Merge pull request #10293 from roysagi/new-xdome-connector
Claroty xDome Data connector - reset
This commit is contained in:
v-dvedak
GitHub
Коммит
669fb3d003
|
|
@ -0,0 +1,34 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- Generator: Adobe Illustrator 25.4.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
|
||||
<svg version="1.1" id="9b820c71-8a9d-4764-a394-2da57de28d48" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px"
|
||||
viewBox="0 0 1266.3 278" xml:space="preserve">
|
||||
<style type="text/css">
|
||||
.st0{fill:#E20AB7;}
|
||||
.st1{fill:none;}
|
||||
</style>
|
||||
<path d="M1185.3,153.6v41.6h-21.9v-41.3l-46.3-76.7h23.4l34.5,57.5l34.9-57.5h21.6L1185.3,153.6z"/>
|
||||
<path d="M455.6,77.2h21.9v99.4h61.7v18.5h-83.6V77.2z"/>
|
||||
<path d="M1031.4,95.8h-39.1V77.2h100.1v18.5h-39.1v99.4h-21.9V95.8z"/>
|
||||
<path d="M912.3,77.1c-33.1,0-59.9,26.8-59.9,59.9c0,33.1,26.8,59.9,59.9,59.9c33.1,0,59.9-26.8,59.9-59.9
|
||||
C972.3,103.9,945.4,77.1,912.3,77.1z M912.3,176.8c-22,0-39.8-17.8-39.8-39.8s17.8-39.8,39.8-39.8c22,0,39.8,17.8,39.8,39.8
|
||||
S934.3,176.8,912.3,176.8z"/>
|
||||
<g>
|
||||
<polygon points="632.2,77.2 610.6,77.2 557.5,195.2 580.1,195.2 621.2,99.1 662.5,195.2 685.4,195.2 "/>
|
||||
</g>
|
||||
<g>
|
||||
<path d="M790.9,156.4c16-6.2,25.1-19.4,25.1-37.2c0-26.1-19.2-42-50.2-42h-48.5v18.6l47.5,0c19.2,0,29.2,8.6,29.2,23.4
|
||||
c0,14.8-9.9,23.6-29.2,23.6l-47.5,0v52.4h21.9v-34.4h26.6c1.5,0,3,0,4.6-0.2l24.1,34.5H818L790.9,156.4z"/>
|
||||
</g>
|
||||
<path d="M371.9,96.7L371.9,96.7l45.7-0.1V76.9h-45.7c-33,0.2-59.7,26.9-59.7,59.9c0,33,26.7,59.8,59.7,59.9v0.1h45.7v-18.9h-45.7v0
|
||||
c-22.3-0.2-40.3-18.3-40.3-40.6C331.6,114.9,349.6,96.8,371.9,96.7z"/>
|
||||
<path class="st0" d="M248.8,94.9l-9.3,9.2c-3.8-47.6-43.9-52.8-53-53.3l8.4-8.9c-15.6-13.9-30.5-18.4-43.5-18.4v58.3
|
||||
c-0.9,0-1.7-0.1-2.6-0.1c0,0-0.1,0-0.1,0c-31.8,0.1-57.5,25.8-57.5,57.6c0,31.8,25.7,57.5,57.5,57.6c0,0,0.1,0,0.1,0
|
||||
c0.9,0,1.8,0,2.6-0.1v56c13,0,27.9-4.5,43.5-18.4l-7.1-7.5c10.9-0.9,48.4-7.4,51.9-53.5l8.8,8.4C289.9,135.5,248.8,94.9,248.8,94.9z
|
||||
M237.5,106.1l-31.2,30.8c-0.5-11-4-21.2-9.8-29.7L237.5,106.1z M184.6,52.7L184.4,94c-7.9-6.2-17.4-10.4-27.9-11.8L184.6,52.7z
|
||||
M123.9,139.4c0-13.8,11.2-24.9,24.9-24.9c13.8,0,24.9,11.2,24.9,24.9c0,13.8-11.2,24.9-24.9,24.9
|
||||
C135.1,164.3,123.9,153.1,123.9,139.4z M158.5,196.2c9.8-1.6,18.7-5.7,26.1-11.6l0.2,39.3L158.5,196.2z M197.1,170.8
|
||||
c5.5-8.4,8.8-18.3,9.2-29l31.5,30L197.1,170.8z"/>
|
||||
<path class="st0" d="M135.2,209.7c-34.8-5.3-61.5-35.3-61.5-71.5c0-36.2,26.7-66.3,61.5-71.5V24C77,29.6,31.5,78.6,31.5,138.2
|
||||
c0,59.6,45.5,108.6,103.7,114.2V209.7z"/>
|
||||
<rect x="2.4" y="2.8" class="st1" width="1260.8" height="273.4"/>
|
||||
</svg>
|
||||
|
После Ширина: | Высота: | Размер: 2.3 KiB |
|
|
@ -0,0 +1,11 @@
|
|||
TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime [UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,CollectorHostName,Type,_ResourceId
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 1:21:53.378 PM",Claroty,Claroty,0,123,device_change_event,5,,device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;change_id=123;change_timestamp=2024-01-25T13:06:59+00:00;change_description=description;change_alert_id=6;change_alerted_attribute=AP Location;previous_value=old_value;new_value=new_value,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Location Change,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 1:21:53.377 