Merge pull request #8910 from Azure/v-sudkharat/PaloAltoPrismaCloudSolution

Updating main template of PaloAltoPrismaCloud for ARM-TTK failure.
2023-09-04 14:22:03 +05:30 · 2023-09-04 14:22:03 +05:30 · 18a1e02796
--- a/Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
+++ b/Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
 description: |
  'Detects access keys which were not rotated for 90 days.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -26,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml
+++ b/Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Network ACL allow all outbound traffic
 description: |
  'Detects network ACLs with outbound rule to allow all traffic.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -26,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml
+++ b/Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Network ACL allow ingress traffic to server admin
 description: |
  'Detects Network ACLs allow ingress traffic to server administration ports.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -26,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
+++ b/Rules/PaloAltoPrismaCloudAclInAllowAll.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Network ACLs Inbound rule to allow All Traffic
 description: |
  'Detects Network ACLs with Inbound rule to allow All Traffic.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -26,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
+++ b/Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Anomalous access key usage
 description: |
  'Detects anomalous API key usage activity.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -29,5 +30,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml
+++ b/Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - High risk score alert
 description: |
  'Detects alerts with high risk score value.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -28,5 +29,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
+++ b/Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - High severity alert opened for several days
 description: |
  'Detects high severity alert which is opened for several days.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -30,5 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
+++ b/Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions
 description: |
  'Detects IAM Groups with Administrator Access Permissions.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -26,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudInactiveUser.yaml
+++ b/Rules/PaloAltoPrismaCloudInactiveUser.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Inactive user
 description: |
  'Detects users inactive for 30 days.'
 severity: Low
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -25,5 +26,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
+++ b/Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Maximum risk score alert
 description: |
  'Detects alerts with maximum risk score value.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -26,5 +27,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml
+++ b/Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml
@ -3,6 +3,7 @@ name: Palo Alto Prisma Cloud - Multiple failed logins for user
 description: |
  'Detects multiple failed logins for the same user account.'
 severity: Medium
+status: Available
 requiredDataConnectors:
  - connectorId: PaloAltoPrismaCloud
    dataTypes:
@ -29,5 +30,5 @@ entityMappings:
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Solutions/PaloAltoPrismaCloud/Data/system_generated_metadata.json
+++ b/Solutions/PaloAltoPrismaCloud/Data/system_generated_metadata.json
@ -0,0 +1,38 @@
+{
+  "Name": "PaloAltoPrismaCloud",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAltoPrismaCloud/logo/Palo-alto-logo.png\" width=\"75px\" height=\"75px\">",
+  "Description": "The [Palo Alto Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud) CSPM solution provides the capability to ingest Prisma Cloud CSPM alerts and audit logs into Microsoft Sentinel using the Prisma Cloud CSPM API. Refer to Prisma Cloud CSPM API documentation for more information. \r \n **Underlying Microsoft Technologies used:** \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n a.  [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n b.  [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\One\\Azure\\Azure-Sentinel\\Solutions\\PaloAltoPrismaCloud",
+  "Version": "3.0.0",
+  "TemplateSpec": true,
+  "Is1Pconnector": false,
+  "publisherId": "azuresentinel",
+  "offerId": "azure-sentinel-solution-paloaltoprisma",
+  "providers": [
+    "Palo Alto Networks"
+  ],
+  "categories": {
+    "domains": [
+      "Security - Cloud Security"
+    ]
+  },
+  "firstPublishDate": "2021-04-16",
+  "support": {
+    "name": "Microsoft Corporation",
+    "email": "support@microsoft.com",
+    "tier": "Microsoft",
+    "link": "https://support.microsoft.com"
+  },
+  "Data Connectors": "[\n  \"Data Connectors/PrismaCloud_API_FunctionApp.json\"\n]",
+  "Parsers": "[\n  \"PaloAltoPrismaCloud.txt\"\n]",
+  "Playbooks": [
+    "Playbooks/CustomConnector/PrismaCloudCSPMCustomConnector/azuredeploy.json",
+    "Playbooks/PrismaCloudCSPMPlaybooks/PrismaCloudCSPM-Enrichment/azuredeploy.json",
+    "Playbooks/PrismaCloudCSPMPlaybooks/PrismaCloudCSPM-Remediation/azuredeploy.json"
+  ],
+  "Workbooks": "[\n  \"Workbooks/PaloAltoPrismaCloudOverview.json\"\n]",
+  "Analytic Rules": "[\n  \"PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml\",\n  \"PaloAltoPrismaCloudAclAllowAllOut.yaml\",\n  \"PaloAltoPrismaCloudAclAllowInToAdminPort.yaml\",\n  \"PaloAltoPrismaCloudAclInAllowAll.yaml\",\n  \"PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml\",\n  \"PaloAltoPrismaCloudHighRiskScoreAlert.yaml\",\n  \"PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml\",\n  \"PaloAltoPrismaCloudIamAdminGroup.yaml\",\n  \"PaloAltoPrismaCloudInactiveUser.yaml\",\n  \"PaloAltoPrismaCloudMaxRiskScoreAlert.yaml\",\n  \"PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml\"\n]",
+  "Hunting Queries": "[\n  \"PaloAltoPrismaCloudAccessKeysUsed.yaml\",\n  \"PaloAltoPrismaCloudFailedLoginsSources.yaml\",\n  \"PaloAltoPrismaCloudFailedLoginsUsers.yaml\",\n  \"PaloAltoPrismaCloudHighRiskScoreOpenedAlerts.yaml\",\n  \"PaloAltoPrismaCloudHighSeverityAlerts.yaml\",\n  \"PaloAltoPrismaCloudNewUsers.yaml\",\n  \"PaloAltoPrismaCloudOpenedAlerts.yaml\",\n  \"PaloAltoPrismaCloudTopResources.yaml\",\n  \"PaloAltoPrismaCloudUpdatedResources.yaml\"\n]"
+}
--- a/Solutions/PaloAltoPrismaCloud/Package/3.0.0.zip
+++ b/Solutions/PaloAltoPrismaCloud/Package/3.0.0.zip
--- a/Solutions/PaloAltoPrismaCloud/Package/mainTemplate.json
+++ b/Solutions/PaloAltoPrismaCloud/Package/mainTemplate.json