CSE Solution packaged
This commit is contained in:
Родитель
df1fc2c6b8
Коммит
394a009016
|
@ -7,7 +7,7 @@
|
|||
"Workbooks/Cisco Secure Endpoint Overview.json"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/CiscoSecureEndpoint.txt"
|
||||
"Parsers/CiscoSecureEndpoint.yaml"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Hunting Queries/CiscoSEInfectedHosts.yaml",
|
||||
|
@ -38,7 +38,7 @@
|
|||
"Analytic Rules/CiscoSEWebshell.yaml"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoSecureEndpoint",
|
||||
"Version": "2.0.1",
|
||||
"Version": "3.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
|
|
Двоичные данные
Solutions/Cisco Secure Endpoint/Package/3.0.0.zip
Двоичные данные
Solutions/Cisco Secure Endpoint/Package/3.0.0.zip
Двоичный файл не отображается.
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Endpoint/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Endpoint](https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html) (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Endpoint/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Endpoint](https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html) (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -60,14 +60,14 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the data connector for ingesting Cisco Secure Endpoint audit logs and events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
"text": "This Solution installs the data connector for Cisco Secure Endpoint. You can get Cisco Secure Endpoint custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution also installs a parser that transforms ingested data. The transformed logs can be accessed using the CiscoSecureEndpoint Kusto Function alias."
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
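Review bot: The replacement `"text"` on the `dataconnectors-parser-text` block ("The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format…") overstates what ships: the parser deployed in mainTemplate is a `project-rename` over `CiscoSecureEndpoint_CL` onto ASIM-style column names with no EventSchema/EventType/EventCount fields, so calling it "normalized format" is misleading, and the new text also drops the one detail an analyst needs — the function alias — which the replaced sentence carried. Suggested wording: `"text": "The solution also installs a parser that renames the raw CiscoSecureEndpoint_CL columns to Sentinel-style field names. The parsed data can be queried through the CiscoSecureEndpoint Kusto function alias."`. Which side of each pair is new is inferred from the `**Parsers:** 1` addition in the description above, since the page lost its +/- markers; the enclosing `elements` array continues outside the hunk.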
|
|
@ -51,6 +51,13 @@
|
|||
"_workbookContentId1": "[variables('workbookContentId1')]",
|
||||
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
|
||||
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
|
||||
"parserObject1": {
|
||||
"_parserName1": "[concat(parameters('workspace'),'/','CiscoSecureEndpoint Data Parser')]",
|
||||
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint Data Parser')]",
|
||||
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('CiscoSecureEndpoint-Parser')))]",
|
||||
"parserVersion1": "1.0.0",
|
||||
"parserContentId1": "CiscoSecureEndpoint-Parser"
|
||||
},
|
||||
"huntingQueryObject1": {
|
||||
"huntingQueryVersion1": "1.0.0",
|
||||
"_huntingQuerycontentId1": "2b2415f3-6bfd-48df-8f9f-a1ccf67449f5",
|
||||
|
@ -278,6 +285,138 @@
|
|||
"version": "[variables('workbookVersion1')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[variables('parserObject1').parserTemplateSpecName1]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"dependsOn": [
|
||||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "CiscoSecureEndpoint Data Parser with template version 3.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('parserObject1').parserVersion1]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"name": "[variables('parserObject1')._parserName1]",
|
||||
"apiVersion": "2022-10-01",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"eTag": "*",
|
||||
"displayName": "CiscoSecureEndpoint Data Parser",
|
||||
"category": "Microsoft Sentinel Parser",
|
||||
"functionAlias": "CiscoSecureEndpoint",
|
||||
"query": "CiscoSecureEndpoint_CL\n| extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n| project-rename \n EventSubType = audit_log_type_s,\n SrcUserName = audit_log_user_s,\n DstMacAddr = computer_network_addresses_s,\n DstHostname = computer_hostname_s,\n DstUsername = computer_user_s,\n DstIpAddr = computer_external_ip_s,\n ConnectorGuid = connector_guid_g,\n GroupGuid = group_guids_s,\n DvcId = id_d,\n EventOriginalId = event_type_id_d,\n ThreatName = detection_s,\n ThreatId = detection_id_s,\n ThreatSeverity = severity_s,\n DstDvcHostname = new_attributes_name_s,\n DvcHostname = new_attributes_hostname_s,\n DvcIpAddr = new_attributes_ip_external_s,\n DstDvcOsId = new_attributes_operating_system_id_d,\n EventProductVersion = new_attributes_product_version_id_d,\n SrcDvcId = computer_connector_guid_g,\n ComputerLinksComputer = computer_links_computer_s,\n ComputerLinksTrajectory = computer_links_trajectory_s,\n ComputerLinksGroup = computer_links_group_s,\n IndicatorThreatType = file_disposition_s,\n SrcFileName = file_file_name_s,\n SrcFilePath = file_file_path_s,\n SrcFileMD5 = file_identity_md5_g,\n SrcFileSHA1 = file_identity_sha1_s,\n SrcFileSHA256 = file_identity_sha256_s,\n ParentProcessId = file_parent_process_id_d,\n ParentProcessMD5 = file_parent_identity_md5_g,\n ParentProcessSHA1 = file_parent_identity_sha1_s,\n ParentProcessSHA256 = file_parent_identity_sha256_s,\n ParentProcessName = file_parent_file_name_s,\n ParentProcessFileDescription = file_parent_disposition_s\n| extend\n EventEndTime=iff(isnotempty(created_at_t), created_at_t, date_t),\n EventMessage=iff(isnotempty(event_s), event_s, event_type_s),\n Hostname = DstHostname,\n User = DstUsername\n| project-away \n created_at_t,\n date_t,\n event_s,\n event_type_s\n",
|
||||
"functionParameters": "",
|
||||
"version": 2,
|
||||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('parserObject1')._parserId1]"
|
||||
],
|
||||
"properties": {
|
||||
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint Data Parser')]",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"kind": "Parser",
|
||||
"version": "[variables('parserObject1').parserVersion1]",
|
||||
"source": {
|
||||
"name": "Cisco Secure Endpoint",
|
||||
"kind": "Solution",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"packageKind": "Solution",
|
||||
"packageVersion": "[variables('_solutionVersion')]",
|
||||
"packageName": "[variables('_solutionName')]",
|
||||
"packageId": "[variables('_solutionId')]",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"contentKind": "Parser",
|
||||
"displayName": "CiscoSecureEndpoint Data Parser",
|
||||
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
|
||||
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
|
||||
"version": "[variables('parserObject1').parserVersion1]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
|
||||
"apiVersion": "2022-10-01",
|
||||
"name": "[variables('parserObject1')._parserName1]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"eTag": "*",
|
||||
"displayName": "CiscoSecureEndpoint Data Parser",
|
||||
"category": "Microsoft Sentinel Parser",
|
||||
"functionAlias": "CiscoSecureEndpoint",
|
||||
"query": "CiscoSecureEndpoint_CL\n| extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n| project-rename \n EventSubType = audit_log_type_s,\n SrcUserName = audit_log_user_s,\n DstMacAddr = computer_network_addresses_s,\n DstHostname = computer_hostname_s,\n DstUsername = computer_user_s,\n DstIpAddr = computer_external_ip_s,\n ConnectorGuid = connector_guid_g,\n GroupGuid = group_guids_s,\n DvcId = id_d,\n EventOriginalId = event_type_id_d,\n ThreatName = detection_s,\n ThreatId = detection_id_s,\n ThreatSeverity = severity_s,\n DstDvcHostname = new_attributes_name_s,\n DvcHostname = new_attributes_hostname_s,\n DvcIpAddr = new_attributes_ip_external_s,\n DstDvcOsId = new_attributes_operating_system_id_d,\n EventProductVersion = new_attributes_product_version_id_d,\n SrcDvcId = computer_connector_guid_g,\n ComputerLinksComputer = computer_links_computer_s,\n ComputerLinksTrajectory = computer_links_trajectory_s,\n ComputerLinksGroup = computer_links_group_s,\n IndicatorThreatType = file_disposition_s,\n SrcFileName = file_file_name_s,\n SrcFilePath = file_file_path_s,\n SrcFileMD5 = file_identity_md5_g,\n SrcFileSHA1 = file_identity_sha1_s,\n SrcFileSHA256 = file_identity_sha256_s,\n ParentProcessId = file_parent_process_id_d,\n ParentProcessMD5 = file_parent_identity_md5_g,\n ParentProcessSHA1 = file_parent_identity_sha1_s,\n ParentProcessSHA256 = file_parent_identity_sha256_s,\n ParentProcessName = file_parent_file_name_s,\n ParentProcessFileDescription = file_parent_disposition_s\n| extend\n EventEndTime=iff(isnotempty(created_at_t), created_at_t, date_t),\n EventMessage=iff(isnotempty(event_s), event_s, event_type_s),\n Hostname = DstHostname,\n User = DstUsername\n| project-away \n created_at_t,\n date_t,\n event_s,\n event_type_s\n",
|
||||
"functionParameters": "",
|
||||
"version": 2,
|
||||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('parserObject1')._parserId1]"
|
||||
],
|
||||
"properties": {
|
||||
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint Data Parser')]",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"kind": "Parser",
|
||||
"version": "[variables('parserObject1').parserVersion1]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Cisco Secure Endpoint",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
|
@ -1535,31 +1674,31 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "NetworkAddresses_ip",
|
||||
"identifier": "Address"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "IP"
|
||||
},
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "computer_hostname_s",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "URL",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "computer_links_trajectory_s",
|
||||
"identifier": "Url"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "URL"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -1657,22 +1796,22 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -1773,22 +1912,22 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -1889,22 +2028,22 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2005,22 +2144,22 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2119,13 +2258,13 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2224,13 +2363,13 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2328,13 +2467,13 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2432,22 +2571,22 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2546,13 +2685,13 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2650,22 +2789,22 @@
|
|||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Malware",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "MalwareCustomEntity",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Malware"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -2722,7 +2861,7 @@
|
|||
"contentSchemaVersion": "3.0.0",
|
||||
"displayName": "Cisco Secure Endpoint",
|
||||
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
|
||||
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Endpoint/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html\">Cisco Secure Endpoint</a> (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint <a href=\"https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1\">audit logs</a> and <a href=\"https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1\">events</a> into Microsoft Sentinel.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><p><a href=\"https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api\">Azure Monitor HTTP Data Collector API</a></p>\n</li>\n<li><p><a href=\"https://azure.microsoft.com/services/functions/#overview\">Azure Functions</a></p>\n</li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 11, <strong>Hunting Queries:</strong> 10</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
|
||||
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Endpoint/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html\">Cisco Secure Endpoint</a> (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint <a href=\"https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1\">audit logs</a> and <a href=\"https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1\">events</a> into Microsoft Sentinel.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><p><a href=\"https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api\">Azure Monitor HTTP Data Collector API</a></p>\n</li>\n<li><p><a href=\"https://azure.microsoft.com/services/functions/#overview\">Azure Functions</a></p>\n</li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 11, <strong>Hunting Queries:</strong> 10</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
|
||||
"contentKind": "Solution",
|
||||
"contentProductId": "[variables('_solutioncontentProductId')]",
|
||||
"id": "[variables('_solutioncontentProductId')]",
|
||||
|
@ -2752,6 +2891,11 @@
|
|||
"contentId": "[variables('_workbookContentId1')]",
|
||||
"version": "[variables('workbookVersion1')]"
|
||||
},
|
||||
{
|
||||
"kind": "Parser",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"version": "[variables('parserObject1').parserVersion1]"
|
||||
},
|
||||
{
|
||||
"kind": "HuntingQuery",
|
||||
"contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
|
||||
|
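Review bot: The parser `contentProductId` and `id` in the contentTemplates resource (`uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0'))`) hard-code the version while every sibling field reads `variables('parserObject1').parserVersion1`, so a future bump of `parserVersion1` leaves the product id stale or drifting from the metadata `version`. Replace the `'1.0.0'` literal with `variables('parserObject1').parserVersion1` in both expressions, matching how `_workbookcontentProductId1` derives from `workbookVersion1`. Separately, the parser `query` applies `project-rename` to every `CiscoSecureEndpoint_CL` column it knows about; if I recall KQL semantics correctly, `project-rename` raises a resolution error when a source column is absent, so the function would fail outright in a workspace where a field such as `file_parent_identity_md5_g` has never been ingested — `column_ifexists()` guards would keep the alias usable on partial data. Minor: the metadata resource nested inside the contentTemplates `mainTemplate` has no `location` while the directly deployed metadata resource does; the two should agree.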
|