PM",Claroty,Claroty,0,1,server_incident,4,,incident_id=1;location=None;server_name=server1;interface_name=interface;interface_type=management;updated_by=superuser;status=Open;timestamp=2024-01-25T13:06:59+00:00,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Server went down,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 1:21:53.376 PM",Claroty,Claroty,0,123,alert_affected_device,5,,alert_id=123;alert_name=Joe;alert_category=Policy Deviation;alert_description=Cool alert;alert_device_status=Unresolved;alert_labels=[];alert_assignees=[];alert_note=None;alert_mitre_technique_ids=[];alert_mitre_technique_names=[];alert_mitre_technique_enterprise_ids=[];alert_mitre_technique_enterprise_names=[];device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;policy_name=my policy;policy_models=[],,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Out-of-Policy Communication,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 1:21:53.371 PM",Claroty,Claroty,0,123,comm_event,5,,device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;event_id=123;event_description=description;event_alert_id=6;server_port=789;client_id=None,,,,,,,,,,,,,,,,,,,22:22:22:22:22:22,,,,,456,2.2.2.2,,,,,,,,,,,2024-01-25T13:06:59+00:00,,,,,,,,,,,,,,,,,,,,,,None,,,,,,,,,11:11:11:11:11:11,,,,,,,,,123,1.1.1.1,,,,,SMBv1 Communication,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 1:21:53.370 PM",Claroty,Claroty,0,CVE-2022-12345 - None,vulnerability_affected_device,5,,vulnerability_name=CVE-2022-12345;vulnerability_labels=[];vulnerability_assignees=[];vulnerability_note=None;vulnerability_release_date=2024-01-25T13:06:59+00:00;vulnerability_cves=['CVE-2022-12345'];vulnerability_cvssv2_base_score=7.0;vulnerability_cvssv3_base_score=7.0;vulnerability_description=heap overflow;vulnerability_affected_products=None;vulnerability_is_known_exploited=False;vulnerability_known_exploits=None;device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;device_vulnerability_relevance=potentially_relevant;device_vulnerability_relevance_source=['Medigate'];device_vulnerability_overall_cvss_v3_score=7.0;device_vulnerability_manufacturer_remediation_info=[];device_vulnerability_manufacturer_remediation_info_source=None,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Platform,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 11:28:54.559 AM",Medigate,Medical Device Security Platform,0,1,server_incident,4,,incident_id=1;location=None;server_name=server1;interface_name=interface;interface_type=management;updated_by=superuser;status=Open;timestamp=2024-01-25T11:14:00+00:00,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Server went down,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 11:28:54.558 AM",Medigate,Medical Device Security Platform,0,123,alert_affected_device,5,,alert_id=123;alert_name=Joe;alert_category=Policy Deviation;alert_description=Cool alert;alert_device_status=Unresolved;alert_labels=[];alert_assignees=[];alert_note=None;alert_mitre_technique_ids=[];alert_mitre_technique_names=[];alert_mitre_technique_enterprise_ids=[];alert_mitre_technique_enterprise_names=[];device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;policy_name=my policy;policy_models=[],,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Out-of-Policy Communication,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 11:28:54.550 AM",Medigate,Medical Device Security Platform,0,123,device_change_event,5,,device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;change_id=123;change_timestamp=2024-01-25T11:14:00+00:00;change_description=description;change_alert_id=6;change_alerted_attribute=AP Location;previous_value=old_value;new_value=new_value,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Location