MaturityModelForEventLogManagementM2131 solution package 1.0.3

2022-05-05 16:20:31 +05:30 · 2022-05-05 16:20:31 +05:30 · 4567b96984
--- a/Solutions/MaturityModelForEventLogManagementM2131/Package/1.0.3.zip
+++ b/Solutions/MaturityModelForEventLogManagementM2131/Package/1.0.3.zip
--- a/Solutions/MaturityModelForEventLogManagementM2131/Package/createUiDefinition.json
+++ b/Solutions/MaturityModelForEventLogManagementM2131/Package/createUiDefinition.json
@ -6,7 +6,7 @@
    "config": {
      "isWizard": false,
      "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 4, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡[Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31)](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)).\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 4, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
        "subscription": {
          "resourceProviders": [
            "Microsoft.OperationsManagement/solutions",
@ -44,7 +44,7 @@
        "placeholder": "Select a workspace",
        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
        "constraints": {
-          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
          "required": true
        },
        "visible": true
@ -442,7 +442,7 @@
      }
    ],
    "outputs": {
-      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
      "location": "[location()]",
      "workspace": "[basics('workspace')]",
      "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
--- a/Solutions/MaturityModelForEventLogManagementM2131/Package/mainTemplate.json
+++ b/Solutions/MaturityModelForEventLogManagementM2131/Package/mainTemplate.json
--- a/Solutions/MaturityModelForEventLogManagementM2131/data/Solution_MaturityModelForEventLogManagementM2131.json
+++ b/Solutions/MaturityModelForEventLogManagementM2131/data/Solution_MaturityModelForEventLogManagementM2131.json
@ -30,5 +30,5 @@
  ],
  "Metadata": "SolutionMetadata.json",
  "BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
-  "Version": "1.0.1"
+  "Version": "1.0.3"
 }
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_CybersecurityMaturityModelCertification(CMMC)2.0.json
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_CybersecurityMaturityModelCertification(CMMC)2.0.json
@ -1,21 +0,0 @@
-{
-  "Name": "CybersecurityMaturityModelCertification(CMMC)2.0",
-  "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
-  "Description": "The Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 Solution provides a mechanism for viewing log queries aligned to CMMC 2.0 requirements across the Microsoft portfolio. This solution enables governance and compliance teams to design, build, monitor, and respond to CMMC 2.0 requirements across 25+ Microsoft products. The solution includes the new CMMC 2.0 Workbook, (2) Analytics Rules, and (1) Playbook. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.",
-  "Analytic Rules": [
-    "Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml",
-	"Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml"
-  ],
-  "Playbooks":  [
-  "Playbooks/Notify_GovernanceComplianceTeam.json",
-  "Playbooks/Open_DevOpsTaskRecommendation.json",
-  "Playbooks/Open_JIRATicketRecommendation.json"
-  ],
-  "Workbooks": [
-  "Workbooks/CybersecurityMaturityModelCertification(CMMC)2.0.json"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "C:\\GitHub\\azure\\Solutions\\CybersecurityMaturityModelCertification(CMMC)2.0",
-  "Version": "1.0.4"
-}
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_GitHub.json
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_GitHub.json
@ -1,42 +0,0 @@
-{
-  "Name": "GitHub",
-  "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/GitHub.svg\"width=\"75px\"height=\"75px\">",
-  "Description": "",
-  "Workbooks": [
-	  "Workbooks/GithubWorkbook.json"
-  ],
-  "Analytic Rules": [
-    "Detections/(Preview) GitHub - A payment method was removed.yaml",
-    "Detections/(Preview) GitHub - Activities from Infrequent Country.yaml",
-	"Detections/(Preview) GitHub - Oauth application - a client secret was removed.yaml",
-	"Detections/(Preview) GitHub - Repository was created.yaml",
-	"Detections/(Preview) GitHub - Repository was destroyed.yaml",
-	"Detections/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
