solution updated azure firewall with playbook (#5938)

* solution updated azure firewall with playbook

* added skip validations

* update package

* Updated ui

* Update SkipValidationsTemplates.json

Co-authored-by: v-amolpatil <v-amolpatil@microsoft.com>
Co-authored-by: v-sabiraj <v-sabiraj@microsoft.com>

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -204,6 +204,11 @@
     "templateName": "NewHighSeverityVulnDetectedAcrossMulitpleHostsV2.yaml",
     "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
   },
+  {
+    "id": "61e1b765-da84-47a5-adb3-ace3ae7f2937",
+    "templateName": "SeveralDenyActionsRegistered.yaml",
+    "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+  },
   {
     "id": "dbba4298-45b2-4ded-887f-874632a701b4",
     "templateName": "AccountCreatedandDeletedinShortTimeframe.yaml",

.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json

@@ -10,6 +10,8 @@
     "3755058f-8d97-4fca-b543-603d56c6fd30",
     "96c8f92e-a617-4158-94ea-dea51557b40e",
     "089e2363-8a7a-4899-9ac4-23fcad3104c1",
+    "da498ea0-f3bd-437f-9f36-eaf5ba5e0a6c",
+    "61e1b765-da84-47a5-adb3-ace3ae7f2937",
     "da498ea0-f3bd-437f-9f36-eaf5ba5e0a6c",        
     "dbba4298-45b2-4ded-887f-874632a701b4",
     "1116337d-c2dd-4e58-9e5b-afd6bfcb51c1",

.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json

@@ -32,6 +32,7 @@
   "96c8f92e-a617-4158-94ea-dea51557b40e",
   "089e2363-8a7a-4899-9ac4-23fcad3104c1",
   "da498ea0-f3bd-437f-9f36-eaf5ba5e0a6c",
+  "61e1b765-da84-47a5-adb3-ace3ae7f2937",
   "dbba4298-45b2-4ded-887f-874632a701b4",
   "1116337d-c2dd-4e58-9e5b-afd6bfcb51c1",
   "e7b9ea73-1980-4318-96a6-da559486664b",

Detections/AzureFirewall/SeveralDenyActionsRegistered.yaml

@@ -1,47 +1,4 @@
-id: f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e
+id: 61e1b765-da84-47a5-adb3-ace3ae7f2937
 name: Several deny actions registered
 description: |
-  'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.'
-severity: Medium
-requiredDataConnectors:
-  - connectorId: AzureFirewall
-    dataTypes: 
-      - AzureDiagnostics
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 1
-tactics:
-  - Discovery
-  - LateralMovement
-  - CommandAndControl
-relevantTechniques:
-  - T1046
-  - T1071
-  - T1210
-query: |
-
-  let threshold = 1;
-  AzureDiagnostics
-      | where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog")
-      | extend msg_s_replaced0 = replace(@"\s\s",@" ",msg_s)
-      | extend msg_s_replaced1 = replace(@"\.\s",@" ",msg_s_replaced0)
-      | extend msg_a = split(msg_s_replaced1," ")
-      | extend srcAddr_a = split(msg_a[3],":") , destAddr_a = split(msg_a[5],":")
-      | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])
-      | where action == "Deny"
-      | extend url = iff(destIp matches regex "\\d+\\.\\d+\\.\\d+\\.\\d+","",destIp)
-      | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol
-      | where count_ >= ["threshold"]
-      | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp
-entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: IPCustomEntity
-  - entityType: URL
-    fieldMappings:
-      - identifier: Url
-        columnName: URLCustomEntity
-version: 1.0.1
-kind: Scheduled
+  'As part of content migration , this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Firewall'

Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml

@@ -0,0 +1,48 @@
+id: f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e
+name: Several deny actions registered
+description: |
+  'Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: AzureFirewall
+    dataTypes: 
+      - AzureDiagnostics
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 1
+tactics:
+  - Discovery
+  - LateralMovement
+  - CommandAndControl
+relevantTechniques:
+  - T1046
+  - T1071
+  - T1210
+query: |
+
+  let threshold = 1;
+  AzureDiagnostics
+      | where OperationName in ("AzureFirewallApplicationRuleLog","AzureFirewallNetworkRuleLog")
+      | extend msg_s_replaced0 = replace(@"\s\s",@" ",msg_s)
+      | extend msg_s_replaced1 = replace(@"\.\s",@" ",msg_s_replaced0)
+      | extend msg_a = split(msg_s_replaced1," ")
+      | extend srcAddr_a = split(msg_a[3],":") , destAddr_a = split(msg_a[5],":")
+      | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])
+      | where action == "Deny"
+      | extend url = iff(destIp matches regex "\\d+\\.\\d+\\.\\d+\\.\\d+","",destIp)
+      | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol
+      | where count_ >= ["threshold"]
+      | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+version: 1.0.1
+kind: Scheduled

