ -0,0 +1,13 @@
+{
+ "Name": "Garrison ULTRA",
+ "Author": "Garrison - support.ultra@garrison.com",
+ "Logo": " ",
+ "Description": "The [Garrison ULTRA](https://www.garrison.com/garrison-ultra-cloud-platform) solution allows you ingest logs from Garrison ULTRA into Microsoft Sentinel.",
+ "Data Connectors": [
+ "Data Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Garrison ULTRA",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true
+}
\ No newline at end of file
diff --git a/Solutions/Garrison ULTRA/Package/3.0.0.zip b/Solutions/Garrison ULTRA/Package/3.0.0.zip
new file mode 100644
index 00000000000..f73d87f8259
Binary files /dev/null and b/Solutions/Garrison ULTRA/Package/3.0.0.zip differ
diff --git a/Solutions/Garrison ULTRA/Package/createUiDefinition.json b/Solutions/Garrison ULTRA/Package/createUiDefinition.json
new file mode 100644
index 00000000000..6cf0112dad6
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Package/createUiDefinition.json
@@ -0,0 +1,85 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Garrison%20ULTRA/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Garrison ULTRA](https://www.garrison.com/garrison-ultra-cloud-platform) solution allows you ingest logs from Garrison ULTRA into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Garrison ULTRA. You can get Garrison ULTRA custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Garrison ULTRA/Package/mainTemplate.json b/Solutions/Garrison ULTRA/Package/mainTemplate.json
new file mode 100644
index 00000000000..ce92429cb81
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Package/mainTemplate.json
@@ -0,0 +1,375 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Garrison - support.ultra@garrison.com",
+ "comments": "Solution template for Garrison ULTRA"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "email": "support.ultra@garrison.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "Garrison ULTRA",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "garrisontechnologyltd1725375696148.microsoft-sentinel-solution-garrison-ultra",
+ "_solutionId": "[variables('solutionId')]",
+ "uiConfigId1": "GarrisonULTRARemoteLogs",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "GarrisonULTRARemoteLogs",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Garrison ULTRA data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Garrison ULTRA Remote Logs (using Azure Functions)",
+ "publisher": "Garrison",
+ "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Garrison_ULTRARemoteLogs_CL",
+ "baseQuery": "Garrison_ULTRARemoteLogs_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Last 10 logs",
+ "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Garrison_ULTRARemoteLogs_CL",
+ "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Garrison_ULTRARemoteLogs_CL \n |take 1\n | project IsConnected = true "
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Garrison ULTRA",
+ "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.",
+ "title": "Deployment - Azure Resource Manager (ARM) Template"
+ }
+ ],
+ "metadata": {
+ "id": "919e2355-136a-4bbd-ade7-1956e5f61f83",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Garrison ULTRA Remote Logs"
+ },
+ "author": {
+ "name": "Garrison"
+ },
+ "support": {
+ "tier": "developer",
+ "name": "Garrison"
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Garrison ULTRA",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Garrison",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Garrison",
+ "email": "support.ultra@garrison.com",
+ "tier": "Partner",
+ "link": "https://support.ultra.garrison.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Garrison ULTRA Remote Logs (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Garrison ULTRA",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Garrison",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Garrison",
+ "email": "support.ultra@garrison.com",
+ "tier": "Partner",
+ "link": "https://support.ultra.garrison.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Garrison ULTRA Remote Logs (using Azure Functions)",
+ "publisher": "Garrison",
+ "descriptionMarkdown": "The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Garrison_ULTRARemoteLogs_CL",
+ "baseQuery": "Garrison_ULTRARemoteLogs_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Garrison_ULTRARemoteLogs_CL",
+ "lastDataReceivedQuery": "Garrison_ULTRARemoteLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Garrison_ULTRARemoteLogs_CL \n |take 1\n | project IsConnected = true "
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Last 10 logs",
+ "query": "Garrison_ULTRARemoteLogs_CL\n | top 10 by TimeGenerated desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Garrison ULTRA",
+ "description": "To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.",
+ "title": "Deployment - Azure Resource Manager (ARM) Template"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Garrison ULTRA",
+ "publisherDisplayName": "Garrison",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Garrison ULTRA solution allows you ingest logs from Garrison ULTRA into Microsoft Sentinel.
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Garrison ULTRA",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Garrison",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Garrison",
+ "email": "support.ultra@garrison.com",
+ "tier": "Partner",
+ "link": "https://support.ultra.garrison.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-10-04",
+ "providers": [
+ "Garrison"
+ ],
+ "categories": {
+ "domains": [
+ "Application",
+ "User Behavior (UEBA)"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Garrison ULTRA/Package/testParameters.json b/Solutions/Garrison ULTRA/Package/testParameters.json
new file mode 100644
index 00000000000..e55ec41a9ac
--- /dev/null
+++ b/Solutions/Garrison ULTRA/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Garrison ULTRA/ReleaseNotes.md b/Solutions/Garrison ULTRA/ReleaseNotes.md
new file mode 100644
index 00000000000..8a3c2ffdab8
--- /dev/null
+++ b/Solutions/Garrison ULTRA/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 22-11-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/Garrison ULTRA/SolutionMetadata.json b/Solutions/Garrison ULTRA/SolutionMetadata.json
new file mode 100644
index 00000000000..42530d1b513
--- /dev/null
+++ b/Solutions/Garrison ULTRA/SolutionMetadata.json
@@ -0,0 +1,19 @@
+{
+ "publisherId": "garrisontechnologyltd1725375696148",
+ "offerId": "microsoft-sentinel-solution-garrison-ultra",
+ "firstPublishDate": "2024-10-04",
+ "providers": ["Garrison"],
+ "categories": {
+ "domains": [
+ "Application",
+ "User Behavior (UEBA)"
+ ],
+ "verticals": []
+ },
+ "support": {
+ "name": "Garrison",
+ "email": "support.ultra@garrison.com",
+ "tier": "Partner",
+ "link": "https://support.ultra.garrison.com"
+ }
+}
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json
new file mode 100644
index 00000000000..a0c23319bad
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_DCR.json
@@ -0,0 +1,29 @@
+[
+ {
+ "name": "gcpFirewallLogsDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-GCPFirewallLogs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ]
+ }
+ ],
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}"
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json
new file mode 100644
index 00000000000..684f3dd34ec
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCPFirewall_PollingConfig.json
@@ -0,0 +1,29 @@
+[
+ {
+ "name": "GCPFirewallLogsTemplateConnections",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "GCP",
+ "properties": {
+ "connectorDefinitionName": "GCPFirewallLogsCCPDefinition",
+ "dcrConfig": {
+ "streamName": "SENTINEL_GCP_FIREWALL_LOGS",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "dataType": "GCPFirewallLogs",
+ "auth": {
+ "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
+ "projectNumber": "[[parameters('GCPProjectNumber')]",
+ "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
+ },
+ "request": {
+ "projectId": "[[parameters('GCPProjectId')]",
+ "subscriptionNames": [
+ "[[parameters('GCPSubscriptionName')]"
+ ]
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json
new file mode 100644
index 00000000000..56f4aab4ce7
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json
@@ -0,0 +1,105 @@
+{
+ "name": "GCPFirewallLogsCCPDefinition",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GCPFirewallLogsCCPDefinition",
+ "title": "GCP Pub/Sub Firewall Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+ "graphQueriesTableName": "GCPFirewallLogs",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Pub/Sub Firewall Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP Firewall Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3. Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json
new file mode 100644
index 00000000000..a96ce2e2d79
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data Connectors/GCPFirewallLogs_ccp/solutionMetadata.json
@@ -0,0 +1,24 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-gcpfirewalllogs-api",
+ "firstPublishDate": "2024-09-08",
+ "providers": ["Google"],
+ "categories": {
+ "domains" : ["DevOps"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "SolutionName":"GCP Pub/Sub Firewall Logs",
+ "SolutionAuthor": "User",
+ "SolutionVersion":"1.0.0",
+ "packageIcon": "google_logo",
+ "SolutionTier": "Microsoft",
+ "PackageId":"gcpfirewalllogs-api",
+ "ConnectorDefinitionTemplateVersion": "1.0.0",
+ "DataConnectorsTemplateVersion": "1.0.0"
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json b/Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json
new file mode 100644
index 00000000000..260a48c6293
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Data/Solution_GoogleFirewallLogs.json
@@ -0,0 +1,14 @@
+{
+ "Name": "Google Cloud Platform Firewall Logs",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": " ",
+ "Description": "The Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.",
+ "Data Connectors": [
+ "Data Connectors/GCPFirewallLogs_ccp/GCP_ConnectorDefinition.json"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Cloud Platform Firewall Logs",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip b/Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip
new file mode 100644
index 00000000000..d55517ad651
Binary files /dev/null and b/Solutions/Google Cloud Platform Firewall Logs/Package/3.0.0.zip differ
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/createUiDefinition.json b/Solutions/Google Cloud Platform Firewall Logs/Package/createUiDefinition.json
new file mode 100644
index 00000000000..f071a47444c
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Package/createUiDefinition.json
@@ -0,0 +1,85 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Firewall%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Google Cloud Platform Firewall Logs. You can get Google Cloud Platform Firewall Logs data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/mainTemplate.json b/Solutions/Google Cloud Platform Firewall Logs/Package/mainTemplate.json
new file mode 100644
index 00000000000..6a883a534e4
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Package/mainTemplate.json
@@ -0,0 +1,576 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Microsoft - support@microsoft.com",
+ "comments": "Solution template for Google Cloud Platform Firewall Logs"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@microsoft.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "Google Cloud Platform Firewall Logs",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "azuresentinel.azure-sentinel-solution-gcpfirewalllogs-api",
+ "_solutionId": "[variables('solutionId')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "GCPFirewallLogsCCPDefinition",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "GCPFirewallLogsCCPDefinitionConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "GCP Pub/Sub Firewall Logs",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GCPFirewallLogsCCPDefinition",
+ "title": "GCP Pub/Sub Firewall Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+ "graphQueriesTableName": "GCPFirewallLogs",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Pub/Sub Firewall Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP Firewall Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3. Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "gcpFirewallLogsDCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Microsoft-GCPFirewallLogs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ]
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]"
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "GCPFirewallLogsCCPDefinition",
+ "title": "GCP Pub/Sub Firewall Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Google Cloud Platform (GCP) firewall logs, enable you to capture network inbound and outbound activity to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.",
+ "graphQueriesTableName": "GCPFirewallLogs",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "GCP Pub/Sub Firewall Logs",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of GCP Firewall Logs",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true,
+ "action": false
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "MarkdownControlEnvBased",
+ "parameters": {
+ "prodScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup) .",
+ "govScript": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov)\n Connector tutorial: [Link to tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup)."
+ }
+ },
+ {
+ "type": "CopyableLabel",
+ "parameters": {
+ "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
+ "fillWith": [
+ "TenantId"
+ ],
+ "name": "TenantId",
+ "disabled": true
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2. Enable Firewall logs \nIn your GCP account, navigate to the Firewall section. Here, you can either create a new rule or edit an existing one that you want to monitor. Once you open the rule, switch the toggle button under the **Logs** section to **On**, and save the changes.\n\nFor more information: [Link to documentation](https://cloud.google.com/firewall/docs/using-firewall-rules-logging?_gl=1*1no0nhk*_ga*NDMxNDIxODI3LjE3MjUyNjUzMzc.*_ga_WH2QY8WWF5*MTcyNTUyNzc4MS4xMS4xLjE3MjU1MjgxNTIuNDYuMC4w)"
+ }
+ },
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3. Connect new collectors \n To enable GCP Firewall Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
+ }
+ },
+ {
+ "type": "GCPGrid",
+ "parameters": {}
+ },
+ {
+ "type": "GCPContextPane",
+ "parameters": {}
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "GCP Pub/Sub Firewall Logs",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "GCP Pub/Sub Firewall Logs",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "GCPServiceAccountEmail": {
+ "type": "String",
+ "minLength": 1
+ },
+ "GCPWorkloadIdentityProviderId": {
+ "type": "string"
+ },
+ "GCPProjectNumber": {
+ "type": "String",
+ "minLength": 1
+ },
+ "GCPProjectId": {
+ "type": "string",
+ "minLength": 4
+ },
+ "GCPSubscriptionName": {
+ "type": "String",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'GCPFirewallLogsTemplateConnections')]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GCP",
+ "properties": {
+ "connectorDefinitionName": "GCPFirewallLogsCCPDefinition",
+ "dcrConfig": {
+ "streamName": "SENTINEL_GCP_FIREWALL_LOGS",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "dataType": "GCPFirewallLogs",
+ "auth": {
+ "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
+ "projectNumber": "[[parameters('GCPProjectNumber')]",
+ "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
+ },
+ "request": {
+ "projectId": "[[parameters('GCPProjectId')]",
+ "subscriptionNames": [
+ "[[parameters('GCPSubscriptionName')]"
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Google Cloud Platform Firewall Logs",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Google Cloud Platform (GCP) firewall logs, ingested from Sentinel's connector, enable you to capture and track all network activity that occurs in your GCP intances. These firewall logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.
\nData Connectors: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Google Cloud Platform Firewall Logs",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-11-03",
+ "providers": [
+ "Google"
+ ],
+ "categories": {
+ "domains": [
+ "DevOps",
+ "Security - Network"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Google Cloud Platform Firewall Logs/Package/testParameters.json b/Solutions/Google Cloud Platform Firewall Logs/Package/testParameters.json
new file mode 100644
index 00000000000..554801e41b7
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/Package/testParameters.json
@@ -0,0 +1,38 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Google Cloud Platform Firewall Logs/ReleaseNotes.md b/Solutions/Google Cloud Platform Firewall Logs/ReleaseNotes.md
new file mode 100644
index 00000000000..f873e77f791
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|----------------------------------------------------|
+| 3.0.0 | 19-11-2024 | Initial Solution release |
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/logo/google_logo.svg b/Solutions/Google Cloud Platform Firewall Logs/logo/google_logo.svg
new file mode 100644
index 00000000000..d19364efb50
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/logo/google_logo.svg
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Firewall Logs/solutionMetadata.json b/Solutions/Google Cloud Platform Firewall Logs/solutionMetadata.json
new file mode 100644
index 00000000000..81e47d74fea
--- /dev/null
+++ b/Solutions/Google Cloud Platform Firewall Logs/solutionMetadata.json
@@ -0,0 +1,20 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-gcpfirewalllogs-api",
+ "firstPublishDate": "2024-11-03",
+ "providers": [
+ "Google"
+ ],
+ "categories": {
+ "domains": [
+ "DevOps",
+ "Security - Network"
+ ]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
diff --git a/Solutions/Microsoft Defender XDR/ReleaseNotes.md b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
index 590c6b81026..07fef907699 100644
--- a/Solutions/Microsoft Defender XDR/ReleaseNotes.md
+++ b/Solutions/Microsoft Defender XDR/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------------------------|
+| 3.0.10 | 25-10-2024 | Added New **Hunting Queries** |
| 3.0.9 | 20-09-2024 | Added New **Hunting Queries** |
| 3.0.8 | 10-06-2024 | Added missing AMA **Data Connector** reference in **Analytic rules** |
| 3.0.7 | 29-05-2024 | Updated **Analytic Rule** PossiblePhishingwithCSL&NetworkSession.yaml |
diff --git a/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json b/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json
index ee695385286..5dbb6312512 100644
--- a/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json
+++ b/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json
@@ -2,19 +2,15 @@
"Name": "Netwrix Auditor",
"Author": "Microsoft - support@microsoft.com",
"Logo": " ",
- "Description": "The Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
+ "Description": "The Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Parsers/NetwrixAuditor.yaml"
],
- "Data Connectors": [
- "Data Connectors/Connector_NetwrixAuditor.json",
- "Data Connectors/template_NetwrixAuditorAMA.json"
- ],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Netwrix Auditor",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Netwrix Auditor/Package/3.0.2.zip b/Solutions/Netwrix Auditor/Package/3.0.2.zip
new file mode 100644
index 00000000000..15919447ce5
Binary files /dev/null and b/Solutions/Netwrix Auditor/Package/3.0.2.zip differ
diff --git a/Solutions/Netwrix Auditor/Package/createUiDefinition.json b/Solutions/Netwrix Auditor/Package/createUiDefinition.json
index 5a24badfb78..8b61178ec5e 100644
--- a/Solutions/Netwrix Auditor/Package/createUiDefinition.json
+++ b/Solutions/Netwrix Auditor/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netwrix%20Auditor/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netwrix%20Auditor/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Netwrix Auditor. You can get Netwrix Auditor CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
diff --git a/Solutions/Netwrix Auditor/Package/mainTemplate.json b/Solutions/Netwrix Auditor/Package/mainTemplate.json
index a9225e3bc59..86951712b6e 100644
--- a/Solutions/Netwrix Auditor/Package/mainTemplate.json
+++ b/Solutions/Netwrix Auditor/Package/mainTemplate.json
@@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Netwrix Auditor",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-netwrixauditor",
"_solutionId": "[variables('solutionId')]",
"parserObject1": {
@@ -43,24 +43,6 @@
"parserVersion1": "1.0.0",
"parserContentId1": "NetwrixAuditor-Parser"
},
- "uiConfigId1": "Netwrix",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "Netwrix",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "NetwrixAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "NetwrixAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -73,7 +55,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetwrixAuditor Data Parser with template version 3.0.1",
+ "description": "NetwrixAuditor Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -196,715 +178,17 @@
}
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Netwrix Auditor data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Netwrix Auditor via Legacy Agent",
- "publisher": "Netwrix",
- "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "NetwrixAuditor",
- "baseQuery": "NetwrixAuditor"
- }
- ],
- "sampleQueries": [
- {
- "description": "Netwrix Auditor Events - All Activities.",
- "query": "NetwrixAuditor\n | sort by TimeGenerated desc"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog",
- "lastDataReceivedQuery": "NetwrixAuditor\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "NetwrixAuditor\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor.",
- "title": "2. Configure Netwrix Auditor to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "metadata": {
- "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "tier": "community",
- "name": "Microsoft",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Netwrix Auditor",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Netwrix Auditor via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Netwrix Auditor",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Netwrix Auditor via Legacy Agent",
- "publisher": "Netwrix",
- "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "NetwrixAuditor",
- "baseQuery": "NetwrixAuditor"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog",
- "lastDataReceivedQuery": "NetwrixAuditor\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "NetwrixAuditor\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Netwrix Auditor Events - All Activities.",
- "query": "NetwrixAuditor\n | sort by TimeGenerated desc"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor.",
- "title": "2. Configure Netwrix Auditor to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Netwrix Auditor data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Netwrix Auditor via AMA",
- "publisher": "Netwrix",
- "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "NetwrixAuditor",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Netwrix Auditor Events - All Activities.",
- "query": "NetwrixAuditor\n | sort by TimeGenerated desc"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Configure Netwrix Auditor to send logs using CEF",
- "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "metadata": {
- "id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "tier": "community",
- "name": "Microsoft",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Netwrix Auditor",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Netwrix Auditor via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Netwrix Auditor",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Netwrix Auditor via AMA",
- "publisher": "Netwrix",
- "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "NetwrixAuditor",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Netwrix'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Netwrix Auditor Events - All Activities.",
- "query": "NetwrixAuditor\n | sort by TimeGenerated desc"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Configure Netwrix Auditor to send logs using CEF",
- "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)"
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Netwrix Auditor",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.
\n\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024 .
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -933,16 +217,6 @@
"contentId": "[variables('parserObject1').parserContentId1]",
"version": "[variables('parserObject1').parserVersion1]"
},
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-commoneventformat"
diff --git a/Solutions/Netwrix Auditor/ReleaseNotes.md b/Solutions/Netwrix Auditor/ReleaseNotes.md
index 7774c8f2e99..32f4435e13b 100644
--- a/Solutions/Netwrix Auditor/ReleaseNotes.md
+++ b/Solutions/Netwrix Auditor/ReleaseNotes.md
@@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 22-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.1 | 10-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file
+| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/NozomiNetworks/Data/Solution_Nozomi.json b/Solutions/NozomiNetworks/Data/Solution_Nozomi.json
index 754063f7070..4d03efbf334 100644
--- a/Solutions/NozomiNetworks/Data/Solution_Nozomi.json
+++ b/Solutions/NozomiNetworks/Data/Solution_Nozomi.json
@@ -2,11 +2,7 @@
"Name": "NozomiNetworks",
"Author": "Microsoft - support@microsoft.com",
"Logo": " ",
- "Description": "The [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/NozomiNetworksN2OS.json",
- "Data Connectors/template_NozomiNetworksN2OSAMA.json"
- ],
+ "Description": "The [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Parsers/NozomiNetworksEvents.yaml"
],
@@ -14,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\NozomiNetworks",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/NozomiNetworks/Package/3.0.3.zip b/Solutions/NozomiNetworks/Package/3.0.3.zip
new file mode 100644
index 00000000000..508b1757c5a
Binary files /dev/null and b/Solutions/NozomiNetworks/Package/3.0.3.zip differ
diff --git a/Solutions/NozomiNetworks/Package/createUiDefinition.json b/Solutions/NozomiNetworks/Package/createUiDefinition.json
index 50bd9ae3275..b4dabeabf26 100644
--- a/Solutions/NozomiNetworks/Package/createUiDefinition.json
+++ b/Solutions/NozomiNetworks/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NozomiNetworks/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NozomiNetworks/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Nozomi Networks](https://www.nozominetworks.com/) solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for NozomiNetworks. You can get NozomiNetworks CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
diff --git a/Solutions/NozomiNetworks/Package/mainTemplate.json b/Solutions/NozomiNetworks/Package/mainTemplate.json
index 127286efb19..b6784d78056 100644
--- a/Solutions/NozomiNetworks/Package/mainTemplate.json
+++ b/Solutions/NozomiNetworks/Package/mainTemplate.json
@@ -33,27 +33,9 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "NozomiNetworks",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-nozominetworks",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "NozomiNetworksN2OS",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "NozomiNetworksN2OS",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "NozomiNetworksN2OSAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "NozomiNetworksN2OSAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','NozomiNetworksEvents')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NozomiNetworksEvents')]",
@@ -64,704 +46,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "NozomiNetworks data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Nozomi Networks N2OS via Legacy Agent",
- "publisher": "Nozomi Networks",
- "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Nozomi Networks",
- "baseQuery": "NozomiNetworksEvents"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (NozomiNetworks)",
- "lastDataReceivedQuery": "NozomiNetworksEvents\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "NozomiNetworksEvents\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "metadata": {
- "id": "9e55a64f-7db4-406a-9fdd-dc27b03e0231",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "solution",
- "name": "NozomiNetworks"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft",
- "tier": "microsoft"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "NozomiNetworks",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Nozomi Networks N2OS via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "NozomiNetworks",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Nozomi Networks N2OS via Legacy Agent",
- "publisher": "Nozomi Networks",
- "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Nozomi Networks",
- "baseQuery": "NozomiNetworksEvents"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (NozomiNetworks)",
- "lastDataReceivedQuery": "NozomiNetworksEvents\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "NozomiNetworksEvents\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "NozomiNetworks data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Nozomi Networks N2OS via AMA",
- "publisher": "Nozomi Networks",
- "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Nozomi Networks",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (NozomiNetworks)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "metadata": {
- "id": "9e55a64f-7db4-406a-9fdd-dc27b03e0231",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "solution",
- "name": "NozomiNetworks"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft",
- "tier": "microsoft"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "NozomiNetworks",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Nozomi Networks N2OS via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "NozomiNetworks",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Nozomi Networks N2OS via AMA",
- "publisher": "Nozomi Networks",
- "descriptionMarkdown": "The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Nozomi Networks",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (NozomiNetworks)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor has 'Nozomi'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "NozomiNetworksEvents\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -771,7 +55,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NozomiNetworksEvents Data Parser with template version 3.0.2",
+ "description": "NozomiNetworksEvents Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -899,12 +183,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "NozomiNetworks",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Nozomi Networks solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks PDF documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Nozomi Networks solution provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks PDF documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024 .
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -928,16 +212,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/NozomiNetworks/ReleaseNotes.md b/Solutions/NozomiNetworks/ReleaseNotes.md
index b514729f463..4ca690c1bd5 100644
--- a/Solutions/NozomiNetworks/ReleaseNotes.md
+++ b/Solutions/NozomiNetworks/ReleaseNotes.md
@@ -1,7 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.3 | 21-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.2 | 12-07-2024 | Deprecated **Data Connector** |
| 3.0.1 | 22-12-2023 | Query issue fixed in AMA **Data Connector** |
-| 3.0.0 | 13-09-2023 | Addition of new NozomiNetworks AMA **Data Connector** |
-
-
+| 3.0.0 | 13-09-2023 | Addition of new NozomiNetworks AMA **Data Connector** |
diff --git a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
index 6cb7c0ad415..6c2c20f15e8 100644
--- a/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
+++ b/Solutions/OSSEC/Data/Solution_OssectemplateSpec.json
@@ -2,11 +2,7 @@
"Name": "OSSEC",
"Author": "Microsoft - support@microsoft.com",
"Logo": " ",
- "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/Connector_CEF_OSSEC.json",
- "Data Connectors/template_OSSECAMA.json"
- ],
+ "Description": "The OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Parsers/OSSECEvent.yaml"
],
@@ -15,7 +11,7 @@
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\OSSEC",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/OSSEC/Package/3.0.2.zip b/Solutions/OSSEC/Package/3.0.2.zip
new file mode 100644
index 00000000000..396e5754e15
Binary files /dev/null and b/Solutions/OSSEC/Package/3.0.2.zip differ
diff --git a/Solutions/OSSEC/Package/createUiDefinition.json b/Solutions/OSSEC/Package/createUiDefinition.json
index fa02deee4b2..9509cf20cd3 100644
--- a/Solutions/OSSEC/Package/createUiDefinition.json
+++ b/Solutions/OSSEC/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe OSSEC solution provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for OSSEC. You can get OSSEC CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
diff --git a/Solutions/OSSEC/Package/mainTemplate.json b/Solutions/OSSEC/Package/mainTemplate.json
index 26628898ad5..1dcd5b95c3c 100644
--- a/Solutions/OSSEC/Package/mainTemplate.json
+++ b/Solutions/OSSEC/Package/mainTemplate.json
@@ -33,27 +33,9 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "OSSEC",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-ossec",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "OSSEC",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "OSSEC",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "OSSECAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "OSSECAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','OSSECEvent')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OSSECEvent')]",
@@ -64,672 +46,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "OSSEC data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] OSSEC via Legacy Agent",
- "publisher": "OSSEC",
- "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "OSSEC",
- "baseQuery": "OSSECEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Rules",
- "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (OSSEC)",
- "lastDataReceivedQuery": "OSSECEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "OSSECEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "OSSEC",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] OSSEC via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "OSSEC",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] OSSEC via Legacy Agent",
- "publisher": "OSSEC",
- "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "OSSEC",
- "baseQuery": "OSSECEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (OSSEC)",
- "lastDataReceivedQuery": "OSSECEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "OSSECEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Rules",
- "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "OSSEC data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] OSSEC via AMA",
- "publisher": "OSSEC",
- "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "OSSEC",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Rules",
- "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (OSSEC)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "OSSEC",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] OSSEC via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "OSSEC",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com/"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] OSSEC via AMA",
- "publisher": "OSSEC",
- "descriptionMarkdown": "OSSEC data connector provides the capability to ingest [OSSEC](https://www.ossec.net/) events into Microsoft Sentinel. Refer to [OSSEC documentation](https://www.ossec.net/docs) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "OSSEC",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (OSSEC)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'OSSEC'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Rules",
- "query": "OSSECEvent\n | summarize count() by RuleName\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias OSSEC and load the function code or click [here](https://aka.ms/sentinel-OSSECEvent-parser), on the second line of the query, enter the hostname(s) of your OSSEC device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -739,7 +55,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OSSECEvent Data Parser with template version 3.0.1",
+ "description": "OSSECEvent Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -867,12 +183,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "OSSEC",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe OSSEC solution provides the capability to ingest OSSEC events into Microsoft Sentinel. Refer to OSSEC documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024 .