Change,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 11:28:54.545 AM",Medigate,Medical Device Security Platform,0,CVE-2022-12345 - None,vulnerability_affected_device,5,,vulnerability_name=CVE-2022-12345;vulnerability_labels=[];vulnerability_assignees=[];vulnerability_note=None;vulnerability_release_date=2024-01-25T11:14:00+00:00;vulnerability_cves=['CVE-2022-12345'];vulnerability_cvssv2_base_score=7.0;vulnerability_cvssv3_base_score=7.0;vulnerability_description=heap overflow;vulnerability_affected_products=None;vulnerability_is_known_exploited=False;vulnerability_known_exploits=None;device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;device_vulnerability_relevance=potentially_relevant;device_vulnerability_relevance_source=['Medigate'];device_vulnerability_overall_cvss_v3_score=7.0;device_vulnerability_manufacturer_remediation_info=[];device_vulnerability_manufacturer_remediation_info_source=None,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Platform,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
00000000-0000-0000-0000-000000000000,"1/25/2024, 11:28:54.543 AM",Medigate,Medical Device Security Platform,0,123,comm_event,5,,device_asset_id=None;device_uid=11111111-1111-1111-1111-111111111111;device_mac_list=[];device_ip_list=[];device_site_name=None;device_category=None;device_subcategory=None;device_manufacturer=None;device_type=None;device_type_family=None;device_model=None;device_connection_type_list=[];device_network_list=[];device_labels=[];device_assignees=[];device_note=None;device_os=None;event_id=123;event_description=description;event_alert_id=6;server_port=789;client_id=None,,,,,,,,,,,,,,,,,,,22:22:22:22:22:22,,,,,456,2.2.2.2,,,,,,,,,,,2024-01-25T11:14:00+00:00,,,,,,,,,,,,,,,,,,,,,,None,,,,,,,,,11:11:11:11:11:11,,,,,,,,,123,1.1.1.1,,,,,SMBv1 Communication,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,hostname,OpsManager,,testLogForwarder2,CommonSecurityLog,
|
||||
|
|
|
@ -0,0 +1,123 @@
|
|||
{
|
||||
"id": "ClarotyxDome",
|
||||
"title": "Claroty xDome",
|
||||
"publisher": "Claroty",
|
||||
"logo": "ClarotyLogo.svg",
|
||||
"descriptionMarkdown": "[Claroty](https://claroty.com/) xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "ClarotyxDomeLogs",
|
||||
"baseQuery": "CommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Fetch logs from Claroty xDome",
|
||||
"query": "\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\") | sort by TimeGenerated"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")\n\n| summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "CommonSecurityLog (ClarotyxDome)",
|
||||
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
||||
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
||||
"providerDisplayName": "Keys",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"action": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "1. Linux Syslog agent configuration",
|
||||
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
|
||||
"innerSteps": [
|
||||
{
|
||||
"title": "1.1 Select or create a Linux machine",
|
||||
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
|
||||
},
|
||||
{
|
||||
"title": "1.2 Install the CEF collector on the Linux machine",
|
||||
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": ["WorkspaceId", "PrimaryKey"],
|
||||
"label": "Run the following command to install and apply the CEF collector:",
|
||||
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent",
|
||||
"description": "Configure the Claroty xDome - Microsoft Sentinel integration to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel."
