Added Silverfort Solution #10941

Merged: 14 commits, Sep 18, 2024

Conversation

FrankGasparovic (Contributor):

Change(s):

  • Added SolutionMetadata.json to define metadata for the Silverfort solution in Microsoft Sentinel.
  • Included SilverfortWorkbook.json to provide a detailed workbook template offering insights into Silverfort logs and events.
  • Added Certrifried.yaml, Log4Shell.yaml, NoPac_Breach.yaml, and User_Brute_Force.yaml to create analytic rules for detecting specific incidents reported by Silverfort.
  • Included SilverfortITDROnPrem.json to configure the Silverfort ITDR Admin Console data connector for Microsoft Sentinel.

Reason for Change(s):

  • To integrate Silverfort’s identity threat detection and response capabilities within Microsoft Sentinel, providing enhanced security insights, analytics, and incident detection.
  • This integration allows users to monitor, analyze, and respond to Silverfort-related events directly within their Sentinel workspace, leveraging advanced detection rules and a custom data connector.

Version Updated:

  • Yes
  • The version for Detections/Analytic Rule templates has been updated to 1.0.0 for the new rules: Certrifried, Log4Shell, NoPac_Breach, and User_Brute_Force.

Testing Completed:

  • Yes
  • All components were tested in a Microsoft Sentinel environment to ensure they work as expected. The analytic rules were validated to trigger correctly, the workbook displayed the intended data, and the data connector ingested logs without errors.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes
  • All necessary validations were run locally, and any identified issues were resolved prior to submission.

@FrankGasparovic FrankGasparovic requested review from a team as code owners August 7, 2024 20:26
@v-prasadboke v-prasadboke self-assigned this Aug 8, 2024
@v-prasadboke v-prasadboke added the Solution Solution specialty review needed label Aug 8, 2024
@v-prasadboke (Contributor):

Hello @FrankGasparovic, please add the input file, which should be in the Data folder. It is needed to package the solution.
You can refer to this Solution for more clarification - https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Agari

Also add workbook metadata to this file
https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

Analytic rules are missing with entity mappings, techniques and tactics.

Please do share sample data to test the content of the solution.
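The items the reviewer asks for above (entity mappings, tactics and techniques on every analytic rule, plus the 1.0.0 version the PR description mentions) are the kind of thing that can be checked by script before a solution is submitted. The following validator is an added example written for this page; it is not code from the Azure-Sentinel repository or from the Silverfort solution. It assumes each rule YAML has already been loaded into a dict (with `yaml.safe_load` in practice) and uses constructed sample rules with a hypothetical table name.

```python
from __future__ import annotations

import re
from typing import Any

# Added example: a pre-submission check for Microsoft Sentinel analytic rule templates.
# Field names follow the analytic rule YAML schema used in the Azure-Sentinel repository
# (tactics, relevantTechniques, entityMappings, version). The sample rules below are
# constructed for this example; "Vendor_CL" is a hypothetical table name.

TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # T1110 or T1110.001
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")           # e.g. 1.0.0

# ATT&CK tactic names as spelled in Sentinel rule templates (no spaces).
KNOWN_TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact", "ImpairProcessControl", "InhibitResponseFunction",
}

REQUIRED_FIELDS = ("id", "name", "description", "severity", "query", "version")


def validate_rule(rule: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the template passes these checks."""
    problems: list[str] = []

    for field in REQUIRED_FIELDS:
        if not rule.get(field):
            problems.append(f"missing required field '{field}'")

    version = rule.get("version")
    if isinstance(version, str) and not SEMVER_RE.match(version):
        problems.append(f"version '{version}' is not MAJOR.MINOR.PATCH")

    tactics = rule.get("tactics") or []
    if not tactics:
        problems.append("no tactics listed")
    for tactic in tactics:
        if tactic not in KNOWN_TACTICS:
            problems.append(f"unknown tactic '{tactic}'")

    techniques = rule.get("relevantTechniques") or []
    if not techniques:
        problems.append("no relevantTechniques listed")
    for technique in techniques:
        if not TECHNIQUE_RE.match(str(technique)):
            problems.append(f"technique '{technique}' is not a Txxxx or Txxxx.yyy id")

    # Without entity mappings the incidents created by the rule carry no entities,
    # which is what makes them hard to investigate in Sentinel.
    mappings = rule.get("entityMappings") or []
    if not mappings:
        problems.append("no entityMappings: incidents will carry no entities")
    for index, mapping in enumerate(mappings):
        if not mapping.get("entityType"):
            problems.append(f"entityMappings[{index}] has no entityType")
        fields = mapping.get("fieldMappings") or []
        if not fields:
            problems.append(f"entityMappings[{index}] has no fieldMappings")
        for fm in fields:
            if not fm.get("identifier") or not fm.get("columnName"):
                problems.append(
                    f"entityMappings[{index}] fieldMapping needs identifier and columnName"
                )
    return problems


# Constructed sample: a complete brute-force style rule template.
GOOD_RULE: dict[str, Any] = {
    "id": "00000000-0000-0000-0000-000000000001",   # placeholder GUID
    "name": "Example - repeated authentication failures",
    "description": "Constructed sample rule for the validator.",
    "severity": "Medium",
    "query": "Vendor_CL | where Result_s == 'Failure' | summarize count() by User_s, bin(TimeGenerated, 5m) | where count_ > 20",
    "version": "1.0.0",
    "tactics": ["CredentialAccess"],
    "relevantTechniques": ["T1110"],
    "entityMappings": [
        {"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "User_s"}]},
    ],
}

# Constructed sample: the shape the reviewer objected to (no mappings, tactics or techniques).
BAD_RULE: dict[str, Any] = {
    "id": "00000000-0000-0000-0000-000000000002",   # placeholder GUID
    "name": "Example - incomplete rule",
    "description": "Constructed sample rule missing several fields.",
    "severity": "High",
    "query": "Vendor_CL | where EventType_s == 'Alert'",
    "version": "1.0",
    "tactics": [],
}


if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, validate_rule(rule) or "OK")
```

Run against every file under the solution's Analytic Rules folder before opening the PR, and the review comment about missing entity mappings, tactics and techniques never needs to be made.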

@v-prasadboke (Contributor):

Also, I have one doubt.

Is this Solution Microsoft supported? We haven't received any instructions for the same.
If it is not, please correct the support details in the solution metadata, and the publisher id should be different.

@FrankGasparovic (Contributor Author):

@v-prasadboke The PR has been updated based on your feedback. Please let me know if there is anything else needed.

@FrankGasparovic FrankGasparovic requested a review from a team as a code owner August 15, 2024 15:56
"graphQueries": [
{
"metricName": "Total data received",
"legend": "DATATYPE_NAME",
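Review bot: `"legend": "DATATYPE_NAME"` on the last line of this fragment is still the template placeholder; the legend should name the actual data type (the log table this connector populates) so the "Total data received" graph on the connector page is labelled correctly, which is the point the reviewer makes below with the OneIdentity connector as the reference.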
@v-prasadboke (Contributor), Aug 20, 2024:

Please replace DATA_TYPE name with data type.
You can refer to this Connector for more clarification
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OneIdentity/Data%20Connectors/OneIdentity.JSON

Contributor Author:

Resolved

Contributor:

Logo size should be below 5kb

Contributor Author:

Resolved

@@ -0,0 +1,15 @@
{
"publisherId": "silverfort5120441444412",
"offerId": "silverfort",
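Review bot: the `offerId` value `"silverfort"` on the third line of this hunk does not carry the `sentinel` keyword expected for Sentinel marketplace offers; rename it following the pattern used by the Agari solution linked earlier in this thread, and keep it consistent with `publisherId` on the line above, which an earlier comment says must also change if the solution is not Microsoft supported.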
Contributor:

Please include sentinel keyword in offer id


Contributor Author:

Resolved

@v-prasadboke (Contributor):

Hello @FrankGasparovic, Thanks for committing the required changes. We will get back to you by 28 August, 2024.

@v-prasadboke v-prasadboke added the Connector Connector specialty review needed label Sep 4, 2024
@FrankGasparovic (Contributor Author):

Hi @v-prasadboke,

I wanted to check on the current status of the PR.

@v-prasadboke (Contributor):

Hello @FrankGasparovic, please update the branch from master. Also, if possible, can you please provide me write access to your branch? I need to push some required commits.

@FrankGasparovic (Contributor Author):

@v-prasadboke I have pulled in the latest upstream changes. Unfortunately, I cannot give you write permissions on our forked repository. Can you please provide me the files you need to add or replace? Feel free to email me at [email protected] with the zip.

@v-prasadboke (Contributor):

Hello @FrankGasparovic, we want you to package the solution using the V3 tool. Also add release notes to the solution.
V3 tool - https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md

Release notes reference - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IPinfo/ReleaseNotes.md
Release notes should be the same as referred to above.

@FrankGasparovic (Contributor Author):

@v-prasadboke The solution has been packaged with V3 and we have added release notes.

@v-prasadboke (Contributor):

Hello @FrankGasparovic, can you please try to resolve the failing validation errors?

@FrankGasparovic (Contributor Author):

@v-prasadboke All checks have been resolved.

@v-atulyadav v-atulyadav merged commit b0bf0e4 into Azure:master Sep 18, 2024
35 checks passed