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -896,16 +212,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/OSSEC/ReleaseNotes.md b/Solutions/OSSEC/ReleaseNotes.md
index 5312db8d7c7..ab51f16eedb 100644
--- a/Solutions/OSSEC/ReleaseNotes.md
+++ b/Solutions/OSSEC/ReleaseNotes.md
@@ -1,6 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 21-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.1 | 12-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 28-08-2023 | Addition of new OSSEC AMA **Data Connector** | |
-
-
+| 3.0.0 | 28-08-2023 | Addition of new OSSEC AMA **Data Connector** |
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
index c91d4cb61eb..939d064ed1c 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -34,5 +28,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml
index 6102a5bbe4c..f0ba2743b8a 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml
@@ -5,12 +5,6 @@ description: |
severity: Low
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -44,5 +38,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml
index 8bac495e69a..97def5e97a5 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateForbiddenCountry.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -38,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
index 7d0ea52aeef..6e03f595919 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
@@ -5,12 +5,6 @@ description: |
severity: High
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -38,5 +32,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
index a002c34374f..208fd57af9c 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
@@ -5,12 +5,6 @@ description: |
severity: Low
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -40,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
index 79e6c806d2e..92724f45c7b 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -40,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml b/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
index b9eaf30fe4d..8e6c1cb740c 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -43,5 +37,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml
index 048fb7c4c9e..c2e4fe27128 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -40,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml
index a416e9a962d..c4187fd045f 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -46,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml
index 1ac2829e2db..220aefabbbe 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedUserCountry.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -42,5 +36,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml b/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml
index 8693a3799bf..08177cd0aed 100644
--- a/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml
+++ b/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml
@@ -5,12 +5,6 @@ description: |
severity: Medium
status: Available
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
@@ -46,5 +40,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
-version: 1.0.2
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PingFederate/Data/Solution_PingFederate.json b/Solutions/PingFederate/Data/Solution_PingFederate.json
index 40a04e6b935..1c69a04132e 100644
--- a/Solutions/PingFederate/Data/Solution_PingFederate.json
+++ b/Solutions/PingFederate/Data/Solution_PingFederate.json
@@ -2,7 +2,7 @@
"Name": "PingFederate",
"Author": "Microsoft - support@microsoft.com",
"Logo": " ",
- "Description": "The [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
+ "Description": "The [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Workbooks": [
"Workbooks/PingFederate.json"
],
@@ -18,10 +18,6 @@
"Hunting Queries/PingFederateUnusualSources.yaml",
"Hunting Queries/PingFederateUsersPaswordsReset.yaml"
],
- "Data Connectors": [
- "Data Connectors/Connector_CEF_PingFederate.json",
- "Data Connectors/template_PingFederateAMA.json"
- ],
"Analytic Rules": [
"Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml",
"Analytic Rules/PingFederateAuthFromNewSource.yaml",
@@ -43,7 +39,7 @@
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\PingFederate",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml
index 31ddb97bbf1..58e536412a5 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateAuthUrls.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for authentication URLs used.'
severity: Low
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml
index 17f5237c2b8..7e1ad19a7db 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateFailedAuthentications.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for failed authentication events'
severity: Low
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml
index 42be44b2a4c..5c1a737ae1d 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateNewUsers.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for new users.'
severity: Low
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml b/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml
index f7f4e189ed1..9126d32249e 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederatePasswordResetRequests.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for password reset requests events.'
severity: Low
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml
index de5cf6dc8e7..dd9b09535ff 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateRareSources.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for rare source IP addresses of requests'
severity: Medium
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml
index 06ead7ba545..40342db87ff 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateSAMLSubjects.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for SAML subjects used in requests'
severity: Low
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml
index a13dc0a66e6..9c7d7211273 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateTopSources.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for source IP addresses with the most requests'
severity: Low
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml
index 0dff22a4025..a5812c75331 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualCountry.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for requests from unusual countries.'
severity: Medium
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml
index a34d899384a..68851a41466 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateUnusualSources.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for unusual sources of authentication.'
severity: Medium
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml b/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml
index 0bd5b19e406..bb0f993a5a9 100644
--- a/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml
+++ b/Solutions/PingFederate/Hunting Queries/PingFederateUsersPaswordsReset.yaml
@@ -4,12 +4,6 @@ description: |
'Query searches for users who recently reseted their passwords.'
severity: Medium
requiredDataConnectors:
- - connectorId: PingFederate
- dataTypes:
- - PingFederateEvent
- - connectorId: PingFederateAma
- dataTypes:
- - PingFederateEvent
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
diff --git a/Solutions/PingFederate/Package/3.0.2.zip b/Solutions/PingFederate/Package/3.0.2.zip
new file mode 100644
index 00000000000..5e537dee20d
Binary files /dev/null and b/Solutions/PingFederate/Package/3.0.2.zip differ
diff --git a/Solutions/PingFederate/Package/createUiDefinition.json b/Solutions/PingFederate/Package/createUiDefinition.json
index 82cf18b5e42..e5f539d2287 100644
--- a/Solutions/PingFederate/Package/createUiDefinition.json
+++ b/Solutions/PingFederate/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PingFederate/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PingFederate/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [PingFederate](https://www.pingidentity.com/en/pingone/pingfederate.html) solution provides the capability to ingest [PingFederate](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) events into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,37 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for PingFederate. You can get PingFederate CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
@@ -337,7 +306,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for authentication URLs used. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for authentication URLs used. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -351,7 +320,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for failed authentication events This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for failed authentication events This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -365,7 +334,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for new users. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for new users. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -379,7 +348,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for password reset requests events. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for password reset requests events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -393,7 +362,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for rare source IP addresses of requests This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for rare source IP addresses of requests This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -407,7 +376,7 @@
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for SAML subjects used in requests This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for SAML subjects used in requests This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -421,7 +390,7 @@
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for source IP addresses with the most requests This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for source IP addresses with the most requests This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -435,7 +404,7 @@
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for requests from unusual countries. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for requests from unusual countries. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -449,7 +418,7 @@
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for unusual sources of authentication. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for unusual sources of authentication. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
@@ -463,7 +432,7 @@
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Query searches for users who recently reseted their passwords. This hunting query depends on PingFederate PingFederateAma CefAma data connector (PingFederateEvent PingFederateEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches for users who recently reseted their passwords. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
}
}
]
diff --git a/Solutions/PingFederate/Package/mainTemplate.json b/Solutions/PingFederate/Package/mainTemplate.json
index 72df6acb137..54b60f04eec 100644
--- a/Solutions/PingFederate/Package/mainTemplate.json
+++ b/Solutions/PingFederate/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "PingFederate",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-pingfederate",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -101,100 +101,82 @@
"_huntingQuerycontentId10": "6698f022-adf4-48a3-a8da-a4052ac999b4",
"huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6698f022-adf4-48a3-a8da-a4052ac999b4')))]"
},
- "uiConfigId1": "PingFederate",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "PingFederate",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "PingFederateAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "PingFederateAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "e45a7334-2cb4-4690-8156-f02cac73d584",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e45a7334-2cb4-4690-8156-f02cac73d584')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e45a7334-2cb4-4690-8156-f02cac73d584')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e45a7334-2cb4-4690-8156-f02cac73d584','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e45a7334-2cb4-4690-8156-f02cac73d584','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
"_analyticRulecontentId2": "30583ed4-d13c-43b8-baf2-d75fbe727210",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30583ed4-d13c-43b8-baf2-d75fbe727210')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30583ed4-d13c-43b8-baf2-d75fbe727210')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30583ed4-d13c-43b8-baf2-d75fbe727210','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30583ed4-d13c-43b8-baf2-d75fbe727210','-', '1.0.3')))]"
},
"analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.2",
+ "analyticRuleVersion3": "1.0.3",
"_analyticRulecontentId3": "14042f74-e50b-4c21-8a01-0faf4915ada4",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '14042f74-e50b-4c21-8a01-0faf4915ada4')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('14042f74-e50b-4c21-8a01-0faf4915ada4')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14042f74-e50b-4c21-8a01-0faf4915ada4','-', '1.0.2')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','14042f74-e50b-4c21-8a01-0faf4915ada4','-', '1.0.3')))]"
},
"analyticRuleObject4": {
- "analyticRuleVersion4": "1.0.2",
+ "analyticRuleVersion4": "1.0.3",
"_analyticRulecontentId4": "6145efdc-4724-42a6-9756-5bd1ba33982e",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6145efdc-4724-42a6-9756-5bd1ba33982e')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6145efdc-4724-42a6-9756-5bd1ba33982e')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6145efdc-4724-42a6-9756-5bd1ba33982e','-', '1.0.2')))]"
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6145efdc-4724-42a6-9756-5bd1ba33982e','-', '1.0.3')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.2",
+ "analyticRuleVersion5": "1.0.3",
"_analyticRulecontentId5": "05282c91-7aaf-4d76-9a19-6dc582e6a411",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '05282c91-7aaf-4d76-9a19-6dc582e6a411')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('05282c91-7aaf-4d76-9a19-6dc582e6a411')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05282c91-7aaf-4d76-9a19-6dc582e6a411','-', '1.0.2')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05282c91-7aaf-4d76-9a19-6dc582e6a411','-', '1.0.3')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
"_analyticRulecontentId6": "85f70197-4865-4635-a4b2-a9c57e8fea1b",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '85f70197-4865-4635-a4b2-a9c57e8fea1b')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('85f70197-4865-4635-a4b2-a9c57e8fea1b')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','85f70197-4865-4635-a4b2-a9c57e8fea1b','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','85f70197-4865-4635-a4b2-a9c57e8fea1b','-', '1.0.3')))]"
},
"analyticRuleObject7": {
- "analyticRuleVersion7": "1.0.2",
+ "analyticRuleVersion7": "1.0.3",
"_analyticRulecontentId7": "2d201d21-77b4-4d97-95f3-26b5c6bde09f",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2d201d21-77b4-4d97-95f3-26b5c6bde09f')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2d201d21-77b4-4d97-95f3-26b5c6bde09f')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2d201d21-77b4-4d97-95f3-26b5c6bde09f','-', '1.0.2')))]"
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2d201d21-77b4-4d97-95f3-26b5c6bde09f','-', '1.0.3')))]"
},
"analyticRuleObject8": {
- "analyticRuleVersion8": "1.0.2",
+ "analyticRuleVersion8": "1.0.3",
"_analyticRulecontentId8": "fddd3840-acd2-41ed-94d9-1474b0a7c8a6",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fddd3840-acd2-41ed-94d9-1474b0a7c8a6')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fddd3840-acd2-41ed-94d9-1474b0a7c8a6')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fddd3840-acd2-41ed-94d9-1474b0a7c8a6','-', '1.0.2')))]"
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fddd3840-acd2-41ed-94d9-1474b0a7c8a6','-', '1.0.3')))]"
},
"analyticRuleObject9": {
- "analyticRuleVersion9": "1.0.2",
+ "analyticRuleVersion9": "1.0.3",
"_analyticRulecontentId9": "9578ef7f-cbb4-4e9a-bd26-37c15c53b413",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9578ef7f-cbb4-4e9a-bd26-37c15c53b413')]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9578ef7f-cbb4-4e9a-bd26-37c15c53b413')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9578ef7f-cbb4-4e9a-bd26-37c15c53b413','-', '1.0.2')))]"
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9578ef7f-cbb4-4e9a-bd26-37c15c53b413','-', '1.0.3')))]"
},
"analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.2",
+ "analyticRuleVersion10": "1.0.3",
"_analyticRulecontentId10": "64e65105-c4fc-4c28-a4e9-bb1a3ce7652d",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '64e65105-c4fc-4c28-a4e9-bb1a3ce7652d')]",
"analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('64e65105-c4fc-4c28-a4e9-bb1a3ce7652d')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','64e65105-c4fc-4c28-a4e9-bb1a3ce7652d','-', '1.0.2')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','64e65105-c4fc-4c28-a4e9-bb1a3ce7652d','-', '1.0.3')))]"
},
"analyticRuleObject11": {
- "analyticRuleVersion11": "1.0.2",
+ "analyticRuleVersion11": "1.0.3",
"_analyticRulecontentId11": "dc79de7d-2590-4852-95fb-f8e02b34f4da",
"analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc79de7d-2590-4852-95fb-f8e02b34f4da')]",
"analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc79de7d-2590-4852-95fb-f8e02b34f4da')))]",
- "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc79de7d-2590-4852-95fb-f8e02b34f4da','-', '1.0.2')))]"
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc79de7d-2590-4852-95fb-f8e02b34f4da','-', '1.0.3')))]"
},
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','PingFederate Data Parser')]",
@@ -215,7 +197,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederate Workbook with template version 3.0.1",
+ "description": "PingFederate Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -278,6 +260,10 @@
{
"contentId": "PingFederateAma",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
}
]
}
@@ -307,7 +293,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateAuthUrls_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateAuthUrls_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -392,7 +378,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateFailedAuthentications_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateFailedAuthentications_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -477,7 +463,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateNewUsers_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateNewUsers_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -562,7 +548,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederatePasswordResetRequests_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederatePasswordResetRequests_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -647,7 +633,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateRareSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateRareSources_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -732,7 +718,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateSAMLSubjects_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateSAMLSubjects_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -817,7 +803,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateTopSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateTopSources_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -902,7 +888,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateUnusualCountry_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateUnusualCountry_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -987,7 +973,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateUnusualSources_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateUnusualSources_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1072,7 +1058,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateUsersPaswordsReset_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "PingFederateUsersPaswordsReset_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1148,672 +1134,6 @@
"version": "1.0.0"
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "PingFederate data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] PingFederate via Legacy Agent",
- "publisher": "Ping Identity",
- "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PingFederate",
- "baseQuery": "PingFederateEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PingFederate)",
- "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PingFederate",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] PingFederate via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PingFederate",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] PingFederate via Legacy Agent",
- "publisher": "Ping Identity",
- "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PingFederate",
- "baseQuery": "PingFederateEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PingFederate)",
- "lastDataReceivedQuery": "PingFederateEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "PingFederateEvent\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "PingFederate data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] PingFederate via AMA",
- "publisher": "Ping Identity",
- "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PingFederate",
- "baseQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PingFederate)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "PingFederate",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] PingFederate via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "PingFederate",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] PingFederate via AMA",
- "publisher": "Ping Identity",
- "descriptionMarkdown": "The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PingFederate",
- "baseQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PingFederate)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceProduct has 'PingFederate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Devices",
- "query": "PingFederateEvent\n | summarize count() by DvcHostname\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -1823,7 +1143,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateAbnormalPasswordResetsAttempts_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateAbnormalPasswordResetsAttempts_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1850,18 +1170,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -1880,8 +1188,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -1939,7 +1247,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateAuthFromNewSource_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateAuthFromNewSource_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1966,18 +1274,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -1996,8 +1292,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2005,8 +1301,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -2064,7 +1360,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -2091,18 +1387,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2121,8 +1405,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2130,8 +1414,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -2189,7 +1473,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateMultiplePasswordResetsForUser_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateMultiplePasswordResetsForUser_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -2216,18 +1500,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2250,8 +1522,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -2309,7 +1581,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateNewUserSSO_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateNewUserSSO_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -2336,18 +1608,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2368,8 +1628,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
}
@@ -2427,7 +1687,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateOauthOld_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateOauthOld_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2454,18 +1714,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2484,8 +1732,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2493,8 +1741,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -2552,7 +1800,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederatePasswordRstReqUnexpectedSource_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2579,18 +1827,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2609,8 +1845,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2618,8 +1854,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -2677,7 +1913,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateSamlOld_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateSamlOld_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2704,18 +1940,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2734,8 +1958,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2743,8 +1967,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -2802,7 +2026,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateUnexpectedAuthUrl_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateUnexpectedAuthUrl_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2829,18 +2053,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2859,8 +2071,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2868,8 +2080,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -2927,7 +2139,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateUnexpectedUserCountry_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateUnexpectedUserCountry_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2954,18 +2166,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -2984,8 +2184,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -2993,8 +2193,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -3052,7 +2252,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateUnusualMailDomain_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "PingFederateUnusualMailDomain_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -3079,18 +2279,6 @@
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
- {
- "connectorId": "PingFederate",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
- {
- "connectorId": "PingFederateAma",
- "dataTypes": [
- "PingFederateEvent"
- ]
- },
{
"connectorId": "CefAma",
"dataTypes": [
@@ -3109,8 +2297,8 @@
"entityType": "Account",
"fieldMappings": [
{
- "identifier": "Name",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "Name"
}
]
},
@@ -3118,8 +2306,8 @@
"entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IpCustomEntity"
+ "columnName": "IpCustomEntity",
+ "identifier": "Address"
}
]
}
@@ -3177,7 +2365,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PingFederateEvent Data Parser with template version 3.0.1",
+ "description": "PingFederateEvent Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -3305,12 +2493,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "PingFederate",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024 .