|
||||
},
|
||||
{
|
||||
"title": "3. Validate connection",
|
||||
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": ["WorkspaceId"],
|
||||
"label": "Run the following command to validate your connectivity:",
|
||||
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"title": "4. Secure your machine ",
|
||||
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
|
||||
}
|
||||
],
|
||||
"metadata": {
|
||||
"id": "d37af052-f3e4-4bd5-9f5d-f12469037cc8",
|
||||
"version": "1.0.0",
|
||||
"kind": "dataConnector",
|
||||
"source": { "kind": "solution", "name": "Claroty" },
|
||||
"author": { "name": "Claroty" },
|
||||
"support": {
|
||||
"name": "xDome Customer Support",
|
||||
"link": "https://claroty.com/support-policy",
|
||||
"tier": "developer"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
{
|
||||
"Name": "Claroty xDome",
|
||||
"Author": "Claroty",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ClarotyLogo.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "[Claroty](https://claroty.com/) xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.",
|
||||
"Data Connectors": [
|
||||
"Data Connectors/Claroty_xDome.json"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ClarotyxDome",
|
||||
"Version": "3.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": false
|
||||
}
|
||||
Двоичный файл не отображается.
|
|
@ -0,0 +1,85 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
|
||||
"handler": "Microsoft.Azure.CreateUIDef",
|
||||
"version": "0.1.2-preview",
|
||||
"parameters": {
|
||||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ClarotyLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty%20xDome/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Claroty](https://claroty.com/) xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"Microsoft.Insights/workbooks",
|
||||
"Microsoft.Logic/workflows"
|
||||
]
|
||||
},
|
||||
"location": {
|
||||
"metadata": {
|
||||
"hidden": "Hiding location, we get it from the log analytics workspace"
|
||||
},
|
||||
"visible": false
|
||||
},
|
||||
"resourceGroup": {
|
||||
"allowExisting": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"basics": [
|
||||
{
|
||||
"name": "getLAWorkspace",
|
||||
"type": "Microsoft.Solutions.ArmApiControl",
|
||||
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
|
||||
"condition": "[greater(length(resourceGroup().name),0)]",
|
||||
"request": {
|
||||
"method": "GET",
|
||||
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workspace",
|
||||
"type": "Microsoft.Common.DropDown",
|
||||
"label": "Workspace",
|
||||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
}
|
||||
],
|
||||
"steps": [
|
||||
{
|
||||
"name": "dataconnectors",
|
||||
"label": "Data Connectors",
|
||||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Claroty xDome. You can get Claroty xDome CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link2",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more about connecting data sources",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,455 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"author": "Claroty",
|
||||
"comments": "Solution template for Claroty xDome"
|
||||
},
|
||||
"parameters": {
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"_solutionName": "Claroty xDome",
|
||||
"_solutionVersion": "3.0.0",
|
||||
"solutionId": "claroty.microsoft-sentinel-solution-xdome",
|
||||
"_solutionId": "[variables('solutionId')]",
|
||||
"uiConfigId1": "ClarotyxDome",
|
||||
"_uiConfigId1": "[variables('uiConfigId1')]",
|
||||
"dataConnectorContentId1": "ClarotyxDome",
|
||||
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
|
||||
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"_dataConnectorId1": "[variables('dataConnectorId1')]",
|
||||
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
|
||||
"dataConnectorVersion1": "1.0.0",
|
||||
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
|
||||
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[variables('dataConnectorTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"dependsOn": [
|
||||
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Claroty xDome data connector with template version 3.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion1')]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
|
||||
"apiVersion": "2021-03-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "GenericUI",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "Claroty xDome",
|
||||
"publisher": "Claroty",
|
||||
"logo": "ClarotyLogo.svg",
|
||||
"descriptionMarkdown": "[Claroty](https://claroty.com/) xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "ClarotyxDomeLogs",
|
||||