Solutions/Azure Firewall/Data/Solution_AzureFirewall.json

@@ -0,0 +1,23 @@
+{
+  "Name": "Azure Firewall",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ArubaClearPass.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The [Azure Firewall](https://docs.microsoft.com/azure/firewall/overview) solution for Microsoft Sentinel enables ingestion of DNS Proxy, Application Rule and Network Rule [logs](https://docs.microsoft.com/azure/firewall/logs-and-metrics) from Azure Firewalls.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)",
+  "Workbooks": [
+    "Solutions/Azure Firewall/Workbooks/AzureFirewallWorkbook.json"
+  ],
+  "Playbooks": [
+  "Solutions/Azure Firewall/Playbooks/AzureFirewallConnector/azuredeploy.json",
+   "Solutions/Azure Firewall/Playbooks/AzureFirewall-BlockIP-addToIPGroup/azuredeploy.json",
+   "Solutions/Azure Firewall/Playbooks/AzureFirewall-AddIPtoTIAllowList/azuredeploy.json",
+   "Solutions/Azure Firewall/Playbooks/AzureFirewall-BlockIP-addNewRule/azuredeploy.json"
+  ],
+  "Analytic Rules": [
+	"Solutions/Azure Firewall/Analytic Rules/SeveralDenyActionsRegistered.yaml"
+  ],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel",
+  "Version": "2.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": true
+}

Solutions/Azure Firewall/Package/createUiDefinition.json

@@ -0,0 +1,159 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Azure Firewall](https://docs.microsoft.com/azure/firewall/overview) solution for Microsoft Sentinel enables ingestion of DNS Proxy, Application Rule and Network Rule [logs](https://docs.microsoft.com/azure/firewall/logs-and-metrics) from Azure Firewalls.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Azure Monitor Resource Diagnostics](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Workbooks:** 1, **Analytic Rules:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "workbooks",
+        "label": "Workbooks",
+        "subLabel": {
+          "preValidation": "Configure the workbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Workbooks",
+        "elements": [
+          {
+            "name": "workbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view. "
+            }
+          },
+          {
+            "name": "workbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+              }
+            }
+          }
+        ]
+      },
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "Several deny actions registered",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall."
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}

Solutions/Azure Firewall/Playbooks/AzureFirewallConnector/azuredeploy.json

@@ -16,7 +16,7 @@
   },
   "variables": {
     "azure": "[concat('https://management','.azure','.com')]",
-    "domain": "[replace([concat('https://management','.azure','.com')], 'https://', '')]"
+    "domain": "[replace(variables('azure'), 'https://', '')]"
   },
   "resources": [
     {

Solutions/Azure Firewall/SolutionMetadata.json

@@ -0,0 +1,16 @@
+{
+	"publisherId": "azuresentinel",
+	"offerId": "azure-sentinel-solution-azurefirewall",
+	"firstPublishDate": "2022-05-23",
+	"providers": ["Microsoft"],
+	"categories": {
+		"domains" : ["Security - Threat Protection"],
+		"verticals": []
+	},
+	"support": {
+		"tier": "Microsoft",
+		"name": "Microsoft Corporation",
+		"email": "support@microsoft.com",
+		"link": "https://support.microsoft.com/"
+	}
+}

Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/DetectionsMigrated.json

@@ -65,6 +65,12 @@
         "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/QualysVMV2/",
         "NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Analytic%20Rules"
     },
+    {
+        "FileName": "SeveralDenyActionsRegistered.yaml",
+        "DetectionId": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e",
+        "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureFirewall/",
+        "NewPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Firewall/Analytic%20Rules"
+    },
     {
         "FileName": "AccountCreatedandDeletedinShortTimeframe.yaml",
         "DetectionId": "bb616d82-108f-47d3-9dec-9652ea0d3bf6",

Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/PlaybooksMigrated.json

@@ -68,8 +68,8 @@
         "NewPath": "Solutions/Servicenow/Playbooks/SNOW-CreateAndUpdateIncident"
     },
     {
-        "OldPath": "Playbooks/AzureFirewall",
-        "NewPath": "Solutions/Azure Firewall/Playbooks"
+        "OldPath": "Playbooks/AzureFirewall/AzureFirewall-AddIPtoTIAllowList",
+        "NewPath": "Solutions/Azure Firewall/Playbooks/AzureFirewall-AddIPtoTIAllowList"
     },
     {
         "OldPath": "Playbooks/CrowdStrike/Playbooks/CrowdStrike_Base",
@@ -116,20 +116,16 @@
         "NewPath": "Solutions/MicrosoftDefenderForEndpoint/Playbooks/Unisolate-MDEMachine"
     },
     {
-        "OldPath": "Playbooks/Get-VirusTotalDomainReport",
-        "NewPath": "Solutions/VirusTotal/Playbooks/Get-VirusTotalDomainReport"
+        "OldPath": "Playbooks/AzureFirewall/AzureFirewall-BlockIP-addNewRule",
+        "NewPath": "Solutions/Azure Firewall/Playbooks/AzureFirewall-BlockIP-addNewRule"
     },
     {
-        "OldPath": "Playbooks/Get-VirusTotalFileInfo",
-        "NewPath": "Solutions/VirusTotal/Playbooks/Get-VirusTotalFileInfo"
+        "OldPath": "Playbooks/AzureFirewall/AzureFirewall-BlockIP-addToIPGroup",
+        "NewPath": "Solutions/Azure Firewall/Playbooks/AzureFirewall-BlockIP-addToIPGroup"
     },
     {
-        "OldPath": "Playbooks/Get-VirusTotalIPReport",
-        "NewPath": "Solutions/VirusTotal/Playbooks/Get-VirusTotalIPReport"
-    },
-    {
-        "OldPath": "Playbooks/Get-VirusTotalURLReport",
-        "NewPath": "Solutions/VirusTotal/Playbooks/Get-VirusTotalURLReport"
+        "OldPath": "Playbooks/AzureFirewall/AzureFirewallConnector",
+        "NewPath": "Solutions/Azure Firewall/Playbooks/AzureFirewallConnector"
     },
     {
         "OldPath": "Playbooks/Advanced-SNOW-Teams-Integration",