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024 .
\nParsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -3389,16 +2577,6 @@
"contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
"version": "[variables('huntingQueryObject10').huntingQueryVersion10]"
},
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
diff --git a/Solutions/PingFederate/ReleaseNotes.md b/Solutions/PingFederate/ReleaseNotes.md
index a92e83ea94c..41fd74293fa 100644
--- a/Solutions/PingFederate/ReleaseNotes.md
+++ b/Solutions/PingFederate/ReleaseNotes.md
@@ -1,6 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.2 | 22-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.1 | 12-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 04-09-2023 | Addition of new PingFederate AMA **Data Connector** | |
-
-
+| 3.0.0 | 04-09-2023 | Addition of new PingFederate AMA **Data Connector** |
diff --git a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json
index a69c1634a90..f666f8f753f 100644
--- a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json
+++ b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json
@@ -1,84 +1,84 @@
-{
- "id": "SSG",
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueriesTableName": "SINECSecurityGuard_CL",
- "logo": "SSG.svg",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"]
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "availability": {
- "isPreview": true,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ]
-}
+{
+ "id": "SSG",
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueriesTableName": "SINECSecurityGuard_CL",
+ "logo": "SSG.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "isPreview": true,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+}
diff --git a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
index 3232152f990..c0cb969768f 100644
--- a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
+++ b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
@@ -1,17 +1,17 @@
-{
- "Name": "SINEC Security Guard",
- "Author": "Siemens AG",
- "Logo": " ",
- "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel",
- "Analytic Rules": [
- "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
- ],
- "Data Connectors": [
- "Data Connectors/data_connector_GenericUI.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
- "Version": "3.0.3",
- "TemplateSpec": true,
- "Is1PConnector": false
+{
+ "Name": "SINEC Security Guard",
+ "Author": "Siemens AG",
+ "Logo": " ",
+ "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "Analytic Rules": [
+ "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/data_connector_GenericUI.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
+ "Version": "3.0.3",
+ "TemplateSpec": true,
+ "Is1PConnector": false
}
\ No newline at end of file
diff --git a/Solutions/SINEC Security Guard/Package/3.0.0.zip b/Solutions/SINEC Security Guard/Package/3.0.0.zip
index 7000b1ab190..67e67b8582e 100644
Binary files a/Solutions/SINEC Security Guard/Package/3.0.0.zip and b/Solutions/SINEC Security Guard/Package/3.0.0.zip differ
diff --git a/Solutions/SINEC Security Guard/Package/createUiDefinition.json b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
index 1a03e23deb2..48f3fa3962a 100644
--- a/Solutions/SINEC Security Guard/Package/createUiDefinition.json
+++ b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
@@ -1,127 +1,127 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
- "handler": "Microsoft.Azure.CreateUIDef",
- "version": "0.1.2-preview",
- "parameters": {
- "config": {
- "isWizard": false,
- "basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
- "subscription": {
- "resourceProviders": [
- "Microsoft.OperationsManagement/solutions",
- "Microsoft.OperationalInsights/workspaces/providers/alertRules",
- "Microsoft.Insights/workbooks",
- "Microsoft.Logic/workflows"
- ]
- },
- "location": {
- "metadata": {
- "hidden": "Hiding location, we get it from the log analytics workspace"
- },
- "visible": false
- },
- "resourceGroup": {
- "allowExisting": true
- }
- }
- },
- "basics": [
- {
- "name": "getLAWorkspace",
- "type": "Microsoft.Solutions.ArmApiControl",
- "toolTip": "This filters by workspaces that exist in the Resource Group selected",
- "condition": "[greater(length(resourceGroup().name),0)]",
- "request": {
- "method": "GET",
- "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
- }
- },
- {
- "name": "workspace",
- "type": "Microsoft.Common.DropDown",
- "label": "Workspace",
- "placeholder": "Select a workspace",
- "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
- "constraints": {
- "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
- "required": true
- },
- "visible": true
- }
- ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for SINEC Security Guard. You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
- {
- "name": "analytics",
- "label": "Analytics",
- "subLabel": {
- "preValidation": "Configure the analytics",
- "postValidation": "Done"
- },
- "bladeTitle": "Analytics",
- "elements": [
- {
- "name": "analytics-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
- }
- },
- {
- "name": "analytics-link",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more",
- "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
- }
- }
- },
- {
- "name": "analytic1",
- "type": "Microsoft.Common.Section",
- "label": "SSG_Security_Incidents",
- "elements": [
- {
- "name": "analytic1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies."
- }
- }
- ]
- }
- ]
- }
- ],
- "outputs": {
- "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
- "location": "[location()]",
- "workspace": "[basics('workspace')]"
- }
- }
-}
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for SINEC Security Guard. You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "SSG_Security_Incidents",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/SINEC Security Guard/Package/mainTemplate.json b/Solutions/SINEC Security Guard/Package/mainTemplate.json
index 4377777a228..5dae4d92ce6 100644
--- a/Solutions/SINEC Security Guard/Package/mainTemplate.json
+++ b/Solutions/SINEC Security Guard/Package/mainTemplate.json
@@ -1,519 +1,518 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "author": "Siemens AG",
- "comments": "Solution template for SINEC Security Guard"
- },
- "parameters": {
- "location": {
- "type": "string",
- "minLength": 1,
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
- }
- },
- "workspace-location": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
- }
- },
- "workspace": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
- }
- }
- },
- "variables": {
- "_solutionName": "SINEC Security Guard",
- "_solutionVersion": "3.0.0",
- "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg",
- "_solutionId": "[variables('solutionId')]",
- "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.0",
- "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]"
- },
- "uiConfigId1": "SSG",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "SSG",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "apiVersion": "2023-02-01-preview",
- "kind": "NRT",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.",
- "displayName": "SSG_Security_Incidents",
- "enabled": false,
- "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n",
- "severity": "HIGH",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "status": "Available",
- "requiredDataConnectors": [],
- "tactics": [
- "Impact"
- ],
- "techniques": [
- "T1486"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "columnName": "source_ip",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
- },
- {
- "fieldMappings": [
- {
- "columnName": "destination_ip",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
- }
- ],
- "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
- },
- "customDetails": {
- "Source_IP": "source_ip"
- },
- "alertDetailsOverride": {
- "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ",
- "alertDynamicProperties": [],
- "alertDisplayNameFormat": "{{signature_name}} "
- },
- "incidentConfiguration": {
- "groupingConfiguration": {
- "groupByCustomDetails": [
- "Source_IP"
- ],
- "groupByEntities": [
- "IP"
- ],
- "lookbackDuration": "5m",
- "matchingMethod": "AnyAlert",
- "reopenClosedIncident": false,
- "enabled": true
- },
- "createIncident": true
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
- "properties": {
- "description": "SINEC Security Guard Analytics Rule 1",
- "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "contentKind": "AnalyticsRule",
- "displayName": "SSG_Security_Incidents",
- "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
- "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "SINEC Security Guard data connector with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueriesTableName": "SINECSecurityGuard_CL",
- "logo": "SSG.svg",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "availability": {
- "isPreview": false,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "SINEC Security Guard",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "availability": {
- "isPreview": false,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
- "apiVersion": "2023-04-01-preview",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "version": "3.0.0",
- "kind": "Solution",
- "contentSchemaVersion": "3.0.0",
- "displayName": "SINEC Security Guard",
- "publisherDisplayName": "Siemens AG",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel
\nData Connectors: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
- "contentKind": "Solution",
- "contentProductId": "[variables('_solutioncontentProductId')]",
- "id": "[variables('_solutioncontentProductId')]",
- "icon": " ",
- "contentId": "[variables('_solutionId')]",
- "parentId": "[variables('_solutionId')]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- ]
- },
- "firstPublishDate": "2024-07-15",
- "providers": [
- "Siemens AG"
- ],
- "categories": {
- "domains": [
- "Security - Network"
- ],
- "verticals": [
- "Manufacturing"
- ]
- }
- },
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
- }
- ],
- "outputs": {}
-}
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Siemens AG",
+ "comments": "Solution template for SINEC Security Guard"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "SINEC Security Guard",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg",
+ "_solutionId": "[variables('solutionId')]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]"
+ },
+ "uiConfigId1": "SSG",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "SSG",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "NRT",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.",
+ "displayName": "SSG_Security_Incidents",
+ "enabled": false,
+ "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n",
+ "severity": "HIGH",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "status": "Available",
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1486"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "columnName": "source_ip",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ },
+ {
+ "fieldMappings": [
+ {
+ "columnName": "destination_ip",
+ "identifier": "Address"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "Source_IP": "source_ip"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ",
+ "alertDisplayNameFormat": "{{signature_name}} ",
+ "alertDynamicProperties": []
+ },
+ "incidentConfiguration": {
+ "groupingConfiguration": {
+ "groupByEntities": [
+ "IP"
+ ],
+ "lookbackDuration": "5m",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "reopenClosedIncident": false,
+ "groupByCustomDetails": [
+ "Source_IP"
+ ]
+ },
+ "createIncident": true
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "properties": {
+ "description": "SINEC Security Guard Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "SSG_Security_Incidents",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SINEC Security Guard data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueriesTableName": "SINECSecurityGuard_CL",
+ "logo": "SSG.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "isPreview": false,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "SINEC Security Guard",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "availability": {
+ "isPreview": false,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "SINEC Security Guard",
+ "publisherDisplayName": "Siemens AG",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the SINEC Security Guard into Microsoft Sentinel
\nData Connectors: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-07-15",
+ "providers": [
+ "Siemens AG"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ],
+ "verticals": [
+ "Manufacturing"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/SINEC Security Guard/ReleaseNotes.md b/Solutions/SINEC Security Guard/ReleaseNotes.md
index 140e39781ce..d64285f9984 100644
--- a/Solutions/SINEC Security Guard/ReleaseNotes.md
+++ b/Solutions/SINEC Security Guard/ReleaseNotes.md
@@ -1,4 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------|
-| 3.0.0 | 19-07-2024 | Initial Solution Release |
-| 3.0.1 | 12-11-2024 | Uppercase revised |
\ No newline at end of file
+| 3.0.1 | 12-11-2024 | Uppercase revised |
+| 3.0.0 | 19-07-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/Sophos XG Firewall/Package/3.0.1.zip b/Solutions/Sophos XG Firewall/Package/3.0.1.zip
new file mode 100644
index 00000000000..f8389d7cdb3
Binary files /dev/null and b/Solutions/Sophos XG Firewall/Package/3.0.1.zip differ
diff --git a/Solutions/Sophos XG Firewall/Package/mainTemplate.json b/Solutions/Sophos XG Firewall/Package/mainTemplate.json
index 66f1a0b04d2..8e1955f50b0 100644
--- a/Solutions/Sophos XG Firewall/Package/mainTemplate.json
+++ b/Solutions/Sophos XG Firewall/Package/mainTemplate.json
@@ -39,7 +39,7 @@
},
"variables": {
"_solutionName": "Sophos XG Firewall",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "azuresentinel.azure-sentinel-solution-sophosxgfirewall",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "SophosXGFirewall",
@@ -91,7 +91,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Sophos XG Firewall data connector with template version 3.0.0",
+ "description": "Sophos XG Firewall data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -436,7 +436,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExcessiveAmountofDeniedConnectionsfromASingleSource_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ExcessiveAmountofDeniedConnectionsfromASingleSource_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -464,16 +464,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SophosXGFirewall",
"dataTypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "SophosXGFirewall"
},
{
- "connectorId": "SyslogAma",
"datatypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
}
],
"tactics": [
@@ -484,13 +484,13 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "Src_IP",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -545,7 +545,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PortScanDetected_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "PortScanDetected_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -573,16 +573,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "SophosXGFirewall",
"dataTypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "SophosXGFirewall"
},
{
- "connectorId": "SyslogAma",
"datatypes": [
"Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
}
],
"tactics": [
@@ -593,13 +593,13 @@
],
"entityMappings": [
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "Src_IP",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -654,7 +654,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SophosXGFirewall Workbook with template version 3.0.0",
+ "description": "SophosXGFirewall Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -672,7 +672,7 @@
},
"properties": {
"displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3a1905da-e863-4fb1-a4cc-373bfa047344\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| summarize inbound = countif(not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), outbound = countif((ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), deny = countif(Status == \\\"Deny\\\"), count() by bin(TimeGenerated, {TimeRange:grain})\\r\\n| project-away count_\",\"size\":0,\"title\":\"Network Traffic by Direction\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where Status in (\\\"Allow\\\",\\\"Deny\\\")\\r\\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events by Action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Source IP'] = Src_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Source IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Destination IP'] = Dst_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Destination IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Src_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Dst_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Src_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize count() by Src_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Inbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Dst_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top Denied Outbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize count() by Dst_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Outbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy - Copy\"}],\"fromTemplateId\":\"sentinel-SophosXGFirewall\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3a1905da-e863-4fb1-a4cc-373bfa047344\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| summarize inbound = countif(not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), outbound = countif((ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))), deny = countif(Status == \\\"Deny\\\"), count() by bin(TimeGenerated, {TimeRange:grain})\\r\\n| project-away count_\",\"size\":0,\"title\":\"Network Traffic by Direction\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where Status in (\\\"Allow\\\",\\\"Deny\\\") or Log_Subtype in (\\\"Allowed\\\",\\\"Denied\\\")\\r\\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})\",\"size\":0,\"title\":\"Events by Action\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and (Status =~ \\\"Deny\\\" or Log_Subtype =~ \\\"Denied\\\")\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Source IP'] = Src_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Source IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and (Status =~ \\\"Deny\\\" or Log_Subtype =~ \\\"Denied\\\")\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by ['Destination IP'] = Dst_IP\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Destination IPs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and (Status =~ \\\"Deny\\\" or Log_Subtype =~ \\\"Denied\\\")\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Src_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| summarize Total = count() by Port = Dst_Port\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Outbound Ports\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"}}]},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Allow\",\"color\":\"green\"},{\"seriesName\":\"Deny\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Src_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top 10 Denied Inbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Src_Country_Code)\\r\\n| summarize count() by Src_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Inbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\" and Status == \\\"Deny\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize Total = count() by ['Source Country'] = Dst_Country_Code\\r\\n| top 10 by Total\",\"size\":0,\"title\":\"Top Denied Outbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SophosXGFirewall\\r\\n| where Log_Type == \\\"Firewall\\\"\\r\\n| where (ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\r\\n| where isnotempty(Dst_Country_Code)\\r\\n| summarize count() by Dst_Country_Code, bin(TimeGenerated, {TimeRange:grain})\\r\\n\",\"size\":0,\"title\":\"Denied Outbound Traffic by Country\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Total\",\"formatter\":3,\"formatOptions\":{\"palette\":\"coldHot\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2}}}]},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Dst_Country_Code\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 5 - Copy - Copy - Copy\"}],\"fromTemplateId\":\"sentinel-SophosXGFirewall\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