"baseQuery": "CommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Fetch logs from Claroty xDome",
|
||||
"query": "\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\") | sort by TimeGenerated"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")\n\n| summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "CommonSecurityLog (ClarotyxDome)",
|
||||
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
||||
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
||||
"providerDisplayName": "Keys",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"action": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
|
||||
"innerSteps": [
|
||||
{
|
||||
"title": "1.1 Select or create a Linux machine",
|
||||
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
|
||||
},
|
||||
{
|
||||
"title": "1.2 Install the CEF collector on the Linux machine",
|
||||
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId",
|
||||
"PrimaryKey"
|
||||
],
|
||||
"label": "Run the following command to install and apply the CEF collector:",
|
||||
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"title": "1. Linux Syslog agent configuration"
|
||||
},
|
||||
{
|
||||
"description": "Configure the Claroty xDome - Microsoft Sentinel integration to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.",
|
||||
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
|
||||
},
|
||||
{
|
||||
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId"
|
||||
],
|
||||
"label": "Run the following command to validate your connectivity:",
|
||||
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
],
|
||||
"title": "3. Validate connection"
|
||||
},
|
||||
{
|
||||
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
|
||||
"title": "4. Secure your machine "
|
||||
}
|
||||
],
|
||||
"metadata": {
|
||||
"id": "d37af052-f3e4-4bd5-9f5d-f12469037cc8",
|
||||
"version": "1.0.0",
|
||||
"kind": "dataConnector",
|
||||
"source": {
|
||||
"kind": "solution",
|
||||
"name": "Claroty"
|
||||
},
|
||||
"author": {
|
||||
"name": "Claroty"
|
||||
},
|
||||
"support": {
|
||||
"name": "xDome Customer Support",
|
||||
"link": "https://claroty.com/support-policy",
|
||||
"tier": "developer"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
|
||||
"properties": {
|
||||
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"kind": "DataConnector",
|
||||
"version": "[variables('dataConnectorVersion1')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Claroty xDome",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Claroty"
|
||||
},
|
||||
"support": {
|
||||
"name": "xDome Customer Support",
|
||||
"link": "https://claroty.com/support-policy",
|
||||
"tier": "Partner"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"packageKind": "Solution",
|
||||
"packageVersion": "[variables('_solutionVersion')]",
|
||||
"packageName": "[variables('_solutionName')]",
|
||||
"packageId": "[variables('_solutionId')]",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"contentKind": "DataConnector",
|
||||
"displayName": "Claroty xDome",
|
||||
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
|
||||
"id": "[variables('_dataConnectorcontentProductId1')]",
|
||||
"version": "[variables('dataConnectorVersion1')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('_dataConnectorId1')]"
|
||||
],
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"kind": "DataConnector",
|
||||
"version": "[variables('dataConnectorVersion1')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Claroty xDome",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Claroty"
|
||||
},
|
||||
"support": {
|
||||
"name": "xDome Customer Support",
|
||||
"link": "https://claroty.com/support-policy",
|
||||
"tier": "Partner"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
|
||||
"apiVersion": "2021-03-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "GenericUI",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"title": "Claroty xDome",
|
||||
"publisher": "Claroty",
|
||||
"descriptionMarkdown": "[Claroty](https://claroty.com/) xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "ClarotyxDomeLogs",
|
||||
"baseQuery": "CommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "CommonSecurityLog (ClarotyxDome)",
|
||||
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\")\n\n| summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "Fetch logs from Claroty xDome",
|
||||
"query": "\nCommonSecurityLog\n| where DeviceVendor in (\"Medigate\", \"Claroty\") | sort by TimeGenerated"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": false
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true,
|
||||
"delete": true
|
||||
}
|
||||
},