-	"Detections/(Preview) GitHub - User visibility Was changed.yaml",
-	"Detections/(Preview) GitHub - User was added to the organization.yaml",
-	"Detections/(Preview) GitHub - User was blocked.yaml",
-	"Detections/(Preview) GitHub - User was invited to the repository .yaml",
-	"Detections/(Preview) GitHub - pull request was created.yaml",
-	"Detections/(Preview) GitHub - pull request was merged.yaml"
-  ],
-  "Hunting Queries": [
-	  "Hunting Queries/First Time User Invite and Add Member to Org.yaml",
-	  "Hunting Queries/Inactive or New Account Usage.yaml",
-	  "Hunting Queries/Mass Deletion of Repositories .yaml",
-	  "Hunting Queries/Oauth App Restrictions Disabled.yaml",
-	  "Hunting Queries/Org Repositories Default Permissions Change.yaml",
-	  "Hunting Queries/Repository Permission Switched to Public.yaml",
-	  "Hunting Queries/User First Time Repository Delete Activity.yaml",
-	  "Hunting Queries/User Grant Access and Grants Other Access.yaml"
-  ],
-  "Parsers": [
-	  "Parsers/GitHubAuditData.txt"
-	  ],
-  "Data Connectors": [
-    "Data Connectors/azuredeploy_GitHub_native_poller_connector.json"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "C:\\GitHub\\azure\\Solutions\\GitHub",
-  "Version": "1.0.48"
-}
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_InfobloxNIOS.json
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_InfobloxNIOS.json
@ -1,46 +0,0 @@
-{
-  "Name": "Infoblox NIOS",
-  "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\"width=\"75px\"height=\"75px\">",
-  "Description": "The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) is the operating system that powers Infoblox core network services, ensuring non-stop operation of network infrastructure. The basis for Next Level Networking, NIOS automates the error-prone and time-consuming manual tasks associated with deploying and managing DNS, DHCP, and IP address management (IPAM) required for continuous network availability and business uptime.",
-  "Data Connectors" : [
-    "Data Connectors/Connector_Syslog_Infoblox.json"
-    ],
-  "Workbooks": [
-	"Workbooks/Infoblox-Workbook-V2.json"
-	],
-  "Parsers": [
-	"Parser/InfobloxNIOS.txt",
-	"Parser/Infoblox_all.txt",
-	"Parser/Infoblox_allotherdhcpdTypes.txt",
-	"Parser/Infoblox_allotherdnsTypes.txt",
-	"Parser/Infoblox_dhcp_consolidated.txt",
-	"Parser/Infoblox_dhcpadded.txt",
-	"Parser/Infoblox_dhcpbindupdate.txt",
-	"Parser/Infoblox_dhcpdiscover.txt",
-	"Parser/Infoblox_dhcpexpire.txt",
-	"Parser/Infoblox_dhcpinform.txt",
-	"Parser/Infoblox_dhcpoffer.txt",
-	"Parser/Infoblox_dhcpoption.txt",
-	"Parser/Infoblox_dhcpother.txt",
-	"Parser/Infoblox_dhcppack.txt",
-	"Parser/Infoblox_dhcprelease.txt",
-	"Parser/Infoblox_dhcpremoved.txt",
-	"Parser/Infoblox_dhcprequest.txt",
-	"Parser/Infoblox_dhcpsession.txt",
-	"Parser/Infoblox_dns_consolidated.txt",
-	"Parser/Infoblox_dnsclient.txt",
-	"Parser/Infoblox_dnsgss.txt",
-	"Parser/Infoblox_dnszone.txt"
-    ],
-  "Analytic Rules": [
-	"Analytic Rules/ExcessiveNXDOMAINDNSQueries.yaml",
-	"Analytic Rules/PotentialDHCPStarvationAttack.yaml"
-	],
-  "Watchlists": [
-	"Workbooks/Watchlist/InfobloxDevices-watchlist.json"
-	],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox NIOS\\",
-  "Version": "1.0.2"
-}
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
@ -0,0 +1,34 @@
+
+{
+  "Name": "MaturityModelForEventLogManagementM2131",
+  "Author": "TJ Banasik - thomas.banasik@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].",
+  "Workbooks": [
+  "Workbooks/MaturityModelForEventLogManagement_M2131.json"
+  ],
+  "Playbooks": [
+  "Playbooks/Notify_LogManagementTeam.json",
+  "Playbooks/Open_DevOpsTaskRecommendation.json",
+  "Playbooks/Open_JIRATicketRecommendation.json"
+  ],
+  "Analytic Rules": [
+  "Analytic Rules/M2131AssetStoppedLogging.yaml",
+  "Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL0.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL1.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL2.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL3.yaml",
+  "Analytic Rules/M2131LogRetentionLessThan1Year.yaml",
+  "Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml"
+  ],
+  "Hunting Queries": [
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL2.yaml",
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
+  "Version": "1.0.3"
+}