"version": "1.0",
"sourceId": "[variables('workspaceResourceId')]",
"category": "sentinel"
@@ -712,6 +712,10 @@
{
"contentId": "SophosXGFirewall",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "SyslogAma",
+ "kind": "DataConnector"
}
]
}
@@ -741,7 +745,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SophosXGFirewall Data Parser with template version 3.0.0",
+ "description": "SophosXGFirewall Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -867,7 +871,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Sophos XG Firewall",
diff --git a/Solutions/Sophos XG Firewall/ReleaseNotes.md b/Solutions/Sophos XG Firewall/ReleaseNotes.md
index e85d355765b..0ac78aa6269 100644
--- a/Solutions/Sophos XG Firewall/ReleaseNotes.md
+++ b/Solutions/Sophos XG Firewall/ReleaseNotes.md
@@ -1,4 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 01-08-2024 |Update **Parser** as part of Syslog migration |
-| | |Deprecating data connectors |
\ No newline at end of file
+| 3.0.1 | 19-11-2024 | Updated SophosXGFirewall.json **Workbook** to fix missing fields|
+| 3.0.0 | 01-08-2024 | Update **Parser** as part of Syslog migration Deprecating **Data Connectors** |
\ No newline at end of file
diff --git a/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json b/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json
index 45ea361b89a..b274f5a6264 100644
--- a/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json
+++ b/Solutions/Sophos XG Firewall/Workbooks/SophosXGFirewall.json
@@ -97,7 +97,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where Status in (\"Allow\",\"Deny\")\r\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})",
+ "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\"\r\n| where Status in (\"Allow\",\"Deny\") or Log_Subtype in (\"Allowed\",\"Denied\")\r\n| summarize count() by Status, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Events by Action",
"timeContext": {
@@ -127,7 +127,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Source IP'] = Src_IP\r\n| top 10 by Total",
+ "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and (Status =~ \"Deny\" or Log_Subtype =~ \"Denied\")\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Source IP'] = Src_IP\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Denied Inbound Source IPs",
"timeContext": {
@@ -175,7 +175,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Destination IP'] = Dst_IP\r\n| top 10 by Total",
+ "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and (Status =~ \"Deny\" or Log_Subtype =~ \"Denied\")\r\n| where (ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by ['Destination IP'] = Dst_IP\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Denied Outbound Destination IPs",
"timeContext": {
@@ -224,7 +224,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and Status =~ \"Deny\"\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by Port = Src_Port\r\n| top 10 by Total",
+ "query": "SophosXGFirewall\r\n| where Log_Type == \"Firewall\" and (Status =~ \"Deny\" or Log_Subtype =~ \"Denied\")\r\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\r\n| summarize Total = count() by Port = Src_Port\r\n| top 10 by Total",
"size": 0,
"title": "Top 10 Denied Inbound Ports",
"timeContext": {
@@ -517,4 +517,4 @@
],
"fromTemplateId": "sentinel-SophosXGFirewall",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
\ No newline at end of file
+}
diff --git a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json
index 5e9eb454a92..1e82b562c27 100644
--- a/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json
+++ b/Solutions/Threat Intelligence/Data Connectors/template_ThreatIntelligenceTaxii.json
@@ -46,7 +46,8 @@
"4": 2,
"5": 2,
"6": 1,
- "7": 1
+ "7": 1,
+ "8": 2
}
}
},
diff --git a/Solutions/Torq/Data/Solution_Torq.json b/Solutions/Torq/Data/Solution_Torq.json
new file mode 100644
index 00000000000..886e33fb898
--- /dev/null
+++ b/Solutions/Torq/Data/Solution_Torq.json
@@ -0,0 +1,16 @@
+{
+ "Name": "Torq",
+ "Author": "Torq - support@torq.io",
+ "Logo": " ",
+ "Description": "[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster",
+ "Analytic Rules": [],
+ "Playbooks": [
+ "Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json"
+ ],
+ "Workbooks": [],
+ "BasePath": "Users\\acitatorq\\git\\github\\Azure-Sentinel\\Solutions\\Torq",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+ }
\ No newline at end of file
diff --git a/Solutions/Torq/Package/3.0.0.zip b/Solutions/Torq/Package/3.0.0.zip
new file mode 100644
index 00000000000..46b0eafb58a
Binary files /dev/null and b/Solutions/Torq/Package/3.0.0.zip differ
diff --git a/Solutions/Torq/Package/createUiDefinition.json b/Solutions/Torq/Package/createUiDefinition.json
new file mode 100644
index 00000000000..30aca97e864
--- /dev/null
+++ b/Solutions/Torq/Package/createUiDefinition.json
@@ -0,0 +1,89 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Torq/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Torq](https://www.recordedfuture.com/) is the AI-Driven Hyperautomation Platform that helps security teams automate more faster\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "playbooks",
+ "label": "Playbooks",
+ "subLabel": {
+ "preValidation": "Configure the playbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Playbooks",
+ "elements": [
+ {
+ "name": "playbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+ }
+ },
+ {
+ "name": "playbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/Torq/Package/mainTemplate.json b/Solutions/Torq/Package/mainTemplate.json
new file mode 100644
index 00000000000..6b4b45d945e
--- /dev/null
+++ b/Solutions/Torq/Package/mainTemplate.json
@@ -0,0 +1,343 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Torq - support@torq.io",
+ "comments": "Solution template for Torq"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@torq.io",
+ "_email": "[variables('email')]",
+ "_solutionName": "Torq",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "torq.torq_sentinel_solution",
+ "_solutionId": "[variables('solutionId')]",
+ "Torq-Sentinel-Incident-Trigger": "Torq-Sentinel-Incident-Trigger",
+ "_Torq-Sentinel-Incident-Trigger": "[variables('Torq-Sentinel-Incident-Trigger')]",
+ "TemplateEmptyArray": "[json('[]')]",
+ "playbookVersion1": "1.0",
+ "playbookContentId1": "Torq-Sentinel-Incident-Trigger",
+ "_playbookContentId1": "[variables('playbookContentId1')]",
+ "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
+ "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Sentinel_Incident_Sync_to_Torq Playbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Sentinel_Incident_Sync_to_Torq",
+ "type": "String"
+ },
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "X-Torq-Auth",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "secr3tP@ssw0rd",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "[[parameters('Torq_Webhook_Enpoint_URL')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Name')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "[[parameters('Torq_Webhook_Auth_Header_Secret')]",
+ "type": "String"
+ },
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "staticResults": {
+ "HTTP0": {
+ "status": "Succeeded",
+ "outputs": {
+ "statusCode": "OK"
+ }
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ },
+ "conditions": "[variables('TemplateEmptyArray')]",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "runs": 10,
+ "maximumWaitingRuns": 50
+ }
+ }
+ }
+ },
+ "actions": {
+ "Send_Notification_to_Torq": {
+ "limit": {
+ "timeout": "PT30S"
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "@parameters('Torq_Webhook_Enpoint_URL')",
+ "method": "POST",
+ "headers": {
+ "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
+ },
+ "body": "@triggerBody()"
+ },
+ "operationOptions": "DisableAsyncPattern"
+ },
+ "Terminate_Success": {
+ "runAfter": {
+ "Send_Notification_to_Torq": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "tags": {
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Torq",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Torq",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Torq Support Team",
+ "email": "support@torq.io",
+ "tier": "Partner",
+ "link": "https://support.torq.io"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
+ "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel",
+ "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
+ "prerequisites": [
+ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
+ "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
+ ],
+ "postDeployment": [
+ "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
+ "Give the automation rule a meaningful name",
+ "From the Trigger drop-down menu, select When incident is created or updated",
+ "From the Actions drop-down menu, select Run playbook",
+ "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
+ ],
+ "lastUpdateTime": "2024-11-19T00:00:00Z",
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Torq Sentinel Incident Trigger",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId1')]",
+ "contentKind": "Playbook",
+ "displayName": "Sentinel_Incident_Sync_to_Torq",
+ "contentProductId": "[variables('_playbookcontentProductId1')]",
+ "id": "[variables('_playbookcontentProductId1')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Torq",
+ "publisherDisplayName": "Torq Support Team",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nTorq is the AI-Driven Hyperautomation Platform that helps security teams automate more faster
\nPlaybooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": " ",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Torq",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Torq",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Torq Support Team",
+ "email": "support@torq.io",
+ "tier": "Partner",
+ "link": "https://support.torq.io"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_Torq-Sentinel-Incident-Trigger')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-11-19",
+ "providers": [
+ "Torq"
+ ],
+ "categories": {
+ "domains": [
+ "Application"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Torq/Package/testParameters.json b/Solutions/Torq/Package/testParameters.json
new file mode 100644
index 00000000000..e55ec41a9ac
--- /dev/null
+++ b/Solutions/Torq/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
new file mode 100644
index 00000000000..58eadf8f396
--- /dev/null
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/azuredeploy.json
@@ -0,0 +1,183 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Notify Sentinel Incident Creation and Update to Torq Webhook",
+ "description": "Sends an HTTPS request to a webhook trigger in Torq everytime a new Incident is created or updated in Microsoft Sentinel",
+ "documentation": "https://kb.torq.io/en/articles/9024676-configure-microsoft-sentinel-and-torq-to-trigger-torq-workflows-on-incident-creation-and-update",
+ "prerequisites": [
+ "Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq",
+ "Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration"
+ ],
+ "postDeployment": [
+ "After deployment browse to your Microsoft Sentinel workspace > Configuration > Automation, Click Create and select Automation rule to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is created.",
+ "Give the automation rule a meaningful name",
+ "From the Trigger drop-down menu, select When incident is created or updated",
+ "From the Actions drop-down menu, select Run playbook",
+ "From the playbook selection drop-down, select the playbook Sentinel_Incident_Sync_to_Torq and click the Apply button"
+ ],
+ "lastUpdateTime": "2024-11-19T00:00:00.000Z",
+ "author": {
+ "name": "Torq"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "Torq Sentinel Incident Trigger",
+ "notes": [ "Initial version" ]
+ }
+ ]
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Sentinel_Incident_Sync_to_Torq",
+ "type": "String"
+ },
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "https://hooks.torq.io/v1/webhooks/125a9209-9ed6-4216-b5cd-10567f2164f5",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "X-Torq-Auth",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "secr3tP@ssw0rd",
+ "type": "String"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzureSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzureSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[parameters('PlaybookName')]",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Torq_Webhook_Enpoint_URL": {
+ "defaultValue": "[parameters('Torq_Webhook_Enpoint_URL')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Name": {
+ "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Name')]",
+ "type": "String"
+ },
+ "Torq_Webhook_Auth_Header_Secret": {
+ "defaultValue": "[parameters('Torq_Webhook_Auth_Header_Secret')]",
+ "type": "String"
+ },
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ }
+ },
+ "staticResults": {
+ "HTTP0": {
+ "status": "Succeeded",
+ "outputs": {
+ "statusCode": "OK"
+ }
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "path": "/incident-creation"
+ },
+ "conditions": [],
+ "runtimeConfiguration": {
+ "concurrency": {
+ "runs": 10,
+ "maximumWaitingRuns": 50
+ }
+ }
+ }
+ },
+ "actions": {
+ "Send_Notification_to_Torq": {
+ "runAfter": {},
+ "limit": {
+ "timeout": "PT30S"
+ },
+ "type": "Http",
+ "inputs": {
+ "uri": "@parameters('Torq_Webhook_Enpoint_URL')",
+ "method": "POST",
+ "headers": {
+ "@{parameters('Torq_Webhook_Auth_Header_Name')}": "@{parameters('Torq_Webhook_Auth_Header_Secret')}"
+ },
+ "body": "@triggerBody()"
+ },
+ "operationOptions": "DisableAsyncPattern"
+ },
+ "Terminate_Success": {
+ "runAfter": {
+ "Send_Notification_to_Torq": [
+ "Succeeded"
+ ]
+ },
+ "type": "Terminate",
+ "inputs": {
+ "runStatus": "Succeeded"
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[variables('AzureSentinelConnectionName')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png
new file mode 100644
index 00000000000..f1cb5f3ce2c
Binary files /dev/null and b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/playbook_screenshot.png differ
diff --git a/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
new file mode 100644
index 00000000000..55ff9f9e548
--- /dev/null
+++ b/Solutions/Torq/Playbooks/Torq-Sentinel-Incident-Trigger/readme.md
@@ -0,0 +1,43 @@
+# Torq-Sentinel-Incident-Trigger
+
+## Summary
+
+When a new Sentinel Incident is created or updated, this playbook gets triggered and sends a notification (HTTPS POST Request) to a Microsoft Sentinel Webhook in Torq.
+
+
+
+### Prerequisites
+
+1. Prior to the deployment of this playbook, create a new Microsoft Sentinel Trigger integration in Torq.
+2. Take note of the endpoint URL, the authentication header name, and the authentication header secret configured in the Microsoft Sentinel Trigger integration.
+
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required paramters:
+ * Playbook Name: Enter the playbook name here
+ * Torq_Webhook_Enpoint_URL: Enter the endpoint URL for the Microsoft Sentinel Trigger integration previously created in Torq.
+ * Torq_Webhook_Auth_Header_Name: Enter the authentication header name for the Microsoft Sentinel Trigger integration previously created in Torq.
+ * Torq_Webhook_Auth_Header_Secret: Enter the authentication header secret for the Microsoft Sentinel Trigger integration previously created in Torq.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FTorq%2FPlaybooks%2FPlaybooks%2FTorq-Sentinel-Incident-Trigger%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+1. Browse to your Microsoft Sentinel workspace > Configuration > Automation
+2. Click "+ Create" and select "Automation rule" to create a new automation rule meant to send a notification to Torq when a new Sentinel Incident is **created**.
+3. Give the automation rule a meaningful name, like "Notify Torq when new Sentinel Incident is created".
+4. From the "Trigger" drop-down menu, select **"When incident is created"**.
+5. Leave "Conditions" to its default values.
+6. From the "Actions" drop-down menu, select "Run playbook".