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
|
||||
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
|
||||
"providerDisplayName": "Keys",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"action": true
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
|
||||
"innerSteps": [
|
||||
{
|
||||
"title": "1.1 Select or create a Linux machine",
|
||||
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
|
||||
},
|
||||
{
|
||||
"title": "1.2 Install the CEF collector on the Linux machine",
|
||||
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId",
|
||||
"PrimaryKey"
|
||||
],
|
||||
"label": "Run the following command to install and apply the CEF collector:",
|
||||
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"title": "1. Linux Syslog agent configuration"
|
||||
},
|
||||
{
|
||||
"description": "Configure the Claroty xDome - Microsoft Sentinel integration to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.",
|
||||
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
|
||||
},
|
||||
{
|
||||
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine",
|
||||
"instructions": [
|
||||
{
|
||||
"parameters": {
|
||||
"fillWith": [
|
||||
"WorkspaceId"
|
||||
],
|
||||
"label": "Run the following command to validate your connectivity:",
|
||||
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
|
||||
},
|
||||
"type": "CopyableLabel"
|
||||
}
|
||||
],
|
||||
"title": "3. Validate connection"
|
||||
},
|
||||
{
|
||||
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
|
||||
"title": "4. Secure your machine "
|
||||
}
|
||||
],
|
||||
"id": "[variables('_uiConfigId1')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
|
||||
"apiVersion": "2023-04-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "3.0.0",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "3.0.0",
|
||||
"displayName": "Claroty xDome",
|
||||
"publisherDisplayName": "xDome Customer Support",
|
||||
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty%20xDome/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p><a href=\"https://claroty.com/\">Claroty</a> xDome delivers comprehensive security and alert management capabilities for healthcare and industrial network environments. It is designed to map multiple source types, identify the collected data, and integrate it into Microsoft Sentinel data models. This results in the ability to monitor all potential threats in your healthcare and industrial environments in one location, leading to more effective security monitoring and a stronger security posture.</p>\n<p><strong>Data Connectors:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
|
||||
"contentKind": "Solution",
|
||||
"contentProductId": "[variables('_solutioncontentProductId')]",
|
||||
"id": "[variables('_solutioncontentProductId')]",
|
||||
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/ClarotyLogo.svg\" width=\"75px\" height=\"75px\">",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
"parentId": "[variables('_solutionId')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Claroty xDome",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Claroty"
|
||||
},
|
||||
"support": {
|
||||
"name": "xDome Customer Support",
|
||||
"tier": "Partner",
|
||||
"link": "https://claroty.com/support-policy"
|
||||
},
|
||||
"dependencies": {
|
||||
"operator": "AND",
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"version": "[variables('dataConnectorVersion1')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"firstPublishDate": "2024-02-01",
|
||||
"providers": [
|
||||
"Claroty"
|
||||
],
|
||||
"categories": {
|
||||
"domains": [
|
||||
"Security - Threat Intelligence",
|
||||
"Security - Vulnerability Management"
|
||||
],
|
||||
"verticals": [
|
||||
"Healthcare",
|
||||
"Manufacturing"
|
||||
]
|
||||
}
|
||||
},
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
}
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|
||||
|-------------|--------------------------------|--------------------------------------------------------------------------------|
|
||||
| 3.0.0 | 16-04-2024 | Initial Solution Release |
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
{
|
||||
"publisherId": "claroty",
|
||||
"offerId": "microsoft-sentinel-solution-xdome",
|
||||
"firstPublishDate": "2024-02-01",
|
||||
"providers": ["Claroty"],
|
||||
"categories": {
|
||||
"domains" : ["Security - Threat Intelligence", "Security - Vulnerability Management"],
|
||||
"verticals": ["Healthcare", "Manufacturing"]
|
||||
},
|
||||
"support": {
|
||||
"name": "xDome Customer Support",
|
||||
"link": "https://claroty.com/support-policy",
|
||||
"tier": "Partner"
|
||||
}
|
||||
}
|
||||
Загрузка…
Ссылка в новой задаче