Infoblox CDC connectivity criteria change.
This commit is contained in:
Parent
48f1ccbb29
Commit
47e22c57bf
|
@ -51,7 +51,7 @@
|
|||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
|
||||
"InfobloxCDC\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
|
|
|
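Review bot: the new IsConnectedQuery value calls the `InfobloxCDC` parser function with a 3-day window (`ago(3d)`, was `ago(30d)`), so the connector tile now depends on Parsers/InfobloxCDC.txt being deployed in the workspace before it can ever report connected; if the parser function is absent the query errors instead of returning `IsConnected = false`. Either query the CommonSecurityLog table here (the data-connector text elsewhere in this commit says that is where the logs land) with an Infoblox vendor filter, or state the parser dependency in the connector's instructions. The 30d to 3d change is also a real behaviour change (a long weekend plus one day of outage now flips the tile to disconnected) and deserves a sentence in the commit message beyond "connectivity criteria change".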
@ -13,8 +13,11 @@
|
|||
"Data Connectors": [
|
||||
"Data Connectors/InfobloxCloudDataConnector.json"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/InfobloxCDC.txt"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
|
||||
"Version": "1.1.0"
|
||||
"Version": "2.0.1"
|
||||
}
|
||||
|
||||
|
|
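Review bot: `"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector"` is a path on one contributor's machine, so the packaging tool cannot resolve the newly listed `Data Connectors/InfobloxCloudDataConnector.json` and `Parsers/InfobloxCDC.txt` for anyone else or in CI; the deleted input files for ZeroTrust(TIC3.0) and IoTOTThreatMonitoringwithDefenderforIoT further down use the `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/...` form, which is the portable one and should be used here. Also confirm the jump from `1.1.0` straight to `2.0.1` is intended (a parser plus a new analytic rule justifies a major bump; `2.0.1` implies a `2.0.0` that this hunk does not show).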
Binary file not shown.
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
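Review bot: the content counts in the description (`**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 3`) are hand-maintained text, and they do match the one connector, one parser, one workbook and three analytic rules listed in the Solution input file added in this commit; because the counts and the file lists live in different files, change them together on the next content bump. The remainder of the hunk is the Azure Sentinel to Microsoft Sentinel rename, which is applied consistently across the other text blocks in this UI definition.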
@ -44,7 +44,7 @@
|
|||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
|
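Review bot: lower-casing `filter.id` before the `contains` fixes the case mismatch (the old expression compared the mixed-case resource ID against a lower-cased resource group name, so workspaces in resource groups containing capital letters were filtered out of the dropdown), but `contains` on the whole resource ID is still a substring match: a resource group named `rg` also matches `rg-prod` and any other ID segment containing `rg`. Match the resource-group segment instead, e.g. `contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))`. The same predicate is repeated in the `workspace-location` output further down and should be changed in both places.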
@ -60,7 +60,14 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
|
||||
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Microsoft Sentinel / Azure Log Analytics workspace."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
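Review bot: the new `dataconnectors-parser-text` block says the parser transforms ingested data "into Microsoft Sentinel normalized format", which readers will take to mean an ASIM parser; this diff does not include Parsers/InfobloxCDC.txt, so that claim cannot be checked here. If `InfobloxCDC` is a KQL function that projects CommonSecurityLog fields into Infoblox-specific columns rather than an ASIM schema, say that instead, and tell the user the parser must be deployed before the connector's own connectivity query (which calls `InfobloxCDC`) will work. Minor style: the sibling blocks say "This Solution installs", this one says "The Solution installs".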
@ -98,7 +105,7 @@
|
|||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
|
||||
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
|
||||
|
@ -114,7 +121,7 @@
|
|||
"name": "workbook1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Get a closer look at your BloxOne Threat Defense security event data. This workbook is intended to help visualize BloxOne Threat Defense data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
|
||||
"text": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -146,7 +153,7 @@
|
|||
"name": "analytics-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Azure Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
|
||||
"text": "This Microsoft Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
|
@ -156,13 +163,13 @@
|
|||
{
|
||||
"name": "analytic1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "High Number of High Threat Level Detected",
|
||||
"label": "Infoblox - High Number of High Threat Level Queries Detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This creates an incident in the event a host generates a high number of high threat level queries."
|
||||
"text": "This creates an incident in the event a single host generates at least 200 high threat level RPZ queries (Threat Defense security hits) in 1 hour. Query count threshold and scheduling is customizable."
|
||||
}
|
||||
}
|
||||
]
|
||||
|
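Review bot: the new analytic1 text hard-codes the rule's defaults ("at least 200 high threat level RPZ queries ... in 1 hour"), which live in Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml, not in this diff; if the YAML threshold or frequency changes, this description drifts silently. Either keep the description qualitative or make sure the rule file is changed in the same commit as this text. Grammar: "Query count threshold and scheduling is customizable" should be "are customizable" (the same sentence is repeated in the analytic2 and analytic3 sections).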
@ -170,13 +177,27 @@
|
|||
{
|
||||
"name": "analytic2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "High Number of NXDOMAIN DNS Queries Detected",
|
||||
"label": "Infoblox - High Number of NXDOMAIN DNS Responses Detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This creates an incident in the event a host generates a high number of DNS queries for non-existent domains."
|
||||
"text": "This creates an incident in the event a single host generates at least 200 DNS responses for non-existent domains in 1 hour. Query count threshold and scheduling is customizable."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic3",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Infoblox - High Threat Level Query Not Blocked Detected",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This creates an incident in the event a single host generates at least 1 high threat level query (Threat Defense security hit) that is not blocked or redirected in 1 hour. Query count threshold and scheduling is customizable."
|
||||
}
|
||||
}
|
||||
]
|
||||
|
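Review bot: analytic3's text fires on "at least 1 high threat level query ... not blocked or redirected in 1 hour", so a host with one unblocked hit per hour raises an incident every hour; that may well be the intent for an unblocked Threat Defense hit, but state it (or state that the rule groups results by host) so operators are not surprised by the volume. The analytic2 relabel from "Queries" to "Responses" matches the renamed rule file Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml listed in the new Solution file, and counting "DNS responses for non-existent domains" per host is the right wording, since NXDOMAIN is a response code.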
@ -185,7 +206,7 @@
|
|||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[resourceGroup().location]",
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]",
|
||||
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
|
||||
|
|
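Review bot: deriving `workspace-location` from the selected workspace's own `location` instead of `resourceGroup().location` is the right fix (a workspace can live in a different region from its resource group, and the old value would have deployed the content to the wrong region), but `first(...)` over the filtered list throws an opaque template error if the filter returns nothing, and the filter repeats the substring predicate `contains(toLower(filter.id), toLower(resourceGroup().name))` from the workspace dropdown. Use the same segment-exact match in both places, and guard the `first(...)` with an `if(empty(...), ..., ...)` that yields a readable fallback rather than a failed deployment.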
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,23 @@
|
|||
{
|
||||
"Name": "Infoblox Cloud Data Connector",
|
||||
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).",
|
||||
"WorkbookDescription": "Get a closer look at your BloxOne DNS Query/Response logs, DHCP logs and Threat Defense security event data. This workbook is intended to help visualize BloxOne query data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.",
|
||||
"Workbooks": ["Workbooks/InfobloxCDCB1TDWorkbook.json"],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/Infoblox-HighNumberOfHighThreatLevelQueriesDetected.yaml",
|
||||
"Analytic Rules/Infoblox-HighNumberOfNXDOMAINDNSResponsesDetected.yaml",
|
||||
"Analytic Rules/Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml"
|
||||
],
|
||||
"Data Connectors": [
|
||||
"Data Connectors/InfobloxCloudDataConnector.json"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/InfobloxCDC.txt"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
|
||||
"Version": "2.0.1"
|
||||
}
|
||||
|
|
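Review bot: this new 23-line file repeats, line for line as far as the earlier hunk shows, the Solution input file modified above (same Data Connectors, Parsers and Metadata entries, same `C:\\GitHub\\...` BasePath, same `"Version": "2.0.1"`); two copies of the solution manifest will drift on the next change. Keep the one the packaging tool actually reads and delete or generate the other. The BasePath comment applies here too: replace the local Windows path with the `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/...` form the other input files in this commit use. The `"Author"` field carries a personal v- address; if this file is shipped, consider the team alias the other solutions use for contact.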
@ -1,33 +0,0 @@
|
|||
{
|
||||
"Name": "IoTOTThreatMonitoringwithDefenderforIoT",
|
||||
"Author": "Eli Forbes - v-eliforbes@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
|
||||
"Description": "There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.",
|
||||
"Workbooks": [
|
||||
"Workbooks/IoTOTThreatMonitoringwithDefenderforIoT.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/IoTDenialofService.yaml",
|
||||
"Analytic Rules/IoTExcessiveLoginAttempts.yaml",
|
||||
"Analytic Rules/IoTFirmwareUpdates.yaml",
|
||||
"Analytic Rules/IoTHighBandwidth.yaml",
|
||||
"Analytic Rules/IoTIllegalFunctionCodes.yaml",
|
||||
"Analytic Rules/IoTInsecurePLC.yaml",
|
||||
"Analytic Rules/IoTInternetAccess.yaml",
|
||||
"Analytic Rules/IoTMalware.yaml",
|
||||
"Analytic Rules/IoTNetworkScanning.yaml",
|
||||
"Analytic Rules/IoTPLCStopCommand.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedDevice.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedNetworkConfiguration.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedPLCModifications.yaml",
|
||||
"Analytic Rules/IoTUnauthorizedRemoteAccess.yaml"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/AutoCloseIncidents.json",
|
||||
"Playbooks/MailBySensor.json",
|
||||
"Playbooks/NewAssetServiceNowTicket.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT",
|
||||
"Version": "1.0.11"
|
||||
}
|
|
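Review bot: this hunk and the three that follow delete the solution input files for IoTOTThreatMonitoringwithDefenderforIoT, MaturityModelForEventLogManagementM2131, ThreatAnalysis&Response and ZeroTrust(TIC3.0), none of which the commit message ("Infoblox CDC connectivity criteria change.") mentions. If the intent is to leave only the Infoblox file in the packaging tool's input folder, say so in the message; otherwise these deletions look accidental and should be split into their own commit, since they remove the manifests other maintainers use to rebuild those packages.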
@ -1,34 +0,0 @@
|
|||
|
||||
{
|
||||
"Name": "MaturityModelForEventLogManagementM2131",
|
||||
"Author": "TJ Banasik - thomas.banasik@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].",
|
||||
"Workbooks": [
|
||||
"Workbooks/MaturityModelForEventLogManagement_M2131.json"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/Notify_LogManagementTeam.json",
|
||||
"Playbooks/Open_DevOpsTaskRecommendation.json",
|
||||
"Playbooks/Open_JIRATicketRecommendation.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/M2131AssetStoppedLogging.yaml",
|
||||
"Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL0.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL1.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL2.yaml",
|
||||
"Analytic Rules/M2131EventLogManagementPostureChangedEL3.yaml",
|
||||
"Analytic Rules/M2131LogRetentionLessThan1Year.yaml",
|
||||
"Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL2.yaml",
|
||||
"Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
|
||||
"Version": "1.0.3"
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
{
|
||||
"Name": "ThreatAnalysis&Response",
|
||||
"Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 [MITRE ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)",
|
||||
"WorkbookDescription": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
|
||||
"Workbooks": [
|
||||
"Workbooks/ThreatAnalysis&Response.json",
|
||||
"Workbooks/DynamicThreatModeling&Response.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\ThreatAnalysis&Response",
|
||||
"Version": "1.0.14"
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
|
||||
{
|
||||
"Name": "ZeroTrust(TIC3.0)",
|
||||
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Microsoft Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. Compliance isn’t just an annual requirement, and organizations must monitor configurations over time like a muscle. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads' security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.",
|
||||
"WorkbookDescription": "Gain insights into ZeroTrust logs.",
|
||||
"Workbooks": [
|
||||
"Workbooks/ZeroTrust(TIC3.0).json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml"
|
||||
],
|
||||
"Playbooks": [
|
||||
"Playbooks/Notify_GovernanceComplianceTeam.json",
|
||||
"Playbooks/Open_DevOpsTaskRecommendation.json",
|
||||
"Playbooks/Open_JIRATicketRecommendation.json"
|
||||
],
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)",
|
||||
"Version": "2.0.1"
|
||||
}
|