+7. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
+8. Click the "Apply" button.
+9. Click "+ Create" again and select "Automation rule" to create a new automation rule meant to send a notification to Torq when an existing Sentinel Incident is **updated**.
+10. Give the automation rule a meaningful name, like "Notify Torq when a Sentinel Incident is updated".
+11. From the "Trigger" drop-down menu, select **"When incident is updated"**
+12. Leave "Conditions" to its default values.
+13. From the "Actions" drop-down menu, select "Run playbook".
+14. From the playbook selection drop-down, select the playbook "Sentinel_Incident_Sync_to_Torq"
+15. Click the "Apply" button.
+
diff --git a/Solutions/Torq/Playbooks/logo.png b/Solutions/Torq/Playbooks/logo.png
new file mode 100644
index 00000000000..cc5d3be7328
Binary files /dev/null and b/Solutions/Torq/Playbooks/logo.png differ
diff --git a/Solutions/Torq/ReleaseNotes.md b/Solutions/Torq/ReleaseNotes.md
new file mode 100644
index 00000000000..3f82c05deba
--- /dev/null
+++ b/Solutions/Torq/ReleaseNotes.md
@@ -0,0 +1,4 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 21-11-2023 | Initial Solution Release |
+
diff --git a/Solutions/Torq/SolutionMetadata.json b/Solutions/Torq/SolutionMetadata.json
new file mode 100644
index 00000000000..62d26f325cc
--- /dev/null
+++ b/Solutions/Torq/SolutionMetadata.json
@@ -0,0 +1,15 @@
+{
+ "publisherId": "torq",
+ "offerId": "torq_sentinel_solution",
+ "firstPublishDate": "2024-11-19",
+ "providers": ["Torq"],
+ "categories": {
+ "domains" : ["Application"]
+ },
+ "support": {
+ "name": "Torq Support Team",
+ "email": "support@torq.io",
+ "tier": "Partner",
+ "link": "https://support.torq.io"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json
index b63df9523f3..0ee790c46ab 100644
--- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json
+++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DCR.json
@@ -1147,7 +1147,7 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence",
+ "transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence",
"outputStream": "Custom-CarbonBlack_Alerts_CL"
},
{
@@ -1157,7 +1157,7 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
+ "transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
"outputStream": "Custom-CarbonBlack_Watchlist_CL"
},
{
@@ -1167,7 +1167,7 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'",
+ "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'",
"outputStream": "Microsoft-ASimAuthenticationEventLogs"
},
{
diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json
index 27f8d3b8519..5a92d1e206c 100644
--- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json
+++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_PollingConfig.json
@@ -5,7 +5,7 @@
"kind": "AmazonWebServicesS3",
"properties": {
"connectorDefinitionName": "carbonBlackAWSS3",
- "dataType": {
+ "dataTypes": {
"logs": {
"state": "enabled"
}
diff --git a/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip b/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip
new file mode 100644
index 00000000000..c22bc321224
Binary files /dev/null and b/Solutions/VMware Carbon Black Cloud/Package/3.0.4.zip differ
diff --git a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
index 1a908fe95fb..f62504fc9b7 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json
@@ -63,23 +63,6 @@
"text": "This Solution installs the data connector for VMware Carbon Black Cloud. You can get VMware Carbon Black Cloud data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
- {
- "name": "dataconnectors-link1",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- },
- {
- "name": "dataconnectors2-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for VMware Carbon Black Cloud. You can get VMware Carbon Black Cloud custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
@@ -225,4 +208,4 @@
"workspace": "[basics('workspace')]"
}
}
-}
\ No newline at end of file
+}
diff --git a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
index 9d8b76701b8..42538e6f27e 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
@@ -55,7 +55,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "VMware Carbon Black Cloud",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
"solutionId": "azuresentinel.azure-sentinel-solution-vmwarecarbonblack",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -1648,7 +1648,7 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source\n | project TimeGenerated = detection_timestamp, Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence",
+ "transformKql": "source\n | project TimeGenerated = todatetime(detection_timestamp), Version = version, AlertUrl = alert_url, Id = id, AlertType = type, IsUpdated = is_updated, DetectionTimestamp = detection_timestamp, BackendTimestamp = backend_timestamp, BackendUpdateTimestamp = backend_update_timestamp, FirstEventTimestamp = first_event_timestamp, LastEventTimestamp = last_event_timestamp, Severity = severity, Reason = reason, ThreatId = threat_id, PrimaryEventId = primary_event_id, Workflow = workflow, Determination = determination, AlertNotesPresent = alert_notes_present, PolicyApplied = policy_applied, RunState = run_state, ReasonCode = reason_code, SensorAction = sensor_action, DeviceTargetValue = device_target_value, DevicePolicyId = device_policy_id, DevicePolicy = device_policy, DeviceId = device_id, DeviceName = device_name, DeviceOs = device_os, DeviceOsVersion = device_os_version, DeviceUsername = device_username, DeviceLocation = device_location, DeviceExternalIp = device_external_ip, DeviceInternalIp = device_internal_ip, ReportId = report_id, ReportName = report_name, ReportDescription = report_description, ReportTags = report_tags, ReportLink = report_link, IocId = ioc_id, IocHit = ioc_hit, Watchlists = watchlists, ProcessGuid = process_guid, ProcessPid = process_pid, ProcessName = process_name, ProcessSha256 = process_sha256, ProcessMd5 = process_md5, ProcessReputation = process_reputation, ProcessEffectiveReputation = process_effective_reputation, ProcessCmdline = process_cmdline, ProcessUsername = process_username, ProcessIssuer = process_issuer, ProcessPublisher = process_publisher, ParentGuid = parent_guid, ParentPid = parent_pid, ParentName = parent_name, ParentSha256 = parent_sha256, ParentMd5 = parent_md5, ParentReputation = parent_reputation, ParentEffectiveReputation = parent_effective_reputation, ParentCmdline = parent_cmdline, ParentUsername = parent_username, MdrAlertNotesPresent = mdr_alert_notes_present, MdrAlert = mdr_alert, MlClassificationFinalVerdict = ml_classification_final_verdict, MlClassificationGlobalPrevalence = ml_classification_global_prevalence, MlClassificationOrgPrevalence = ml_classification_org_prevalence",
"outputStream": "Custom-CarbonBlack_Alerts_CL"
},
{
@@ -1658,7 +1658,7 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source \n| project TimeGenerated = create_time, DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
+ "transformKql": "source \n| project TimeGenerated = todatetime(create_time), DeviceExternalIp = device_external_ip, DeviceId = device_id, DeviceInternalIp = device_internal_ip, DeviceName = device_name, IocHit = ioc_hit, IocId = ioc_id, OrgKey = org_key, ParentCmdline = parent_cmdline, ParentPath = parent_path, ParentPid = parent_pid, ProcessCmdline = process_cmdline, ProcessPath = process_path, ProcessPid = process_pid, ParentUsername = parent_username, ProcessUsername = process_username, ReportId = report_id, ReportName = report_name, Severity = severity, ReportTags = report_tags, Schema = schema, CreateTime = create_time, DeviceOs = device_os, ParentGuid = parent_guid, ParentHash = parent_hash, ParentPublisher = parent_publisher, ParentReputation = parent_reputation, ProcessGuid = process_guid, ProcessHash = process_hash, ProcessPublisher = process_publisher, ProcessReputation = process_reputation, WatchlistsType = type, Watchlists = watchlists",
"outputStream": "Custom-CarbonBlack_Watchlist_CL"
},
{
@@ -1668,7 +1668,7 @@
"destinations": [
"clv2ws1"
],
- "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'",
+ "transformKql": "source | extend splitBackendTime = split(backend_timestamp,' ') | extend backendTimeAsDate = todatetime(strcat(splitBackendTime[0],'T',splitBackendTime[1],'Z')) | extend splitDeviceTimestamp = split(device_timestamp,' ') | extend DeviceTimestampAsDate = todatetime(strcat(splitDeviceTimestamp[0],'T',splitDeviceTimestamp[1],'Z'))| extend LogonMethod = case(toint(auth_logon_type) == 2, 'Interactive',toint(auth_logon_type) == 3, 'Network',toint(auth_logon_type) == 4, 'Batch',toint(auth_logon_type) == 5, 'Service',toint(auth_logon_type) == 7, 'Unlock',toint(auth_logon_type) == 8, 'NetworkCleartext',toint(auth_logon_type) == 9, 'NewCredentials',toint(auth_logon_type) == 10, 'RemoteInteractive',toint(auth_logon_type) == 11, 'CachedInteractive','Non-Valid Logon Type') | extend DvcIpAddr = device_external_ip| extend LogonProtocol = case(auth_package == 'NLTM', 'NLTM', 'Kerberos')| extend SplittedGeo = split(auth_remote_location, ',')| extend AdditionalFields = bag_pack('AuthCleartextCredentialsLogon', auth_cleartext_credentials_logon, 'AuthDaemonLogon', auth_daemon_logon, 'AuthElevatedTokenLogon', auth_elevated_token_logon, 'AuthFailureStatus', auth_failure_status, 'AuthFailureSubStatus', auth_failure_sub_status, 'AuthImpersonationLevel', auth_impersonation_level, 'AuthInteractiveLogon', auth_interactive_logon, 'AuthKeyLength', auth_key_length, 'AuthLogonType', auth_logon_type, 'AuthPrivileges', auth_privileges, 'AuthRemoteLogon', auth_remote_logon, 'AuthRestrictedAdminLogon', auth_restricted_admin_logon, 'AuthVirtualAccountLogon', auth_virtual_account_logon, 'DeviceExternalIp', device_external_ip, 'DeviceInternalIp', device_internal_ip, 'DeviceInstalledBy', device_installed_by, 'DeviceLocation', device_location, 'DevicePolicy', device_policy, 'DevicePolicyId', device_policy_id, 'DeviceTargetPriority', device_target_priority, 'FilemodCount', filemod_count, 'ModloadCount', modload_count, 'NetconnCount', netconn_count, 'RegmodCount', regmod_count, 'ScriptloadCount', scriptload_count, 'OrgKey', org_key, 'ParentCmdline', parent_cmdline, 'ParentCmdlineLength', parent_cmdline_length, 'ParentEffectiveReputation', parent_effective_reputation, 'ParentEffectiveReputationSource', parent_effective_reputation_source, 'ParentGuid', parent_guid, 'ParentHash', parent_hash, 'ParentIssuer', parent_issuer, 'ParentPid', parent_pid, 'ParentName', parent_name, 'ParentProductName', parent_product_name, 'ParentPublisher', parent_publisher, 'ParentReputation', parent_reputation, 'ParentUsername', parent_username, 'ProcessCmdline', process_cmdline, 'ProcessCmdlineLength', process_cmdline_length, 'ProcessCompanyName', process_company_name, 'ProcessContainerPid', process_container_pid, 'ProcessDuration', process_duration, 'ProcessEffectiveReputation', process_effective_reputation, 'ProcessEffectiveReputationSource', process_effective_reputation_source, 'ProcessElevated', process_elevated, 'ProcessEndTime', process_end_time, 'ProcessFileDescription', process_file_description, 'ProcessGuid', process_guid, 'ProcessHash', process_hash, 'ProcessIntegrityLevel', process_integrity_level, 'ProcessInternalName', process_internal_name, 'ProcessIssuer', process_issuer, 'ProcessName', process_name, 'ProcessOriginalFilename', process_original_filename, 'ProcessPid', process_pid, 'ProcessPrivileges', process_privileges, 'ProcessPublisher', process_publisher, 'ProcessReputation', process_reputation, 'ProcessSha256', process_sha256, 'ProcessStartTime', process_start_time, 'ProcessUsername', process_username, 'ProcessProductName', process_product_name, 'ProcessProductVersion', process_product_version, 'WindowsEventId', windows_event_id) | project TimeGenerated = backendTimeAsDate,AdditionalFields = AdditionalFields,EventCount = toint(1),EventResult = iff(auth_event_action == 'ACTION_LOGON_FAILED', 'Failure', 'Success'),EventSchema = 'Authentication',EventSchemaVersion = '0.1.3',EventStartTime = backendTimeAsDate,EventEndTime = backendTimeAsDate,EventType = 'Logon',EventOriginalUid = event_id,EventOriginalType = 'auth.event.logonop',EventProductVersion = '2.3',ActorUserId = auth_user_id,ActorUserIdType = 'SID',ActorUsername = auth_username,ActorSessionId = auth_logon_id,ActingAppId = process_pid,ActingAppName = process_name,ActingAppType = 'Process',TargetUserId = auth_user_id,TargetUserIdType = 'SID',TargetUsername = auth_username,TargetSessionId = auth_logon_id,TargetAppId = process_pid,TargetAppName = process_name,TargetAppType = 'Process',TargetHostName = auth_server,TargetDomain = auth_domain_name,TargetDomainType = 'WINDOWS',SrcPortNumber = toint(auth_remote_port),SrcHostname = device_name,SrcDvcId = device_id,SrcDeviceType = 'Computer',SrcDvcOs = device_os,SrcIpAddr= DvcIpAddr,SrcGeoCountry = tostring(SplittedGeo[2]),SrcGeoRegion = tostring(SplittedGeo[1]),SrcGeoCity = tostring(SplittedGeo[0]),LogonMethod = LogonMethod,LogonProtocol = LogonProtocol,DvcOriginalAction = auth_event_action,DvcIpAddr = DvcIpAddr,DvcHostname = device_name,DVC = device_id,DvcId = device_id,DvcOs = device_os | extend ActorUsernameType = case (ActorUsername contains '@' , 'UPN', ActorUsername contains '\\\\', 'Windows', (ActorUsername has 'CN=' or ActorUsername has 'OU=' or ActorUsername has 'DC='), 'DN', isempty(ActorUsername), '', 'Simple') | extend TargetUsernameType = case (TargetUsername contains '@' , 'UPN', TargetUsername contains '\\\\', 'Windows', (TargetUsername has 'CN=' or TargetUsername has 'OU=' or TargetUsername has 'DC='), 'DN', isempty(TargetUsername), '', 'Simple') | extend EventProduct = 'Carbon Black Cloud', EventVendor = 'VMWare'",
"outputStream": "Microsoft-ASimAuthenticationEventLogs"
},
{
@@ -2534,6 +2534,9 @@
},
"type": "object"
},
+ "streamName": {
+ "type": "array"
+ },
"roleArn": {
"defaultValue": "roleArn",
"type": "string",
@@ -2583,7 +2586,7 @@
"kind": "AmazonWebServicesS3",
"properties": {
"connectorDefinitionName": "carbonBlackAWSS3",
- "dataType": {
+ "dataTypes": {
"logs": {
"state": "enabled"
}
@@ -2625,7 +2628,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "VMware Carbon Black Cloud data connector with template version 3.0.3",
+ "description": "VMware Carbon Black Cloud data connector with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -3038,7 +3041,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3066,10 +3069,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "VMwareCarbonBlack",
"dataTypes": [
"CarbonBlackNotifications_CL"
- ]
+ ],
+ "connectorId": "VMwareCarbonBlack"
}
],
"tactics": [
@@ -3080,22 +3083,22 @@
],
"entityMappings": [
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3151,7 +3154,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -3179,10 +3182,10 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "VMwareCarbonBlack",
"dataTypes": [
"CarbonBlackEvents_CL"
- ]
+ ],
+ "connectorId": "VMwareCarbonBlack"
}
],
"tactics": [
@@ -3193,31 +3196,31 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "Host",
"fieldMappings": [
{
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
}
- ]
+ ],
+ "entityType": "Host"
},
{
- "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3273,7 +3276,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "VMwareCarbonBlack Workbook with template version 3.0.3",
+ "description": "VMwareCarbonBlack Workbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -3369,7 +3372,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CarbonBlackConnector Playbook with template version 3.0.3",
+ "description": "CarbonBlackConnector Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -5003,7 +5006,7 @@
],
"metadata": {
"comments": "This connector used to perform different actions on alerts , device and threats using CarbonBlack cloud endpoint API.",
- "lastUpdateTime": "2024-10-15T19:22:24.265Z",
+ "lastUpdateTime": "2024-11-19T15:06:50.446Z",
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
@@ -5035,7 +5038,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.3",
+ "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -6838,7 +6841,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.3",
+ "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -7581,7 +7584,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.3",
+ "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -8005,7 +8008,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "VMware Carbon Black Cloud",
diff --git a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
index b4bc33b9dd6..c21d2f75395 100644
--- a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
+++ b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------------|
+| 3.0.4 | 19-11-2024 | Modified TransformKQL queries of CCP **Data Connector** |
| 3.0.3 | 28-10-2024 | Added Sample Queries to the CCP **Data Connector** template |
| 3.0.2 | 15-10-2024 | Added new CCP **Data Connector** to the Solution |
| 3.0.1 | 17-04-2024 | Added Azure Deploy button for government portal deployments in **Data connectors** |
diff --git a/Solutions/VMware vCenter/Package/3.0.3.zip b/Solutions/VMware vCenter/Package/3.0.3.zip
new file mode 100644
index 00000000000..85e64436a45
Binary files /dev/null and b/Solutions/VMware vCenter/Package/3.0.3.zip differ
diff --git a/Solutions/VMware vCenter/Package/mainTemplate.json b/Solutions/VMware vCenter/Package/mainTemplate.json
index ad22b91c621..34c70187130 100644
--- a/Solutions/VMware vCenter/Package/mainTemplate.json
+++ b/Solutions/VMware vCenter/Package/mainTemplate.json
