Merge pull request #11684 from Azure/v-shukore/SymentecVIP-ProxySG-TI…

…-VMwareCarbonBlack Solution packaged for Removed Custom Entity mappings from Analytic Rule
Azure · Jan 22, 2025 · bd06709 · bd06709
2 parents 12b326d + 119660b
commit bd06709
Show file tree

Hide file tree

Showing 11 changed files with 80 additions and 85 deletions.
diff --git a/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json b/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json
@@ -17,7 +17,7 @@
     "azuresentinel.azure-sentinel-solution-syslog"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec VIP",
-  "Version": "3.0.1",
+  "Version": "3.0.2",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true
 }
diff --git a/Solutions/Symantec VIP/Package/3.0.2.zip b/Solutions/Symantec VIP/Package/3.0.2.zip
diff --git a/Solutions/Symantec VIP/Package/mainTemplate.json b/Solutions/Symantec VIP/Package/mainTemplate.json
@@ -39,7 +39,7 @@
   },
   "variables": {
     "_solutionName": "Symantec VIP",
-    "_solutionVersion": "3.0.1",
+    "_solutionVersion": "3.0.2",
     "solutionId": "azuresentinel.azure-sentinel-solution-symantecvip",
     "_solutionId": "[variables('solutionId')]",
     "workbookVersion1": "1.0.0",
@@ -50,18 +50,18 @@
     "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
     "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
     "analyticRuleObject1": {
-      "analyticRuleVersion1": "1.0.3",
+      "analyticRuleVersion1": "1.0.4",
       "_analyticRulecontentId1": "a9956d3a-07a9-44a6-a279-081a85020cae",
       "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9956d3a-07a9-44a6-a279-081a85020cae')]",
       "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9956d3a-07a9-44a6-a279-081a85020cae')))]",
-      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9956d3a-07a9-44a6-a279-081a85020cae','-', '1.0.3')))]"
+      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9956d3a-07a9-44a6-a279-081a85020cae','-', '1.0.4')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.3",
+      "analyticRuleVersion2": "1.0.4",
       "_analyticRulecontentId2": "c775a46b-21b1-46d7-afa6-37e3e577a27b",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c775a46b-21b1-46d7-afa6-37e3e577a27b')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c775a46b-21b1-46d7-afa6-37e3e577a27b')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c775a46b-21b1-46d7-afa6-37e3e577a27b','-', '1.0.3')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c775a46b-21b1-46d7-afa6-37e3e577a27b','-', '1.0.4')))]"
     },
     "parserObject1": {
       "_parserName1": "[concat(parameters('workspace'),'/','SymantecVIP')]",
@@ -82,7 +82,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SymantecVIP Workbook with template version 3.0.1",
+        "description": "SymantecVIP Workbook with template version 3.0.2",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -137,10 +137,6 @@
                       "contentId": "Syslog",
                       "kind": "DataType"
                     },
-                    {
-                      "contentId": "SymantecVIP",
-                      "kind": "DataConnector"
-                    },
                     {
                       "contentId": "SyslogAma",
                       "kind": "DataConnector"
@@ -173,7 +169,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ClientDeniedAccess_AnalyticalRules Analytics Rule with template version 3.0.1",
+        "description": "ClientDeniedAccess_AnalyticalRules Analytics Rule with template version 3.0.2",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -190,7 +186,7 @@
                 "description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.",
                 "displayName": "ClientDeniedAccess",
                 "enabled": false,
-                "query": "let threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+                "query": "let threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -201,10 +197,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "SyslogAma",
                     "datatypes": [
                       "Syslog"
-                    ]
+                    ],
+                    "connectorId": "SyslogAma"
                   }
                 ],
                 "tactics": [
@@ -215,22 +211,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "AccountCustomEntity",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "User"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "columnName": "IPCustomEntity",
-                        "identifier": "Address"
+                        "identifier": "Address",
+                        "columnName": "ClientIP"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -285,7 +281,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ExcessiveFailedAuthenticationsfromInvalidInputs_AnalyticalRules Analytics Rule with template version 3.0.1",
+        "description": "ExcessiveFailedAuthenticationsfromInvalidInputs_AnalyticalRules Analytics Rule with template version 3.0.2",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -302,7 +298,7 @@
                 "description": "Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.",
                 "displayName": "Excessive Failed Authentication from Invalid Inputs",
                 "enabled": false,
-                "query": "let threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+                "query": "let threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -313,10 +309,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "SyslogAma",
                     "datatypes": [
                       "Syslog"
-                    ]
+                    ],
+                    "connectorId": "SyslogAma"
                   }
                 ],
                 "tactics": [
@@ -327,22 +323,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "columnName": "AccountCustomEntity",
-                        "identifier": "FullName"
+                        "identifier": "FullName",
+                        "columnName": "User"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "columnName": "IPCustomEntity",
-                        "identifier": "Address"
+                        "identifier": "Address",
+                        "columnName": "ClientIP"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -397,7 +393,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SymantecVIP Data Parser with template version 3.0.1",
+        "description": "SymantecVIP Data Parser with template version 3.0.2",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -523,7 +519,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.1",
+        "version": "3.0.2",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Symantec VIP",

diff --git a/Solutions/Symantec VIP/ReleaseNotes.md b/Solutions/Symantec VIP/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                             |
 |-------------|--------------------------------|------------------------------------------------|
+| 3.0.2       | 20-01-2025                     | Removed Custom Entity mappings from **Analytic rules**          |
 | 3.0.1       | 31-12-2024                     | Removed Deprecated **Data connector**          |
 | 3.0.0       | 01-08-2024                     | Update **Parser** as part of Syslog migration  |
 |             |                                | Deprecating data connectors                    |
diff --git a/Solutions/SymantecProxySG/Data/Solution_SymantecProxySG.json b/Solutions/SymantecProxySG/Data/Solution_SymantecProxySG.json
@@ -17,7 +17,7 @@
     "azuresentinel.azure-sentinel-solution-syslog"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SymantecProxySG",
-  "Version": "3.0.2",
+  "Version": "3.0.3",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true
 }
diff --git a/Solutions/SymantecProxySG/Package/3.0.3.zip b/Solutions/SymantecProxySG/Package/3.0.3.zip