v-rusraut 2024-07-12 15:40:43 +05:30
Parent cb51834619
Commit 0dafae9237
29 changed files: 438 additions and 285 deletions

View file

@ -11,6 +11,9 @@ requiredDataConnectors:
- connectorId: illusiveAttackManagementSystemAma
dataTypes:
- CommonSecurityLog
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
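Review bot: `requiredDataConnectors` now lists `CefAma` next to `illusiveAttackManagementSystemAma`, the connector that this same commit retitles as `[Deprecated]`. Keeping the old id is reasonable so rules on workspaces that still run the old connector keep validating, but nothing on the page records that the old entry is retained only for backward compatibility; a short note in ReleaseNotes or in the rule's `description` would stop the next maintainer from reading the list as a requirement for both connectors.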
@ -49,5 +52,5 @@ alertDetailsOverride:
Illusive Incident: {{IncidentId}}
alertDescriptionFormat: |
Illusive Incident {{IncidentId}} generated at {{TimeGenerated}}
version: 1.0.3
version: 1.0.5
kind: Scheduled
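Review bot: `version` jumps from 1.0.3 to 1.0.5, while every other analytic rule in this commit is bumped by exactly one patch level (1.0.1 to 1.0.2, 1.0.2 to 1.0.3). If 1.0.4 was never published, change this to 1.0.4 for consistency; if it was, the ReleaseNotes table in this commit should carry the intermediate entry.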

View file

@ -1,6 +1,6 @@
{
"id": "illusiveAttackManagementSystemAma",
"title": "[Recommended] Illusive Platform via AMA",
"title": "[Deprecated] Illusive Platform via AMA",
"publisher": "illusive",
"descriptionMarkdown": "The Illusive Platform Connector allows you to share Illusive's attack surface analysis data and incident logs with Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (ASM Dashboard) and track unauthorized lateral movement in your organization's network (ADS Dashboard).",
"graphQueries": [
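Review bot: only `title` changes to `[Deprecated]`; `descriptionMarkdown` on the following line still presents the connector as a live option and says nothing about what replaces it. Add one sentence pointing users to the Common Event Format (CEF) via AMA connector, as the solution Description in this commit does, so the deprecation is visible in the place users actually read about the connector.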
@ -81,15 +81,12 @@
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
"instructions": [
]
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
},
{
"title": "Step B. Forward Illusive Common Event Format (CEF) logs to Syslog agent",
"description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.\n> 2. Log onto the Illusive Console, and navigate to Settings->Reporting.\n> 3. Find Syslog Servers\n> 4. Supply the following information:\n>> 1. Host name: Linux Syslog agent IP address or FQDN host name\n>> 2. Port: 514\n>> 3. Protocol: TCP\n>> 4. Audit messages: Send audit messages to server\n> 5. To add the syslog server, click Add.\n> 6. For more information about how to add a new syslog server in the Illusive platform, please find the Illusive Networks Admin Guide in here: https://support.illusivenetworks.com/hc/en-us/sections/360002292119-Documentation-by-Version",
"instructions": [
]
"description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.\n> 2. Log onto the Illusive Console, and navigate to Settings->Reporting.\n> 3. Find Syslog Servers\n> 4. Supply the following information:\n>> 1. Host name: Linux Syslog agent IP address or FQDN host name\n>> 2. Port: 514\n>> 3. Protocol: TCP\n>> 4. Audit messages: Send audit messages to server\n> 5. To add the syslog server, click Add.\n> 6. For more information about how to add a new syslog server in the Illusive platform, please find the Illusive Networks Admin Guide in here: https://support.illusivenetworks.com/hc/en-us/sections/360002292119-Documentation-by-Version"
},
{
"title": "Step C. Validate connection",
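Review bot: the change only drops the empty `"instructions": [ ]` arrays, so each `description` string is re-added unchanged, including "log duplicacy" in the Step A note and "Make sure you to send the logs" in Step B, plus the `>`/`>>` blockquote nesting that begins at item 2 of Step B while item 1 is a plain list item. Since both strings are rewritten in this hunk anyway, fix the wording ("log duplication", "Make sure you send the logs") and use a single list style for the whole step.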

View file

@ -2,7 +2,7 @@
"Name": "Illusive Platform",
"Author": "Illusive Networks",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/illusiveAttackManagementSystem.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Illusive Platform solution for Microsoft Sentinel enables you to ingest Illusive Platforms attack surface analysis data and incident logs into Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (ASM Dashboard) and track unauthorized lateral movement in your organization's network (ADS Dashboard).\n\r\n1. **Illusive Platform via AMA** - This data connector helps in ingesting Illusive Platform logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Illusive Platform via Legacy Agent** - This data connector helps in ingesting Illusive Platform logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Illusive Platform via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Description": "The Illusive Platform solution for Microsoft Sentinel enables you to ingest Illusive Platforms attack surface analysis data and incident logs into Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (ASM Dashboard) and track unauthorized lateral movement in your organization's network (ADS Dashboard).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**",
"Data Connectors": [
"Data Connectors/illusive Attack Management System.json",
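Review bot: the new `Description` drops the warning that running MMA and AMA on the same machine causes log duplication and extra ingestion cost, together with the ama-migrate link, even though `Data Connectors` below still ships the legacy connector JSON. Keep that sentence, say which connectors "The existing connectors" refers to (the two listed in the previous text), and remove the stray leading space in `\n\n This solution` so the paragraph does not render with an indent.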
@ -15,8 +15,11 @@
"Analytic Rules": [
"Analytic Rules/Illusive_Detection_Query.yaml"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Illusive Platform",
"Version": "3.0.0",
"Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
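Review bot: `dependentDomainSolutionIds` introduces a hard dependency on `azuresentinel.azure-sentinel-solution-commoneventformat`, but the ReleaseNotes entry for 3.0.1 in this commit only says "Deprecating data connector". Record the new dependency there as well, since it changes what gets installed alongside the solution.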

Binary data
Solutions/Illusive Platform/Package/3.0.1.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/illusiveAttackManagementSystem.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/OSSEC/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Illusive Platform solution for Microsoft Sentinel enables you to ingest Illusive Platforms attack surface analysis data and incident logs into Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (ASM Dashboard) and track unauthorized lateral movement in your organization's network (ADS Dashboard).\n\r\n1. **Illusive Platform via AMA** - This data connector helps in ingesting Illusive Platform logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Illusive Platform via Legacy Agent** - This data connector helps in ingesting Illusive Platform logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Illusive Platform via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/illusiveAttackManagementSystem.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illusive%20Platform/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Illusive Platform solution for Microsoft Sentinel enables you to ingest Illusive Platforms attack surface analysis data and incident logs into Microsoft Sentinel and view this information in dedicated dashboards that offer insight into your organization's attack surface risk (ASM Dashboard) and track unauthorized lateral movement in your organization's network (ADS Dashboard).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
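Review bot: `**Data Connectors:** 2` survives in the replacement description although this commit marks one of the two as deprecated, and the MMA/AMA duplication warning is dropped here just as in the solution Description; align both with whatever the Description ends up saying. The Release Notes link fix (from `Solutions/OSSEC/ReleaseNotes.md` to `Solutions/Illusive%20Platform/ReleaseNotes.md`) is correct and should be called out in the commit message, since it is a user-facing bug fix unrelated to the deprecation.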
@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector to ingest Illusive attack surface management and threat detection data in Common Event Format (CEF) into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Illusive Platform. You can get Illusive Platform CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
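Review bot: the replacement text is the generic solution boilerplate and loses the only mention that Illusive data arrives in Common Event Format (CEF). Now that the solution depends on the CEF via AMA connector, this text block is the natural place to say that `CommonSecurityLog` is populated through that connector; otherwise the reader has no hint why a CEF solution is being installed with it.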
@ -73,14 +73,13 @@
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the This Solution installs the data connector for Illusive Platform. You can get Illusive Platform CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.",
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
@ -167,7 +166,7 @@
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Create a Microsoft Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Microsoft Sentinel alert. This is done by filtering and processing Illusive Syslog messages."
"text": "Create a Sentinel incident upon a new Illusive alert (incident) and associate all related Illusive events to the relevant Sentinel alert. This is done by filtering and processing Illusive Syslog messages."
}
}
]
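Review bot: `Microsoft Sentinel` is shortened to `Sentinel` twice in the analytic rule text, while the rest of this createUiDefinition and the solution Description use the full product name. This reads as an accidental regression rather than an intended edit; revert to `Microsoft Sentinel`.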

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,40 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "Illusive ADS Dashboard",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
},
"workbook2-name": {
"type": "string",
"defaultValue": "Illusive ASM Dashboard",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}
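Review bot: the `workspace-location` metadata `description` is written as an ARM expression, `[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]`, whereas every other description in this file is a plain string; a human-readable description should not embed a parameter value, so make it `"Region to deploy solution resources, separate from the location selection"`. Also `workbook1-name` and `workbook2-name` share the description `"Name for the workbook"`; say which dashboard each applies to (the defaults already name them: Illusive ADS Dashboard and Illusive ASM Dashboard).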

View file

@ -1,5 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 13-09-2023 | Addition of new Illusive Platform AMA **Data Connector** | |
| 3.0.1 | 12-07-2024 | Deprecating data connector |
| 3.0.0 | 13-09-2023 | Addition of new Illusive Platform AMA **Data Connector** |
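Review bot: `Deprecating data connector` does not say which connector is deprecated or what replaces it. Write something like `Deprecated the Illusive Platform via AMA data connector in favour of Common Event Format (CEF) via AMA; added dependency on the CEF solution` so the release note is useful on its own. Dropping the dangling `| |` cell from the re-added 3.0.0 row is correct.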

View file

@ -11,6 +11,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
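Review bot: `CefAma` is added with `dataTypes: CommonSecurityLog`, but the existing `InfobloxCloudDataConnectorAma` entry keeps `CommonSecurityLog (InfobloxCDC)`, the parser-backed type. Since the InfobloxCDC parser is what the rule queries, it would be clearer to list `CommonSecurityLog (InfobloxCDC)` for `CefAma` as well, or to explain in the rule why the two entries differ; as written, a reader may conclude the CEF via AMA path does not need the parser.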
@ -65,5 +68,5 @@ incidentConfiguration:
reopenClosedIncident: true
lookbackDuration: 7d
matchingMethod: AllEntities
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -11,6 +11,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -66,5 +69,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.2
version: 1.0.3
kind: Scheduled

View file

@ -11,6 +11,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -50,5 +53,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -11,6 +11,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -50,5 +53,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.2
version: 1.0.3
kind: Scheduled

View file

@ -11,6 +11,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -50,5 +53,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnector
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
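Review bot: this rule keeps `InfobloxCloudDataConnector` (the legacy-agent id) as its existing entry, while the other Infoblox rules touched in this commit keep `InfobloxCloudDataConnectorAma`. With `CefAma` now added everywhere, the pre-existing entries are inconsistent across rules: either list both legacy and AMA ids in every rule, or only the one that is actually still supported, so the requirement reads the same regardless of which rule a user opens.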
@ -69,5 +72,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -14,6 +14,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnectorAma
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@ -78,5 +81,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.2
version: 1.0.3
kind: Scheduled

View file

@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: InfobloxCloudDataConnector
dataTypes:
- CommonSecurityLog (InfobloxCDC)
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@ -68,5 +71,5 @@ eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
version: 1.0.1
version: 1.0.2
kind: Scheduled

View file

@ -1,6 +1,6 @@
{
"id": "InfobloxCloudDataConnectorAma",
"title": "[Recommended] Infoblox Cloud Data Connector via AMA",
"title": "[Deprecated] Infoblox Cloud Data Connector via AMA",
"publisher": "Infoblox",
"descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
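Review bot: as with the Illusive connector in this commit, only `title` gains the `[Deprecated]` tag; `descriptionMarkdown` still reads as a live connector with no pointer to the replacement. Add the pointer to Common Event Format (CEF) via AMA here, and keep `additionalRequirementBanner` as is: the InfobloxCDC parser remains required whichever connector delivers the `CommonSecurityLog` rows, so the banner is still accurate.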
@ -107,15 +107,13 @@
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **CEF via AMA data connector** page to configure the CEF collector on the machine.",
"instructions": [
]
"description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **CEF via AMA data connector** page to configure the CEF collector on the machine."
},
{
"title": "Step B. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent",
"description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.",
"instructions": [
]
"description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate."
},
{
"title": "Step C. Validate connection",
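Review bot: the `description` strings are re-added verbatim because only the empty `"instructions": [ ]` arrays are removed, so Step A still says the same thing twice: item 3 ("Ensure there is no existing DCR configured ... as it may cause log duplication") and the note right after it ("ensure there is no duplicate DCR as it can cause log duplication"). Merge them into one sentence while the line is being rewritten.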

View file

@ -2,7 +2,7 @@
"Name": "Infoblox Cloud Data Connector",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\r\n1. **Infoblox Cloud Data Connector via AMA** - This data connector helps in ingesting Infoblox Cloud Data Connector logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Infoblox Cloud Data Connector via Legacy Agent** - This data connector helps in ingesting Infoblox Cloud Data Connector logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Infoblox Cloud Data Connector via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Description": "The [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**",
"Workbooks": [
"Workbooks/InfobloxCDCB1TDWorkbook.json"
],
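Review bot: the replacement `Description` drops the MMA/AMA duplication and extra-cost warning with its ama-migrate link, although the legacy connector is still part of the solution, and "The existing connectors" no longer has an antecedent once the numbered list of connectors is removed. Keep the warning and name the connectors being deprecated; also remove the leading space in `\n\n This solution`.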
@ -36,9 +36,12 @@
"Playbooks/Infoblox-Incident-Enrichment-Domains/azuredeploy.json",
"Playbooks/Infoblox-Incident-Send-Email/azuredeploy.json"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Infoblox Cloud Data Connector",
"Version": "3.0.3",
"Version": "3.0.4",
"TemplateSpec": true,
"Is1PConnector": false
}

Binary data
Solutions/Infoblox Cloud Data Connector/Package/3.0.4.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\r\n1. **Infoblox Cloud Data Connector via AMA** - This data connector helps in ingesting Infoblox Cloud Data Connector logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Infoblox Cloud Data Connector via Legacy Agent** - This data connector helps in ingesting Infoblox Cloud Data Connector logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Infoblox Cloud Data Connector via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Infoblox](https://www.infoblox.com/) Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
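Review bot: `**Data Connectors:** 2` is kept in the new description even though this commit deprecates one of the two connectors and removes the duplicated `dataconnectors2-text` block further down in the same file; update the count or state that one connector is deprecated, so the summary line matches the connector list users see after install.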
@ -63,13 +63,6 @@
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",

View file

@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Infoblox Cloud Data Connector",
"_solutionVersion": "3.0.3",
"_solutionVersion": "3.0.4",
"solutionId": "infoblox.infoblox-cdc-solution",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "2.0.0",
@ -52,60 +52,60 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.1",
"analyticRuleVersion1": "1.0.2",
"_analyticRulecontentId1": "8db2b374-0337-49bd-94c9-cfbf8e5d83ad",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8db2b374-0337-49bd-94c9-cfbf8e5d83ad')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8db2b374-0337-49bd-94c9-cfbf8e5d83ad')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8db2b374-0337-49bd-94c9-cfbf8e5d83ad','-', '1.0.1')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8db2b374-0337-49bd-94c9-cfbf8e5d83ad','-', '1.0.2')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.2",
"analyticRuleVersion2": "1.0.3",
"_analyticRulecontentId2": "dc7af829-d716-4774-9d6f-03d9aa7c27a4",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc7af829-d716-4774-9d6f-03d9aa7c27a4')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc7af829-d716-4774-9d6f-03d9aa7c27a4')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc7af829-d716-4774-9d6f-03d9aa7c27a4','-', '1.0.2')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc7af829-d716-4774-9d6f-03d9aa7c27a4','-', '1.0.3')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.1",
"analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "3822b794-fa89-4420-aad6-0e1a2307f419",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3822b794-fa89-4420-aad6-0e1a2307f419')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3822b794-fa89-4420-aad6-0e1a2307f419')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3822b794-fa89-4420-aad6-0e1a2307f419','-', '1.0.1')))]"
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3822b794-fa89-4420-aad6-0e1a2307f419','-', '1.0.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.0.2",
"analyticRuleVersion4": "1.0.3",
"_analyticRulecontentId4": "99278700-79ca-4b0f-b416-bf57ec699e1a",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '99278700-79ca-4b0f-b416-bf57ec699e1a')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('99278700-79ca-4b0f-b416-bf57ec699e1a')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99278700-79ca-4b0f-b416-bf57ec699e1a','-', '1.0.2')))]"
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99278700-79ca-4b0f-b416-bf57ec699e1a','-', '1.0.3')))]"
},
"analyticRuleObject5": {
"analyticRuleVersion5": "1.0.1",
"analyticRuleVersion5": "1.0.2",
"_analyticRulecontentId5": "b2f34315-9065-488e-88d0-a171d2b0da8e",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2f34315-9065-488e-88d0-a171d2b0da8e')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2f34315-9065-488e-88d0-a171d2b0da8e')))]",
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2f34315-9065-488e-88d0-a171d2b0da8e','-', '1.0.1')))]"
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2f34315-9065-488e-88d0-a171d2b0da8e','-', '1.0.2')))]"
},
"analyticRuleObject6": {
"analyticRuleVersion6": "1.0.1",
"analyticRuleVersion6": "1.0.2",
"_analyticRulecontentId6": "5b0864a9-4577-4087-b9fa-de3e14a8a999",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b0864a9-4577-4087-b9fa-de3e14a8a999')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b0864a9-4577-4087-b9fa-de3e14a8a999')))]",
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b0864a9-4577-4087-b9fa-de3e14a8a999','-', '1.0.1')))]"
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b0864a9-4577-4087-b9fa-de3e14a8a999','-', '1.0.2')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "1.0.2",
"analyticRuleVersion7": "1.0.3",
"_analyticRulecontentId7": "568730be-b39d-45e3-a392-941e00837d52",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '568730be-b39d-45e3-a392-941e00837d52')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('568730be-b39d-45e3-a392-941e00837d52')))]",
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','568730be-b39d-45e3-a392-941e00837d52','-', '1.0.2')))]"
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','568730be-b39d-45e3-a392-941e00837d52','-', '1.0.3')))]"
},
"analyticRuleObject8": {
"analyticRuleVersion8": "1.0.1",
"analyticRuleVersion8": "1.0.2",
"_analyticRulecontentId8": "28ee3c2b-eb4b-44de-a71e-e462843fea72",
"analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '28ee3c2b-eb4b-44de-a71e-e462843fea72')]",
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('28ee3c2b-eb4b-44de-a71e-e462843fea72')))]",
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28ee3c2b-eb4b-44de-a71e-e462843fea72','-', '1.0.1')))]"
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','28ee3c2b-eb4b-44de-a71e-e462843fea72','-', '1.0.2')))]"
},
"uiConfigId1": "InfobloxCloudDataConnector",
"_uiConfigId1": "[variables('uiConfigId1')]",
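Review bot: each `analyticRuleVersionN` bump is mirrored in the version literal inside the matching `_analyticRulecontentProductIdN` (`'1.0.1'` to `'1.0.2'`, `'1.0.2'` to `'1.0.3'`), and that is the one thing that has to stay in sync here because the product id is hashed from the version string; checked all eight pairs, they match. Because the literal is repeated rather than referenced, a future manual edit that touches only one of the two will silently produce a product id for the wrong version, so keep regenerating this file with the packaging tool instead of hand-editing it.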
@ -234,7 +234,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "InfobloxCDCB1TDWorkbook Workbook with template version 3.0.3",
"description": "InfobloxCDCB1TDWorkbook Workbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -325,7 +325,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-DataExfiltrationAttack_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-DataExfiltrationAttack_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -363,6 +363,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
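Review bot: the new `CefAma` entry lists its data type as bare `CommonSecurityLog` while the existing entry uses `CommonSecurityLog (InfobloxCDC)`. Both resolve to the same table, but this rule reads the data through the `InfobloxCDC` parser, so the parser-qualified form is the more informative of the two, and the identical hunk is repeated in the other seven rules; pick one convention and use it for both entries so the connector requirement list reads consistently.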
@ -377,8 +383,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIP"
}
]
},
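Review bot: this hunk, and every `fieldMappings`, `customDetails` and `groupingConfiguration` hunk that follows it, only swaps the order of keys inside JSON objects (`identifier` now precedes `columnName`, `InfobloxB1Action` and `InfobloxB1Network` move to the end of `customDetails`, `lookbackDuration` moves to the end of `groupingConfiguration`); no column, identifier or value changes, I checked each pair. Key order carries no meaning for ARM, so the churn is safe, but it accounts for most of the lines in this diff and buries the substantive changes (the `CefAma` entries and the `[Deprecated]` titles). If the packaging tool's key ordering changed, say so in the PR description so reviewers can skip these hunks, and consider pinning the tool version so future bumps produce minimal diffs.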
@ -386,16 +392,16 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "DeviceName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
"identifier": "OSVersion",
"columnName": "InfobloxB1SrcOSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "SourceUserName"
}
]
},
@ -403,12 +409,12 @@
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "InfobloxB1FeedName",
"identifier": "Name"
"identifier": "Name",
"columnName": "InfobloxB1FeedName"
},
{
"columnName": "InfobloxB1FeedName",
"identifier": "Category"
"identifier": "Category",
"columnName": "InfobloxB1FeedName"
}
]
}
@ -418,18 +424,18 @@
},
"customDetails": {
"SourceMACAddress": "SourceMACAddress",
"InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1Action": "InfobloxB1PolicyAction",
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
"InfobloxB1Action": "InfobloxB1PolicyAction"
"InfobloxB1Network": "InfobloxB1Network"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"lookbackDuration": "7d",
"reopenClosedIncident": true,
"matchingMethod": "AllEntities",
"enabled": true,
"reopenClosedIncident": true
"lookbackDuration": "7d"
}
}
}
@ -484,7 +490,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-HighThreatLevelQueryNotBlockedDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -522,6 +528,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
@ -536,8 +548,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIP"
}
]
},
@ -545,16 +557,16 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "DeviceName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
"identifier": "OSVersion",
"columnName": "InfobloxB1SrcOSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "SourceUserName"
}
]
},
@ -562,8 +574,8 @@
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationDnsDomain",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
]
},
@ -571,12 +583,12 @@
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatProperty",
"identifier": "Name"
"identifier": "Name",
"columnName": "ThreatProperty"
},
{
"columnName": "ThreatClass",
"identifier": "Category"
"identifier": "Category",
"columnName": "ThreatClass"
}
]
}
@ -586,10 +598,10 @@
},
"customDetails": {
"SourceMACAddress": "SourceMACAddress",
"InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1Action": "InfobloxB1PolicyAction",
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
"InfobloxB1Action": "InfobloxB1PolicyAction"
"InfobloxB1Network": "InfobloxB1Network"
},
"incidentConfiguration": {
"createIncident": true
@ -646,7 +658,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -684,6 +696,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
@ -698,8 +716,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIP"
}
]
},
@ -707,16 +725,16 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "DeviceName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
"identifier": "OSVersion",
"columnName": "InfobloxB1SrcOSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "SourceUserName"
}
]
}
@ -782,7 +800,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-ManyHighThreatLevelSingleQueryDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-ManyHighThreatLevelSingleQueryDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -820,6 +838,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
@ -834,8 +858,8 @@
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationDnsDomain",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
]
},
@ -843,12 +867,12 @@
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatProperty",
"identifier": "Name"
"identifier": "Name",
"columnName": "ThreatProperty"
},
{
"columnName": "ThreatClass",
"identifier": "Category"
"identifier": "Category",
"columnName": "ThreatClass"
}
]
}
@ -857,8 +881,8 @@
"aggregationKind": "SingleAlert"
},
"customDetails": {
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName"
},
"incidentConfiguration": {
@ -916,7 +940,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-ManyNXDOMAINDNSResponsesDetected_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-ManyNXDOMAINDNSResponsesDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -954,6 +978,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
@ -968,8 +998,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIP"
}
]
},
@ -977,16 +1007,16 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "DeviceName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
"identifier": "OSVersion",
"columnName": "InfobloxB1SrcOSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "SourceUserName"
}
]
}
@ -1052,7 +1082,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -1102,6 +1132,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
@ -1116,8 +1152,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIP"
}
]
},
@ -1125,12 +1161,12 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "DeviceName"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "SourceUserName"
}
]
},
@ -1138,8 +1174,8 @@
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationDnsDomain",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
]
}
@ -1205,7 +1241,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -1249,6 +1285,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
@ -1263,8 +1305,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIP"
}
]
},
@ -1272,16 +1314,16 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "DeviceName"
},
{
"columnName": "InfobloxB1SrcOSVersion",
"identifier": "OSVersion"
"identifier": "OSVersion",
"columnName": "InfobloxB1SrcOSVersion"
},
{
"columnName": "SourceUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "SourceUserName"
}
]
},
@ -1289,8 +1331,8 @@
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationDnsDomain",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DestinationDnsDomain"
}
]
},
@ -1298,12 +1340,12 @@
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "ThreatProperty",
"identifier": "Name"
"identifier": "Name",
"columnName": "ThreatProperty"
},
{
"columnName": "ThreatClass",
"identifier": "Category"
"identifier": "Category",
"columnName": "ThreatClass"
}
]
}
@ -1313,10 +1355,10 @@
},
"customDetails": {
"SourceMACAddress": "SourceMACAddress",
"InfobloxB1Network": "InfobloxB1Network",
"InfobloxB1Action": "InfobloxB1PolicyAction",
"InfobloxB1FeedName": "InfobloxB1FeedName",
"InfobloxB1PolicyName": "InfobloxB1PolicyName",
"InfobloxB1Action": "InfobloxB1PolicyAction"
"InfobloxB1Network": "InfobloxB1Network"
},
"incidentConfiguration": {
"createIncident": true
@ -1373,7 +1415,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-TI-SyslogMatchFound-URL_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "Infoblox-TI-SyslogMatchFound-URL_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@ -1423,6 +1465,12 @@
"dataTypes": [
"CommonSecurityLog (InfobloxCDC)"
]
},
{
"connectorId": "CefAma",
"dataTypes": [
"CommonSecurityLog"
]
}
],
"tactics": [
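Review bot: adding `CefAma` as a required connector looks wrong for this rule. Its name is `Infoblox-TI-SyslogMatchFound-URL` and its entity mappings in the following hunks bind `HostIP`, `Computer` and `Url`, which are `Syslog` table columns rather than `CommonSecurityLog`/`InfobloxCDC` ones. If the query really reads `Syslog`, then neither the existing `CommonSecurityLog (InfobloxCDC)` requirement nor the new `CefAma`/`CommonSecurityLog` one describes its actual data source, and the connector-status check shown in the rule gallery will be misleading. Please confirm against the query before applying the same `CefAma` hunk here as to the other seven rules.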
@ -1437,8 +1485,8 @@
"entityType": "IP",
"fieldMappings": [
{
"columnName": "HostIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "HostIP"
}
]
},
@ -1446,8 +1494,8 @@
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "Computer"
}
]
},
@ -1455,8 +1503,8 @@
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "Url"
}
]
},
@ -1464,8 +1512,8 @@
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
"identifier": "Url",
"columnName": "Url"
}
]
}
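Review bot: the DNS entity maps the `Url` column to the `DomainName` identifier while the URL entity maps the same column to `Url`. A full URL with scheme, path and query is not a valid DNS domain name, so the DNS entity will only resolve cleanly when the matched indicator happens to be a bare host. Either derive a host-only column in the query (KQL `parse_url` gives the `Host` part) and map that to `DomainName`, or drop the DNS mapping and keep just the URL entity. Pre-existing, but this change already touches these lines, so it is a cheap fix now.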
@ -1528,7 +1576,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox Cloud Data Connector data connector with template version 3.0.3",
"description": "Infoblox Cloud Data Connector data connector with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -1921,7 +1969,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox Cloud Data Connector data connector with template version 3.0.3",
"description": "Infoblox Cloud Data Connector data connector with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@ -1937,7 +1985,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId2')]",
"title": "[Recommended] Infoblox Cloud Data Connector via AMA",
"title": "[Deprecated] Infoblox Cloud Data Connector via AMA",
"publisher": "Infoblox",
"descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
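Review bot: the title now says `[Deprecated]` but `descriptionMarkdown` and `additionalRequirementBanner` on the same connector are unchanged, so a user who opens it sees the deprecation flag with no pointer to the replacement. Add one sentence to `descriptionMarkdown` naming the Common Event Format (CEF) via AMA connector as the replacement, as the createUiDefinition description earlier in this change already does, and note that the `InfobloxCDC` parser still applies to data arriving through it. The same `[Recommended]` to `[Deprecated]` rename is applied to the `displayName` and to the second `connectorUiConfig` title further down, so the three are consistent.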
@ -2108,7 +2156,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId2')]",
"contentKind": "DataConnector",
"displayName": "[Recommended] Infoblox Cloud Data Connector via AMA",
"displayName": "[Deprecated] Infoblox Cloud Data Connector via AMA",
"contentProductId": "[variables('_dataConnectorcontentProductId2')]",
"id": "[variables('_dataConnectorcontentProductId2')]",
"version": "[variables('dataConnectorVersion2')]"
@ -2151,7 +2199,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Recommended] Infoblox Cloud Data Connector via AMA",
"title": "[Deprecated] Infoblox Cloud Data Connector via AMA",
"publisher": "Infoblox",
"descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.",
"graphQueries": [
@ -2298,7 +2346,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "InfobloxCDC Data Parser with template version 3.0.3",
"description": "InfobloxCDC Data Parser with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@ -2428,7 +2476,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-AISCOMM-Weekly Playbook with template version 3.0.3",
"description": "Infoblox-Import-AISCOMM-Weekly Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -2966,7 +3014,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-Emails-Weekly Playbook with template version 3.0.3",
"description": "Infoblox-Import-Emails-Weekly Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -3503,7 +3551,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-Hashes-Weekly Playbook with template version 3.0.3",
"description": "Infoblox-Import-Hashes-Weekly Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@ -4040,7 +4088,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-Hosts-Daily-LookalikeDomains Playbook with template version 3.0.3",
"description": "Infoblox-Import-Hosts-Daily-LookalikeDomains Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@ -4578,7 +4626,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-Hosts-Daily-MalwareC2DGA Playbook with template version 3.0.3",
"description": "Infoblox-Import-Hosts-Daily-MalwareC2DGA Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@ -5116,7 +5164,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-Hosts-Daily-Phishing Playbook with template version 3.0.3",
"description": "Infoblox-Import-Hosts-Daily-Phishing Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@ -5654,7 +5702,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-Hosts-Hourly Playbook with template version 3.0.3",
"description": "Infoblox-Import-Hosts-Hourly Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@ -6191,7 +6239,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-IPs-Hourly Playbook with template version 3.0.3",
"description": "Infoblox-Import-IPs-Hourly Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@ -6728,7 +6776,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Import-URLs-Hourly Playbook with template version 3.0.3",
"description": "Infoblox-Import-URLs-Hourly Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@ -7265,7 +7313,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Incident-Enrichment-Domains Playbook with template version 3.0.3",
"description": "Infoblox-Incident-Enrichment-Domains Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@ -7735,7 +7783,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Infoblox-Incident-Send-Email Playbook with template version 3.0.3",
"description": "Infoblox-Incident-Send-Email Playbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@ -8297,12 +8345,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.3",
"version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Infoblox Cloud Data Connector",
"publisherDisplayName": "Infoblox",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.infoblox.com/\">Infoblox</a> Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search &amp; correlation, alerting, and threat intelligence enrichment for each log.</p>\n<ol>\n<li><p><strong>Infoblox Cloud Data Connector via AMA</strong> - This data connector helps in ingesting Infoblox Cloud Data Connector logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent <a href=\"https://learn.microsoft.com/azure/sentinel/connect-cef-ama\">here</a>. <strong>Microsoft recommends using this Data Connector</strong>.</p>\n</li>\n<li><p><strong>Infoblox Cloud Data Connector via Legacy Agent</strong> - This data connector helps in ingesting Infoblox Cloud Data Connector logs into your Log Analytics Workspace using the legacy Log Analytics agent.</p>\n</li>\n</ol>\n<p><strong>NOTE:</strong> Microsoft recommends installation of Infoblox Cloud Data Connector via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024,</strong> and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 2, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 8, <strong>Playbooks:</strong> 11</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox%20Cloud%20Data%20Connector/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.infoblox.com/\">Infoblox</a> Cloud solution allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search &amp; correlation, alerting, and threat intelligence enrichment for each log.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by <strong>Aug 31, 2024.</strong></p>\n<p><strong>Data Connectors:</strong> 2, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 8, <strong>Playbooks:</strong> 11</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
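Review bot: the rewritten descriptionHtml drops the warning that running MMA and AMA on the same machine causes log duplication and extra ingestion cost, which is exactly the situation users migrating before the Aug 31, 2024 cutoff will be in; keep that sentence (with its ama-migrate link) next to the new dependency note. The new text also says "The existing connectors are about to be deprecated" without naming which of the two connectors it means, and it still advertises "Data Connectors: 2" even though collection now goes through the CEF via AMA connector of the Common Event Format solution; state plainly that the solution's own connectors are deprecated in favour of that one.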
@ -8324,7 +8372,6 @@
"link": "https://support.infoblox.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Workbook",
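Review bot: "operator": "AND" is removed from the dependencies block with nothing replacing it, so how the criteria list is combined now depends on the packager's default; since this change also introduces a second kind of dependency (a Solution entry for the Common Event Format solution), confirm the default is AND, or keep the explicit operator so the intent stays readable.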
@ -8440,6 +8487,10 @@
"kind": "Playbook",
"contentId": "[variables('_Infoblox-Incident-Send-Email')]",
"version": "[variables('playbookVersion11')]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-commoneventformat"
}
]
},
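Review bot: the new Solution dependency on azuresentinel.azure-sentinel-solution-commoneventformat carries no "version", unlike the sibling Playbook entry that pins "[variables('playbookVersion11')]"; an unpinned dependency installs whatever Common Event Format solution version is current at install time, so either add the minimum version this package was validated against or say in the release notes that the latest CEF solution is always pulled in.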

View file

@ -1,5 +1,6 @@
| **Version** | **Date Modified** | **Change History** |
|---------------|--------------------------------|------------------------------------------------------------------------|
| 3.0.4 | 12-07-2024 | Deprecating data connectors |
| 3.0.3 | 30-04-2024 | Updated package for parser issue fix while reinstall |
| 3.0.2 | 05-03-2024 | Updated InfobloxCDC parser to manually parse with extract() rather than dynamically due to slowness |
| 3.0.1 | 11-09-2023 | Addition of new Infoblox Cloud Data Connector AMA **Data Connector** |
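Review bot: "Deprecating data connectors" is too thin for a change that also adds a hard dependency on the Common Event Format solution and removes the dependencies operator; name the connectors being deprecated and their replacement (CEF via AMA) in this row, since this table is what users read before upgrading. This table's header also says only "Date Modified" while the iboss release notes in the same commit spell out "(DD-MM-YYYY)"; adding the format here removes the ambiguity of 12-07-2024.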

View file

@ -1,6 +1,6 @@
{
"id": "ibossAma",
"title": "[Recommended] iboss via AMA",
"title": "[Deprecated] iboss via AMA",
"publisher": "iboss",
"descriptionMarkdown": "The [iboss](https://www.iboss.com) data connector enables you to seamlessly connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.",
"graphQueries": [
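Review bot: the title becomes "[Deprecated] iboss via AMA" but the unchanged descriptionMarkdown on the following line still reads as an invitation to set this connector up and never mentions the replacement; a deprecated connector's description should point to the CEF via AMA connector in the Common Event Format solution so nobody configures the deprecated path from the connector gallery.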
@ -78,15 +78,13 @@
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
"instructions": [
]
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
},
{
"title": "Step B. Forward Common Event Format (CEF) logs",
"description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection",
"instructions": [
]
"description": "Set your Threat Console to send Syslog messages in CEF format to your Azure workspace. Make note of your Workspace ID and Primary Key within your Log Analytics Workspace (Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select Agents management in the Settings section). \n\n>1. Navigate to Reporting & Analytics inside your iboss Console\n\n>2. Select Log Forwarding -> Forward From Reporter\n\n>3. Select Actions -> Add Service\n\n>4. Toggle to Microsoft Sentinel as a Service Type and input your Workspace ID/Primary Key along with other criteria. If a dedicated proxy Linux machine has been configured, toggle to Syslog as a Service Type and configure the settings to point to your dedicated proxy Linux machine\n\n>5. Wait one to two minutes for the setup to complete\n\n>6. Select your Microsoft Sentinel Service and verify the Sentinel Setup Status is Successful. If a dedicated proxy Linux machine has been configured, you may proceed with validating your connection"
},
{
"title": "Step C. Validate connection",
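Review bot: only the empty "instructions": [] arrays are removed here, but both description strings are re-emitted unchanged, which is the moment to fix the defects they carry: "Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR" is a run-on, "log duplicacy" should be "log duplication", and "Data connector blade ." has a stray space. A deprecated connector's Step A should also say that the Common Event Format solution's connector is now the supported path.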

View file

@ -2,10 +2,10 @@
"Name": "iboss",
"Author": "iboss",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/iboss/Workbooks/Images/Logo/iboss_full-logo_2020_vector_black.svg\" width=\"75px\" height=\"75px\">",
"Description": "The iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\r\n1. **Iboss via AMA** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Iboss via Legacy Agent** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Iboss via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Description": "The iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**",
"Data Connectors": [
"Data Connectors/iboss_cef.json",
"Data Connectors/template_ibossAMA.json"
"Data Connectors/template_ibossAMA.json"
],
"Parsers": [
"Parsers/ibossUrlEvent.yaml"
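Review bot: "Data Connectors" still lists both Data Connectors/iboss_cef.json and Data Connectors/template_ibossAMA.json, so the package keeps shipping the connector this commit retitles "[Deprecated]" alongside the legacy one; if both are intentionally kept for existing installs, say so in the Description, which currently states only that "the existing connectors are about to be deprecated" without naming them. The only change to the template_ibossAMA.json entry is indentation, and the new Description opens with "\n\n This solution" (stray leading space).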
@ -14,8 +14,11 @@
"Workbooks/ibossMalwareAndC2.json",
"Workbooks/ibossWebUsage.json"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\iboss",
"Version": "3.0.0",
"Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
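Review bot: dependentDomainSolutionIds is added without any version constraint, and the version moves only from 3.0.0 to 3.0.1 for a change that makes this solution depend on another solution at install time and deprecates one of its connectors; users tracking patch versions will not expect a new cross-solution dependency, so consider a minor bump and a release-notes line that names it.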

Binary data
Solutions/iboss/Package/3.0.1.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/iboss/Workbooks/Images/Logo/iboss_full-logo_2020_vector_black.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/iboss/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\r\n1. **Iboss via AMA** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Iboss via Legacy Agent** - This data connector helps in ingesting Iboss logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Iboss via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/iboss/Workbooks/Images/Logo/iboss_full-logo_2020_vector_black.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/iboss/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe iboss Solution provides means to connect your Threat Console to Microsoft Sentinel and enrich your instance with iboss URL event logs. Our logs are forwarded in Common Event Format (CEF) over Syslog and the configuration required can be completed on the iboss platform without the use of a proxy. Take advantage of our connector to garner critical data points and gain insight into security threats.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
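Review bot: in the new description the two bullets are now separated by "\n\n" instead of "\r \n", but the second keeps a leading space ("\n\n • There may be") and so renders indented relative to the first; drop the space. The new text also loses the warning that MMA and AMA on the same machine cause duplicate ingestion and extra cost, together with its ama-migrate link, which users still in the migration window need, and it keeps "Data Connectors: 2" although collection now relies on the Common Event Format solution's connector.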
@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for iboss. You can get iboss custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) ibossUrlEvent in your Microsoft Sentinel / Azure Log Analytics workspace."
"text": "This Solution installs the data connector for iboss. You can get iboss custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
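Review bot: the replaced text dropped the sentence naming the custom table this connector writes to (ibossUrlEvent); that table is what Parsers/ibossUrlEvent.yaml and the workbooks read from and what anyone writing a detection or sizing ingestion needs, so keep the table name in the new wording alongside the pointer to the Manage solution view.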
@ -80,7 +80,6 @@
}
}
}
]
},
{
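Review bot: this hunk deletes one line from a run of closing brackets and the rendered view does not show which one; confirm that createUiDefinition still parses and that the elements array of the data connectors step closes where intended, because an unbalanced "]" here only surfaces as a deploy-time failure.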
@ -96,7 +95,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
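Review bot: the new text says "start using the workbook" while this solution ships two workbooks (ibossMalwareAndC2 and ibossWebUsage); write "workbooks" and, ideally, name them so the Manage solution pointer is useful.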

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,40 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "iboss Malware and C2",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
},
"workbook2-name": {
"type": "string",
"defaultValue": "iboss Web Usage",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}
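Review bot: "workspace" has "defaultValue": "" but no "minLength", unlike workbook1-name and workbook2-name, so an empty workspace name passes parameter validation and fails only at deployment; add "minLength": 1. The "location" parameter is documented as present only to satisfy the arm-ttk Location-Should-Not-Be-Hardcoded test, and the workspace-location description embeds "[concat(...,parameters('location'))]" solely to mark location as referenced; a short comment in that description saying so would spare the next reader from wondering why a description is a template expression.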

View file

@ -1,5 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 20-09-2023 | Addition of new Iboss AMA **Data Connector** | |
| 3.0.1 | 12-07-2024 | Deprecating data connectors |
| 3.0.0 | 20-09-2023 | Addition of new Iboss AMA **Data Connector** |
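Review bot: the stray trailing "| |" on the 3.0.0 row is fixed here; for the new 3.0.1 row, "Deprecating data connectors" should name the connector being deprecated (iboss via AMA, now titled "[Deprecated]") and the new dependency on the Common Event Format solution, since this is the text users see before upgrading.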