@@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "VMware vCenter",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-vcenter",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -55,7 +55,7 @@
"_parserName1": "[concat(parameters('workspace'),'/','vCenter')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vCenter')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('vCenter-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "1.0.1",
"parserContentId1": "vCenter-Parser"
},
"uiConfigId1": "VMwarevCenter",
@@ -93,7 +93,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vCenter Workbook with template version 3.0.2",
+ "description": "vCenter Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -181,7 +181,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vCenter Data Parser with template version 3.0.2",
+ "description": "vCenter Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -198,7 +198,7 @@
"displayName": "vCenter",
"category": "Microsoft Sentinel Parser",
"functionAlias": "vCenter",
- "query": "let vCenter_Login =() {\nvcenter_CL\n| where Message has (\"UserLoginSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\"\n};\nlet vCenter_Logout =() {vcenter_CL\n| where Message has (\"UserLogoutSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\"\n};\nlet vCenter_Role=() {vcenter_CL\n| where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\"\n};\nlet vCenter_RoleModified=() {vcenter_CL\n| where Message has (\"RoleUpdatedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\"\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n",
+ "query": "let vCenter_Login =() {\n vcenter_CL\n | where Message has (\"UserLoginSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\" *\n};\nlet vCenter_Logout =() {\n vcenter_CL\n | where Message has (\"UserLogoutSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\" *\n};\nlet vCenter_Role=() {\n vcenter_CL\n | where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\" *\n};\nlet vCenter_RoleModified=() {\n vcenter_CL\n | where Message has (\"RoleUpdatedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\" *\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n| extend ClientIP = SourceIP\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -248,8 +248,8 @@
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "vCenter",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]",
"version": "[variables('parserObject1').parserVersion1]"
}
},
@@ -263,7 +263,7 @@
"displayName": "vCenter",
"category": "Microsoft Sentinel Parser",
"functionAlias": "vCenter",
- "query": "let vCenter_Login =() {\nvcenter_CL\n| where Message has (\"UserLoginSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\"\n};\nlet vCenter_Logout =() {vcenter_CL\n| where Message has (\"UserLogoutSessionEvent\")\n| parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\"\n};\nlet vCenter_Role=() {vcenter_CL\n| where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\"\n};\nlet vCenter_RoleModified=() {vcenter_CL\n| where Message has (\"RoleUpdatedEvent\")\n| parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\"\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n",
+ "query": "let vCenter_Login =() {\n vcenter_CL\n | where Message has (\"UserLoginSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User \" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged in as \" UserAgent:string \"]\" *\n};\nlet vCenter_Logout =() {\n vcenter_CL\n | where Message has (\"UserLogoutSessionEvent\")\n | parse Message with * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity \"]\" * \"[User\" DomainName:string \"\\\\\" Username:string \"@\" SourceIP \" logged out (login time:\" LoginTime:string \", number of API invocations: \" APIInvocationCount:int \", user agent:\" UserAgent:string \")]\" *\n};\nlet vCenter_Role=() {\n vcenter_CL\n | where Message has_any(\"RoleAddedEvent\",\"RoleRemovedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"[New role \" RoleName:string \" \" Operation:string \"]\" *\n};\nlet vCenter_RoleModified=() {\n vcenter_CL\n | where Message has (\"RoleUpdatedEvent\")\n | parse Message with * \" \" * \" \" Hostname:string \"vpxd\" * \"Event [\" EventId:string \"] [1-1] [\" EventTime:datetime \"] [\" EventType:string \"] [\" EventSeverity:string \"]\" * \"Previous name: \" OldRoleName:string \", new name \"NewRoleName:string \" Added privileges: \" AddedPriviledges:string \" Removed privileges: \" RemovedPriviledges:string \"]\" *\n};\nunion vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified\n| extend ClientIP = SourceIP\n",
"functionParameters": "",
"version": 2,
"tags": [
@@ -313,7 +313,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "VMware vCenter data connector with template version 3.0.2",
+ "description": "VMware vCenter data connector with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -703,7 +703,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vCenter-Root impersonation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "vCenter-Root impersonation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -731,16 +731,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "vCenter",
"dataTypes": [
"vCenter"
- ]
+ ],
+ "connectorId": "vCenter"
},
{
- "connectorId": "CustomLogsAma",
"dataTypes": [
"vcenter_CL"
- ]
+ ],
+ "connectorId": "CustomLogsAma"
}
],
"tactics": [
@@ -813,7 +813,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vCenterRootLogin_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "vCenterRootLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -841,16 +841,16 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "vCenter",
"dataTypes": [
"vCenter"
- ]
+ ],
+ "connectorId": "vCenter"
},
{
- "connectorId": "CustomLogsAma",
"dataTypes": [
"vcenter_CL"
- ]
+ ],
+ "connectorId": "CustomLogsAma"
}
],
"tactics": [
@@ -920,7 +920,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "VMware vCenter",
diff --git a/Solutions/VMware vCenter/Parsers/vCenter.yaml b/Solutions/VMware vCenter/Parsers/vCenter.yaml
index 55198b50c5c..534301b8589 100644
--- a/Solutions/VMware vCenter/Parsers/vCenter.yaml
+++ b/Solutions/VMware vCenter/Parsers/vCenter.yaml
@@ -1,27 +1,31 @@
id: a466d02c-cfe0-4377-9ae0-fdfc8dd79e78
Function:
Title: Parser for vCenter
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '1.0.1'
+ LastUpdated: '2024-11-08'
Category: Microsoft Sentinel Parser
FunctionName: vCenter
FunctionAlias: vCenter
FunctionQuery: |
let vCenter_Login =() {
- vcenter_CL
- | where Message has ("UserLoginSessionEvent")
- | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]"
+ vcenter_CL
+ | where Message has ("UserLoginSessionEvent")
+ | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User " DomainName:string "\\" Username:string "@" SourceIP " logged in as " UserAgent:string "]" *
};
- let vCenter_Logout =() {vcenter_CL
- | where Message has ("UserLogoutSessionEvent")
- | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User" DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:int ", user agent:" UserAgent:string ")]"
+ let vCenter_Logout =() {
+ vcenter_CL
+ | where Message has ("UserLogoutSessionEvent")
+ | parse Message with * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity "]" * "[User" DomainName:string "\\" Username:string "@" SourceIP " logged out (login time:" LoginTime:string ", number of API invocations: " APIInvocationCount:int ", user agent:" UserAgent:string ")]" *
};
- let vCenter_Role=() {vcenter_CL
- | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
- | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string "]"
+ let vCenter_Role=() {
+ vcenter_CL
+ | where Message has_any("RoleAddedEvent","RoleRemovedEvent")
+ | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "[New role " RoleName:string " " Operation:string "]" *
};
- let vCenter_RoleModified=() {vcenter_CL
- | where Message has ("RoleUpdatedEvent")
- | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]"
+ let vCenter_RoleModified=() {
+ vcenter_CL
+ | where Message has ("RoleUpdatedEvent")
+ | parse Message with * " " * " " Hostname:string "vpxd" * "Event [" EventId:string "] [1-1] [" EventTime:datetime "] [" EventType:string "] [" EventSeverity:string "]" * "Previous name: " OldRoleName:string ", new name "NewRoleName:string " Added privileges: " AddedPriviledges:string " Removed privileges: " RemovedPriviledges:string "]" *
};
- union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
\ No newline at end of file
+ union vCenter_Login,vCenter_Logout,vCenter_Role,vCenter_RoleModified
+ | extend ClientIP = SourceIP
diff --git a/Solutions/VMware vCenter/ReleaseNotes.md b/Solutions/VMware vCenter/ReleaseNotes.md
index 005dfa93493..5ba59fe2232 100644
--- a/Solutions/VMware vCenter/ReleaseNotes.md
+++ b/Solutions/VMware vCenter/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
-| 3.0.2 | 09-08-2024 | Deprecating data connectors |
+| 3.0.3 | 18-11-2024 | Modified **Parser** vCenter.yaml for better parsing |
+| 3.0.2 | 09-08-2024 | Deprecating **Data Connectors** |
| 3.0.1 | 27-05-2024 | Updated the **Data Connector** instructions |
| 3.0.0 | 27-07-2023 | Corrected the links in the solution |
diff --git a/Solutions/Vectra AI Stream/Data/Solution_Vectra.json b/Solutions/Vectra AI Stream/Data/Solution_Vectra.json
index 82f27ce0fe0..4a7019f4ff9 100644
--- a/Solutions/Vectra AI Stream/Data/Solution_Vectra.json
+++ b/Solutions/Vectra AI Stream/Data/Solution_Vectra.json
@@ -26,12 +26,13 @@
"Vectra AI Stream/Parsers/vectra_ssh.yaml",
"Vectra AI Stream/Parsers/vectra_ssl.yaml",
"Vectra AI Stream/Parsers/vectra_stream.yaml",
- "Vectra AI Stream/Parsers/vectra_x509.yaml"
+ "Vectra AI Stream/Parsers/vectra_x509.yaml",
+ "Vectra AI Stream/Parsers/vectra_match.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\Users\\fguillot\\Documents\\GitHub\\Azure-Sentinel\\Solutions\\Vectra AI Stream",
- "Version": "3.0.0",
+ "Version": "3.0.1",
"TemplateSpec": true,
"Is1Pconnector": false
}
\ No newline at end of file
diff --git a/Solutions/Vectra AI Stream/Package/3.0.1.zip b/Solutions/Vectra AI Stream/Package/3.0.1.zip
new file mode 100644
index 00000000000..1cfb58f83c7
Binary files /dev/null and b/Solutions/Vectra AI Stream/Package/3.0.1.zip differ
diff --git a/Solutions/Vectra AI Stream/Package/createUiDefinition.json b/Solutions/Vectra AI Stream/Package/createUiDefinition.json
index 9d77ada7447..886b719f74b 100644
--- a/Solutions/Vectra AI Stream/Package/createUiDefinition.json
+++ b/Solutions/Vectra AI Stream/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Stream/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n**Note:** Please refer to the following before installing the solution: \n\n• There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Stream](https://www.vectra.ai/products/platform) solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our [Network Metadata reference guide]( https://support.vectra.ai/s/article/KB-VS-1245)\n\r\n1. ** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here]( https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. ** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 19\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": " \n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Stream/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n**Note:** Please refer to the following before installing the solution: \n\n• There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Stream](https://www.vectra.ai/products/platform) solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our [Network Metadata reference guide]( https://support.vectra.ai/s/article/KB-VS-1245)\n\r\n1. ** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here]( https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. ** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 20\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Vectra AI Stream/Package/mainTemplate.json b/Solutions/Vectra AI Stream/Package/mainTemplate.json
index acc1aabae59..d67ea172518 100644
--- a/Solutions/Vectra AI Stream/Package/mainTemplate.json
+++ b/Solutions/Vectra AI Stream/Package/mainTemplate.json
@@ -33,7 +33,7 @@
"email": "tme@vetcra.ai",
"_email": "[variables('email')]",
"_solutionName": "Vectra AI Stream",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
"solutionId": "vectraaiinc.vectra_sentinel_solution",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "AIVectraStream",
@@ -177,7 +177,7 @@
"_parserName18": "[concat(parameters('workspace'),'/','vectra_stream')]",
"_parserId18": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_stream')]",
"parserTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('vectra_stream-Parser')))]",
- "parserVersion18": "1.0.0",
+ "parserVersion18": "1.0.1",
"parserContentId18": "vectra_stream-Parser"
},
"parserObject19": {
@@ -187,6 +187,13 @@
"parserVersion19": "1.0.0",
"parserContentId19": "vectra_x509-Parser"
},
+ "parserObject20": {
+ "_parserName20": "[concat(parameters('workspace'),'/','vectra_match')]",
+ "_parserId20": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_match')]",
+ "parserTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('vectra_match-Parser')))]",
+ "parserVersion20": "1.0.0",
+ "parserContentId20": "vectra_match-Parser"
+ },
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -199,7 +206,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Vectra AI Stream data connector with template version 3.0.0",
+ "description": "Vectra AI Stream data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -606,7 +613,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Vectra AI Stream data connector with template version 3.0.0",
+ "description": "Vectra AI Stream data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -1165,7 +1172,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "VectraStream_function Data Parser with template version 3.0.0",
+ "description": "VectraStream_function Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -1297,7 +1304,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_beacon Data Parser with template version 3.0.0",
+ "description": "vectra_beacon Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -1429,7 +1436,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_dcerpc Data Parser with template version 3.0.0",
+ "description": "vectra_dcerpc Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -1561,7 +1568,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_dhcp Data Parser with template version 3.0.0",
+ "description": "vectra_dhcp Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -1693,7 +1700,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_dns Data Parser with template version 3.0.0",
+ "description": "vectra_dns Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject5').parserVersion5]",
@@ -1825,7 +1832,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_http Data Parser with template version 3.0.0",
+ "description": "vectra_http Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject6').parserVersion6]",
@@ -1957,7 +1964,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_isession Data Parser with template version 3.0.0",
+ "description": "vectra_isession Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject7').parserVersion7]",
@@ -2089,7 +2096,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_kerberos Data Parser with template version 3.0.0",
+ "description": "vectra_kerberos Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject8').parserVersion8]",
@@ -2221,7 +2228,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_ldap Data Parser with template version 3.0.0",
+ "description": "vectra_ldap Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject9').parserVersion9]",
@@ -2353,7 +2360,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_ntlm Data Parser with template version 3.0.0",
+ "description": "vectra_ntlm Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject10').parserVersion10]",
@@ -2485,7 +2492,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_radius Data Parser with template version 3.0.0",
+ "description": "vectra_radius Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject11').parserVersion11]",
@@ -2617,7 +2624,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_rdp Data Parser with template version 3.0.0",
+ "description": "vectra_rdp Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject12').parserVersion12]",
@@ -2749,7 +2756,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_smbfiles Data Parser with template version 3.0.0",
+ "description": "vectra_smbfiles Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject13').parserVersion13]",
@@ -2881,7 +2888,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_smbmapping Data Parser with template version 3.0.0",
+ "description": "vectra_smbmapping Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject14').parserVersion14]",
@@ -3013,7 +3020,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_smtp Data Parser with template version 3.0.0",
+ "description": "vectra_smtp Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject15').parserVersion15]",
@@ -3145,7 +3152,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_ssh Data Parser with template version 3.0.0",
+ "description": "vectra_ssh Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject16').parserVersion16]",
@@ -3277,7 +3284,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_ssl Data Parser with template version 3.0.0",
+ "description": "vectra_ssl Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject17').parserVersion17]",
@@ -3409,7 +3416,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_stream Data Parser with template version 3.0.0",
+ "description": "vectra_stream Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject18').parserVersion18]",
@@ -3426,7 +3433,7 @@
"displayName": "vectra_stream parser for Vectra AI",
"category": "Microsoft Sentinel Parser",
"functionAlias": "vectra_stream",
- "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509\n};\nvectra_stream",
+ "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509, vectra_match\n};\nvectra_stream",
"functionParameters": "",
"version": 2,
"tags": [
@@ -3476,8 +3483,8 @@
"contentId": "[variables('parserObject18').parserContentId18]",
"contentKind": "Parser",
"displayName": "vectra_stream parser for Vectra AI",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.1')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject18').parserContentId18,'-', '1.0.1')))]",
"version": "[variables('parserObject18').parserVersion18]"
}
},
@@ -3491,7 +3498,7 @@
"displayName": "vectra_stream parser for Vectra AI",
"category": "Microsoft Sentinel Parser",
"functionAlias": "vectra_stream",
- "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509\n};\nvectra_stream",
+ "query": "let vectra_stream = view () {\nunion isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509, vectra_match\n};\nvectra_stream",
"functionParameters": "",
"version": 2,
"tags": [
@@ -3541,7 +3548,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "vectra_x509 Data Parser with template version 3.0.0",
+ "description": "vectra_x509 Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject19').parserVersion19]",
@@ -3664,17 +3671,149 @@
}
}
},
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('parserObject20').parserTemplateSpecName20]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "vectra_match Data Parser with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('parserObject20').parserVersion20]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[variables('parserObject20')._parserName20]",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "vectra_match parser for Vectra AI",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "vectra_match",
+ "query": "let vectra_match = view () {\n vectra_match_CL\n | extend\n EventVendor=\"Vectra AI\",\n EventProduct=\"Stream\",\n EventType=\"vectra_match\"\n};\nvectra_match\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject20')._parserId20,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject20')._parserId20]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_match')]",
+ "contentId": "[variables('parserObject20').parserContentId20]",
+ "kind": "Parser",
+ "version": "[variables('parserObject20').parserVersion20]",
+ "source": {
+ "name": "Vectra AI Stream",
+ "kind": "Solution",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Vectra TME Team",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Vectra AI",
+ "email": "support@vectra.ai",
+ "tier": "Partner",
+ "link": "https://www.vectra.ai/support"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('parserObject20').parserContentId20]",
+ "contentKind": "Parser",
+ "displayName": "vectra_match parser for Vectra AI",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject20').parserContentId20,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject20').parserContentId20,'-', '1.0.0')))]",
+ "version": "[variables('parserObject20').parserVersion20]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('parserObject20')._parserName20]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "vectra_match parser for Vectra AI",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "vectra_match",
+ "query": "let vectra_match = view () {\n vectra_match_CL\n | extend\n EventVendor=\"Vectra AI\",\n EventProduct=\"Stream\",\n EventType=\"vectra_match\"\n};\nvectra_match\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject20')._parserId20,'/'))))]",
+ "dependsOn": [
+ "[variables('parserObject20')._parserId20]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'vectra_match')]",
+ "contentId": "[variables('parserObject20').parserContentId20]",
+ "kind": "Parser",
+ "version": "[variables('parserObject20').parserVersion20]",
+ "source": {
+ "kind": "Solution",
+ "name": "Vectra AI Stream",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Vectra TME Team",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Vectra AI",
+ "email": "support@vectra.ai",
+ "tier": "Partner",
+ "link": "https://www.vectra.ai/support"
+ }
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Vectra AI Stream",
"publisherDisplayName": "Vectra AI",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nNote: Please refer to the following before installing the solution:
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Vectra AI Stream solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our Network Metadata reference guide
\n\n** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here . Microsoft recommends using this Data Connector .
\n \n** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.
\n \n \nNOTE: Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details .
\nData Connectors: 2, Parsers: 19
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nNote: Please refer to the following before installing the solution:
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Vectra AI Stream solution allows you to easily connect your Vectra Platform with Microsoft Sentinel, to ingest network metadata collected at scale throughout your environment by Vectra sensors (On-premise or Cloud). This gives you deep insight into your organization's network traffic and improves your security operation capabilities. For a complete list of protocols and attributes supported, check out our Network Metadata reference guide
\n\n** Vectra AI Stream (Network Enriched Metadata) via AMA** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here . Microsoft recommends using this Data Connector .
\n \n** Vectra AI Stream (Network Enriched Metadata) via Legacy Agent** - This data connector helps ingest Vectra AI Stream events into your Log Analytics Workspace using the legacy Log Analytics agent.
\n \n \nNOTE: Microsoft recommends installation of ** Vectra AI Stream (Network Enriched Metadata) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details .
\nData Connectors: 2, Parsers: 20
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -3803,6 +3942,11 @@
"kind": "Parser",
"contentId": "[variables('parserObject19').parserContentId19]",
"version": "[variables('parserObject19').parserVersion19]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject20').parserContentId20]",
+ "version": "[variables('parserObject20').parserVersion20]"
}
]
},
diff --git a/Solutions/Vectra AI Stream/Parsers/vectra_match.yaml b/Solutions/Vectra AI Stream/Parsers/vectra_match.yaml
new file mode 100644
index 00000000000..06712f5648b
--- /dev/null
+++ b/Solutions/Vectra AI Stream/Parsers/vectra_match.yaml
@@ -0,0 +1,17 @@
+id: 7ba35238-0db6-4f32-bb69-9b47c3050b0e
+Function:
+ Title: vectra_match parser for Vectra AI
+ Version: 1.0.0
+ LastUpdated: '2024-11-15'
+Category: Microsoft Sentinel Parser
+FunctionName: vectra_match
+FunctionAlias: vectra_match
+FunctionQuery: |+
+ let vectra_match = view () {
+ vectra_match_CL
+ | extend
+ EventVendor="Vectra AI",
+ EventProduct="Stream",
+ EventType="vectra_match"
+ };
+ vectra_match
\ No newline at end of file
diff --git a/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml b/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml
index 181d5ee80db..2dea282e138 100644
--- a/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml
+++ b/Solutions/Vectra AI Stream/Parsers/vectra_stream.yaml
@@ -1,13 +1,13 @@
id: 6f157121-0831-4d7b-9c2f-32cbc17cb8e0
Function:
Title: vectra_stream parser for Vectra AI
- Version: 1.0.0
- LastUpdated: '2024-04-26'
+ Version: 1.0.1
+ LastUpdated: '2024-11-15'
Category: Microsoft Sentinel Parser
FunctionName: vectra_stream
FunctionAlias: vectra_stream
FunctionQuery: |-
let vectra_stream = view () {
- union isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509
+ union isfuzzy=true vectra_beacon, vectra_dcerpc, vectra_dhcp, vectra_dns, vectra_http, vectra_isession, vectra_kerberos, vectra_ldap, vectra_ntlm, vectra_radius, vectra_rdp, vectra_smbfiles, vectra_smbmapping, vectra_smtp, vectra_ssh, vectra_ssl, vectra_x509, vectra_match
};
vectra_stream
\ No newline at end of file
diff --git a/Solutions/Vectra AI Stream/ReleaseNotes.md b/Solutions/Vectra AI Stream/ReleaseNotes.md
index 1a3030b9a96..799e2ec6efb 100644
--- a/Solutions/Vectra AI Stream/ReleaseNotes.md
+++ b/Solutions/Vectra AI Stream/ReleaseNotes.md
@@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------------|
+| 3.0.1 | 19-11-2024 |Added new **Parser** vectra_match to the Solution Update the solution to support a new metadata type: match (suricata)|
| 3.0.0 | 10-07-2024 | Added new **AMA Data Connector** Removed deprecated content **Hunting Queries** And **Workbooks** Added new **Parsers** to the Solution |
\ No newline at end of file
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 1bb10f4d768..4c04cbd03c8 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1958,8 +1958,7 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "ForcepointCSG",
- "ForcepointCSGAma"
+ "CefAma"
],
"previewImagesFileNames": [
"ForcepointCloudSecurityGatewayWhite.png",
@@ -2986,8 +2985,7 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "Claroty",
- "ClarotyAma"
+ "CefAma"
],
"previewImagesFileNames": [
"ClarotyBlack.png",
@@ -3363,8 +3361,7 @@
"PingFederateEvent"
],
"dataConnectorsDependencies": [
- "PingFederate",
- "PingFederateAma"
+ "CefAma"
],
"previewImagesFileNames": [
"PingFederateBlack1.png",
diff --git a/Tools/MDO-Power BI Dashboard b/Tools/MDO-Power BI Dashboard
deleted file mode 100644
index 8b137891791..00000000000
--- a/Tools/MDO-Power BI Dashboard
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit
similarity index 100%
rename from Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit
diff --git a/Tools/MDO Power BI Dashboard/MDO Detection Details Report v2.3.1.pbit b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report v2.3.1(legacy).pbit
similarity index 100%
rename from Tools/MDO Power BI Dashboard/MDO Detection Details Report v2.3.1.pbit
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/MDO Detection Details Report v2.3.1(legacy).pbit
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA1.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA1.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOLA1.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA1.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA2.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA2.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOLA2.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA2.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA3.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA3.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOLA3.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOLA3.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI1.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI1.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI1.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI1.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI10.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI10.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI10.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI10.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI11.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI11.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI11.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI11.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI12.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI12.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI12.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI12.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI13.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI13.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI13.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI13.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI14.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI14.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI14.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI14.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI15.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI15.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI15.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI15.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI16.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI16.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI16.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI16.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI17.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI17.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI17.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI17.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI18.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI18.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI18.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI18.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI19.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI19.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI19.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI19.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI2.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI2.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI2.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI2.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI20.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI20.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI20.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI20.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI3.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI3.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI3.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI3.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI4.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI4.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI4.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI4.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI5.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI5.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI5.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI5.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI6.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI6.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI6.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI6.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI7.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI7.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI7.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI7.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI8.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI8.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI8.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI8.png
diff --git a/Tools/MDO Power BI Dashboard/Media/MDOPowerBI9.png b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI9.png
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Media/MDOPowerBI9.png
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Media/MDOPowerBI9.png
diff --git a/Tools/MDO Power BI Dashboard/Readme.md b/Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Readme.md
similarity index 100%
rename from Tools/MDO Power BI Dashboard/Readme.md
rename to Tools/Microsoft Defender for Office 365/Microsoft Defender for Office 365 Detection Details Report/Readme.md
diff --git a/Tools/Microsoft Defender for Office 365/Readme.md b/Tools/Microsoft Defender for Office 365/Readme.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 6bb23bf2bc5..ca52096d5af 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -78,9 +78,7 @@
"ThreatIntelligenceIndicator"
],
"dataConnectorsDependencies": [
- "ForcepointNgfw",
"ThreatIntelligence",
- "ForcepointNgfwAma",
"CefAma"
],
"previewImagesFileNames": [
@@ -1381,8 +1379,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "ForcepointNgfw",
- "ForcepointNgfwAma",
"CefAma"
],
"previewImagesFileNames": [
@@ -2451,8 +2447,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "ForcepointCSG",
- "ForcepointCSGAma",
"CefAma"
],
"previewImagesFileNames": [
@@ -3747,8 +3741,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "Claroty",
- "ClarotyAma",
"CefAma"
],
"previewImagesFileNames": [
@@ -4170,8 +4162,6 @@
"PingFederateEvent"
],
"dataConnectorsDependencies": [
- "PingFederate",
- "PingFederateAma",
"CefAma"
],
"previewImagesFileNames": [
@@ -8356,6 +8346,9 @@
"provider": "InspiraEnterprise",
"source": {
"kind": "Community"
+ },
+ "author": {
+ "name": "Inspira Enterprise"
}
},
{
@@ -8381,8 +8374,11 @@
"templateRelativePath": "User_Analytics_Workbook.json",
"subtitle": "",
"provider": "InspiraEnterprise",
+ "source": {
+ "kind": "Community"
+ },
"author": {
- "name": "InspiraEnterprise"
+ "name": "Inspira Enterprise"
}
},
{
@@ -8408,8 +8404,11 @@
"templateRelativePath": "Syslog-Bifurcation.json",
"subtitle": "",
"provider": "InspiraEnterprise",
+ "source": {
+ "kind": "Community"
+ },
"author": {
- "name": "InspiraEnterprise"
+ "name": "Inspira Enterprise"
}
}
]
\ No newline at end of file