Trend Micro Deep Security Repackaging Changes
Trend Micro Deep Security Repackaging Changes
This commit is contained in:
MeenaChatla
Родитель
c96ddfcb65
Коммит
6ac1cfbfed
|
|
@ -15,7 +15,7 @@
|
|||
],
|
||||
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro Deep Security",
|
||||
"Version": "2.0.0",
|
||||
"Version": "2.0.1",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1PConnector": false
|
||||
|
|
|
|||
Двоичный файл не отображается.
|
|
@ -104,7 +104,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Trend Micro Deep Security data connector with template version 2.0.0",
|
||||
"description": "Trend Micro Deep Security data connector with template version 2.0.1",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion1')]",
|
||||
|
|
@ -498,7 +498,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "TrendMicroDeepSecurityAttackActivityWorkbook Workbook with template version 2.0.0",
|
||||
"description": "TrendMicroDeepSecurityAttackActivityWorkbook Workbook with template version 2.0.1",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion1')]",
|
||||
|
|
@ -544,19 +544,6 @@
|
|||
"name": "Trend Micro",
|
||||
"tier": "Partner",
|
||||
"link": "https://success.trendmicro.com/dcx/s/?language=en_US"
|
||||
},
|
||||
"dependencies": {
|
||||
"operator": "AND",
|
||||
"criteria": [
|
||||
{
|
||||
"contentId": "CommonSecurityLog",
|
||||
"kind": "DataType"
|
||||
},
|
||||
{
|
||||
"contentId": "TrendMicro",
|
||||
"kind": "DataConnector"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -591,7 +578,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "TrendMicroDeepSecurityOverviewWorkbook Workbook with template version 2.0.0",
|
||||
"description": "TrendMicroDeepSecurityOverviewWorkbook Workbook with template version 2.0.1",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('workbookVersion2')]",
|
||||
|
|
@ -637,19 +624,6 @@
|
|||
"name": "Trend Micro",
|
||||
"tier": "Partner",
|
||||
"link": "https://success.trendmicro.com/dcx/s/?language=en_US"
|
||||
},
|
||||
"dependencies": {
|
||||
"operator": "AND",
|
||||
"criteria": [
|
||||
{
|
||||
"contentId": "CommonSecurityLog",
|
||||
"kind": "DataType"
|
||||
},
|
||||
{
|
||||
"contentId": "TrendMicro",
|
||||
"kind": "DataConnector"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -684,7 +658,7 @@
|
|||
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "TrendMicroDeepSecurity Data Parser with template version 2.0.0",
|
||||
"description": "TrendMicroDeepSecurity Data Parser with template version 2.0.1",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('parserVersion1')]",
|
||||
|
|
@ -701,7 +675,7 @@
|
|||
"displayName": "TrendMicroDeepSecurity",
|
||||
"category": "Samples",
|
||||
"functionAlias": "TrendMicroDeepSecurity",
|
||||
"query": "\n\r\nCommonSecurityLog\r\n| where DeviceVendor has_any (\"TrendMicro\", \"Trend Micro\")\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", int(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", int(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", int(null)),DeviceCustomNumber3)\r\n| extend DeepSecurityHostID = DeviceCustomNumber1\r\n| extend DeepSecurityModuleName =\r\niff(toint(DeviceEventClassID) in (20,21,100,850,851,852,853,854),\"Firewall\",\r\niff(toint(DeviceEventClassID)>=1000000 and toint(DeviceEventClassID)<2000000,\"Intrusion Prevention\",\r\niff(toint(DeviceEventClassID)>=2000000 and toint(DeviceEventClassID)<3000000,\"Integrity Monitoring\",\r\niff(toint(DeviceEventClassID)>=3000000 and toint(DeviceEventClassID)<4000000,\"Log Inspection\",\r\niff(toint(DeviceEventClassID)>=4000000 and toint(DeviceEventClassID)<5000000,\"Anti-Malware\",\r\niff(toint(DeviceEventClassID)>=5000000 and toint(DeviceEventClassID)<6000000,\"Web Reputation\",\r\niff(toint(DeviceEventClassID)>=6000000 and toint(DeviceEventClassID)<7000000,\"Application Control\",\"System\")))))))\r\n| extend actionReason = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString1, \"\")\r\n| extend sha1 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString2, \"\")\r\n| extend md5 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString3, \"\")\r\n| parse AdditionalExtensions with * \"target=\" target \";\" *\r\n| extend LIDescription = iff (DeepSecurityModuleName == \"Log Inspection\", DeviceCustomString1, \"\")\r\n| extend FragmentationBits = iff (DeepSecurityModuleName == \"Firewall\", DeviceCustomString3, \"\")\r\n| extend TCPFlags = iff (DeepSecurityModuleName == \"Firewall\" or DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString2, \"\")\r\n| extend InfectedResource = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString3, \"\")\r\n| extend ResourceType = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString4, \"\")\r\n| extend RiskLevel = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString5, \"\")\r\n| extend DPIStreamPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString5, \"\")\r\n| extend DPIFlags = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString6, \"\")\r\n| extend DPIPacketPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomNumber3, 0)\r\n| where DeviceProduct startswith \"Deep Security\"\r\n| project-away DeviceCustomNumber1, DeviceCustomNumber1Label, DeviceCustomNumber2, DeviceCustomNumber2Label, DeviceCustomNumber3, DeviceCustomNumber3Label, DeviceCustomString1, DeviceCustomString1Label, DeviceCustomString2, DeviceCustomString2Label, DeviceCustomString3, DeviceCustomString3Label, DeviceCustomString4, DeviceCustomString4Label, DeviceCustomString5, DeviceCustomString5Label, DeviceCustomString6, DeviceCustomString6Label",
|
||||
"query": "\n\r\nCommonSecurityLog\r\n| where DeviceVendor has_any (\"TrendMicro\", \"Trend Micro\")\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\r\n| extend DeepSecurityHostID = DeviceCustomNumber1\r\n| extend DeepSecurityModuleName =\r\niff(toint(DeviceEventClassID) in (20,21,100,850,851,852,853,854),\"Firewall\",\r\niff(toint(DeviceEventClassID)>=1000000 and toint(DeviceEventClassID)<2000000,\"Intrusion Prevention\",\r\niff(toint(DeviceEventClassID)>=2000000 and toint(DeviceEventClassID)<3000000,\"Integrity Monitoring\",\r\niff(toint(DeviceEventClassID)>=3000000 and toint(DeviceEventClassID)<4000000,\"Log Inspection\",\r\niff(toint(DeviceEventClassID)>=4000000 and toint(DeviceEventClassID)<5000000,\"Anti-Malware\",\r\niff(toint(DeviceEventClassID)>=5000000 and toint(DeviceEventClassID)<6000000,\"Web Reputation\",\r\niff(toint(DeviceEventClassID)>=6000000 and toint(DeviceEventClassID)<7000000,\"Application Control\",\"System\")))))))\r\n| extend actionReason = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString1, \"\")\r\n| extend sha1 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString2, \"\")\r\n| extend md5 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString3, \"\")\r\n| parse AdditionalExtensions with * \"target=\" target \";\" *\r\n| extend LIDescription = iff (DeepSecurityModuleName == \"Log Inspection\", DeviceCustomString1, \"\")\r\n| extend FragmentationBits = iff (DeepSecurityModuleName == \"Firewall\", DeviceCustomString3, \"\")\r\n| extend TCPFlags = iff (DeepSecurityModuleName == \"Firewall\" or DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString2, \"\")\r\n| extend InfectedResource = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString3, \"\")\r\n| extend ResourceType = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString4, \"\")\r\n| extend RiskLevel = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString5, \"\")\r\n| extend DPIStreamPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString5, \"\")\r\n| extend DPIFlags = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString6, \"\")\r\n| extend DPIPacketPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomNumber3, 0)\r\n| where DeviceProduct startswith \"Deep Security\"\r\n| project-away DeviceCustomNumber1, DeviceCustomNumber1Label, DeviceCustomNumber2, DeviceCustomNumber2Label, DeviceCustomNumber3, DeviceCustomNumber3Label, DeviceCustomString1, DeviceCustomString1Label, DeviceCustomString2, DeviceCustomString2Label, DeviceCustomString3, DeviceCustomString3Label, DeviceCustomString4, DeviceCustomString4Label, DeviceCustomString5, DeviceCustomString5Label, DeviceCustomString6, DeviceCustomString6Label",
|
||||
"version": 1,
|
||||
"tags": [
|
||||
{
|
||||
|
|
@ -752,7 +726,7 @@
|
|||
"displayName": "TrendMicroDeepSecurity",
|
||||
"category": "Samples",
|
||||
"functionAlias": "TrendMicroDeepSecurity",
|
||||
"query": "\n\r\nCommonSecurityLog\r\n| where DeviceVendor has_any (\"TrendMicro\", \"Trend Micro\")\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", int(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", int(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", int(null)),DeviceCustomNumber3)\r\n| extend DeepSecurityHostID = DeviceCustomNumber1\r\n| extend DeepSecurityModuleName =\r\niff(toint(DeviceEventClassID) in (20,21,100,850,851,852,853,854),\"Firewall\",\r\niff(toint(DeviceEventClassID)>=1000000 and toint(DeviceEventClassID)<2000000,\"Intrusion Prevention\",\r\niff(toint(DeviceEventClassID)>=2000000 and toint(DeviceEventClassID)<3000000,\"Integrity Monitoring\",\r\niff(toint(DeviceEventClassID)>=3000000 and toint(DeviceEventClassID)<4000000,\"Log Inspection\",\r\niff(toint(DeviceEventClassID)>=4000000 and toint(DeviceEventClassID)<5000000,\"Anti-Malware\",\r\niff(toint(DeviceEventClassID)>=5000000 and toint(DeviceEventClassID)<6000000,\"Web Reputation\",\r\niff(toint(DeviceEventClassID)>=6000000 and toint(DeviceEventClassID)<7000000,\"Application Control\",\"System\")))))))\r\n| extend actionReason = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString1, \"\")\r\n| extend sha1 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString2, \"\")\r\n| extend md5 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString3, \"\")\r\n| parse AdditionalExtensions with * \"target=\" target \";\" *\r\n| extend LIDescription = iff (DeepSecurityModuleName == \"Log Inspection\", DeviceCustomString1, \"\")\r\n| extend FragmentationBits = iff (DeepSecurityModuleName == \"Firewall\", DeviceCustomString3, \"\")\r\n| extend TCPFlags = iff (DeepSecurityModuleName == \"Firewall\" or DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString2, \"\")\r\n| extend InfectedResource = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString3, \"\")\r\n| extend ResourceType = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString4, \"\")\r\n| extend RiskLevel = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString5, \"\")\r\n| extend DPIStreamPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString5, \"\")\r\n| extend DPIFlags = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString6, \"\")\r\n| extend DPIPacketPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomNumber3, 0)\r\n| where DeviceProduct startswith \"Deep Security\"\r\n| project-away DeviceCustomNumber1, DeviceCustomNumber1Label, DeviceCustomNumber2, DeviceCustomNumber2Label, DeviceCustomNumber3, DeviceCustomNumber3Label, DeviceCustomString1, DeviceCustomString1Label, DeviceCustomString2, DeviceCustomString2Label, DeviceCustomString3, DeviceCustomString3Label, DeviceCustomString4, DeviceCustomString4Label, DeviceCustomString5, DeviceCustomString5Label, DeviceCustomString6, DeviceCustomString6Label",
|
||||
"query": "\n\r\nCommonSecurityLog\r\n| where DeviceVendor has_any (\"TrendMicro\", \"Trend Micro\")\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\r\n| extend DeepSecurityHostID = DeviceCustomNumber1\r\n| extend DeepSecurityModuleName =\r\niff(toint(DeviceEventClassID) in (20,21,100,850,851,852,853,854),\"Firewall\",\r\niff(toint(DeviceEventClassID)>=1000000 and toint(DeviceEventClassID)<2000000,\"Intrusion Prevention\",\r\niff(toint(DeviceEventClassID)>=2000000 and toint(DeviceEventClassID)<3000000,\"Integrity Monitoring\",\r\niff(toint(DeviceEventClassID)>=3000000 and toint(DeviceEventClassID)<4000000,\"Log Inspection\",\r\niff(toint(DeviceEventClassID)>=4000000 and toint(DeviceEventClassID)<5000000,\"Anti-Malware\",\r\niff(toint(DeviceEventClassID)>=5000000 and toint(DeviceEventClassID)<6000000,\"Web Reputation\",\r\niff(toint(DeviceEventClassID)>=6000000 and toint(DeviceEventClassID)<7000000,\"Application Control\",\"System\")))))))\r\n| extend actionReason = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString1, \"\")\r\n| extend sha1 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString2, \"\")\r\n| extend md5 = iff(DeepSecurityModuleName == \"Application Control\", DeviceCustomString3, \"\")\r\n| parse AdditionalExtensions with * \"target=\" target \";\" *\r\n| extend LIDescription = iff (DeepSecurityModuleName == \"Log Inspection\", DeviceCustomString1, \"\")\r\n| extend FragmentationBits = iff (DeepSecurityModuleName == \"Firewall\", DeviceCustomString3, \"\")\r\n| extend TCPFlags = iff (DeepSecurityModuleName == \"Firewall\" or DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString2, \"\")\r\n| extend InfectedResource = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString3, \"\")\r\n| extend ResourceType = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString4, \"\")\r\n| extend RiskLevel = iff(DeepSecurityModuleName == \"Anti-Malware\", DeviceCustomString5, \"\")\r\n| extend DPIStreamPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString5, \"\")\r\n| extend DPIFlags = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomString6, \"\")\r\n| extend DPIPacketPosition = iff(DeepSecurityModuleName == \"Intrusion Prevention\", DeviceCustomNumber3, 0)\r\n| where DeviceProduct startswith \"Deep Security\"\r\n| project-away DeviceCustomNumber1, DeviceCustomNumber1Label, DeviceCustomNumber2, DeviceCustomNumber2Label, DeviceCustomNumber3, DeviceCustomNumber3Label, DeviceCustomString1, DeviceCustomString1Label, DeviceCustomString2, DeviceCustomString2Label, DeviceCustomString3, DeviceCustomString3Label, DeviceCustomString4, DeviceCustomString4Label, DeviceCustomString5, DeviceCustomString5Label, DeviceCustomString6, DeviceCustomString6Label",
|
||||
"version": 1
|
||||
}
|
||||
},
|
||||
|
|
@ -789,7 +763,7 @@
|
|||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "2.0.0",
|
||||
"version": "2.0.1",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "2.0.0",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
|
|
@ -846,4 +820,4 @@
|
|||
}
|
||||
],
|
||||
"outputs": {}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче