Merge pull request #10946 from Azure/customama-migration-solutions
OMS Migration for CustomAMA solutions
61fb8f3ba9
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 10m
|
||||
queryPeriod: 10m
|
||||
triggerOperator: gt
|
||||
|
@ -30,5 +33,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
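Review bot: The new CustomLogsAma entry spells its key `datatypes:` while the ApacheHTTPServer entry directly above it uses `dataTypes:`, so the two items of the same requiredDataConnectors list no longer share a key name. If the repository's rule validator or the packaging tool matches that key case-sensitively, the AMA requirement is dropped from the packaged rule silently rather than rejected; the fix is `dataTypes:` on the new entry. The same mixed-case pair is added in every other analytic-rule and hunting-query hunk of this commit, including the SecurityBridge CriticalEventTriggered rule, and this note applies to each of them.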
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 15m
|
||||
queryPeriod: 15m
|
||||
triggerOperator: gt
|
||||
|
@ -27,5 +30,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 10m
|
||||
queryPeriod: 10m
|
||||
triggerOperator: gt
|
||||
|
@ -27,5 +30,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -29,5 +32,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -31,5 +34,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -26,5 +29,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.1
|
||||
version: 1.0.2
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -35,5 +38,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -28,5 +31,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
|
@ -38,5 +41,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -32,5 +35,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"id": "ApacheHTTPServer",
|
||||
"title": "Apache HTTP Server",
|
||||
"title": "[Deprecated] Apache HTTP Server",
|
||||
"publisher": "Apache",
|
||||
"descriptionMarkdown": "The Apache HTTP Server data connector provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.",
|
||||
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
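Review bot: The title gains a `[Deprecated]` prefix, but `descriptionMarkdown` on the context line below still presents the connector as the way to ingest Apache events and names no replacement, so the gallery shows a deprecated label with no migration path. The solution descriptions elsewhere in this commit already carry that guidance; repeating one line of it here, for example prepending `**Deprecated**: this connector depends on the Log Analytics agent; use the Custom logs via AMA connector instead.` to descriptionMarkdown, puts it where the connector itself is displayed. The SecurityBridgeSAP connector hunks have the same gap, and their second hunk still walks the user through installing the legacy agent under the deprecated title.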
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
"Name": "ApacheHTTPServer",
|
||||
"Author": "Microsoft - support@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
|
||||
"Description": "The Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
|
||||
"Workbooks": [
|
||||
"Workbooks/ApacheHTTPServer.json"
|
||||
],
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/ApacheHTTPServer.txt"
|
||||
"Parsers/ApacheHTTPServer.yaml"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Hunting Queries/ApacheFilesErrorRequests.yaml",
|
||||
|
@ -24,7 +24,7 @@
|
|||
"Data Connectors": [
|
||||
"Data Connectors/Connector_ApacheHTTPServer_agent.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ApacheCVE-2021-41773.yaml",
|
||||
"Analytic Rules/ApacheCommandInURI.yaml",
|
||||
"Analytic Rules/ApacheKnownMaliciousUserAgents.yaml",
|
||||
|
@ -36,9 +36,11 @@
|
|||
"Analytic Rules/ApacheRequestToRareFile.yaml",
|
||||
"Analytic Rules/ApacheRequestToSensitiveFiles.yaml"
|
||||
],
|
||||
"dependentDomainSolutionIds": [
|
||||
"azuresentinel.azure-sentinel-solution-customlogsviaama"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\azure\\Solutions\\ApacheHTTPServer",
|
||||
"Version": "2.0.2",
|
||||
"Version": "3.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
"TemplateSpec": true
|
||||
}
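Review bot: `"BasePath": "C:\\GitHub\\azure\\Solutions\\ApacheHTTPServer"` stays a developer-local Windows path beside the newly added `dependentDomainSolutionIds` block and the 3.0.0 bump, so regenerating the package from this manifest on any other machine resolves the relative entries against a path that does not exist there. The SecurityBridge manifest in the same commit uses a raw.githubusercontent.com URL for BasePath; the Apache manifest should use the same form for the tree its own Logo already points at, `"BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/"`. I am inferring the manifest's role from its keys; the file name is not shown on the page.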
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- Persistence
|
||||
- CommandAndControl
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- Impact
|
||||
- InitialAccess
|
||||
|
|
|
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheHTTPServer
|
||||
dataTypes:
|
||||
- ApacheHTTPServer
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- ApacheHTTPServer_CL
|
||||
tactics:
|
||||
- Impact
|
||||
- InitialAccess
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ApacheHTTPServer/Workbooks/Images/Logo/apache.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ApacheHTTPServer/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Apache HTTP Server solution provides the capability to ingest [Apache HTTP Server](http://httpd.apache.org/) events into Microsoft Sentinel. Refer to [Apache Logs documentation](https://httpd.apache.org/docs/2.4/logs.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -60,14 +60,14 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs the data connector for ingesting Apache HTTP Server activity and logging events including initial request, mapping process, resolution of the connection, and any errors that may have occurred. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
"text": "This Solution installs the data connector for ApacheHTTPServer. You can get ApacheHTTPServer custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ApacheHttpServer Kusto Function alias."
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -323,7 +323,7 @@
|
|||
"name": "huntingquery1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows list of files with error requests. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows list of files with error requests. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -337,7 +337,7 @@
|
|||
"name": "huntingquery2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows list of files requested This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows list of files requested This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -351,7 +351,7 @@
|
|||
"name": "huntingquery3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query detects rare files requested This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query detects rare files requested This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -365,7 +365,7 @@
|
|||
"name": "huntingquery4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -379,7 +379,7 @@
|
|||
"name": "huntingquery5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare URLs requested. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows rare URLs requested. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -393,7 +393,7 @@
|
|||
"name": "huntingquery6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare user agents This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows rare user agents This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -407,7 +407,7 @@
|
|||
"name": "huntingquery7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows list of requests to unexisting files This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows list of requests to unexisting files This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -421,7 +421,7 @@
|
|||
"name": "huntingquery8-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query detects Unexpected Post Requests This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query detects Unexpected Post Requests This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -435,7 +435,7 @@
|
|||
"name": "huntingquery9-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows URLs list with client errors. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows URLs list with client errors. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -449,7 +449,7 @@
|
|||
"name": "huntingquery10-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows URLs list with server errors. This hunting query depends on ApacheHTTPServer data connector (ApacheHTTPServer Parser or Table)"
|
||||
"text": "Query shows URLs list with server errors. This hunting query depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
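Review bot: The replacement parser blurb, `"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. ..."`, drops the one concrete fact the old text carried, the `ApacheHttpServer` function alias users query, and substitutes a normalization claim nothing in this commit supports (the manifest only lists `Parsers/ApacheHTTPServer.yaml`). Unless that parser is in fact an ASIM normalizer, keep the alias sentence: `The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ApacheHttpServer Kusto Function alias.` The ten hunting-query blurbs further down read as concatenated identifiers, `... depends on ApacheHTTPServer CustomLogsAma data connector (ApacheHTTPServer ApacheHTTPServer_CL Parser or Table)`; if the file is produced by the packaging tool the wording is best fixed there, otherwise `depends on the ApacheHTTPServer or CustomLogsAma data connector (ApacheHTTPServer parser or ApacheHTTPServer_CL table)` says what is meant.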
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"workbook1-name": {
|
||||
"type": "string",
|
||||
"defaultValue": "Apache HTTP Server",
|
||||
"minLength": 1,
|
||||
"metadata": {
|
||||
"description": "Name for the workbook"
|
||||
}
|
||||
}
|
||||
}
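Review bot: `"workspace"` is declared with `"defaultValue": ""` and no `minLength`, whereas `location` two entries above carries `"minLength": 1`, so an empty workspace name passes parameter validation and only fails once the template evaluates a resourceId against it at deployment. If this file is the parameter set the packaging tests exercise, adding `"minLength": 1` to `workspace` (and to `workspace-location`) surfaces the mistake with a clear validation message instead; the file's name and consumer are not shown here, so treat this as a question rather than a defect.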
|
|
@ -0,0 +1,3 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|--------------------------------------------------------------------|
|
||||
| 3.0.0 | 13-08-2024 | Deprecating data connectors |
|
|
@ -4,9 +4,12 @@ description: |
|
|||
'This rule alerts if there is any critical event occured in the SAP system'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: SecurityBridge
|
||||
- connectorId: SecurityBridgeSAP
|
||||
dataTypes:
|
||||
- SecurityBridgeLogs_CL
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- SecurityBridgeLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
|
@ -32,5 +35,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: HostName
|
||||
columnName: Computer
|
||||
version: 1.0.2
|
||||
version: 1.0.3
|
||||
kind: Scheduled
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"id": "SecurityBridgeSAP",
|
||||
"title": "SecurityBridge Threat Detection for SAP",
|
||||
"title": "[Deprecated] SecurityBridge Threat Detection for SAP",
|
||||
"publisher": "SecurityBridge",
|
||||
"descriptionMarkdown": "SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.",
|
||||
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
|
||||
|
@ -72,7 +72,7 @@
|
|||
},
|
||||
{
|
||||
"title": "1. Install and onboard the agent for Linux or Windows",
|
||||
"description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
|
||||
"description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Microsoft Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"Name": "SecurityBridge App",
|
||||
"Author": "Christoph Nagy - christoph.nagy@securitybridge.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Logos/SecurityBridgeLogo-Vector-TM_75x75.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n- [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SecurityBridgeLogo-Vector-TM_75x75.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
|
||||
"Workbooks": [
|
||||
"Workbooks/SecurityBridgeThreatDetectionforSAP.json"
|
||||
],
|
||||
|
@ -10,16 +10,16 @@
|
|||
"Analytical Rules/CriticalEventTriggered.yaml"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/SecurityBridgeLogs.txt"
|
||||
],
|
||||
"Hunting Queries": [
|
||||
"Parsers/SecurityBridgeLogs.yaml"
|
||||
],
|
||||
"Data Connectors": [
|
||||
"Data Connectors/Connector_SecurityBridge.json"
|
||||
],
|
||||
"dependentDomainSolutionIds": [
|
||||
"azuresentinel.azure-sentinel-solution-customlogsviaama"
|
||||
],
|
||||
"BasePath": "https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Solutions/SecurityBridge/",
|
||||
"Version": "2.0.1",
|
||||
"Version": "3.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
"TemplateSpec": true
|
||||
}
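Review bot: The Logo URL moves from the `frozenstrawberries` fork to `Azure/Azure-Sentinel`, but `"BasePath": "https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Solutions/SecurityBridge/"` on the context line still resolves every relative entry of this manifest (workbook, rule, parser, connector) through that personal fork, so the packaged content is whatever the fork holds at packaging time, not what this repository reviews. Pointing BasePath at the tree the logo now uses, `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SecurityBridge/`, closes that gap; whether the folder is `SecurityBridge` or the `SecurityBridge App` named by the createUiDefinition release-notes link is not visible here and should be checked first. The Apache manifest has the parallel problem with a local Windows path.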
|
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Logos/SecurityBridgeLogo-Vector-TM_75x75.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n- [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SecurityBridgeLogo-Vector-TM_75x75.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SecurityBridge%20App/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SecurityBridge App](https://securitybridge.com/) solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.\n\nThis solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
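Review bot: The new release-notes link points at `Solutions/SecurityBridge%20App/ReleaseNotes.md`, while the manifest's BasePath uses `Solutions/SecurityBridge/`, and the only ReleaseNotes.md added in this commit sits among the ApacheHTTPServer files, so the link is likely to 404 for the SecurityBridge solution unless a release-notes file already exists under that folder. Confirm the folder name and add a `ReleaseNotes.md` row for 3.0.0 under it, mirroring the Apache one, or point the link at the folder that actually holds it.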
|
||||
|
|
|
@ -38,67 +38,55 @@
|
|||
}
|
||||
},
|
||||
"variables": {
|
||||
"solutionId": "securitybridge1647511278080.securitybridge-sentinel-app-1",
|
||||
"_solutionId": "[variables('solutionId')]",
|
||||
"email": "christoph.nagy@securitybridge.com",
|
||||
"_email": "[variables('email')]",
|
||||
"_solutionName": "SecurityBridge App",
|
||||
"_solutionVersion": "3.0.0",
|
||||
"solutionId": "securitybridge1647511278080.securitybridge-sentinel-app-1",
|
||||
"_solutionId": "[variables('solutionId')]",
|
||||
"workbookVersion1": "1.0.0",
|
||||
"workbookContentId1": "SecurityBridgeWorkbook",
|
||||
"workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
|
||||
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
|
||||
"workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
|
||||
"_workbookContentId1": "[variables('workbookContentId1')]",
|
||||
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
|
||||
"analyticRuleVersion1": "1.0.0",
|
||||
"analyticRulecontentId1": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
|
||||
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
|
||||
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
|
||||
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
|
||||
"parserVersion1": "1.0.0",
|
||||
"parserContentId1": "SecurityBridgeLogs-Parser",
|
||||
"_parserContentId1": "[variables('parserContentId1')]",
|
||||
"parserName1": "SecurityBridge Threat Detection for SAP Data Parser",
|
||||
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
|
||||
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
|
||||
"_parserId1": "[variables('parserId1')]",
|
||||
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
|
||||
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
|
||||
"analyticRuleObject1": {
|
||||
"analyticRuleVersion1": "1.0.3",
|
||||
"_analyticRulecontentId1": "8c5c766a-ce9b-4112-b6ed-1b8fe33733b7",
|
||||
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')]",
|
||||
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8c5c766a-ce9b-4112-b6ed-1b8fe33733b7')))]",
|
||||
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8c5c766a-ce9b-4112-b6ed-1b8fe33733b7','-', '1.0.3')))]"
|
||||
},
|
||||
"parserObject1": {
|
||||
"_parserName1": "[concat(parameters('workspace'),'/','SecurityBridge Threat Detection for SAP Data Parser')]",
|
||||
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridge Threat Detection for SAP Data Parser')]",
|
||||
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('SecurityBridgeLogs-Parser')))]",
|
||||
"parserVersion1": "1.0.0",
|
||||
"parserContentId1": "SecurityBridgeLogs-Parser"
|
||||
},
|
||||
"uiConfigId1": "SecurityBridgeSAP",
|
||||
"_uiConfigId1": "[variables('uiConfigId1')]",
|
||||
"dataConnectorContentId1": "SecurityBridgeSAP",
|
||||
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
|
||||
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"_dataConnectorId1": "[variables('dataConnectorId1')]",
|
||||
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
|
||||
"dataConnectorVersion1": "1.0.0"
|
||||
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
|
||||
"dataConnectorVersion1": "1.0.0",
|
||||
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
|
||||
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[variables('workbookTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Workbook"
|
||||
},
|
||||
"properties": {
|
||||
"description": "SecurityBridge App Workbook with template",
|
||||
"displayName": "SecurityBridge App workbook template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Workbook"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
|
||||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "SecurityBridgeThreatDetectionforSAPWorkbook Workbook with template version 2.0.1",
|
||||
"description": "SecurityBridgeThreatDetectionforSAP Workbook with template version 3.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion1')]",
|
||||
|
@ -163,54 +151,47 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"packageKind": "Solution",
|
||||
"packageVersion": "[variables('_solutionVersion')]",
|
||||
"packageName": "[variables('_solutionName')]",
|
||||
"packageId": "[variables('_solutionId')]",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"contentId": "[variables('_workbookContentId1')]",
|
||||
"contentKind": "Workbook",
|
||||
"displayName": "[parameters('workbook1-name')]",
|
||||
"contentProductId": "[variables('_workbookcontentProductId1')]",
|
||||
"id": "[variables('_workbookcontentProductId1')]",
|
||||
"version": "[variables('workbookVersion1')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[variables('analyticRuleTemplateSpecName1')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "AnalyticsRule"
|
||||
},
|
||||
"properties": {
|
||||
"description": "SecurityBridge App Analytics Rule 1 with template",
|
||||
"displayName": "SecurityBridge App Analytics Rule template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "AnalyticsRule"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
|
||||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "CriticalEventTriggered_AnalyticalRules Analytics Rule with template version 2.0.1",
|
||||
"description": "CriticalEventTriggered_AnalyticalRules Analytics Rule with template version 3.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleVersion1')]",
|
||||
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
|
||||
"name": "[variables('AnalyticRulecontentId1')]",
|
||||
"apiVersion": "2022-04-01-preview",
|
||||
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
|
||||
"apiVersion": "2023-02-01-preview",
|
||||
"kind": "Scheduled",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"description": "This rule alerts if there is any critical event occured in the SAP system",
|
||||
"displayName": "SecurityBridge: A critical event occured",
|
||||
"enabled": false,
|
||||
"query": "\nSecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
|
||||
"query": "SecurityBridgeLogs\n| where Severity contains \"Critical\"\n",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"severity": "Medium",
|
||||
|
@ -224,39 +205,48 @@
|
|||
"dataTypes": [
|
||||
"SecurityBridgeLogs_CL"
|
||||
],
|
||||
"connectorId": "SecurityBridge"
|
||||
"connectorId": "SecurityBridgeSAP"
|
||||
},
|
||||
{
|
||||
"datatypes": [
|
||||
"SecurityBridgeLogs_CL"
|
||||
],
|
||||
"connectorId": "CustomLogsAma"
|
||||
}
|
||||
],
|
||||
"tactics": [
|
||||
"InitialAccess"
|
||||
],
|
||||
"techniques": [
|
||||
"T1189"
|
||||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "maincontact",
|
||||
"identifier": "Name"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Account"
|
||||
},
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "dhost",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"entityType": "Host",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "Computer",
|
||||
"identifier": "HostName"
|
||||
}
|
||||
]
|
||||
],
|
||||
"entityType": "Host"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -264,13 +254,13 @@
|
|||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
|
||||
"properties": {
|
||||
"description": "SecurityBridge App Analytics Rule 1",
|
||||
"parentId": "[variables('analyticRuleId1')]",
|
||||
"contentId": "[variables('_analyticRulecontentId1')]",
|
||||
"parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
|
||||
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
|
||||
"kind": "AnalyticsRule",
|
||||
"version": "[variables('analyticRuleVersion1')]",
|
||||
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "SecurityBridge App",
|
||||
|
@ -289,59 +279,53 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"packageKind": "Solution",
|
||||
"packageVersion": "[variables('_solutionVersion')]",
|
||||
"packageName": "[variables('_solutionName')]",
|
||||
"packageId": "[variables('_solutionId')]",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
|
||||
"contentKind": "AnalyticsRule",
|
||||
"displayName": "SecurityBridge: A critical event occured",
|
||||
"contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
|
||||
"id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
|
||||
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[variables('parserTemplateSpecName1')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[variables('parserObject1').parserTemplateSpecName1]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Parser"
|
||||
},
|
||||
"properties": {
|
||||
"description": "SecurityBridgeLogs Data Parser with template",
|
||||
"displayName": "SecurityBridgeLogs Data Parser template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "Parser"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
|
||||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "SecurityBridgeLogs Data Parser with template version 2.0.1",
|
||||
"description": "SecurityBridgeLogs Data Parser with template version 3.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('parserVersion1')]",
|
||||
"contentVersion": "[variables('parserObject1').parserVersion1]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"name": "[variables('_parserName1')]",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "[variables('parserObject1')._parserName1]",
|
||||
"apiVersion": "2022-10-01",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"eTag": "*",
|
||||
"displayName": "SecurityBridge Threat Detection for SAP Data Parser",
|
||||
"category": "Samples",
|
||||
"displayName": "Parser for SecurityBridgeLogs",
|
||||
"category": "Microsoft Sentinel Parser",
|
||||
"functionAlias": "SecurityBridgeLogs",
|
||||
"query": "\nSecurityBridgeLogs_CL\n| extend CEFVersion = tostring(split(RawData, '|')[0]), DeviceVendor = tostring(split(RawData, '|')[1]), DeviceProduct = tostring(split(RawData, '|')[2]), DeviceVersion = tostring(split(RawData, '|')[3]), DeviceEventClassID = tostring(split(RawData, '|')[4]), Name = tostring(split(RawData, '|')[5]), Severity = tostring(split(RawData, '|')[6]), AdditionalExtensions = tostring(split(RawData, '|')[7])\n| extend SAPsid = tostring(split(split(AdditionalExtensions, \"cs1=\")[1], \"cs1\")[0]),\n SAPclient = tostring(split(split(AdditionalExtensions, \"cs2=\")[1], \"cs2\")[0]),\n SAPdb = tostring(split(split(AdditionalExtensions, \"cs3=\")[1], \"cs3\")[0]),\n [\"Email address event originator\"] = tostring(split(split(AdditionalExtensions, \"cs4=\")[1], \"cs4\")[0]),\n [\"Main contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs5=\")[1], \"cs5\")[0]),\n [\"Backup contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs6=\")[1], \"cs6\")[0])\n| extend dhost = tostring(replace_string(tostring(split(split(RawData, \"dhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duid = tostring(replace_string(tostring(split(split(RawData, \"duid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duser = tostring(replace_string(tostring(split(split(RawData, \"duser=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duser=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n dvchost = tostring(replace_string(tostring(split(split(RawData, \"dvchost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dvchost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n msg = tostring(split(split(RawData, \"msg=\")[1], \"rt=\")[0]),\n rt = tostring(replace_string(tostring(split(split(RawData, \"rt=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"rt=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n src = 
tostring(replace_string(tostring(split(split(RawData, \"src=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"src=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n shost = tostring(replace_string(tostring(split(split(RawData, \"shost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"shost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n type = tostring(replace_string(tostring(split(split(RawData, \"type=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"type=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n externalid = tostring(replace_string(tostring(split(split(RawData, \"externalid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"externalid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPos = tostring(replace_string(tostring(split(split(RawData, \"SAPos=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPos=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPrelease = tostring(replace_string(tostring(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPinstallationnumber = tostring(replace_string(tostring(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPhost = tostring(replace_string(tostring(split(split(RawData, \"SAPhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n Severity = case(toint(Severity) < 3, \"Low\", toint(Severity) < 7, \"Medium\", toint(Severity) < 9, \"High\", toint(Severity) >= 9, \"Critical\", \"None\"),\n maincontact = split(split([\"Main contact area of responsibility\"], ',')[-1], ' ')[2]",
|
||||
"version": 1,
|
||||
"query": "SecurityBridgeLogs_CL\n| extend CEFVersion = tostring(split(RawData, '|')[0]), DeviceVendor = tostring(split(RawData, '|')[1]), DeviceProduct = tostring(split(RawData, '|')[2]), DeviceVersion = tostring(split(RawData, '|')[3]), DeviceEventClassID = tostring(split(RawData, '|')[4]), Name = tostring(split(RawData, '|')[5]), Severity = tostring(split(RawData, '|')[6]), AdditionalExtensions = tostring(split(RawData, '|')[7])\n| extend SAPsid = tostring(split(split(AdditionalExtensions, \"cs1=\")[1], \"cs1\")[0]),\n SAPclient = tostring(split(split(AdditionalExtensions, \"cs2=\")[1], \"cs2\")[0]),\n SAPdb = tostring(split(split(AdditionalExtensions, \"cs3=\")[1], \"cs3\")[0]),\n [\"Email address event originator\"] = tostring(split(split(AdditionalExtensions, \"cs4=\")[1], \"cs4\")[0]),\n [\"Main contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs5=\")[1], \"cs5\")[0]),\n [\"Backup contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs6=\")[1], \"cs6\")[0])\n| extend dhost = tostring(replace_string(tostring(split(split(RawData, \"dhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duid = tostring(replace_string(tostring(split(split(RawData, \"duid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duser = tostring(replace_string(tostring(split(split(RawData, \"duser=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duser=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n dvchost = tostring(replace_string(tostring(split(split(RawData, \"dvchost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dvchost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n msg = tostring(split(split(RawData, \"msg=\")[1], \"rt=\")[0]),\n rt = tostring(replace_string(tostring(split(split(RawData, \"rt=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"rt=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n src = 
tostring(replace_string(tostring(split(split(RawData, \"src=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"src=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n shost = tostring(replace_string(tostring(split(split(RawData, \"shost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"shost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n type = tostring(replace_string(tostring(split(split(RawData, \"type=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"type=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n externalid = tostring(replace_string(tostring(split(split(RawData, \"externalid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"externalid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPos = tostring(replace_string(tostring(split(split(RawData, \"SAPos=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPos=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPrelease = tostring(replace_string(tostring(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPinstallationnumber = tostring(replace_string(tostring(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPhost = tostring(replace_string(tostring(split(split(RawData, \"SAPhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n Severity = case(toint(Severity) < 3, \"Low\", toint(Severity) < 7, \"Medium\", toint(Severity) < 9, \"High\", toint(Severity) >= 9, \"Critical\", \"None\"),\n maincontact = split(split([\"Main contact area of responsibility\"], ',')[-1], ' ')[2]\n",
|
||||
"functionParameters": "",
|
||||
"version": 2,
|
||||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "SecurityBridge Threat Detection for SAP Data Parser"
|
||||
"value": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -349,15 +333,15 @@
|
|||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('_parserName1')]"
|
||||
"[variables('parserObject1')._parserId1]"
|
||||
],
|
||||
"properties": {
|
||||
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
|
||||
"contentId": "[variables('_parserContentId1')]",
|
||||
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridge Threat Detection for SAP Data Parser')]",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"kind": "Parser",
|
||||
"version": "[variables('parserVersion1')]",
|
||||
"version": "[variables('parserObject1').parserVersion1]",
|
||||
"source": {
|
||||
"name": "SecurityBridge App",
|
||||
"kind": "Solution",
|
||||
|
@ -376,36 +360,54 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"packageKind": "Solution",
|
||||
"packageVersion": "[variables('_solutionVersion')]",
|
||||
"packageName": "[variables('_solutionName')]",
|
||||
"packageId": "[variables('_solutionId')]",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"contentKind": "Parser",
|
||||
"displayName": "Parser for SecurityBridgeLogs",
|
||||
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
|
||||
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
|
||||
"version": "[variables('parserObject1').parserVersion1]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
|
||||
"apiVersion": "2021-06-01",
|
||||
"name": "[variables('_parserName1')]",
|
||||
"apiVersion": "2022-10-01",
|
||||
"name": "[variables('parserObject1')._parserName1]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"eTag": "*",
|
||||
"displayName": "SecurityBridge Threat Detection for SAP Data Parser",
|
||||
"category": "Samples",
|
||||
"displayName": "Parser for SecurityBridgeLogs",
|
||||
"category": "Microsoft Sentinel Parser",
|
||||
"functionAlias": "SecurityBridgeLogs",
|
||||
"query": "\nSecurityBridgeLogs_CL\n| extend CEFVersion = tostring(split(RawData, '|')[0]), DeviceVendor = tostring(split(RawData, '|')[1]), DeviceProduct = tostring(split(RawData, '|')[2]), DeviceVersion = tostring(split(RawData, '|')[3]), DeviceEventClassID = tostring(split(RawData, '|')[4]), Name = tostring(split(RawData, '|')[5]), Severity = tostring(split(RawData, '|')[6]), AdditionalExtensions = tostring(split(RawData, '|')[7])\n| extend SAPsid = tostring(split(split(AdditionalExtensions, \"cs1=\")[1], \"cs1\")[0]),\n SAPclient = tostring(split(split(AdditionalExtensions, \"cs2=\")[1], \"cs2\")[0]),\n SAPdb = tostring(split(split(AdditionalExtensions, \"cs3=\")[1], \"cs3\")[0]),\n [\"Email address event originator\"] = tostring(split(split(AdditionalExtensions, \"cs4=\")[1], \"cs4\")[0]),\n [\"Main contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs5=\")[1], \"cs5\")[0]),\n [\"Backup contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs6=\")[1], \"cs6\")[0])\n| extend dhost = tostring(replace_string(tostring(split(split(RawData, \"dhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duid = tostring(replace_string(tostring(split(split(RawData, \"duid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duser = tostring(replace_string(tostring(split(split(RawData, \"duser=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duser=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n dvchost = tostring(replace_string(tostring(split(split(RawData, \"dvchost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dvchost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n msg = tostring(split(split(RawData, \"msg=\")[1], \"rt=\")[0]),\n rt = tostring(replace_string(tostring(split(split(RawData, \"rt=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"rt=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n src = 
tostring(replace_string(tostring(split(split(RawData, \"src=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"src=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n shost = tostring(replace_string(tostring(split(split(RawData, \"shost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"shost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n type = tostring(replace_string(tostring(split(split(RawData, \"type=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"type=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n externalid = tostring(replace_string(tostring(split(split(RawData, \"externalid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"externalid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPos = tostring(replace_string(tostring(split(split(RawData, \"SAPos=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPos=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPrelease = tostring(replace_string(tostring(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPinstallationnumber = tostring(replace_string(tostring(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPhost = tostring(replace_string(tostring(split(split(RawData, \"SAPhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n Severity = case(toint(Severity) < 3, \"Low\", toint(Severity) < 7, \"Medium\", toint(Severity) < 9, \"High\", toint(Severity) >= 9, \"Critical\", \"None\"),\n maincontact = split(split([\"Main contact area of responsibility\"], ',')[-1], ' ')[2]",
|
||||
"version": 1
|
||||
"query": "SecurityBridgeLogs_CL\n| extend CEFVersion = tostring(split(RawData, '|')[0]), DeviceVendor = tostring(split(RawData, '|')[1]), DeviceProduct = tostring(split(RawData, '|')[2]), DeviceVersion = tostring(split(RawData, '|')[3]), DeviceEventClassID = tostring(split(RawData, '|')[4]), Name = tostring(split(RawData, '|')[5]), Severity = tostring(split(RawData, '|')[6]), AdditionalExtensions = tostring(split(RawData, '|')[7])\n| extend SAPsid = tostring(split(split(AdditionalExtensions, \"cs1=\")[1], \"cs1\")[0]),\n SAPclient = tostring(split(split(AdditionalExtensions, \"cs2=\")[1], \"cs2\")[0]),\n SAPdb = tostring(split(split(AdditionalExtensions, \"cs3=\")[1], \"cs3\")[0]),\n [\"Email address event originator\"] = tostring(split(split(AdditionalExtensions, \"cs4=\")[1], \"cs4\")[0]),\n [\"Main contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs5=\")[1], \"cs5\")[0]),\n [\"Backup contact area of responsibility\"] = tostring(split(split(AdditionalExtensions, \"cs6=\")[1], \"cs6\")[0])\n| extend dhost = tostring(replace_string(tostring(split(split(RawData, \"dhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duid = tostring(replace_string(tostring(split(split(RawData, \"duid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n duser = tostring(replace_string(tostring(split(split(RawData, \"duser=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"duser=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n dvchost = tostring(replace_string(tostring(split(split(RawData, \"dvchost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"dvchost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n msg = tostring(split(split(RawData, \"msg=\")[1], \"rt=\")[0]),\n rt = tostring(replace_string(tostring(split(split(RawData, \"rt=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"rt=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n src = 
tostring(replace_string(tostring(split(split(RawData, \"src=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"src=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n shost = tostring(replace_string(tostring(split(split(RawData, \"shost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"shost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n type = tostring(replace_string(tostring(split(split(RawData, \"type=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"type=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n externalid = tostring(replace_string(tostring(split(split(RawData, \"externalid=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"externalid=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPos = tostring(replace_string(tostring(split(split(RawData, \"SAPos=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPos=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPrelease = tostring(replace_string(tostring(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPrelease=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPinstallationnumber = tostring(replace_string(tostring(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPinstallationnumber=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n SAPhost = tostring(replace_string(tostring(split(split(RawData, \"SAPhost=\")[1], \"=\")[0]), tostring(split(split(split(RawData, \"SAPhost=\")[1], \"=\")[0], \" \")[-1]), \"\")),\n Severity = case(toint(Severity) < 3, \"Low\", toint(Severity) < 7, \"Medium\", toint(Severity) < 9, \"High\", toint(Severity) >= 9, \"Critical\", \"None\"),\n maincontact = split(split([\"Main contact area of responsibility\"], ',')[-1], ' ')[2]\n",
|
||||
"functionParameters": "",
|
||||
"version": 2,
|
||||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": ""
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('_parserId1')]"
|
||||
"[variables('parserObject1')._parserId1]"
|
||||
],
|
||||
"properties": {
|
||||
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
|
||||
"contentId": "[variables('_parserContentId1')]",
|
||||
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SecurityBridge Threat Detection for SAP Data Parser')]",
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"kind": "Parser",
|
||||
"version": "[variables('parserVersion1')]",
|
||||
"version": "[variables('parserObject1').parserVersion1]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "SecurityBridge App",
|
||||
|
@ -424,33 +426,15 @@
|
|||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[variables('dataConnectorTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "DataConnector"
|
||||
},
|
||||
"properties": {
|
||||
"description": "SecurityBridge App data connector with template",
|
||||
"displayName": "SecurityBridge App template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "DataConnector"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
|
||||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "SecurityBridge App data connector with template version 2.0.1",
|
||||
"description": "SecurityBridge App data connector with template version 3.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion1')]",
|
||||
|
@ -466,10 +450,10 @@
|
|||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "SecurityBridge Threat Detection for SAP",
|
||||
"title": "[Deprecated] SecurityBridge Threat Detection for SAP",
|
||||
"publisher": "SecurityBridge",
|
||||
"descriptionMarkdown": "SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.",
|
||||
"additionalRequirementBanner": "You will need a SecurityBridge Platform subscription to use this Microsoft Sentinel Solution and this data connector requires installation of Sentinel Agend for the log collection. For more information please contact sales@securitybridge.com",
|
||||
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
|
@ -527,13 +511,13 @@
|
|||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-SecurityBridgeLogs-parser) to create the Kusto Functions alias, **SecurityBridgeLogs**"
|
||||
"description": "*NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SecurityBridgeLogs and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge%20App/Parsers/SecurityBridgeLogs.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
|
||||
},
|
||||
{
|
||||
"description": ">**NOTE:** This data connector has been developed using SecurityBridge Application Platform 7.4.0."
|
||||
},
|
||||
{
|
||||
"description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
|
||||
"description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Microsoft Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
|
@ -631,7 +615,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
|
||||
"properties": {
|
||||
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
|
@ -656,12 +640,23 @@
|
|||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"packageKind": "Solution",
|
||||
"packageVersion": "[variables('_solutionVersion')]",
|
||||
"packageName": "[variables('_solutionName')]",
|
||||
"packageId": "[variables('_solutionId')]",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"contentKind": "DataConnector",
|
||||
"displayName": "[Deprecated] SecurityBridge Threat Detection for SAP",
|
||||
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
|
||||
"id": "[variables('_dataConnectorcontentProductId1')]",
|
||||
"version": "[variables('dataConnectorVersion1')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('_dataConnectorId1')]"
|
||||
|
@ -697,7 +692,7 @@
|
|||
"kind": "GenericUI",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"title": "SecurityBridge Threat Detection for SAP",
|
||||
"title": "[Deprecated] SecurityBridge Threat Detection for SAP",
|
||||
"publisher": "SecurityBridge",
|
||||
"descriptionMarkdown": "SecurityBridge is the first and only holistic, natively integrated security platform, addressing all aspects needed to protect organizations running SAP from internal and external threats against their core business applications. The SecurityBridge platform is an SAP-certified add-on, used by organizations around the globe, and addresses the clients’ need for advanced cybersecurity, real-time monitoring, compliance, code security, and patching to protect against internal and external threats.This Microsoft Sentinel Solution allows you to integrate SecurityBridge Threat Detection events from all your on-premise and cloud based SAP instances into your security monitoring.Use this Microsoft Sentinel Solution to receive normalized and speaking security events, pre-built dashboards and out-of-the-box templates for your SAP security monitoring.",
|
||||
"graphQueries": [
|
||||
|
@ -757,13 +752,13 @@
|
|||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-SecurityBridgeLogs-parser) to create the Kusto Functions alias, **SecurityBridgeLogs**"
|
||||
"description": "*NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SecurityBridgeLogs and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityBridge%20App/Parsers/SecurityBridgeLogs.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
|
||||
},
|
||||
{
|
||||
"description": ">**NOTE:** This data connector has been developed using SecurityBridge Application Platform 7.4.0."
|
||||
},
|
||||
{
|
||||
"description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
|
||||
"description": "This solution requires logs collection via an Microsoft Sentinel agent installation\n\n> The Microsoft Sentinel agent is supported on the following Operating Systems: \n1. Windows Servers \n2. SUSE Linux Enterprise Server\n3. Redhat Linux Enterprise Server\n4. Oracle Linux Enterprise Server\n5. If you have the SAP solution installed on HPUX / AIX then you will need to deploy a log collector on one of the Linux options listed above and forward your logs to that collector\n\n",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
|
@ -857,18 +852,25 @@
|
|||
}
|
||||
],
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"additionalRequirementBanner": "You will need a SecurityBridge Platform subscription to use this Microsoft Sentinel Solution and this data connector requires installation of Sentinel Agend for the log collection. For more information please contact sales@securitybridge.com"
|
||||
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "2.0.1",
|
||||
"version": "3.0.0",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "2.0.0",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"displayName": "SecurityBridge App",
|
||||
"publisherDisplayName": "Christoph Nagy",
|
||||
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SecurityBridge%20App/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://securitybridge.com/\">SecurityBridge App</a> solution provides the capability to ingest SecurityBridge Threat Detection events from all on-premise and cloud based SAP instances into Microsoft Sentinel.</p>\n<p>This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE</strong>: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024</strong>. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
|
||||
"contentKind": "Solution",
|
||||
"contentProductId": "[variables('_solutioncontentProductId')]",
|
||||
"id": "[variables('_solutioncontentProductId')]",
|
||||
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SecurityBridgeLogo-Vector-TM_75x75.svg\" width=\"75px\" height=\"75px\">",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
"parentId": "[variables('_solutionId')]",
|
||||
"source": {
|
||||
|
@ -887,7 +889,6 @@
|
|||
"link": "https://securitybridge.com/contact/"
|
||||
},
|
||||
"dependencies": {
|
||||
"operator": "AND",
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "Workbook",
|
||||
|
@ -896,18 +897,22 @@
|
|||
},
|
||||
{
|
||||
"kind": "AnalyticsRule",
|
||||
"contentId": "[variables('analyticRulecontentId1')]",
|
||||
"version": "[variables('analyticRuleVersion1')]"
|
||||
"contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
|
||||
"version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
|
||||
},
|
||||
{
|
||||
"kind": "Parser",
|
||||
"contentId": "[variables('_parserContentId1')]",
|
||||
"version": "[variables('parserVersion1')]"
|
||||
"contentId": "[variables('parserObject1').parserContentId1]",
|
||||
"version": "[variables('parserObject1').parserVersion1]"
|
||||
},
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"version": "[variables('dataConnectorVersion1')]"
|
||||
},
|
||||
{
|
||||
"kind": "Solution",
|
||||
"contentId": "azuresentinel.azure-sentinel-solution-customlogsviaama"
|
||||
}
|
||||
]
|
||||
},
|
||||
@ -0,0 +1,32 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"workbook1-name": {
|
||||
"type": "string",
|
||||
"defaultValue": "SecurityBridge App",
|
||||
"minLength": 1,
|
||||
"metadata": {
|
||||
"description": "Name for the workbook"
|
||||
}
|
||||
}
|
||||
}
@ -0,0 +1,3 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|--------------------------------|
|
||||
| 3.0.0 | 08-08-2024 | Deprecating data connectors |
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -27,5 +30,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
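Review bot: The new `CustomLogsAma` entry spells its data-type list `datatypes:` while the `ApacheTomcat` entry immediately above it uses `dataTypes:`; the analytic-rule schema, as far as the existing entry shows it, is camel-cased, so unless the rule loader happens to be case-insensitive the `Tomcat_CL` type will not be associated with the connector and the requirement is silently incomplete. Change the added key to `dataTypes:` so both connectors are declared the same way. The same lowercase spelling is repeated in every other rule and hunting query touched by this commit, so it is worth a repo-wide search rather than a per-file fix.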
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -27,5 +30,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Name
|
||||
columnName: MalwareCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -29,5 +32,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -31,5 +34,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -31,5 +34,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -40,5 +43,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -31,5 +34,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -31,5 +34,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -26,5 +29,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Url
|
||||
columnName: UrlCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -8,6 +8,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -42,5 +45,5 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: IPCustomEntity
|
||||
version: 1.0.0
|
||||
version: 1.0.1
|
||||
kind: Scheduled
@ -1,6 +1,6 @@
|
|||
{
|
||||
"id": "ApacheTomcat",
|
||||
"title": "Apache Tomcat",
|
||||
"title": "[Deprecated] Apache Tomcat",
|
||||
"publisher": "Apache",
|
||||
"descriptionMarkdown": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.",
|
||||
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
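Review bot: Only the `title` gains the "[Deprecated]" tag; the `descriptionMarkdown` on the following line still presents this MMA-based connector as the normal ingestion path and gives the operator no pointer to the replacement. Since the solution-level description elsewhere in this commit already names the Custom logs via AMA connector and links the migration guide, the connector's own description should say the same, e.g. prefix it with `**This connector is deprecated.** Use the Custom logs via AMA connector instead; see https://learn.microsoft.com/azure/sentinel/ama-migrate.` Without that, a user who lands on this connector page from search still configures the retiring agent and, per the solution notes, risks duplicate ingestion if AMA is later added to the same host.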
@ -2,16 +2,16 @@
|
|||
"Name": "Tomcat",
|
||||
"Author": "Microsoft - support@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\r\n \r\n**Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
|
||||
"Description": "The Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).",
|
||||
"Data Connectors": [
|
||||
"Data Connectors/Connector_Tomcat_agent.json"
|
||||
],
|
||||
"Parsers": [
|
||||
"Parsers/TomcatEvent.txt"
|
||||
"Parsers/TomcatEvent.yaml"
|
||||
],
|
||||
"Workbooks": [
|
||||
"Workbooks/Tomcat.json"
|
||||
],
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/TomcatCommandsinRequest.yaml",
|
||||
"Analytic Rules/TomcatKnownMaliciousUserAgent.yaml",
|
||||
|
@ -37,9 +37,11 @@
|
|||
"Hunting Queries/TomcatUncommonUAsWithClientErrors.yaml",
|
||||
"Hunting Queries/TomcatUncommonUAsWithServerErrors.yaml"
|
||||
],
|
||||
"dependentDomainSolutionIds": [
|
||||
"azuresentinel.azure-sentinel-solution-customlogsviaama"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Tomcat",
|
||||
"Version": "2.0.1",
|
||||
"Version": "3.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
"TemplateSpec": true
|
||||
}
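Review bot: `BasePath` near the end of this file still carries a contributor's local Windows path (`C:\\GitHub\\Azure-Sentinel\\Solutions\\Tomcat`), so the packaging run described by this metadata is only reproducible on that one machine and the repo records a private filesystem layout; while the file is being rewritten for 3.0.0 it would be the moment to make it repo-relative, if the packaging script accepts that. The new `Description` also hard-codes the agent retirement date in prose ("about to be deprecated by **Aug 31, 2024**"), which, given the 08-08-2024 release note in this same commit, will read as stale within weeks; phrasing it as "the Log Analytics agent is retired" and leaving the date to the linked migration page would age better. Both points are about text this commit rewrites, not about the new `dependentDomainSolutionIds` entry, which looks consistent with the description.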
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
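Review bot: The added `CustomLogsAma` entry uses `datatypes:` where the `ApacheTomcat` entry directly above uses `dataTypes:`, so the two connectors in this hunting query are declared with different keys; unless the loader is case-insensitive the `Tomcat_CL` type will be ignored for the new connector. Use `dataTypes:` here and in the other hunting queries in this commit, which repeat the same spelling.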
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- Exfiltration
|
||||
- Collection
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- Impact
|
||||
- InitialAccess
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- Impact
|
||||
- InitialAccess
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
@ -7,6 +7,9 @@ requiredDataConnectors:
|
|||
- connectorId: ApacheTomcat
|
||||
dataTypes:
|
||||
- TomcatEvent
|
||||
- connectorId: CustomLogsAma
|
||||
datatypes:
|
||||
- Tomcat_CL
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\r\n \r\n**Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Tomcat/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Apache Tomcat solution provides the capability to ingest [Apache Tomcat](http://tomcat.apache.org/) events into Microsoft Sentinel. Refer to [Apache Tomcat documentation](http://tomcat.apache.org/tomcat-10.0-doc/logging.html) for more information.\n\n This solution is dependent on the Custom logs via AMA connector to collect the logs. The Custom logs solution will be installed as part of this solution installation. \n\n **NOTE**: Microsoft recommends installation of Custom logs via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024**. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/azure/sentinel/ama-migrate?WT.mc_id=Portal-fx).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -60,14 +60,14 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs the data connector ingesting Apache Tomcat internal logging and web application logging will remain independent. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
"text": "This Solution installs the data connector for Tomcat. You can get Tomcat custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-parser-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the TomcatEvent Kusto Function alias."
|
||||
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -323,7 +323,7 @@
|
|||
"name": "huntingquery1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows request to forbidden files. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows request to forbidden files. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -337,7 +337,7 @@
|
|||
"name": "huntingquery2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows abnormal request size. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows abnormal request size. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -351,7 +351,7 @@
|
|||
"name": "huntingquery3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows errors events. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows errors events. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -365,7 +365,7 @@
|
|||
"name": "huntingquery4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare files requested This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows rare files requested This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -379,7 +379,7 @@
|
|||
"name": "huntingquery5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare URLs requested. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows rare URLs requested. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -393,7 +393,7 @@
|
|||
"name": "huntingquery6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows list of files with error requests. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows list of files with error requests. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -407,7 +407,7 @@
|
|||
"name": "huntingquery7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows URLs list with client errors. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows URLs list with client errors. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -421,7 +421,7 @@
|
|||
"name": "huntingquery8-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows URLs list with server errors. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows URLs list with server errors. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -435,7 +435,7 @@
|
|||
"name": "huntingquery9-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query searches uncommon user agent strings. This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query searches uncommon user agent strings. This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -449,7 +449,7 @@
|
|||
"name": "huntingquery10-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows rare user agent strings with client errors This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -463,7 +463,7 @@
|
|||
"name": "huntingquery11-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Query shows rare user agent strings with server errors This hunting query depends on ApacheTomcat data connector (TomcatEvent Parser or Table)"
|
||||
"text": "Query shows rare user agent strings with server errors This hunting query depends on ApacheTomcat CustomLogsAma data connector (TomcatEvent Tomcat_CL Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
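--- /dev/null
+++ b/NEW-FILE-PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,32 @@
+{
+  "location": {
+    "type": "string",
+    "minLength": 1,
+    "defaultValue": "[resourceGroup().location]",
+    "metadata": {
+      "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+    }
+  },
+  "workspace-location": {
+    "type": "string",
+    "defaultValue": "",
+    "metadata": {
+      "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+    }
+  },
+  "workspace": {
+    "defaultValue": "",
+    "type": "string",
+    "metadata": {
+      "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+    }
+  },
+  "workbook1-name": {
+    "type": "string",
+    "defaultValue": "ApacheTomcat",
+    "minLength": 1,
+    "metadata": {
+      "description": "Name for the workbook"
+    }
+  }
+}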
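Review bot: `"workspace"` and `"workspace-location"` both default to `""` and carry no `minLength`, while `"location"` and `"workbook1-name"` in the same file enforce `"minLength": 1`, so an empty workspace name passes parameter validation and only fails later when the deployment tries to resolve the Log Analytics workspace. The file path is not shown on this page, so the consumer is inferred; if these definitions feed the deployed template's parameters, the constraint should be consistent: add `"minLength": 1` under `"workspace"`. The `workspace-location` description is an ARM expression (`[concat(...)]`) rather than prose; if that is deliberate for tooling, a one-line explanation in the description, like the one `location` already has, would stop the next maintainer from "fixing" it.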
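--- /dev/null
+++ b/Solutions/Tomcat/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|-------------------------------------------------------------------------------------|
+| 3.0.0 | 13-08-2024 | Deprecating data connectors |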