diff --git a/Solutions/Azure Cloud NGFW by Palo Alto Networks/ReleaseNotes.md b/Solutions/Azure Cloud NGFW by Palo Alto Networks/ReleaseNotes.md
index 82ed96d9093..03a22cab8b3 100644
--- a/Solutions/Azure Cloud NGFW by Palo Alto Networks/ReleaseNotes.md
+++ b/Solutions/Azure Cloud NGFW by Palo Alto Networks/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.1 | 02-12-2024 | Updated Data Connector Ids for dependent content |
-| 3.0.0 | 15-02-2024 | Initial Release |
+| 3.0.2 | 09-01-2025 | Updated **Analytic RUles** and **Workbooks** |
+| 3.0.1 | 02-12-2024 | Updated **Data Connector** Ids for dependent content |
+| 3.0.0 | 15-02-2024 | Initial Solution Release |
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip
index 7cc3d8a6a1b..b57bfc18bf7 100644
Binary files a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.0.zip differ
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/3.0.1.zip b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.1.zip
new file mode 100644
index 00000000000..22a2fa5f005
Binary files /dev/null and b/Solutions/Samsung Knox Asset Intelligence/Package/3.0.1.zip differ
diff --git a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
index a727b21552f..910e1acd79e 100644
--- a/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
+++ b/Solutions/Samsung Knox Asset Intelligence/Package/mainTemplate.json
@@ -42,7 +42,7 @@
 "_email": "[variables('email')]",
 "_solutionName": "Samsung Knox Asset Intelligence",
 "_solutionVersion": "3.0.0",
- "solutionId": "samsungelectronics1734042706970.azure-sentinel-solution-samsung-knox-asset-intelligence",
+ "solutionId": "samsungelectronics1734042706970.azure-sentinel-solution-samsung-knox-kai",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "SamsungDCDefinition",
 "_uiConfigId1": "[variables('uiConfigId1')]",
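Review bot: `_solutionVersion` stays at `"3.0.0"` on the context line directly above the changed `solutionId`, while the same commit adds `Package/3.0.1.zip` and the Samsung Knox ReleaseNotes record this offerId change as 3.0.1, so the deployed template will report the old version with the new id. Unless the version is set elsewhere in the template outside this hunk, the generator input should be bumped so this hunk also carries `"_solutionVersion": "3.0.1",`. The new id agrees with SolutionMetadata.json in the same commit; any other checked-in file that still embeds `azure-sentinel-solution-samsung-knox-asset-intelligence` (none is visible in this diff) would need the same change, or the published offer and the template will disagree.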
@@ -469,7 +469,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b5bf4e9-62b8-4ef2-aeb3-ecd249fb6187\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomTimeRange\",\"label\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"6b4373f0-7c1a-47d8-baed-bc5d0cd7233e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"timebrush\",\"label\":\"Time Filter\",\"type\":4,\"isRequired\":true,\"isHiddenWhenLocked\":true,\"typeSettings\":{\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":60000,\"endTime\":\"2016-12-12T18:01:00Z\"}},{\"id\":\"a40ffccc-08a0-4e15-9bf2-3ed99658d4d8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedseverity\",\"label\":\"Severity\",\"type\":2,\"description\":\"Filter on Security Events by Severity\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"high\\\", \\\"med\\\",\\\"low\\\"]\",\"value\":[\"value::all\"]},{\"id\":\"e2572416-ae1f-42db-8c31-8d0d4c4315d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedtype\",\"label\":\"Type\",\"type\":2,\"description\":\"Filter on Security Events by Type\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"Audit\\\",\\\"Application\\\", \\\"Process\\\", \\\"User\\\", \\\"Network\\\", 
\\\"System\\\"]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet maxdatapoints = 10000;\\nlet starttime = {CustomTimeRange:start};\\nlet endtime = {CustomTimeRange:end};\\nlet day = datetime_diff('day',endtime,starttime);\\nlet initialbinsize = case(day >=30, 1d, day >=7, 1d, day >=1,1h,5m);\\nlet datapoints = (binsize : timespan){\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)};\\n\\nlet totalpoints = datapoints(initialbinsize) |summarize totalrows = count();\\nlet inttotalpoints = toint(toscalar(totalpoints));\\nlet binsizefactor = inttotalpoints/maxdatapoints +1;\\nlet binsize = binsizefactor * initialbinsize;\\n\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in 
(selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)\\n\",\"size\":2,\"title\":\"Total events\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"timeBrushParameterName\":\"timebrush\",\"timeBrushExportOnlyWhenBrushed\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"60\",\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= 
{CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Severity\\n| where Severity in ('high', 'med','low')\\n|order by case( Severity == 'high',3, Severity == 'med',2, Severity == 'low',1,0)\\n\",\"size\":4,\"title\":\"Events by severity\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"severity\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"redBright\"},{\"columnName\":\"severity\",\"color\":\"orange\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}},{\"columnMatch\":\"count_\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"yellow\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"orange\",\"text\":\"{0}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}\"}]}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits
\":3}}},\"showBorder\":true,\"sortOrderField\":1}},\"customWidth\":\"100\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Type\\n| render piechart \",\"size\":3,\"title\":\"Events by type\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  
Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Samsung_Knox_Application_CL\",\"label\":\"Application\"},{\"seriesName\":\"Samsung_Knox_Network_CL\",\"label\":\"Network\"},{\"seriesName\":\"Samsung_Knox_User_CL\",\"label\":\"User\"},{\"seriesName\":\"Samsung_Knox_Process_CL\",\"label\":\"Process\"},{\"seriesName\":\"Samsung_Knox_Audit_CL\",\"label\":\"Audit\"},{\"seriesName\":\"Samsung_Knox_System_CL\",\"label\":\"System\"}]}},\"name\":\"query - 11\"}]},\"name\":\"group - 9\"}]},\"customWidth\":\"40\",\"name\":\"group - 8\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n| where Severity in (severityParam)\\n|project Time =TimeGenerated,\\nName,\\nSeverity,\\n[\\\"Device Model\\\"] = DeviceModel,\\nType = 
replace_string(replace_string(Type,\\\"Samsung_Knox_\\\",\\\"\\\"),\\\"_CL\\\",\\\"\\\"),\\nProfile,\\n[\\\"MITRE Technique ID(s)\\\"] = array_strcat(MitreTtp,\\\", \\\")\\n| sort by Time desc\\n\\n\\n\",\"size\":2,\"title\":\"Event list\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MED\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":1000}},\"name\":\"query - 9\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-SamsungKnoxAssetIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5b5bf4e9-62b8-4ef2-aeb3-ecd249fb6187\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomTimeRange\",\"label\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"6b4373f0-7c1a-47d8-baed-bc5d0cd7233e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"timebrush\",\"label\":\"Time Filter\",\"type\":4,\"isRequired\":true,\"isHiddenWhenLocked\":true,\"typeSettings\":{\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":60000,\"endTime\":\"2016-12-12T18:01:00Z\"}},{\"id\":\"a40ffccc-08a0-4e15-9bf2-3ed99658d4d8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedseverity\",\"label\":\"Severity\",\"type\":2,\"description\":\"Filter on Security Events by Severity\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"high\\\", \\\"med\\\",\\\"low\\\"]\",\"value\":[\"value::all\"]},{\"id\":\"e2572416-ae1f-42db-8c31-8d0d4c4315d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"selectedtype\",\"label\":\"Type\",\"type\":2,\"description\":\"Filter on Security Events by Type\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\\"Audit\\\",\\\"Application\\\", \\\"Process\\\", \\\"User\\\", \\\"Network\\\", \\\"System\\\"]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet maxdatapoints = 10000;\\nlet starttime = {CustomTimeRange:start};\\nlet endtime = {CustomTimeRange:end};\\nlet day = datetime_diff('day',endtime,starttime);\\nlet initialbinsize = case(day >=30, 1d, day >=7, 1d, day >=1,1h,5m);\\nlet datapoints = (binsize : timespan){\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)};\\n\\nlet totalpoints = datapoints(initialbinsize) |summarize totalrows = count();\\nlet inttotalpoints = toint(toscalar(totalpoints));\\nlet binsizefactor = inttotalpoints/maxdatapoints +1;\\nlet binsize = binsizefactor * initialbinsize;\\n\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in 
(selectedtables))\\n| where TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end} \\n| where Severity in (severityParam)\\n| summarize Count=count() by Name, bin(TimeGenerated,binsize)\\n\",\"size\":2,\"title\":\"Total events\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"timeBrushParameterName\":\"timebrush\",\"timeBrushExportOnlyWhenBrushed\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"60\",\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"0px\",\"padding\":\"0px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\n\\nlet severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in 
(severityParam)\\n| summarize count() by Severity\\n| where Severity in ('high', 'med','low')\\n|order by case( Severity == 'high',3, Severity == 'med',2, Severity == 'low',1,0)\\n\",\"size\":4,\"title\":\"Events by severity\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"severity\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"redBright\"},{\"columnName\":\"severity\",\"color\":\"orange\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}},{\"columnMatch\":\"count_\",\"formatter\":22,\"formatOptions\":{\"compositeBarSettings\":{\"labelText\":\"\",\"columnSettings\":[{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"},{\"columnName\":\"severity\",\"color\":\"lightBlue\"}]}}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"redBright\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"yellow\",\"text\":\"{0}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"orange\",\"text\":\"{0}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}\"}]}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortOrderField\":1}},\"customWidth\":\"100\",\"name\":\"query - 
10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let severityParam = dynamic([{selectedseverity}]);\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n|where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n|where Severity in (severityParam)\\n| summarize count() by Type\\n| render piechart \",\"size\":3,\"title\":\"Events by type\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  
Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Samsung_Knox_Application_CL\",\"label\":\"Application\"},{\"seriesName\":\"Samsung_Knox_Network_CL\",\"label\":\"Network\"},{\"seriesName\":\"Samsung_Knox_User_CL\",\"label\":\"User\"},{\"seriesName\":\"Samsung_Knox_Process_CL\",\"label\":\"Process\"},{\"seriesName\":\"Samsung_Knox_Audit_CL\",\"label\":\"Audit\"},{\"seriesName\":\"Samsung_Knox_System_CL\",\"label\":\"System\"}]}},\"name\":\"query - 11\"}]},\"name\":\"group - 9\"}]},\"customWidth\":\"40\",\"name\":\"group - 8\",\"styleSettings\":{\"margin\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\nlet audit = view(){\\n Samsung_Knox_Audit_CL\\n };\\nlet application= view(){\\n Samsung_Knox_Application_CL\\n };\\n let system= view(){\\n Samsung_Knox_System_CL\\n };\\n let process= view(){\\n Samsung_Knox_Process_CL\\n };\\n let user= view(){\\n Samsung_Knox_User_CL\\n };\\n let network= view(){\\n Samsung_Knox_Network_CL\\n };\\nlet selectedtables = dynamic([{selectedtype}]);\\nlet severityParam = dynamic([{selectedseverity}]);\\nunion (audit() | where \\\"Audit\\\" in (selectedtables)), (application() | where \\\"Application\\\" in (selectedtables)),(process() | where \\\"Process\\\" in (selectedtables)),(user() | where \\\"User\\\" in (selectedtables)),(network() | where \\\"Network\\\" in (selectedtables)),(system() | where \\\"System\\\" in (selectedtables))\\n| where iff('{timebrush:label}'==\\\"12/12/2016 10:00 AM - 10:01 AM\\\" , TimeGenerated >= {CustomTimeRange:start} and TimeGenerated <={CustomTimeRange:end}, TimeGenerated >= {timebrush:start} and TimeGenerated <={timebrush:end})\\n| where Severity in (severityParam)\\n|project Time =TimeGenerated,\\nName,\\nSeverity,\\n[\\\"Device Model\\\"] = DeviceModel,\\nType = 
replace_string(replace_string(Type,\\\"Samsung_Knox_\\\",\\\"\\\"),\\\"_CL\\\",\\\"\\\"),\\nProfile,\\n[\\\"MITRE Technique ID(s)\\\"] = array_strcat(MitreTtp,\\\", \\\")\\n| sort by Time desc\\n\\n\\n\",\"size\":2,\"title\":\"Event list\",\"noDataMessage\":\"No security event data found for the selected time period, severity or type.  Please update the filters applied.\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"med\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"dot-yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"dot-redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MED\",\"representation\":\"dot-orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":1000}},\"name\":\"query - 9\"}]},\"name\":\"group - 6\"}],\"fromTemplateId\":\"sentinel-SamsungKnoxAssetIntelligence\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
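Review bot: The only difference between the removed and the added `serializedData` value is the trailing `\n` becoming `\r\n` inside the serialized workbook string, which reads as a Windows line-ending artifact of the packaging run rather than an intended content change; normalizing the workbook source to LF before serialization would keep this very long line out of future diffs. Since the whole line is re-added, note also that the re-added queries choose the time window with `'{timebrush:label}'==\"12/12/2016 10:00 AM - 10:01 AM\"`, a string compare against the rendered label of the parameter's default value; that label is presumably formatted per the viewer's locale and time zone, so the fallback to `CustomTimeRange` may not trigger for every user — confirm, and if so compare the brush parameter's start/end against its default instead. The enclosing workbook resource's `properties` object starts and ends outside the hunk.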
@@ -599,13 +599,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
@@ -700,13 +700,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
@@ -801,13 +801,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
@@ -902,13 +902,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
@@ -997,13 +997,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
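Review bot: The seven `incidentConfiguration` hunks in mainTemplate.json (this one, the four that follow at @@ -700, -801, -902 and -997, and the two at @@ -1095 and @@ -1196) only move `createIncident` ahead of `groupingConfiguration` and swap the order of `enabled` and `lookbackDuration`; every value is unchanged, so the analytic rules behave the same after the change. Key order is not significant in JSON, which makes this pure generator churn that can hide a real change to `createIncident` or `groupingConfiguration` in review; emitting keys in a stable order from the packaging tool, or reviewing the template with key-order-insensitive tooling, would avoid it. If the reorder was not intentional, the packaging tool used here presumably differs from the one that produced the previous build, which is worth recording in the release notes that currently mention only the offerId change.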
@@ -1095,13 +1095,13 @@
 "alertDynamicProperties": []
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
@@ -1196,13 +1196,13 @@
 "aggregationKind": "SingleAlert"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "enabled": false,
- "lookbackDuration": "5H",
 "reopenClosedIncident": false,
+ "lookbackDuration": "5H",
+ "enabled": false,
 "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ }
 }
 }
 },
diff --git a/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md b/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
index c27b7456a60..97684650f65 100644
--- a/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
+++ b/Solutions/Samsung Knox Asset Intelligence/ReleaseNotes.md
@@ -1,3 +1,5 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|----------------------------------------------------|
-| 3.0.0 | 30-12-2024 | Initial Solution Release |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------|
+| 3.0.0 | 30-12-2024 | Initial Solution Release |
+| 3.0.1 | 03-01-2025 | Updated Solution offerId |
+
diff --git a/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
index 0ef51c049f5..6ee043ea5a6 100644
--- a/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
+++ b/Solutions/Samsung Knox Asset Intelligence/SolutionMetadata.json
@@ -1,6 +1,6 @@
 {
 "publisherId": "samsungelectronics1734042706970",
- "offerId": "azure-sentinel-solution-samsung-knox-asset-intelligence",
+ "offerId": "azure-sentinel-solution-samsung-knox-kai",
 "firstPublishDate": "2025-01-15",
 "providers": ["Samsung"],
 "categories": {
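Review bot: `firstPublishDate` stays at `"2025-01-15"` on the context line below the changed `offerId`, while the Samsung Knox ReleaseNotes in this commit date the offerId change 03-01-2025, so the metadata claims the offer was first published after the release that renamed it; one of the two dates should be corrected. Changing `offerId` also changes the identity derived from `publisherId.offerId` (the `solutionId` in mainTemplate.json is updated in the same commit), so content already installed under the old id is likely to be seen as a different solution rather than as an upgrade; that consequence is worth stating in the release note, which currently says only "Updated Solution offerId". The old id remains in no file visible in this diff, but anything outside it that still references `azure-sentinel-solution-samsung-knox-asset-intelligence` should be checked.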