Merge pull request #5058 from Azure/v-ntripathi/InfobloxCDC

Infoblox CDC connectivity criteria change.
This commit is contained in:
Anki Narravula 2022-05-24 14:08:44 +05:30 committed by GitHub
Parent 9808b3ec28 47e22c57bf
Commit 42a67e8191
No key matching this signature was found
GPG key ID: 4AEE18F83AFDEB23
6 changed files: 242 additions and 51 deletions

View file

@ -51,7 +51,7 @@
{
"type": "IsConnectedQuery",
"value": [
"InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
"InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)"
]
}
],
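Review bot: tightening `ago(30d)` to `ago(3d)` means the connector flips to "not connected" after 72 hours without events, so the connector documentation should state the new window. Note also that the query runs against `InfobloxCDC`, which is the parser function shipped as `Parsers/InfobloxCDC.txt`, rather than against the raw `CommonSecurityLog` table; the connectivity check therefore depends on that parser being deployed in the workspace, and if it is missing the query fails to resolve and the connector can never report as connected.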

View file

@ -13,8 +13,11 @@
"Data Connectors": [
"Data Connectors/InfobloxCloudDataConnector.json"
],
"Parsers": [
"Parsers/InfobloxCDC.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
"Version": "1.1.0"
"Version": "2.0.1"
}
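Review bot: the `Version` jump from 1.1.0 to 2.0.1 together with the newly listed `Parsers/InfobloxCDC.txt` must match what was built into `Package/2.0.1.zip` in this same PR; because the connector's connectivity query now targets the `InfobloxCDC` parser, a package produced without the parser would leave the connector unable to report connected. `BasePath` remains a developer-local Windows path (`C:\\GitHub\\azure\\...`), which is the repository's packaging convention but means the file cannot be reused unchanged on another machine.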

Binary data
Solutions/Infoblox Cloud Data Connector/Package/2.0.1.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
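Review bot: the rebranding to Microsoft Sentinel and the updated counts (`Parsers: 1`, `Analytic Rules: 3`) are consistent with the rest of the PR, but the description still opens with the "currently in public preview" notice; confirm that is still accurate for a 2.0.1 release, otherwise drop that paragraph.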
@ -44,7 +44,7 @@
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
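Review bot: wrapping `filter.id` in `toLower()` fixes the case mismatch, but `contains()` is still a substring test over the whole resource ID, so a resource group whose name is contained in another group's name (or in any other ID segment) can surface that group's workspaces in the dropdown as well; if the list ever turns out ambiguous, comparing the resource-group segment of the ID rather than the whole string would be more precise.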
@ -60,7 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Microsoft Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
@ -98,7 +105,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
@ -114,7 +121,7 @@
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Get a closer look at your BloxOne Threat Defense security event data. This workbook is intended to help visualize BloxOne Threat Defense data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
"text": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
}
},
{
@ -146,7 +153,7 @@
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"text": "This Microsoft Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@ -156,13 +163,13 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "High Number of High Threat Level Detected",
"label": "Infoblox - High Number of High Threat Level Queries Detected",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This creates an incident in the event a host generates a high number of high threat level queries."
"text": "This creates an incident in the event a single host generates at least 200 high threat level RPZ queries (Threat Defense security hits) in 1 hour. Query count threshold and scheduling is customizable."
}
}
]
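Review bot: the new text reads "Query count threshold and scheduling is customizable"; with two subjects it should be "are customizable" (the same sentence recurs in the analytic2 and analytic3 blocks in the next hunk). The concrete threshold (200 RPZ hits per host per hour) is a clear improvement over the old wording; keep the same numbers in the rule's YAML so the UI text and the deployed default cannot drift apart.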
@ -170,13 +177,27 @@
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "High Number of NXDOMAIN DNS Queries Detected",
"label": "Infoblox - High Number of NXDOMAIN DNS Responses Detected",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This creates an incident in the event a host generates a high number of DNS queries for non-existent domains."
"text": "This creates an incident in the event a single host generates at least 200 DNS responses for non-existent domains in 1 hour. Query count threshold and scheduling is customizable."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Infoblox - High Threat Level Query Not Blocked Detected",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable."
}
}
]
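Review bot: analytic3 fires on at least 1 unblocked high-threat-level query per host per hour, so every allowed Threat Defense hit produces an incident; that is a sensible default for a detection that should never stay silent, but the rule definition should group or suppress repeat events from the same host within the window so a burst of unblocked queries does not open one incident per run.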
@ -185,7 +206,7 @@
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
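Review bot: deriving `workspace-location` from the selected workspace's own location instead of `resourceGroup().location` is the right fix (a workspace need not live in its resource group's region), but `first()` over an empty array is a deployment-time error. `equals(filter.name, basics('workspace'))` only guarantees a match because the dropdown offers workspaces from the same `contains(toLower(filter.id), toLower(resourceGroup().name))` filter, so the two expressions must keep that predicate identical; a comment pointing at the `allowedValues` expression would make that coupling visible to the next editor.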

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,23 @@
{
"Name": "Infoblox Cloud Data Connector",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).",
"WorkbookDescription": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.",
"Workbooks": ["Workbooks/InfobloxCDCB1TDWorkbook.json"],
"Analytic Rules": [
"Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml",
"Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml",
"Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml"
],
"Data Connectors": [
"Data Connectors/InfobloxCloudDataConnector.json"
],
"Parsers": [
"Parsers/InfobloxCDC.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
"Version": "2.0.1"
}
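Review bot: this new file repeats the `BasePath`, `Version` (2.0.1), `Metadata`, `Data Connectors` and `Parsers` entries of the existing solution data file modified earlier in this PR and adds `Name`, `Author`, `Logo`, `Description`, `WorkbookDescription`, `Workbooks` and `Analytic Rules`; two input files for one solution invite drift, so either remove the older file or document which one the packaging tool reads. The `Author` field also embeds a personal corporate email address in the repository.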