Solution Tool Updates for Template Spec Migration (#4655)

* Initial Template Spec Automation

* Example Template Spec Input File

* Updated code to add Template Spec for parser

* Updated Dataconnector metadata id

* Handled Template Spec for AR, HQ and Workbooks

* 1PConnector support and techniques, id prop for HQ

* Handled the review scenarios

* Updated Package tool for comments from Sarath

* Tool updates

* Updated files

* Working Template with Analytical Rule Fix

* Updated ResourceId ref of Workbook, AR and HQ

* Fixed the solutionId issue

* Fixed AnalyticalRule typo

* Fixing query frequency, query period issue

* Updated code as per Roey's feedback

* Incorporated the feedback from Roey

* Changed ParserName

* Modified Template Spec Name

* Added missing status property for Analytics Rule

* Workbook Metadata and Analytic Rules Changes

* Update createSolution.ps1

* Update createSolution.ps1

* Fixed multiple workbook key issue

* Reverted parser updates

* Committing changes for the workbooks and contentId fix

* Checking-in the Parser changes for template specs

* Changing the function alias of the parser object

* Content Types are referenced as variables across metadata dependencies and changed Parser content id

* Update createSolution.ps1

* Template Spec V2 Tooling Changes

* updated analytical rule version to 2.0.0

* read the version property from input file

* Copied code to the V2 folder

* Handled UIdefinition changes in templating file

* Deleted unwanted files

* Deleted unwanted files

* Removed preview keyword

* IsPreview flag for data connector has been handled

* Workbook UI Parameter Block commented

* Removing workbook name from UI

* Versioning change for the content types

* Added the logic for the existing function apps title

* Function App existing code modified Logic

* adding the description validation check

* Workbook Versioning change

* ISV email property handling in the tool

* Playbook TemplateSpec code changes

* Updated correct content for Playbooks

* Fixed JSON Validation issues

* Added missing metadata prop

* Added new template spec name code changes

* Update Metadata Path

* Added resource property for DC content changes

* Added customConnectorCount, Removed Junk Resource

* Fixed the locale issue in documentation links

* Added ReadMe file and Resolve review comments (#5115)

* Added ReadMe file and Resolve review comments

* Fixed PR validation issue

Co-authored-by: Eli Forbes <v-eliforbes@microsoft.com>
Co-authored-by: v-sabiraj <v-sabiraj@microsoft.com>
Co-authored-by: Sarath Tirumalareddy <tichandr@microsoft.com>
Co-authored-by: Sapan Goel <95875056+ms-sapangoel@users.noreply.github.com>
Co-authored-by: ashishsyal <89064706+ashishsyal@users.noreply.github.com>
This commit is contained in:
v-rucdu 2022-05-26 10:55:44 +05:30 committed by GitHub
Parent 6744a2eed2
Commit 22e3e6e903
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
24 changed files: 3230 additions and 86 deletions

View file

@ -0,0 +1,16 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-akamai",
"firstPublishDate": "2022-03-2",
"providers": [ "Microsoft" ],
"categories": {
"domains": [ "Security - Cloud Security" ],
"verticals": []
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}
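Review bot: `firstPublishDate` in this new SolutionMetadata.json is `"2022-03-2"`, which is not a zero-padded ISO 8601 date; the Cisco Umbrella metadata file added further down in this same commit uses the correct form `"2022-04-01"`. Suggest `"firstPublishDate": "2022-03-02"` so any date parsing in the packaging tool or in Marketplace ingestion does not reject or misread the value.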

View file

@ -1,15 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"customApis_CiscoUmbrellaEnforcementAPI_name": "CiscoUmbrellaEnforcementAPI"
"parameters": {
"customApis_CiscoUmbrellaEnforcementAPI_name": {
"defaultValue": "CiscoUmbrellaEnforcementAPI",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[variables('customApis_CiscoUmbrellaEnforcementAPI_name')]",
"name": "[parameters('customApis_CiscoUmbrellaEnforcementAPI_name')]",
"location": "[resourceGroup().location]",
"properties": {
"connectionParameters": {
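Review bot: promoting `customApis_CiscoUmbrellaEnforcementAPI_name` from a variable to a parameter makes the custom connector's resource name overridable at deploy time, but the new parameter has no `metadata.description` and no length constraints, so a Template Spec deployment surfaces an undocumented free-text field that names an Azure resource. Suggest adding `"metadata": { "description": "Name of the Cisco Umbrella Enforcement API custom connector" }` and keeping the default in step with the playbook templates that build their `api.id` from the same name (the BlockDomain playbook in this commit defaults `customApis_ciscoumbrellaenforcement_name` to the same `CiscoUmbrellaEnforcementAPI`). The same point applies to the Investigate, Management and Network Device Management connector templates that follow.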
@ -29,7 +32,7 @@
},
"brandColor": "#FFFFFF",
"description": "Connector for Cisco Umbrella Enforcment API",
"displayName": "[variables('customApis_CiscoUmbrellaEnforcementAPI_name')]",
"displayName": "[parameters('customApis_CiscoUmbrellaEnforcementAPI_name')]",
"iconUri": "",
"backendService": {
"serviceUrl": "https://s-platform.api.opendns.com"

View file

@ -1,15 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"customApis_CiscoUmbrellaInvestigateAPIConnector_name": "CiscoUmbrellaInvestigateAPI"
"parameters": {
"customApis_CiscoUmbrellaInvestigateAPIConnector_name": {
"defaultValue": "CiscoUmbrellaInvestigateAPI",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[variables('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]",
"name": "[parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]",
"location": "[resourceGroup().location]",
"properties": {
"connectionParameters": {
@ -29,7 +32,7 @@
},
"brandColor": "#FFFFFF",
"description": "Connector for Cisco Umbrella Investigate API",
"displayName": "[variables('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]",
"displayName": "[parameters('customApis_CiscoUmbrellaInvestigateAPIConnector_name')]",
"iconUri": "",
"backendService": {
"serviceUrl": "https://investigate.api.umbrella.com"

View file

@ -1,15 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"customApis_CiscoUmbrellaManagementAPI_name": "CiscoUmbrellaManagementAPI"
"parameters": {
"customApis_CiscoUmbrellaManagementAPI_name": {
"defaultValue": "CiscoUmbrellaManagementAPI",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[variables('customApis_CiscoUmbrellaManagementAPI_name')]",
"name": "[parameters('customApis_CiscoUmbrellaManagementAPI_name')]",
"location": "[resourceGroup().location]",
"properties": {
"connectionParameters": {
@ -42,7 +45,7 @@
},
"brandColor": "#FFFFFF",
"description": "Connector for Cisco Umbrella Management API",
"displayName": "[variables('customApis_CiscoUmbrellaManagementAPI_name')]",
"displayName": "[parameters('customApis_CiscoUmbrellaManagementAPI_name')]",
"iconUri": "",
"backendService": {
"serviceUrl": "https://management.api.umbrella.com"

View file

@ -1,15 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {
"customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name": "CiscoUmbrellaNetworkDeviceManagementAPI"
"parameters": {
"customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name": {
"defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI",
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/customApis",
"apiVersion": "2016-06-01",
"name": "[variables('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]",
"name": "[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]",
"location": "[resourceGroup().location]",
"properties": {
"connectionParameters": {
@ -42,7 +45,7 @@
},
"brandColor": "#FFFFFF",
"description": "Connector for Cisco Umbrella Network Device Management API",
"displayName": "[variables('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]",
"displayName": "[parameters('customApis_CiscoUmbrellaNetworkDeviceManagementAPI_name')]",
"iconUri": "",
"backendService": {
"serviceUrl": "https://management.api.umbrella.com"

View file

@ -1,6 +1,32 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "CiscoUmbrella-AddIpToDestinationList",
"description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
"prerequisites": [
"1. ServiceNow Instance URL, Username, and password.",
"2. Access and authorization to enable API connectors",
"3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
],
"lastUpdateTime": "2021-06-29T10:00:00.000Z",
"entities": [
"Account",
"Url",
"Host"
],
"tags": [
"Sync",
"Notification",
"Teams Response"
],
"support": {
"tier": "community"
},
"author": {
"name": "Jing Nghik"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoUmbrella-AddIpToDestinationList",
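Review bot: the `metadata` block added here does not describe this playbook. The `description` talks about posting an incident to a Teams channel and opening a ServiceNow ticket, `prerequisites` ask for ServiceNow credentials and a Teams channel ID, `tags` include "Teams Response", `author` is "Jing Nghik" and `lastUpdateTime` is 2021-06-29, none of which fit a template named CiscoUmbrella-AddIpToDestinationList whose only API dependency (per the hunks below) is the Cisco Umbrella Management API custom connector. The V2 README in this commit says playbook descriptions are generally taken from the playbook metadata, so this text would end up in the packaged solution's descriptions. Suggest replacing it with a description of the destination-list action, the real prerequisites (a deployed `CiscoUmbrellaManagementAPI` custom connector and its credentials), the entity type the playbook acts on, and a current `lastUpdateTime`. The identical block is pasted into the AssignPolicyToIdentity, BlockDomain and GetDomainInfo templates further down and needs the same treatment.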
@ -26,13 +52,16 @@
"metadata": {
"description": "Id of the Teams Channel where the adaptive card will be posted."
}
},
"customApis_ciscoumbrellamanagement_name": {
"defaultValue": "CiscoUmbrellaManagementAPI",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"TeamsConnectionName": "[concat('teams-', parameters('PlaybookName'))]",
"CiscoUmbrellaManagementAPIConnectionName": "[concat('ciscoumbrellamanagement-connection-', parameters('PlaybookName'))]",
"customApis_ciscoumbrellamanagement_name": "CiscoUmbrellaManagementAPI"
"CiscoUmbrellaManagementAPIConnectionName": "[concat('ciscoumbrellamanagement-connection-', parameters('PlaybookName'))]"
},
"resources": [
{
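Review bot: `customApis_ciscoumbrellamanagement_name` now has to equal the `customApis_CiscoUmbrellaManagementAPI_name` parameter of the Management API connector template, and nothing enforces that beyond both defaulting to `CiscoUmbrellaManagementAPI`. If either value is overridden at deploy time, the `api.id` built in the later hunks of this file (`.../providers/Microsoft.Web/customApis/<name>`) points at a resource that does not exist and the connection deployment fails. Suggest stating the coupling in the parameter's `metadata.description` and, where the tool deploys connector and playbook from one solution, passing one value through to both templates rather than relying on two independent defaults. The same parameter pattern is repeated in the three other playbook templates below.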
@ -58,7 +87,7 @@
"displayName": "[variables('CiscoUmbrellaManagementAPIConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellamanagement_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]"
}
}
},
@ -1120,7 +1149,7 @@
"ciscoumbrellamanagement": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaManagementAPIConnectionName'))]",
"connectionName": "[variables('CiscoUmbrellaManagementAPIConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellamanagement_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellamanagement_name'))]"
}
}
}

View file

@ -1,6 +1,32 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "CiscoUmbrella-AssignPolicyToIdentity",
"description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
"prerequisites": [
"1. ServiceNow Instance URL, Username, and password.",
"2. Access and authorization to enable API connectors",
"3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
],
"lastUpdateTime": "2021-06-29T10:00:00.000Z",
"entities": [
"Account",
"Url",
"Host"
],
"tags": [
"Sync",
"Notification",
"Teams Response"
],
"support": {
"tier": "community"
},
"author": {
"name": "Jing Nghik"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoUmbrella-AssignPolicyToIdentity",
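Review bot: the `metadata` block here is the same Teams/ServiceNow text copied into the other Cisco Umbrella playbooks in this commit. For CiscoUmbrella-AssignPolicyToIdentity it should describe assigning a policy to an identity through the Network Device Management API connector (`CiscoUmbrellaNetworkDeviceManagementAPI`, per the parameter hunk below) and mention the `PolicyId` parameter the template takes, which is currently left with an empty default and no description.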
@ -9,12 +35,15 @@
"PolicyId": {
"defaultValue": "",
"type": "String"
},
"customApis_ciscoumbrellanetworkdevicemanagement_name": {
"defaultValue": "CiscoUmbrellaNetworkDeviceManagementAPI",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"CiscoUmbrellaNetworkDeviceManagementAPIConnectionName": "[concat('ciscoumbrellanetworkdevice-connection-', parameters('PlaybookName'))]",
"customApis_ciscoumbrellanetworkdevicemanagement_name": "CiscoUmbrellaNetworkDeviceManagementAPI"
"CiscoUmbrellaNetworkDeviceManagementAPIConnectionName": "[concat('ciscoumbrellanetworkdevice-connection-', parameters('PlaybookName'))]"
},
"resources": [
{
@ -40,7 +69,7 @@
"displayName": "[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellanetworkdevicemanagement_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]"
}
}
},
@ -385,7 +414,7 @@
"ciscoumbrellanetworkdevicemanagement": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName'))]",
"connectionName": "[variables('CiscoUmbrellaNetworkDeviceManagementAPIConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellanetworkdevicemanagement_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellanetworkdevicemanagement_name'))]"
}
}
}

View file

@ -1,16 +1,45 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "CiscoUmbrella-BlockDomain",
"description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
"prerequisites": [
"1. ServiceNow Instance URL, Username, and password.",
"2. Access and authorization to enable API connectors",
"3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
],
"lastUpdateTime": "2021-06-29T10:00:00.000Z",
"entities": [
"Account",
"Url",
"Host"
],
"tags": [
"Sync",
"Notification",
"Teams Response"
],
"support": {
"tier": "community"
},
"author": {
"name": "Jing Nghik"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoUmbrella-BlockDomain",
"type": "String"
},
"customApis_ciscoumbrellaenforcement_name": {
"defaultValue": "CiscoUmbrellaEnforcementAPI",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"CiscoUmbrellaEnforcementAPIConnectionName": "[concat('ciscoumbrellaenforcement-connection-', parameters('PlaybookName'))]",
"customApis_ciscoumbrellaenforcement_name": "CiscoUmbrellaEnforcementAPI"
"CiscoUmbrellaEnforcementAPIConnectionName": "[concat('ciscoumbrellaenforcement-connection-', parameters('PlaybookName'))]"
},
"resources": [
{
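Review bot: same copied `metadata` block as in the other Cisco Umbrella playbooks; for CiscoUmbrella-BlockDomain it should describe blocking a domain through the Enforcement API connector, list that connector and its credentials as prerequisites, and name the entity it acts on (the `entities` list here says Account, Url and Host). The new `customApis_ciscoumbrellaenforcement_name` parameter in this same hunk defaults to `CiscoUmbrellaEnforcementAPI` and must match the connector template's `customApis_CiscoUmbrellaEnforcementAPI_name` default, with no `metadata.description` saying so.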
@ -36,7 +65,7 @@
"displayName": "[variables('CiscoUmbrellaEnforcementAPIConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellaenforcement_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]"
}
}
},
@ -229,7 +258,7 @@
"ciscoumbrellaenforcement": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaEnforcementAPIConnectionName'))]",
"connectionName": "[variables('CiscoUmbrellaEnforcementAPIConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellaenforcement_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellaenforcement_name'))]"
}
}
}

View file

@ -1,16 +1,45 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"title": "CiscoUmbrella-GetDomainInfo",
"description": "This playbook showcases an example of triggering an incident within a targeted Teams channel and opening up a ticket within Service Now. Additionally The playbook will also list playbooks that can be initiated from teams using an adaptive card and callbacks that will take action upon certain entities identified in the incident.",
"prerequisites": [
"1. ServiceNow Instance URL, Username, and password.",
"2. Access and authorization to enable API connectors",
"3. Teams Group ID and Alert Channel ID where the messages are to be posted in."
],
"lastUpdateTime": "2021-06-29T10:00:00.000Z",
"entities": [
"Account",
"Url",
"Host"
],
"tags": [
"Sync",
"Notification",
"Teams Response"
],
"support": {
"tier": "community"
},
"author": {
"name": "Jing Nghik"
}
},
"parameters": {
"PlaybookName": {
"defaultValue": "CiscoUmbrella-GetDomainInfo",
"type": "String"
},
"customApis_ciscoumbrellainvestigate_name": {
"defaultValue": "CiscoUmbrellaInvestigateAPI",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
"CiscoUmbrellaInvestigateAPIConnectionName": "[concat('ciscoumbrellainvestigate-connection-', parameters('PlaybookName'))]",
"customApis_ciscoumbrellainvestigate_name": "CiscoUmbrellaInvestigateAPI"
"CiscoUmbrellaInvestigateAPIConnectionName": "[concat('ciscoumbrellainvestigate-connection-', parameters('PlaybookName'))]"
},
"resources": [
{
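Review bot: same copied `metadata` block; for CiscoUmbrella-GetDomainInfo the description should cover looking up domain information through the Investigate API connector, with that connector and its credentials as the prerequisites, and the `entities`, `tags` and `author` fields corrected accordingly. The new `customApis_ciscoumbrellainvestigate_name` parameter in this hunk has the same undocumented coupling to the connector template's `customApis_CiscoUmbrellaInvestigateAPIConnector_name` default (`CiscoUmbrellaInvestigateAPI`) noted on the other playbooks.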
@ -36,7 +65,7 @@
"displayName": "[variables('CiscoUmbrellaInvestigateAPIConnectionName')]",
"customParameterValues": {},
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellainvestigate_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]"
}
}
},
@ -239,7 +268,7 @@
"ciscoumbrellainvestigate": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('CiscoUmbrellaInvestigateAPIConnectionName'))]",
"connectionName": "[variables('CiscoUmbrellaInvestigateAPIConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_ciscoumbrellainvestigate_name'))]"
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('customApis_ciscoumbrellainvestigate_name'))]"
}
}
}

View file

@ -0,0 +1,16 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-ciscoumbrella",
"firstPublishDate": "2022-04-01",
"providers": [ "Microsoft" ],
"categories": {
"domains": [ "Security - Cloud Security" ],
"verticals": []
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}

View file

@ -21,7 +21,6 @@
}
}
},
"variables": {},
"resources": [
{
@ -60,8 +59,6 @@
"version": "1.0"
},
"host": "$substring([parameters('Service EndPoint')],8 )",
"basePath": "/",
"schemes": [ "https" ],
"consumes": [],
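Review bot: the header says two lines are dropped from this region (`-60,8 +59,6`) but the rendered view does not mark which. If `"host": "$substring([parameters('Service EndPoint')],8 )"` is one of the lines kept, it needs attention: `$substring(...)` is not ARM template expression syntax (that would be `"[substring(parameters('Service EndPoint'), 8)]"`), so the value is written into the connector's Swagger verbatim and `host` becomes that literal string rather than the endpoint with its `https://` prefix stripped. Dropping `"basePath": "/"` is harmless, since Swagger 2.0 serves the API directly under `host` when `basePath` is omitted.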
@ -505,7 +502,6 @@
]
}
},
"/api/v1/users/{userId}/lifecycle/expire_password": {},
"/api/v1/users/{userId}/lifecycle/reset_password": {
"post": {
"responses": {
@ -628,7 +624,6 @@
]
}
},
"": {},
"/api/v1/groups/{groupId}/users/{userId}": {
"delete": {
"responses": {
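Review bot: removing the `"": {}` key here, and the operation-less `/api/v1/users/{userId}/lifecycle/expire_password` path in the previous hunk, is correct: an empty-string path is invalid in Swagger 2.0 and a path with no operations contributes nothing to the connector. Both are the kind of defect a schema validation pass in the packaging tool would catch before a package is produced, which would be a more durable fix than hand-editing individual connector definitions; the commit message's "Fixed JSON Validation issues" suggests such a check exists, so it may be worth extending it to the embedded Swagger.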

View file

@ -32,6 +32,8 @@ The packaging tool detailed below provides an easy way to generate your solution
Clone the repository [Azure-Sentinel](https://github.com/Azure/Azure-Sentinel) to `C:\One`.
For creating solution packages with Template Spec Resource, please refer the instructions mentioned in [Readme](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V2/README.md) File.
### Create Input File
Create an input file and place it in the path `C:\One\Azure-Sentinel\Tools\Create-Sentinel-Solution\input`.
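Review bot: "please refer the instructions mentioned in Readme File" reads awkwardly; suggest "For solution packages that use a Template Spec resource, follow the instructions in the V2 README." The link also points at the absolute master-branch URL of a file this same PR is adding, so it is dead on the branch until the PR merges and on every fork; a relative link to `V2/README.md` works in all of those cases.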
@ -46,8 +48,11 @@ Create an input file and place it in the path `C:\One\Azure-Sentinel\Tools\Creat
* Name: Solution Name - Ex. "Symantec Endpoint Protection"
* Author: Author Name+Email of Solution - Ex. "Eli Forbes - v-eliforbes@microsoft.com"
* Logo: Link to the Logo used in createUiDefinition.json
* - NOTE: This field is only recommended for Azure Global Cloud. It is not recommended for solutions in Azure Government Cloud as the image will not be shown properly.
* Description: Solution Description used in createUiDefinition.json. Can include markdown.
* WorkbookDescription: Workbook description(s), generally from Workbooks Metadata. This field can be a string if 1 description is used, and an array if multiple are used.
* WorkbookDescription: Workbook description(s), generally from Workbooks' Metadata. This field can be a string if 1 description is used across all, and an array if multiple are used.
* PlaybookDescription: Playbook description(s), generally from Playbooks' Metadata. This field can be a string if 1 description is used across all, and an array if multiple are used.
* WatchlistDescription: Watchlist description(s), generally from Watchlists' Property data. This field can be a string if 1 description is used across all, and an array if multiple are used. This field is used if the description from the Watchlist resource is not desired in the Create-UI.
* Workbooks, Analytic Rules, Playbooks, etc.: These fields take arrays of paths relative to the repo root, or BasePath if provided.
* SavedSearches: This input assumes a format of any of the following:
* -- Direct export via API (see https://docs.microsoft.com/rest/api/loganalytics/saved-searches/list-by-workspace)
@ -56,8 +61,9 @@ Create an input file and place it in the path `C:\One\Azure-Sentinel\Tools\Creat
*
* - NOTE: Playbooks field can take standard Playbooks, Custom Connectors, and Function Apps
* BasePath: Optional base path to use. Either Internet URL or File Path. Default is repo root (https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/)
* Version: Version to be used during package creation
* Version: Version to be used during package creation. We should use any version >= 2.0.0 in case solution needs to be packaged for Template Spec
* Metadata: Name of metadata file for the Solution, path is to be considered from BasePath.
* TemplateSpec: Boolean value used to determine whether the package should be generated as a template spec
*/
{
"Name": "{SolutionName}",
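Review bot: the new `Version` wording ("We should use any version >= 2.0.0 in case solution needs to be packaged for Template Spec") leaves the rule vague; suggest "Use a version >= 2.0.0 when TemplateSpec is true." It should also say what the tool does when `TemplateSpec` is true and `Version` is below 2.0.0 (fail with an error, or silently emit a non-Template-Spec package), since that is the case a solution author is most likely to hit while migrating an existing 1.x solution.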
@ -68,14 +74,17 @@ Create an input file and place it in the path `C:\One\Azure-Sentinel\Tools\Creat
"Workbooks": [],
"Analytic Rules": [],
"Playbooks": [],
"PlaybookDescription": ["{Description of playbook}"],
"Parsers": [],
"SavedSearches": [],
"Hunting Queries": [],
"Data Connectors": [],
"Watchlists": [],
"WatchlistDescription": [],
"BasePath": "{Path to Solution Content}",
"Version": "1.0.0",
"Metadata": "{Name of Solution Metadata file}",
"TemplateSpec": false
}
```
@ -107,7 +116,8 @@ Create an input file and place it in the path `C:\One\Azure-Sentinel\Tools\Creat
],
"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/McAfeeePO/",
"Version": "1.0.0",
"Metadata": "SolutionMetadata.json"
"Metadata": "SolutionMetadata.json",
"TemplateSpec": false
}
```
@ -131,7 +141,7 @@ Create a file and place it in the base path of solution `https://raw.githubuser
* providers: Provider of the solution. Specify one or many providers as a comma separated list as applicable for the solution - Ex. Cisco, Checkpoint, Microsoft
* categories: Domain and Vertical applicability of the solution. There can be multiple domain and/or vertical categories applicable to the same solution which can be represented as an array. For e.g. Domains - "Security - Network", "Application", etc. and Vertical - "Healthcare", "Finance". Refer to the [Microsoft Sentinel content and solutions categories documentation](https://aka.ms/sentinelcontentcategories) for a complete list of valid Microsoft Sentinel categories.
* support: Name, Email, Tier and Link for the solution support details.
* - NOTE: Additional metadata properties like Version, Author, etc. are used by the packaging tool based on the values provided in the input file. Format specified in the example below. Refer to [Microsoft
* - NOTE: Additional metadata properties like Version, Author, etc. are used by the packaging tool based on the values provided in the input file. Format specified in the example below. Refer to [Microsoft
content and support documentation](https://aka.ms/sentinelcontentsupportmodel) for further information.
*/
{
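Review bot: the two NOTE lines at the top of this region are textually identical in the rendered diff, so this appears to be a whitespace-only change (trailing space or line ending). Either drop it to keep the diff focused on the Template Spec work or, if the normalization was intentional, apply it to the whole file so the next edit does not reintroduce the noise.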

View file

@ -0,0 +1,363 @@
# Microsoft Sentinel Solutions Packaging Tool Guidance
Microsoft Sentinel Solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product and/or domain and/or vertical scenarios in Microsoft Sentinel. This experience is powered by Azure Marketplace for Solutions' discoverability, deployment and enablement and Microsoft Partner Center for Solutions authoring and publishing. Refer to details in [Microsoft Sentinel solutions documentation](https://aka.ms/azuresentinelsolutionsdoc). Detailed partner guidance for authoring and publishing solutions is covered in [building Microsoft Sentinel solutions guidance](https://aka.ms/sentinelsolutionsbuildguide).
The packaging tool detailed below provides an easy way to generate your solution package of choice in an automated manner and enables validation of the package generated as well. You can package different types of Microsoft Sentinel content that includes a combination of data connectors, parsers or Kusto Functions, workbooks, analytic rules, hunting queries, Azure Logic apps custom connectors, playbooks and watchlists.
## Setup
- Install PowerShell 7.1+
- If you already have PowerShell 5.1, please follow this [upgrade guide](https://docs.microsoft.com/powershell/scripting/install/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.1).
- If you do not already have PowerShell, please follow this [installation guide](https://docs.microsoft.com/powershell/scripting/install/installing-powershell-core-on-windows?view=powershell-7.1).
- Install Node.js
- The installation process can be started from [their website](https://nodejs.org/).
- Install YAML Toolkit for Powershell
- `Install-Module powershell-yaml`
- *For ease of editing, it's recommended to use VSCode with the 'Azure Resource Manager (ARM) Tools' extension installed*
- Install [VSCode](https://code.visualstudio.com/).
- Install the [Azure Resource Manager (ARM) Tools Extension](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools).
- This extension provides language support, resource auto-completion, and automatic template validation within your IDE.
## Creating Solution Package
Clone the repository [Azure-Sentinel](https://github.com/Azure/Azure-Sentinel) to `C:\One`.
### Create Input File
Create an input file and place it in the path `C:\One\Azure-Sentinel\Tools\Create-Sentinel-Solution\input`.
#### **Input File Format:**
```json
/**
* Solution Automation Input File Json
* -----------------------------------------------------
* The purpose of this json is to provide detail on the various fields the input file can have.
* Name: Solution Name - Ex. "Symantec Endpoint Protection"
* Author: Author Name+Email of Solution - Ex. "Eli Forbes - v-eliforbes@microsoft.com"
* Logo: Link to the Logo used in createUiDefinition.json
* - NOTE: This field is only recommended for Azure Global Cloud. It is not recommended for solutions in Azure Government Cloud as the image will not be shown properly.
* Description: Solution Description used in createUiDefinition.json. Can include markdown.
* WorkbookDescription: Workbook description(s), generally from Workbooks' Metadata. This field can be a string if 1 description is used across all, and an array if multiple are used.
* PlaybookDescription: Playbook description(s), generally from Playbooks' Metadata. This field can be a string if 1 description is used across all, and an array if multiple are used.
* WatchlistDescription: Watchlist description(s), generally from Watchlists' Property data. This field can be a string if 1 description is used across all, and an array if multiple are used. This field is used if the description from the Watchlist resource is not desired in the Create-UI.
* Workbooks, Analytic Rules, Playbooks, etc.: These fields take arrays of paths relative to the repo root, or BasePath if provided.
* SavedSearches: This input assumes a format of any of the following:
* -- Direct export via API (see https://docs.microsoft.com/rest/api/loganalytics/saved-searches/list-by-workspace)
* -- Array of SavedSearch resources
* -- Raw ARM template
*
* - NOTE: Playbooks field can take standard Playbooks, Custom Connectors, and Function Apps
* BasePath: Optional base path to use. Either Internet URL or File Path. Default is repo root (https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/)
* Version: Version to be used during package creation. We should use any version >= 2.0.0 in case solution needs to be packaged for Template Spec
* Metadata: Name of metadata file for the Solution, path is to be considered from BasePath.
* TemplateSpec: Boolean value used to determine whether the package should be generated as a template spec
*/
{
"Name": "{SolutionName}",
"Author": "{AuthorName - Email}",
"Logo": "<img src=\"{LogoLink}\" width=\"75px\" height=\"75px\">",
"Description": "{Solution Description}",
"WorkbookDescription": ["{Description of workbook}"],
"Workbooks": [],
"WorkbookBladeDescription: string; //Description used in the CreateUiDefinition.json for Workbooks Blade
"AnalyticalRuleBladeDescription": "{//Description used in the CreateUiDefinition.json for Analytical Rule Blade"
"HuntingQueryBladeDescription": "//Description used in the CreateUiDefinition.json for Hunting Query Blade"
"PlaybooksBladeDescription": "//Description used in the CreateUiDefinition.json for Playbook Blade"
"Analytic Rules": [],
"Playbooks": [],
"PlaybookDescription": ["{Description of playbook}"],
"Parsers": [],
"SavedSearches": [],
"Hunting Queries": [],
"Data Connectors": [],
"Watchlists": [],
"WatchlistDescription": [],
"BasePath": "{Path to Solution Content}",
"Version": "2.0.0",
"Metadata": "{Name of Solution Metadata file}",
"TemplateSpec": true,
"Is1PConnector": false
}
```
#### **Example of Input File: Solution_McAfeePO.json**
```json
{
"Name": "Cisco Umbrella",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n\ta. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n\tb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview) ",
"WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view. ",
"HuntingQueryBladeDescription": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view",
"PlaybooksBladeDescription": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view. ",
"Data Connectors": [
"DataConnectors/CiscoUmbrella/CiscoUmbrella_API_FunctionApp.json"
],
"Parsers": [
"Solutions/CiscoUmbrella/Parsers/Cisco_Umbrella"
],
"Hunting Queries": [
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaAnomalousFQDNsforDomain.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaBlockedUserAgents.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaDNSErrors.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaDNSRequestsUunreliableCategory.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighCountsOfTheSameBytesInSize.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighValuesOfUploadedData.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleConnectionC2.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleDataExfiltration.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaProxyAllowedUnreliableCategory.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaRequestsUncategorizedURI.yaml"
],
"Analytic Rules": [
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRareUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestBlocklistedFileType.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaURIContainsIPAddress.yaml"
],
"Workbooks": [
"Solutions/CiscoUmbrella/Workbooks/CiscoUmbrella.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}
```
### Create Solution Metadata File
Create the metadata file and place it in the solution's base path, e.g. `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/McAfeeePO/`.
* Refer to the [Microsoft Sentinel content and solutions categories documentation](https://aka.ms/sentinelcontentcategories) for a complete list of valid Microsoft Sentinel categories.
* Refer to [Microsoft Sentinel content and support documentation](https://aka.ms/sentinelcontentsupportmodel) for information on valid support models.
#### **Metadata File Format:**
```json
/**
* Solution Automation Metadata File Json
* -----------------------------------------------------
* The purpose of this json is to provide detail on the various fields the solution metadata file can have. Refer to the metadata schema and example provided after the definitions for further context.
* publisherId: An identifier that's used by Partner Center to uniquely identify the publisher associated with a commercial marketplace account. Ex. "azuresentinel", "CheckPoint", "semperis"
* offerId: Id of the Offer of Solution - Ex. "azure-sentinel-solution-ciscoaci", "azure-sentinel-solution-semperis-dsp"
* firstPublishDate: Solution first published date
* lastPublishDate: Latest published date of Solution
* providers: Provider of the solution. Specify one or many providers as a comma separated list as applicable for the solution - Ex. Cisco, Checkpoint, Microsoft
* categories: Domain and Vertical applicability of the solution. There can be multiple domain and/or vertical categories applicable to the same solution, represented as an array. E.g. Domains - "Security - Network", "Application", etc. and Verticals - "Healthcare", "Finance". Refer to the [Microsoft Sentinel content and solutions categories documentation](https://aka.ms/sentinelcontentcategories) for a complete list of valid Microsoft Sentinel categories.
* support: Name, Email, Tier and Link for the solution support details.
* - NOTE: Additional metadata properties like Version, Author, etc. are used by the packaging tool based on the values provided in the input file. Format specified in the example below. Refer to [Microsoft Sentinel content and support documentation](https://aka.ms/sentinelcontentsupportmodel) for further information.
*/
{
"publisherId": {Id of Publisher},
"offerId": {Solution Offer Id},
"firstPublishDate": {Solution First Published Date},
"lastPublishDate": {Solution recent Published Date},
"providers": {Solution provider list},
"categories": {
"domains" : {Solution category domain list},
"verticals": {Solution category vertical list}
},
"support": {
"name": {Publisher ID},
"email": {Email for Solution Support},
"tier": {Support Tier},
"link": {Link of Support contacts for Solution}
}
}
```
#### **Example of Input File: SolutionMetadata.json**
```json
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-mcafeeepo",
"firstPublishDate": "2021-03-26",
"lastPublishDate": "2021-08-09",
"providers": ["Cisco"],
"categories": {
"domains" : ["Security - Network"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
```
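As an added example (not part of the packaging tool), here is a Node.js pre-flight check that applies the rules stated above to an input file and its SolutionMetadata.json before `createSolutionV2.ps1` is run; the function names and the sample objects are this example's own.

```javascript
// Added example, not part of the packaging tool: pre-flight checks for the V2 input
// file and SolutionMetadata.json, encoding the rules the README states above.
// Function names and the sample objects below are this example's own (constructed).
const CONTENT_KEYS = ["Workbooks", "Analytic Rules", "Playbooks", "Parsers",
  "SavedSearches", "Hunting Queries", "Data Connectors", "Watchlists"];

// "2.0.0" -> [2, 0, 0]; null when the value is not MAJOR.MINOR.PATCH.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so "10.0.0" >= "9.9.9" (a plain string compare gets this wrong).
function versionAtLeast(v, min) {
  const a = parseVersion(v), b = parseVersion(min);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Returns the list of problems found in the input file (empty list = passes).
function validateInputFile(input) {
  const problems = [];
  for (const key of ["Name", "Author", "Logo", "Description", "Version", "Metadata"]) {
    if (typeof input[key] !== "string" || input[key].trim() === "") {
      problems.push(`${key} must be a non-empty string`);
    }
  }
  if (!parseVersion(input.Version)) {
    problems.push("Version must be MAJOR.MINOR.PATCH");
  } else if (input.TemplateSpec === true && !versionAtLeast(input.Version, "2.0.0")) {
    problems.push("Version must be >= 2.0.0 when TemplateSpec is true");
  }
  for (const key of CONTENT_KEYS) {
    const v = input[key];
    if (v !== undefined && !(Array.isArray(v) && v.every((p) => typeof p === "string" && p))) {
      problems.push(`${key} must be an array of path strings`);
    }
  }
  // BasePath is optional; when present it must be an Internet URL or an absolute path.
  if (input.BasePath !== undefined && !/^(https?:\/\/|[A-Za-z]:\\|\/)/.test(input.BasePath)) {
    problems.push("BasePath must be an http(s) URL or an absolute file path");
  }
  return problems;
}

// Returns the list of problems found in SolutionMetadata.json.
function validateMetadata(meta) {
  const problems = [];
  const isoDate = /^\d{4}-\d{2}-\d{2}$/;
  for (const key of ["publisherId", "offerId"]) {
    if (typeof meta[key] !== "string" || meta[key] === "") problems.push(`${key} must be a non-empty string`);
  }
  for (const key of ["firstPublishDate", "lastPublishDate"]) {
    if (!isoDate.test(String(meta[key]))) problems.push(`${key} must be YYYY-MM-DD`);
  }
  // ISO dates compare correctly as strings once both match the pattern.
  if (isoDate.test(String(meta.firstPublishDate)) && isoDate.test(String(meta.lastPublishDate)) &&
      meta.lastPublishDate < meta.firstPublishDate) {
    problems.push("lastPublishDate must not precede firstPublishDate");
  }
  if (!Array.isArray(meta.providers) || meta.providers.length === 0) {
    problems.push("providers must list at least one provider");
  }
  const cats = meta.categories || {};
  if (!Array.isArray(cats.domains) || !Array.isArray(cats.verticals)) {
    problems.push("categories.domains and categories.verticals must be arrays");
  }
  const support = meta.support || {};
  for (const key of ["name", "email", "tier", "link"]) {
    if (typeof support[key] !== "string" || support[key] === "") problems.push(`support.${key} must be a non-empty string`);
  }
  return problems;
}

// Constructed sample, trimmed from the Cisco Umbrella example above.
const SAMPLE_INPUT = {
  Name: "Cisco Umbrella", Author: "Microsoft - support@microsoft.com", Logo: "<img src=\"logo.svg\">",
  Description: "Constructed description", Workbooks: ["Solutions/CiscoUmbrella/Workbooks/CiscoUmbrella.json"],
  BasePath: "C:\\GitHub\\Azure-Sentinel", Version: "2.0.0", Metadata: "SolutionMetadata.json",
  TemplateSpec: true, Is1PConnector: false,
};
const SAMPLE_METADATA = {
  publisherId: "azuresentinel", offerId: "azure-sentinel-solution-mcafeeepo",
  firstPublishDate: "2021-03-26", lastPublishDate: "2021-08-09", providers: ["Cisco"],
  categories: { domains: ["Security - Network"], verticals: [] },
  support: { name: "Microsoft Corporation", email: "support@microsoft.com", tier: "Microsoft", link: "https://support.microsoft.com" },
};
console.log("input file:", validateInputFile(SAMPLE_INPUT));
console.log("metadata:", validateMetadata(SAMPLE_METADATA));
```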
### Generate Solution Package
To generate the solution package from the given input file, run the `createSolutionV2.ps1` script in the automation folder, `Tools/Create-Azure-Sentinel-Solution/V2`.
> Ex. From repository root, run: `./Tools/Create-Azure-Sentinel-Solution/V2/createSolutionV2.ps1`
This will generate and compress the solution package, and name the package using the version provided in the input file.
The package consists of the following files:
* `createUIDefinition.json`: Template containing the definition for the Deployment Creation UI
* `mainTemplate.json`: Template containing Deployable Resources
These files are created in the solution's `Package` folder from the resources listed in the input file. For every modification made after the initial package version, create a new zip file with an updated version name (1.0.1, 1.0.2, etc.) containing the modified `createUIDefinition.json` and `mainTemplate.json` files.
Upon package creation, the automation will automatically import and run validation on the generated files using the Azure Toolkit / TTK CLI tool.
### Azure Toolkit Validation
The Azure Toolkit Validation is run automatically after package generation. However, if you make any manual edits to the template after the package is generated, you'll need to manually run the Azure Toolkit technical validation on your solution to check the end result.
If you've already run the package creation tool in your current PowerShell instance, you should have the validation command imported and available, otherwise follow the steps below to install.
#### Azure Toolkit Validation Setup
- Clone the [arm-ttk repository](https://github.com/Azure/arm-ttk) to `C:\One`
  - If `C:\One` does not exist, create the folder.
  - You may also choose a different folder, but reference it correctly in the Profile script.
- Open your PowerShell Profile script
  - To find your PowerShell Profile script:
    - Open PowerShell.
    - Type `$profile`, and hit enter.
    - Your PowerShell Profile script path will be output to the screen.
  - Open the Profile script.
- Add the following line of code to your Profile script.
  - `Import-Module C:\One\arm-ttk\arm-ttk\arm-ttk.psd1`
- Save and close your Profile script.
- Refresh your profile.
  - Run the following command in PowerShell: `& $profile`
  - Alternatively, you can close and re-open your PowerShell window.
#### Azure Toolkit Validation Usage
- Navigate to the directory of your solution.
- Run: `Test-AzTemplate`
### Manual Validation
Once the package is created and Azure Toolkit technical validation is passing, one should manually validate that the package is created as desired.
**1. Validate createUiDefinition.json:**
* Open [CreateUISandbox](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/SandboxBlade).
* Copy the json content from `createUiDefinition.json` (from the most recent package version).
* Clear the content in the editor and replace it with the content copied in the previous step.
* Click Preview.
* You should see the User Interface preview of the data connector, workbook, etc., and the descriptions you provided in the input file.
* Check the description and User Interface of the solution preview.
**2. Validate maintemplate.json:**
Validate `mainTemplate.json` by deploying the template in portal.
Follow these steps to deploy in portal:
* Open up <https://aka.ms/AzureSentinelPrP> which launches the Azure portal with the needed private preview flags.
* Go to "Deploy a Custom Template" on the portal
* Select "Build your own template in Editor".
* Copy the json content from `mainTemplate.json` (from the most recent package version).
* Clear the content in the editor and replace it with the content copied in the previous step.
* Click Save and then progress to selecting subscription, Sentinel-enabled resource group, and corresponding workspace, etc., to complete the deployment.
* Click Review + Create to trigger deployment.
* Check if the deployment successfully completes.
* You should see the data connector, workbook, etc., deployed in the respective galleries; validate them and let us know your feedback.
### Known Failures
#### VMSizes Must Match Template
This generally shows as a warning and the test is skipped; the build does not treat it as an error.
### Common Issues
#### Template Should Not Contain Blanks
This issue most commonly comes from the serialized workbook and playbooks, due to certain properties in the json having values of null, [], or {}. To fix this, remove these properties.
#### IDs Should Be Derived from ResourceIDs
Some IDs, most commonly in resources of type `Microsoft.Web/connections`, tend to throw this error despite seeming to fit the expected format. To fix this, define two variables: one holding the problematic ID value, and another that references the first variable; then use this second variable wherever the ID value is needed. See below for an example of such a variable pair:
```json
"variables": {
"playbook-1-connection-1": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/microsoftgraphsecurity')]",
"_playbook-1-connection-1": "[variables('playbook-1-connection-1')]"
}
```
#### ApiVersions Should Be Recent
Some resources, particularly playbook-related resources, come in with outdated `apiVersion` properties, and depending on the version it may not be picked up as outdated by the validation.
Please ensure that resources of the following types use the corresponding versions:
```json
{
"type": "Microsoft.Web/connections",
"apiVersion": "2018-07-01-preview",
}
```
```json
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2019-05-01",
}
```
#### Parameters Must Be Referenced
It's possible some default parameters may go unused, especially if the solution consists mainly of playbooks. On failure this check will output the unused parameter(s) that exist within the `mainTemplate.json` file.
To fix this, remove the unused parameter from the `parameters` section of `mainTemplate.json`, and check the following common issue "Outputs Must Be Present In Template Parameters".
#### Outputs Must Be Present In Template Parameters
In most cases, this error is a result of removing an unused parameter reference from `mainTemplate.json`. To fix the error in such a case, remove the problematic output variable from the `outputs` section of `createUiDefinition.json`.
Otherwise, the parameter will need to be added in the `parameters` section of `mainTemplate.json` and referenced as necessary.
#### Main Template Encoding Issues
If you generate your solution package using a version of PowerShell under 7.1, you'll likely face encoding errors which cause issues within the `mainTemplate.json` file.
The main encoding issue here will be that single-quote characters `'` are encoded into `\u0027`, and due to function references relying on single-quotes, this will break the template.
To resolve this issue, it's recommended that you install PowerShell 7.1+ and re-generate the package.
See [Setup](#setup) to install PowerShell 7.1+.
#### YAML Conversion Issues
If the YAML Toolkit for PowerShell is not installed, you may experience errors related to converting `.yaml` files, for analytic rules or otherwise.
To resolve this issue, it's recommended that you install the YAML Toolkit for PowerShell.
See [Setup](#setup) to install the YAML Toolkit for PowerShell.
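As an added example (not the packaging tool's or arm-ttk's code), here is a Node.js pre-flight pass that reproduces the checks behind the common issues above on a generated `mainTemplate.json` / `createUiDefinition.json` pair; the function names and the sample templates are constructed for this example.

```javascript
// Added example, not part of the packaging tool or arm-ttk: a pre-flight pass over a
// generated package that reproduces the checks behind the common issues listed above.
// Function names are this example's own; the sample templates at the bottom are constructed.

// Template Should Not Contain Blanks: recursively drop properties whose value is null,
// [] or {} (the fix the README prescribes). Apply it to a resource's properties rather
// than the whole template, since the README scopes the fix to serialized workbook and
// playbook content.
function pruneBlanks(node) {
  if (Array.isArray(node)) return node.map(pruneBlanks);
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const pruned = pruneBlanks(value);
    const isBlank = pruned === null ||
      (Array.isArray(pruned) && pruned.length === 0) ||
      (typeof pruned === "object" && !Array.isArray(pruned) && Object.keys(pruned).length === 0);
    if (!isBlank) out[key] = pruned;
  }
  return out;
}

// ApiVersions Should Be Recent: versions the README requires for playbook-related types.
const REQUIRED_API_VERSIONS = {
  "Microsoft.Web/connections": "2018-07-01-preview",
  "Microsoft.Logic/workflows": "2019-05-01",
};

function checkApiVersions(resources) {
  const problems = [];
  for (const r of resources) {
    const expected = REQUIRED_API_VERSIONS[r.type];
    if (expected && r.apiVersion !== expected) {
      problems.push(`${r.type} '${r.name}' uses apiVersion ${r.apiVersion}, expected ${expected}`);
    }
  }
  return problems;
}

// Parameters Must Be Referenced: every declared parameter must appear as parameters('name')
// somewhere in the template. Outputs Must Be Present In Template Parameters: every
// createUiDefinition output must be a declared mainTemplate parameter.
function checkParameters(mainTemplate, createUiDefinition) {
  const problems = [];
  const declared = Object.keys(mainTemplate.parameters || {});
  const text = JSON.stringify(mainTemplate);
  for (const name of declared) {
    if (!text.includes(`parameters('${name}')`)) problems.push(`parameter '${name}' is never referenced`);
  }
  const outputs = Object.keys((createUiDefinition.parameters || {}).outputs || {});
  for (const name of outputs) {
    if (!declared.includes(name)) problems.push(`createUiDefinition output '${name}' has no matching parameter`);
  }
  return problems;
}

// Main Template Encoding Issues: PowerShell < 7.1 emits ' as \u0027. This must run on the
// raw file text, because JSON.parse would silently turn the escape back into a quote.
function hasEscapedQuotes(rawText) {
  return rawText.includes("\\u0027");
}

function lintPackage(rawMainTemplate, createUiDefinition) {
  const problems = [];
  if (hasEscapedQuotes(rawMainTemplate)) {
    problems.push("mainTemplate.json contains \\u0027 escapes; regenerate with PowerShell 7.1+");
  }
  const main = JSON.parse(rawMainTemplate);
  problems.push(...checkApiVersions(main.resources || []));
  problems.push(...checkParameters(main, createUiDefinition));
  return problems;
}

// Constructed sample: one playbook with an outdated apiVersion and blank properties,
// an unreferenced parameter, and a createUiDefinition output with no matching parameter.
const SAMPLE_MAIN = JSON.stringify({
  parameters: { workspace: { type: "string" }, "workspace-location": { type: "string" }, "unused-param": { type: "string" } },
  variables: {
    "playbook-1-connection-1": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('workspace-location'), '/managedApis/microsoftgraphsecurity')]",
    "_playbook-1-connection-1": "[variables('playbook-1-connection-1')]",
  },
  resources: [{
    type: "Microsoft.Logic/workflows", apiVersion: "2017-07-01",
    name: "[concat(parameters('workspace'), '-playbook-1')]", location: "[parameters('workspace-location')]",
    properties: { state: "Enabled", definition: { triggers: {}, actions: null, parameters: {} } },
  }],
});
const SAMPLE_UI = { parameters: { outputs: { workspace: "[basics('workspace')]", "workspace-location": "[location()]", location: "[location()]" } } };

console.log(lintPackage(SAMPLE_MAIN, SAMPLE_UI));
console.log(pruneBlanks(JSON.parse(SAMPLE_MAIN).resources[0].properties));
```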

@ -0,0 +1,48 @@
{
"Name": "Cisco Umbrella",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n\ta. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n\tb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview) ",
"WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view. ",
"HuntingQueryBladeDescription": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view",
"PlaybooksBladeDescription": "This solution installs the following Playbook templates. After installing the solution, playbooks can be managed in the Manage solution view. ",
"Data Connectors": [
"DataConnectors/CiscoUmbrella/CiscoUmbrella_API_FunctionApp.json"
],
"Parsers": [
"Solutions/CiscoUmbrella/Parsers/Cisco_Umbrella"
],
"Hunting Queries": [
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaAnomalousFQDNsforDomain.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaBlockedUserAgents.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaDNSErrors.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaDNSRequestsUunreliableCategory.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighCountsOfTheSameBytesInSize.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaHighValuesOfUploadedData.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleConnectionC2.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaPossibleDataExfiltration.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaProxyAllowedUnreliableCategory.yaml",
"Solutions/CiscoUmbrella/Hunting Queries/CiscoUmbrellaRequestsUncategorizedURI.yaml"
],
"Analytic Rules": [
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaEmptyUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaHackToolUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaPowershellUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRareUserAgentDetected.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaRequestBlocklistedFileType.yaml",
"Solutions/CiscoUmbrella/Analytic Rules/CiscoUmbrellaURIContainsIPAddress.yaml"
],
"Workbooks": [
"Solutions/CiscoUmbrella/Workbooks/CiscoUmbrella.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}
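Review bot: `BasePath` is set to a machine-local path, `C:\\GitHub\\Azure-Sentinel`, so this checked-in example only resolves on the author's workstation; since the README documents the repo-root URL as the default, either drop the property or set it to `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/` so the example works for anyone who copies it. The `Description` also embeds literal tab characters (`\t`) before the `a.` and `b.` items, which a Markdown renderer may show as an indented code block rather than a list; plain spaces are safer.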

@ -0,0 +1,34 @@
/**
* Solution Automation Input File Interface
* -----------------------------------------------------
* The purpose of this interface is to provide detail on
* the various fields the input file can have.
*/
interface SolutionAutomationInput {
Name: string; //Solution Name - Ex. "Symantec Endpoint Protection"
Author: string; //Author of Solution - Ex. "Eli Forbes - v-eliforbes@microsoft.com"
Logo: string; //Link to the Logo used in the CreateUiDefinition.json
Description: string; //Solution Description used in the CreateUiDefinition.json
WorkbookDescription: string|string[]; //Workbook description(s) from ASI-Portal Workbooks Metadata
Version: string; //Package version to be created
//The following fields take arrays of paths relative to the solutions folder.
//Ex. Workbooks: ["Workbooks/SymantecEndpointProtection.json"]
Workbooks?: string[];
WorkbookBladeDescription: string; //Description used in the CreateUiDefinition.json for Workbooks Blade
AnalyticalRuleBladeDescription: string; //Description used in the CreateUiDefinition.json for Analytical Rule Blade
HuntingQueryBladeDescription: string; //Description used in the CreateUiDefinition.json for Hunting Query Blade
PlaybooksBladeDescription: string; //Description used in the CreateUiDefinition.json for Playbook Blade
"Analytic Rules"?: string[];
Playbooks?: string[];
PlaybookDescription?: string|string[]; //Description used in the CreateUiDefinition.json
Parsers?: string[];
SavedSearches?: string[];
"Hunting Queries"?: string[];
"Data Connectors"?: string[];
Watchlists?: string[];
WatchlistDescription?: string|string[]; //Description used in the CreateUiDefinition.json
BasePath?: string; //Optional base path to use. Either Internet URL or File Path. Default = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/""
Metadata: string; //Path to the SolutionMetadata file
TemplateSpec: true;
Is1PConnector: false;
}
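Review bot: `TemplateSpec: true;` and `Is1PConnector: false;` declare literal types, so as written the interface only admits those exact values and an input file with `Is1PConnector: true` (or `TemplateSpec: false`) would not conform; both should be `boolean`, with the README stating the defaults. The `BasePath` comment also ends with a doubled quote (`master/""`), and the `Version` comment could carry the `>= 2.0.0` requirement for Template Spec packages that the README documents.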

@ -0,0 +1,60 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "{{Logo}}\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n{{SolutionDescription}}\n\n{{DataConnectorCount}}{{ParserCount}}{{WorkbookCount}}{{AnalyticRuleCount}}{{HuntingQueryCount}}{{WatchlistCount}}{{LogicAppCustomConnectorCount}}{{PlaybookCount}}\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
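Review bot: the workspace filter on the `allowedValues` line and again in the `workspace-location` output uses `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring match over the whole resource id, so a resource group named e.g. `sentinel` also matches workspaces in `sentinel-prod` (or any group whose name contains that text), and `first(...)` then returns whichever of those sorts first. Matching the full segment, e.g. `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`, scopes both the dropdown and the location lookup to the selected group.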

@ -0,0 +1,36 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "{{author}}",
"comments": "Solution template for {{SolutionName}}"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {},
"resources": [],
"outputs": {}
}
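Review bot: the `[concat('Region to deploy solution resources -- separate from location selection', parameters('location'))]` expression in the `workspace-location` description reads as a workaround to keep `location` referenced (arm-ttk's Parameters Must Be Referenced test) rather than as documentation, but the only comment explaining `location` cites `Location-Should-Not-Be-Hardcoded`; if that is the intent, say so in the `location` description so the next reader does not "clean up" the expression and reintroduce the failure. Separately, `workspace` has `"defaultValue": ""` and no `minLength`, so an empty workspace name passes parameter validation and only fails at deployment time; a `"minLength": 1` like the one on `location` rejects it up front.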

@ -0,0 +1,13 @@
/** replacePlaybookVarNames.js
* This small script is utilized to perform a global replacement of playbook variables within a string.
* This is necessary due to PowerShell not providing global match/replacement capability.
*/
const regexStr = /(resourceGroup\(\)\.location)/g;
const inputString = process.argv[2];
const playbookNum = process.argv[3];
if (inputString.match(regexStr)) {
console.log(inputString.replace(regexStr, "parameters('workspace-location')"))
} else {
console.log(inputString);
}
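Review bot: `playbookNum` is read from `process.argv[3]` but never used in this script, and the `if (inputString.match(regexStr))` branch is redundant because `String.prototype.replace` returns the input unchanged when nothing matches, so the body can be the single `console.log(inputString.replace(...))`. The header comment names the file `replacePlaybookVarNames.js`, the same name as the script below that rewrites `variables(...)`, so one of the two headers is wrong. The stated rationale is also inaccurate: PowerShell's `-replace` operator replaces every match, so this rewrite could live in `createSolutionV2.ps1` without spawning Node.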

@ -0,0 +1,13 @@
/** replacePlaybookParamNames.js
* This small script is utilized to perform a global replacement of playbook parameter variables within a string.
* This is necessary due to PowerShell not providing global match/replacement capability.
*/
const regexStr = /parameters\(\'([\w\-\s]+)\'\)/g;
const inputString = process.argv[2];
const playbookNum = process.argv[3];
if (inputString.match(regexStr)) {
console.log(inputString.replace(regexStr, `parameters('playbook${playbookNum}-$1')`))
} else {
console.log(inputString);
}
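Review bot: the regex `parameters\('([\w\-\s]+)'\)` matches every parameter reference, including the shared template parameters, so `parameters('workspace-location')` and `parameters('workspace')` inside a playbook (including the references the sibling script emits in place of `resourceGroup().location`) become `parameters('playbookN-workspace-location')`, which `mainTemplate.json` does not declare. Exclude the shared names with a negative lookahead, e.g. `/parameters\('(?!workspace(?:-location)?')([\w\-\s]+)'\)/g`, so only the playbook's own parameters are prefixed.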

@ -0,0 +1,13 @@
/** replacePlaybookVarNames.js
* This small script is utilized to perform a global replacement of playbook variables within a string.
* This is necessary due to PowerShell not providing global match/replacement capability.
*/
const regexStr = /variables\(\'(\w+)\'\)/g;
const inputString = process.argv[2];
const playbookNum = process.argv[3];
if (inputString.match(regexStr)) {
console.log(inputString.replace(regexStr, `variables('playbook${playbookNum}-$1')`))
} else {
console.log(inputString);
}
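Review bot: `\w+` only matches variable names made of word characters, so a playbook variable whose name contains a hyphen or a space (ARM allows both; the README's own `playbook-1-connection-1` shows the style) is skipped while `variables('connectionName')` is renamed, leaving a mix of prefixed and unprefixed references in one template. Using the same `[\w\-\s]+` class as replacePlaybookParamNames.js keeps the two scripts consistent. The header comment is copied from the script above and describes the other file.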

@ -16,10 +16,13 @@ interface SolutionAutomationInput {
Workbooks?: string[];
"Analytic Rules"?: string[];
Playbooks?: string[];
PlaybookDescription?: string|string[]; //Description used in the CreateUiDefinition.json
Parsers?: string[];
SavedSearches?: string[];
"Hunting Queries"?: string[];
"Data Connectors"?: string[];
Watchlists?: string[];
WatchlistDescription?: string|string[]; //Description used in the CreateUiDefinition.json
BasePath?: string; //Optional base path to use. Either Internet URL or File Path. Default = "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/""
Metadata: string; //Path to the SolutionMetadata File
}
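Review bot: `PlaybookDescription` and `WatchlistDescription` accept `string|string[]`, but the comment does not say how an array maps onto the `Playbooks` / `Watchlists` arrays (positional by index, presumably) or what happens when the lengths differ; a one-line note here keeps the packaging script's behaviour from being the only documentation.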

@ -26,7 +26,7 @@
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},

@ -1,4 +1,4 @@
<#
<#
THE SCRIPT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SCRIPT OR THE USE OR OTHER DEALINGS IN THE
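Review bot: this hunk (the `<#` line removed and re-added) and the remaining hunks in this file show each line removed and re-added with no visible textual change, which is what a line-ending or trailing-whitespace rewrite looks like; it is unrelated to the Template Spec tooling in this PR and buries the few real edits. Consider reverting the file, or normalising line endings in a separate whitespace-only commit.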
@ -6,15 +6,15 @@
.SYNOPSIS
Sends custom logs to a specific table in Azure Monitor.
.DESCRIPTION
Script to send data to a data collection endpoint which is a unique connection point for your subscription.
The payload sent to Azure Monitor must be in JSON format. A data collection rule is needed in your Azure tenant that understands the format of the source data, potentially filters and transforms it for the target table, and then directs it to a specific table in a specific workspace.
You can modify the target table and workspace by modifying the data collection rule without any change to the REST API call or source data.
.PARAMETER LogPath
Path to the log file or folder to read logs from and send them to Azure Monitor.
.PARAMETER AADAppId
Azure Active Directory application to authenticate against the API to send logs to Azure Monitor data collection endpoint.
This script supports the Client Credential Grant Flow.
@ -24,22 +24,22 @@
.PARAMETER TenantId
ID of Tenant
.PARAMETER DcrImmutableId
Immutable ID of the data collection rule used to process events flowing to an Azure Monitor data table.
.PARAMETER DceURI
Uri of the data collection endpoint used to host the data collection rule.
.PARAMETER StreamName
Name of stream to send data to before being procesed and sent to an Azure Monitor data table.
.EXAMPLE
PS> Send-AzMonitorCustomLogs -LogPath C:\WinEvents.json -AADAppId 'XXXX' -AADAppSecret 'XXXXXX' -TenantId 'XXXXXX' -DcrImmutableId 'dcr-XXXX' -DceURI 'https://XXXX.westus2-1.ingest.monitor.azure.com' -StreamName 'Custom-WindowsEvent'
.EXAMPLE
.EXAMPLE
PS> Send-AzMonitorCustomLogs -LogPath C:\WinEvents.json -AADAppId 'XXXX' -AADAppSecret 'XXXXXX' -TenantId 'XXXXXX' -DcrImmutableId 'dcr-XXXX' -DceURI 'https://XXXX.westus2-1.ingest.monitor.azure.com' -StreamName 'Custom-WindowsEvent'
.EXAMPLE
PS> Send-AzMonitorCustomLogs -LogPath C:\WinEventsFolder\ -AADAppId 'XXXX' -AADAppSecret 'XXXXXX' -TenantId 'XXXXXX' -DcrImmutableId 'dcr-XXXX' -DceURI 'https://XXXX.westus2-1.ingest.monitor.azure.com' -StreamName 'Custom-WindowsEvent'
.NOTES
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# Modified: Sreedhar Ande
@ -47,22 +47,22 @@
# License: MIT
# Reference:
# https://docs.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-overview
# https://docs.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-custom-logs-api#send-sample-data
# https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview
# https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api#send-sample-data
# https://securitytidbits.wordpress.com/2017/04/14/powershell-and-gzip-compression/
# Custom Logs Limit
# Maximum size of API call: 1MB for both compressed and uncompressed data
# Maximum data/minute per DCR: 1 GB for both compressed and uncompressed data. Retry after the duration listed in the Retry-After header in the response.
# Maximum requests/minute per DCR: 6,000. Retry after the duration listed in the Retry-After header in the response.
# Maximum requests/minute per DCR: 6,000. Retry after the duration listed in the Retry-After header in the response.
#>
param(
param(
[Parameter(Mandatory=$true)]
[ValidateScript({
[ValidateScript({
if( -Not ($_ | Test-Path) ){
throw "File or folder does not exist"
}
}
return $true
})]
[string]$LogPath,
@ -75,7 +75,7 @@ param(
[Parameter(Mandatory=$true)]
[string]$AADAppSecret,
[Parameter(Mandatory=$true)]
[string]$DcrImmutableId,
@ -89,11 +89,11 @@ param(
#region HelperFunctions
Function Write-Log {
<#
.DESCRIPTION
.DESCRIPTION
Write-Log is used to write information to a log file and to the console.
.PARAMETER Severity
parameter specifies the severity of the log message. Values can be: Information, Warning, or Error.
parameter specifies the severity of the log message. Values can be: Information, Warning, or Error.
#>
[CmdletBinding()]
@ -102,18 +102,18 @@ Function Write-Log {
[ValidateNotNullOrEmpty()]
[string]$Message,
[string]$LogFileName,
[parameter()]
[ValidateNotNullOrEmpty()]
[ValidateSet('Information', 'Warning', 'Error')]
[string]$Severity = 'Information'
)
# Write the message out to the correct channel
# Write the message out to the correct channel
switch ($Severity) {
"Information" { Write-Host $Message -ForegroundColor Green }
"Warning" { Write-Host $Message -ForegroundColor Yellow }
"Error" { Write-Host $Message -ForegroundColor Red }
}
}
try {
[PSCustomObject] [ordered] @{
Time = (Get-Date -f g)
@ -122,8 +122,8 @@ Function Write-Log {
} | Export-Csv -Path "$PSScriptRoot\$LogFileName" -Append -NoTypeInformation -Force
}
catch {
Write-Error "An error occurred in Write-Log() method" -ErrorAction SilentlyContinue
}
Write-Error "An error occurred in Write-Log() method" -ErrorAction SilentlyContinue
}
}
#endregion
@ -133,7 +133,7 @@ Function Get-BearerToken {
Try {
Add-Type -AssemblyName System.Web
Write-Log -Message "Obtaining Access Token" -LogFileName $LogFileName -Severity Information
$scope = [System.Web.HttpUtility]::UrlEncode("https://monitor.azure.com//.default")
$scope = [System.Web.HttpUtility]::UrlEncode("https://monitor.azure.com//.default")
$body = "client_id=$AADAppId&scope=$scope&client_secret=$AADAppSecret&grant_type=client_credentials";
$headers = @{"Content-Type" = "application/x-www-form-urlencoded"};
$uri = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
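Review bot: `$body` is built by string interpolation, so `$AADAppSecret` goes on the wire without URL-encoding while `$scope` is encoded; a client secret containing `&`, `+`, `%` or `=` is split or decoded differently by the token endpoint and the request fails. Encode it the same way (`[System.Web.HttpUtility]::UrlEncode($AADAppSecret)`) or pass a hashtable as `-Body` and let `Invoke-RestMethod` do the form encoding. `$TenantID` here versus the `$TenantId` parameter works because PowerShell variables are case-insensitive, but it reads as a typo.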
@ -149,19 +149,19 @@ Function Get-BearerToken {
Function Send-DataToDCE {
[CmdletBinding()]
param (
[parameter(Mandatory = $true)] $JsonPayload,
param (
[parameter(Mandatory = $true)] $JsonPayload,
[parameter(Mandatory = $true)] $AccessToken,
[parameter(Mandatory = $true)] $DceURI,
[parameter(Mandatory = $true)] $DcrImmutableId,
[parameter(Mandatory = $true)] $StreamName,
[parameter(Mandatory = $true)] $ApiVersion
)
# Initialize Headers and URI for POST request to the Data Collection Endpoint (DCE)
$headers = @{"Authorization" = "Bearer $AccessToken"; "Content-Type" = "application/json"}
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/$StreamName`?api-version=$ApiVersion"
Try {
# Sending data to Data Collection Endpoint (DCE) -> Data Collection Rule (DCR) -> Azure Monitor table
$IngestionStatus = Invoke-RestMethod -Uri $uri -Method "POST" -Body $JsonPayload -Headers $headers -verbose
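Review bot: This hunk shows `param (` and the `$JsonPayload` parameter twice; if that is not an artifact of a whitespace-only diff, the second `param (` is a syntax error, so please confirm the final file has a single param block. On the parameters themselves, none are typed, so `[string]$DceURI`, `[string]$DcrImmutableId` and `[string]$StreamName` would catch a wrong object being passed before it is interpolated into the request URI. The hard-coded `-verbose` on `Invoke-RestMethod` also forces verbose output for every caller; use `-Verbose:$VerbosePreference`-style pass-through or drop it.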
@ -177,13 +177,13 @@ Function Send-DataToDCE {
# Check Powershell version, needs to be 5 or higher
if ($host.Version.Major -lt 5) {
Write-Log -Message "Supported PowerShell version for this script is 5 or above" -LogFileName $LogFileName -Severity Error
Write-Log -Message "Supported PowerShell version for this script is 5 or above" -LogFileName $LogFileName -Severity Error
exit
}
$ApiVersion = "2021-11-01-preview"
$TimeStamp = Get-Date -Format yyyyMMdd_HHmmss
$TimeStamp = Get-Date -Format yyyyMMdd_HHmmss
$LogFileName = '{0}_{1}.csv' -f "CustomlogsIngestion", $TimeStamp
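Review bot: The PowerShell version check at the top of this hunk calls `Write-Log -LogFileName $LogFileName` before `$LogFileName` is assigned (that happens two statements later with `'{0}_{1}.csv' -f "CustomlogsIngestion", $TimeStamp`), so on an unsupported host the log write targets `"$PSScriptRoot\"` and is swallowed by the catch in `Write-Log`. Move the `$TimeStamp`/`$LogFileName` assignments above the version check. The bare `exit` should also be `exit 1` so callers and CI can distinguish this early abort from a successful run.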
@ -207,21 +207,21 @@ foreach ($file in $LogPath){
##################
$bearerToken = Get-BearerToken
foreach ($dataset in $all_datasets){
foreach ($dataset in $all_datasets){
$extn = [IO.Path]::GetExtension($dataset)
if ($extn -ieq ".csv") {
$json_records = Get-Content $dataset | ConvertFrom-Csv | ConvertTo-Json
$json_payload= $json_records | Convertfrom-json | ConvertTo-Json
if ($extn -ieq ".csv") {
$json_records = Get-Content $dataset | ConvertFrom-Csv | ConvertTo-Json
$json_payload= $json_records | Convertfrom-json | ConvertTo-Json
}
else {
$json_records = Get-Content $dataset
$json_payload= $json_records | Convertfrom-json | ConvertTo-Json
}
$payload_size = ([System.Text.Encoding]::UTF8.GetBytes($json_payload).Length)
If ($payload_size -le 1mb) {
Write-Log -Message "Sending log events with size $dataset_size" -LogFileName $LogFileName -Severity Information
Send-DataToDCE -JsonPayload $json_payload -AccessToken $bearerToken -DceURI $DceURI -DcrImmutableId $DcrImmutableId -StreamName $StreamName -ApiVersion $ApiVersion
Send-DataToDCE -JsonPayload $json_payload -AccessToken $bearerToken -DceURI $DceURI -DcrImmutableId $DcrImmutableId -StreamName $StreamName -ApiVersion $ApiVersion
}
else {
# Maximum size of API call: 1MB for both compressed and uncompressed data
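Review bot: `Write-Log -Message "Sending log events with size $dataset_size"` references `$dataset_size`, which is never assigned in the visible lines; the computed value is `$payload_size`, so the message currently logs an empty size. Two smaller points in the same loop: `ConvertFrom-Csv | ConvertTo-Json` followed by `ConvertFrom-Json | ConvertTo-Json` is a redundant round-trip, and because the pipeline unrolls a single object, a one-row CSV serializes as a JSON object rather than the JSON array the ingestion stream expects; wrapping the records as `@(Get-Content $dataset | ConvertFrom-Csv) | ConvertTo-Json` keeps the payload an array for every input size.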