Merge branch 'Azure:master' into master

This commit is contained in:
rahul0216 2024-11-27 05:22:32 -08:00 коммит произвёл GitHub
Родитель 12b9c85843 39c79bb9bc
Коммит 7e299743ec
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
44 изменённых файлов: 4371 добавлений и 2485 удалений


@ -0,0 +1,113 @@
{
"Name":"Rubrik_Events_Data_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "custom_details_objectId_g",
"Type": "string"
},
{
"Name": "custom_details_seriesId_g",
"Type": "string"
},
{
"Name": "custom_details_id_g",
"Type": "string"
},
{
"Name": "custom_details_clusterId_g",
"Type": "string"
},
{
"Name": "summary_s",
"Type": "string"
},
{
"Name": "source_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "timestamp_s",
"Type": "datetime"
},
{
"Name": "class_s",
"Type": "string"
},
{
"Name": "custom_details_type_s",
"Type": "string"
},
{
"Name": "custom_details_objectId_s",
"Type": "string"
},
{
"Name": "custom_details_objectName_s",
"Type": "string"
},
{
"Name": "custom_details_objectType_s",
"Type": "string"
},
{
"Name": "custom_details_status_s",
"Type": "string"
},
{
"Name": "custom_details_clusterName_s",
"Type": "string"
},
{
"Name": "custom_details_eventName_s",
"Type": "string"
},
{
"Name": "custom_details_auditUserName_s",
"Type": "string"
},
{
"Name": "custom_details_auditUserId_s",
"Type": "string"
},
{
"Name": "custom_details_location_s",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
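Review bot: The `timestamp_s` entry is declared with `"Type": "datetime"`, but in Log Analytics custom-log column naming the `_s` suffix marks a string column (`_t` is the datetime suffix), and the companion sample data carries the field as an ISO-8601 string such as `2024-11-08T05:30:40.64979627Z`. If the live `Rubrik_Events_Data_CL` table stores it as a string, the entry should be `"Name": "timestamp_s", "Type": "string"` so KQL consumers and the sample-data validator agree on the type; if it is truly a datetime column, the name should carry the `_t` suffix instead. The `_g` columns typed as `string` are acceptable for GUID values but are worth confirming against the workspace schema in the same pass. This looks like a validation schema rather than the ingestion DCR, so the likely failure mode is a validator mismatch rather than dropped events — confirm against the deployed table.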


@ -1,5 +1,5 @@
id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
name: Identify Mango Sandstorm powershell commands
name: Identify Mango Sandstorm powershell commands
description: |
'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
@ -7,7 +7,7 @@ severity: High
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
@ -29,23 +29,22 @@ query: |
| where EventID == 4688
| where Process has_any ("powershell.exe","powershell_ise.exe","pwsh.exe") and CommandLine has_cs "-exec bypass -w 1 -enc"
| where CommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
| extend DvcHostName = Computer, ProcessID = ProcessId
| extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account
),
(DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc"
| where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
| extend DvcHostName = DeviceName, ProcessID = InitiatingProcessId
| where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc"
| where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
| extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), ActorUsername = strcat(AccountDomain, @"\", AccountName)
),
(imProcessCreate
| where Process has_any ("powershell.exe","powershell_ise.exe","pwsh.exe") and CommandLine has_cs "-exec bypass -w 1 -enc"
| where CommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
| extend ProcessID = TargetProcessId
| extend ProcessId = tostring(TargetProcessId)
)
)
| extend AccountName = tostring(split(ActorUsername, "\\")[0]), AccountNTDomain = tostring(split(ActorUsername, "\\")[1]), ProcessID = TargetProcessId
| extend AccountName = tostring(split(ActorUsername, "\\")[0]), AccountNTDomain = tostring(split(ActorUsername, "\\")[1])
| extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
entityMappings:
- entityType: Account
fieldMappings:
@ -53,8 +52,8 @@ entityMappings:
columnName: ActorUsername
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: NTDomain
columnName: AccountNTDomain
- entityType: Host
fieldMappings:
- identifier: FullName
@ -66,8 +65,8 @@ entityMappings:
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ProcessID
version: 1.0.4
columnName: ProcessId
version: 1.0.5
kind: Scheduled
metadata:
source:
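Review bot: The final `extend` assigns the account parts the wrong way round: `AccountName = tostring(split(ActorUsername, "\\")[0])` takes the text before the backslash, yet the DeviceProcessEvents branch builds `ActorUsername` as `strcat(AccountDomain, @"\", AccountName)` and the SecurityEvent `Account` value is normally `DOMAIN\user`, so `AccountName` receives the domain and `AccountNTDomain` the user, and the Account entity (Name / NTDomain) is mapped backwards. It should read `| extend AccountName = tostring(split(ActorUsername, "\\")[1]), AccountNTDomain = tostring(split(ActorUsername, "\\")[0])`; for the imProcessCreate branch `ActorUsername` may be a UPN with no backslash, in which case index 1 is empty, so a guard such as `iff(ActorUsername has @"\", …, ActorUsername)` would keep the bare name in that case. Separately, the DeviceProcessEvents branch filters only `FileName =~ "powershell.exe"` while the other two branches also match `powershell_ise.exe` and `pwsh.exe`, so the same encoded command launched from pwsh on an MDE-only host is missed. The `union` that wraps these three branches starts before the hunk.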


@ -0,0 +1,10 @@
TimeGenerated [UTC],custom_details_objectId_g,custom_details_seriesId_g,custom_details_id_g,custom_details_clusterId_g,summary_s,source_s,severity_s,timestamp_s,class_s,custom_details_type_s,custom_details_objectId_s,custom_details_objectName_s,custom_details_objectType_s,custom_details_status_s,custom_details_clusterName_s,custom_details_eventName_s,custom_details_auditUserName_s,custom_details_auditUserId_s,custom_details_location_s
"11/8/2024, 5:30:42.136 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,6617cef8-c37c-41db-988e-d8372bbe90f3,00000000-0000-0000-0000-000000000000,Waiting for 1 snapshot(s) to be available for file recovery.,Rubrik Security Cloud,info,2024-11-08T05:30:40.64979627Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotsWaitForSnappableIndexTaskStarted,,,
"11/8/2024, 5:30:50.314 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3f-f5ce-7900-8443-8a368f5baa2b,688bc4b0-f17d-4784-a96f-9a8cd387e43d,00000000-0000-0000-0000-000000000000,Successfully replicated snapshot taken at 08 Nov 24 5:00 AM UTC for the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription to the region westus of TM-Lab-EA Azure subscription.,Rubrik Security Cloud,info,2024-11-08T05:29:57.30752593Z,Replication,Event,,use-test,AzureNativeVm,Success,Polaris,CloudNativeReplicateSnapshotsReplicateTaskSucceeded,,,
"11/8/2024, 5:25:31.234 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,9cb57a51-4064-4c45-a10b-4693f8b5aaa7,00000000-0000-0000-0000-000000000000,Started indexing of the snapshots of the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription.,Rubrik Security Cloud,info,2024-11-08T05:25:17.200115471Z,Index,Event,,use-test,AzureNativeVm,TaskSuccess,Polaris,CloudNativeIndexSnapshotsJobStarted,,,
"11/8/2024, 5:17:19.245 AM",,3787cdc1-a7ba-41ed-9c6e-cc5d8d4a2a27,88ece1ed-1a95-43b9-ae38-302cf05c19d8,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-other-events.,Rubrik Security Cloud,info,2024-11-08T05:17:18.370059549Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
"11/8/2024, 5:18:40.088 AM",,496f42ec-e684-4a04-b191-e6a3a122d49f,efb7669b-8891-4a76-a613-d104f661b856,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-AnomalyOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:18:39.20837609Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
"11/8/2024, 5:16:28.396 AM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-08T05:16:14.067423864Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
"11/7/2024, 1:25:23.986 PM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-07T13:25:01.215428023Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
"11/8/2024, 5:29:22.352 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,e17bfee9-bed2-4691-b58d-0885322600c0,00000000-0000-0000-0000-000000000000,Started indexing of snapshot taken at 08 Nov 24 5:00 AM UTC.,Rubrik Security Cloud,info,2024-11-08T05:29:20.550468555Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotBegin,,,
"11/8/2024, 5:21:33.309 AM",,28b3ccfd-6679-4f88-b416-5658d859dc6c,f690f13a-12f9-4b80-a268-48ba26a6e917,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-ThreathuntOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:21:31.535526647Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
1 TimeGenerated [UTC] custom_details_objectId_g custom_details_seriesId_g custom_details_id_g custom_details_clusterId_g summary_s source_s severity_s timestamp_s class_s custom_details_type_s custom_details_objectId_s custom_details_objectName_s custom_details_objectType_s custom_details_status_s custom_details_clusterName_s custom_details_eventName_s custom_details_auditUserName_s custom_details_auditUserId_s custom_details_location_s
2 11/8/2024, 5:30:42.136 AM 047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811 01930a3b-e0cf-7b83-b02c-2db1087d3b0d 6617cef8-c37c-41db-988e-d8372bbe90f3 00000000-0000-0000-0000-000000000000 Waiting for 1 snapshot(s) to be available for file recovery. Rubrik Security Cloud info 2024-11-08T05:30:40.64979627Z Index Event use-test AzureNativeVm Running Polaris CloudNativeIndexSnapshotsWaitForSnappableIndexTaskStarted
3 11/8/2024, 5:30:50.314 AM 047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811 01930a3f-f5ce-7900-8443-8a368f5baa2b 688bc4b0-f17d-4784-a96f-9a8cd387e43d 00000000-0000-0000-0000-000000000000 Successfully replicated snapshot taken at 08 Nov 24 5:00 AM UTC for the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription to the region westus of TM-Lab-EA Azure subscription. Rubrik Security Cloud info 2024-11-08T05:29:57.30752593Z Replication Event use-test AzureNativeVm Success Polaris CloudNativeReplicateSnapshotsReplicateTaskSucceeded
4 11/8/2024, 5:25:31.234 AM 047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811 01930a3b-e0cf-7b83-b02c-2db1087d3b0d 9cb57a51-4064-4c45-a10b-4693f8b5aaa7 00000000-0000-0000-0000-000000000000 Started indexing of the snapshots of the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription. Rubrik Security Cloud info 2024-11-08T05:25:17.200115471Z Index Event use-test AzureNativeVm TaskSuccess Polaris CloudNativeIndexSnapshotsJobStarted
5 11/8/2024, 5:17:19.245 AM 3787cdc1-a7ba-41ed-9c6e-cc5d8d4a2a27 88ece1ed-1a95-43b9-ae38-302cf05c19d8 00000000-0000-0000-0000-000000000000 xyz@gmail.com successfully created the webhook Rubrik-other-events. Rubrik Security Cloud info 2024-11-08T05:17:18.370059549Z Configuration Audit auth0|65b91cdc85d3150aa4a1b3d0 xyz@gmail.com User Success Polaris WebhookCreated xyz@gmail.com auth0|65b91cdc85d3150aa4a1b3d0
6 11/8/2024, 5:18:40.088 AM 496f42ec-e684-4a04-b191-e6a3a122d49f efb7669b-8891-4a76-a613-d104f661b856 00000000-0000-0000-0000-000000000000 xyz@gmail.com successfully created the webhook Rubrik-AnomalyOrchestrator. Rubrik Security Cloud info 2024-11-08T05:18:39.20837609Z Configuration Audit auth0|65b91cdc85d3150aa4a1b3d0 xyz@gmail.com User Success Polaris WebhookCreated xyz@gmail.com auth0|65b91cdc85d3150aa4a1b3d0
7 11/8/2024, 5:16:28.396 AM Rubrik Polaris webhook test event Rubrik Security Cloud info 2024-11-08T05:16:14.067423864Z Configuration Event Succeeded Rubrik Security Cloud test-location
8 11/7/2024, 1:25:23.986 PM Rubrik Polaris webhook test event Rubrik Security Cloud info 2024-11-07T13:25:01.215428023Z Configuration Event Succeeded Rubrik Security Cloud test-location
9 11/8/2024, 5:29:22.352 AM 047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811 01930a3b-e0cf-7b83-b02c-2db1087d3b0d e17bfee9-bed2-4691-b58d-0885322600c0 00000000-0000-0000-0000-000000000000 Started indexing of snapshot taken at 08 Nov 24 5:00 AM UTC. Rubrik Security Cloud info 2024-11-08T05:29:20.550468555Z Index Event use-test AzureNativeVm Running Polaris CloudNativeIndexSnapshotBegin
10 11/8/2024, 5:21:33.309 AM 28b3ccfd-6679-4f88-b416-5658d859dc6c f690f13a-12f9-4b80-a268-48ba26a6e917 00000000-0000-0000-0000-000000000000 xyz@gmail.com successfully created the webhook Rubrik-ThreathuntOrchestrator. Rubrik Security Cloud info 2024-11-08T05:21:31.535526647Z Configuration Audit auth0|65b91cdc85d3150aa4a1b3d0 xyz@gmail.com User Success Polaris WebhookCreated xyz@gmail.com auth0|65b91cdc85d3150aa4a1b3d0
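Review bot: The audit rows carry what looks like a live identity tuple — the Auth0 subject `auth0|65b91cdc85d3150aa4a1b3d0` in `custom_details_objectId_s` and `custom_details_auditUserId_s`, the `TM-Lab-EA` subscription name, the `use-test_group` resource group and several object GUIDs — and this sample file is committed to a public repository. The `xyz@gmail.com` address is clearly a placeholder, but the Auth0 user ID and the subscription/resource names appear to come from a real tenant; sample data should be synthesized throughout (e.g. `auth0|000000000000000000000000`, `contoso-sub`, all-zero or random GUIDs) so the repository does not disclose tenant identifiers. Note also that `timestamp_s` is carried as an ISO-8601 string here, which must match the type the table schema declares for that column or the sample-data validation will disagree with it.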


@ -2,11 +2,7 @@
"Name": "Broadcom SymantecDLP",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
"Data Connectors": [
"Data Connectors/Connector_Syslog_SymantecDLP.json",
"Data Connectors/template_SymantecDLPAMA.json"
],
"Description": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Parsers/SymantecDLP.yaml"
],
@ -14,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Broadcom SymantecDLP",
"Version": "3.0.2",
"Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
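Review bot: The new `Description` string runs two sentences together — `AMA Connector.The existing connectors` — and because this file is the input the packaging tool copies into the generated createUiDefinition.json, the typo is reproduced there as well; fix it here at the source: `...installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.` With both `Data Connectors` entries removed, ingestion now depends entirely on the `azuresentinel.azure-sentinel-solution-commoneventformat` dependency that the description still names, so that part of the text remains accurate.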

Двоичные данные
Solutions/Broadcom SymantecDLP/Package/3.0.3.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -50,39 +50,7 @@
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Broadcom SymantecDLP. You can get Broadcom SymantecDLP CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",


@ -33,27 +33,9 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Broadcom SymantecDLP",
"_solutionVersion": "3.0.2",
"_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-broadcomsymantecdlp",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "BroadcomSymantecDLP",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "BroadcomSymantecDLP",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"uiConfigId2": "BroadcomSymantecDLPAma",
"_uiConfigId2": "[variables('uiConfigId2')]",
"dataConnectorContentId2": "BroadcomSymantecDLPAma",
"_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
"dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"_dataConnectorId2": "[variables('dataConnectorId2')]",
"dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
"dataConnectorVersion2": "1.0.0",
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','SymantecDLP')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SymantecDLP')]",
@ -64,688 +46,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Broadcom SymantecDLP data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "[Deprecated] Broadcom Symantec DLP via Legacy Agent",
"publisher": "Broadcom",
"descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organizations information, where it travels, and improves your security operation capabilities.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecDLP",
"baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\""
}
],
"sampleQueries": [
{
"description": "Top 10 Triggered Activities",
"query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
},
{
"description": "Top 10 Filenames",
"query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
]
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SymantecDLP)",
"lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python –version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
"title": "2. Forward Symantec DLP logs to a Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python –version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Broadcom SymantecDLP",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Broadcom Symantec DLP via Legacy Agent",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Broadcom SymantecDLP",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Deprecated] Broadcom Symantec DLP via Legacy Agent",
"publisher": "Broadcom",
"descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organizations information, where it travels, and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecDLP",
"baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\""
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SymantecDLP)",
"lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
]
}
],
"sampleQueries": [
{
"description": "Top 10 Triggered Activities",
"query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
},
{
"description": "Top 10 Filenames",
"query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python –version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
"title": "2. Forward Symantec DLP logs to a Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python –version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
],
"id": "[variables('_uiConfigId1')]",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Broadcom SymantecDLP data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId2')]",
"title": "[Deprecated] Broadcom Symantec DLP via AMA",
"publisher": "Broadcom",
"descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organizations information, where it travels, and improves your security operation capabilities.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecDLP",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"sampleQueries": [
{
"description": "Top 10 Triggered Activities",
"query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
},
{
"description": "Top 10 Filenames",
"query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SymantecDLP)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
},
{
"title": "Step B. Forward Symantec DLP logs to a Syslog agent",
"description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "2. Secure your machine "
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"contentId": "[variables('_dataConnectorContentId2')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Broadcom SymantecDLP",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId2')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Broadcom Symantec DLP via AMA",
"contentProductId": "[variables('_dataConnectorcontentProductId2')]",
"id": "[variables('_dataConnectorcontentProductId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId2')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"contentId": "[variables('_dataConnectorContentId2')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Broadcom SymantecDLP",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Deprecated] Broadcom Symantec DLP via AMA",
"publisher": "Broadcom",
"descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organizations information, where it travels, and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecDLP",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (SymantecDLP)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Top 10 Triggered Activities",
"query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
},
{
"description": "Top 10 Filenames",
"query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update.",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
},
{
"title": "Step B. Forward Symantec DLP logs to a Syslog agent",
"description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "2. Secure your machine "
}
],
"id": "[variables('_uiConfigId2')]",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@ -755,7 +55,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SymantecDLP Data Parser with template version 3.0.2",
"description": "SymantecDLP Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@ -883,12 +183,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.2",
"version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Broadcom SymantecDLP",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention\">Broadcom Symantec Data Loss Prevention (DLP)</a> connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.</p>\n</li>\n</ol>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.</p>\n<p><strong>Data Connectors:</strong> 2, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention\">Broadcom Symantec Data Loss Prevention (DLP)</a> connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on <strong>Aug 31, 2024</strong>.</p>\n<p><strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -912,16 +212,6 @@
},
"dependencies": {
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
},
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",


@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.3 | 27-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.2 | 08-07-2024 | Deprecated **Data Connector** |
| 3.0.1 | 01-09-2023 | Addition of new Broadcom SymantecDLP AMA **Data Connector** |
| 3.0.0 | 27-07-2023 | Corrected the links in the solution. |


@ -1,4 +1,4 @@
from datetime import datetime, timedelta
from datetime import datetime, timedelta, timezone
import base64
import hashlib
import hmac
@ -20,7 +20,7 @@ container_name = "sentinelcontainer"
blob_name = "timestamp"
cs = os.environ.get('ConnectionString')
customer_id = os.environ.get('AzureSentinelWorkspaceId','')
shared_key = os.environ.get('AzureSentinelSharedKey')
verify = False
@ -32,7 +32,7 @@ url = None
qsdk_token = None
headers = {
"Content-Type": "application/json",
"Accept": "application/json",
"Accept": "application/json"
}
job_details_body = {
@ -92,17 +92,14 @@ job_details_body = {
"paths": [{"path": "/**/*"}],
}
@app.function_name(name="AzureFunctionCommvaultSecurityIQ")
@app.schedule(schedule="0 */5 * * * *", arg_name="myTimer", run_on_startup=True,
use_monitor=False)
def myTimer(myTimer: func.TimerRequest) -> None:
global qsdk_token,url
if myTimer.past_due:
def main(mytimer: func.TimerRequest) -> None:
global qsdk_token, url
if mytimer.past_due:
logging.info('The timer is past due!')
logging.info('Executing Python timer trigger function.')
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern, str(logAnalyticsUri))
if (not match):
@ -116,25 +113,40 @@ def myTimer(myTimer: func.TimerRequest) -> None:
url = "https://" + uri + "/commandcenter/api"
secret_name = "access-token"
qsdk_token = client.get_secret(secret_name).value
headers["authtoken"] = "QSDK "+qsdk_token
ustring = "/events?level=10&showInfo=false&showMinor=false&showMajor=true&showCritical=false&showAnomalous=true"
headers["authtoken"] = "QSDK " + qsdk_token
ustring = "/events?level=10&showInfo=false&showMinor=false&showMajor=true&showCritical=true&showAnomalous=true"
f_url = url + ustring
current_date = datetime.utcnow()
current_date = datetime.now(timezone.utc)
to_time = int(current_date.timestamp())
fromtime = read_blob(cs, container_name, blob_name)
if fromtime is None:
fromtime = int((current_date - timedelta(days=2)).timestamp())
logging.info("Starts at: [{}]".format(datetime.now().strftime("%Y-%m-%d %H:%M:%S")))
logging.info("From Time : [{}] , since the time read from blob is None".format(fromtime))
else:
fromtime_dt = datetime.fromtimestamp(fromtime, tz=timezone.utc)
time_diff = current_date - fromtime_dt
if time_diff > timedelta(days=2):
updatedfromtime = int((current_date - timedelta(days=2)).timestamp())
logging.info("From Time : [{}] , since the time read from blob : [{}] is older than 2 days".format(updatedfromtime,fromtime))
fromtime = updatedfromtime
elif time_diff < timedelta(minutes = 5):
updatedfromtime = int((current_date - timedelta(minutes=5)).timestamp())
logging.info("From Time : [{}] , since the time read from blob : [{}] is less than 5 minutes".format(updatedfromtime,fromtime))
fromtime = updatedfromtime
max_fetch = 1000
headers["pagingInfo"] = f"0,{max_fetch}"
logging.info("Starts at: [{}]".format(datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")))
event_endpoint = f"{f_url}&fromTime={fromtime}&toTime={to_time}"
logging.info("Event endpoint : [{}]".format(event_endpoint))
response = requests.get(event_endpoint, headers=headers, verify=verify)
logging.info("Response Status Code : " + str(response.status_code))
if response.status_code == 200:
events = response.json()
logging.info("Events Data")
logging.info(events)
data = events.get("commservEvents")
data = [event for event in data if event.get("eventCodeString") in "7:211|7:212|7:293|7:269|14:337|14:338|69:59|7:333|69:60|35:5575"]
data = [event for event in data if
event.get("eventCodeString") in "7:211|7:212|7:293|7:269|14:337|14:338|69:59|7:333|69:60|35:5575"]
post_data = []
if data:
for event in data:
@ -147,7 +159,7 @@ def myTimer(myTimer: func.TimerRequest) -> None:
upload_timestamp_blob(cs, container_name, blob_name, to_time+1)
logging.info("Function App Executed")
else:
print("No new events found.")
print("No new events found.")
else:
logging.error("Failed to get events with status code : "+str(response.status_code))
@ -195,22 +207,22 @@ def get_backup_anomaly(anomaly_id: int) -> str:
def define_severity(anomaly_sub_type: str) -> str | None:
"""
Function to get severity from anomaly sub type
Args:
anomaly_sub_type (str): The sub type of anomaly
Returns:
str | None: The severity of the anomaly or None if not found
"""
severity = None
if anomaly_sub_type in ("File Type", "Threat Analysis"):
severity = Constants.severity_high
elif anomaly_sub_type == "File Activity":
severity = Constants.severity_info
return severity
Function to get severity from anomaly sub type
Args:
anomaly_sub_type (str): The sub type of anomaly
Returns:
str | None: The severity of the anomaly or None if not found
"""
severity = None
if anomaly_sub_type in ("File Type", "Threat Analysis"):
severity = Constants.severity_high
elif anomaly_sub_type == "File Activity":
severity = Constants.severity_info
return severity
def if_zero_set_none(value: str | None | int) -> str | None | int:
@ -365,6 +377,7 @@ def get_job_details(job_id, url, headers):
logging.info(data)
return None
def get_user_details(client_name):
"""
Retrieves the user ID and user name associated with a given client name.
@ -511,7 +524,7 @@ def build_signature(date, content_length, method, content_type, resource):
Returns:
str: The authorization signature
"""
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
@ -584,7 +597,7 @@ def gen_chunks_to_object(data, chunksize=100):
Yields:
_type_: the chunk
"""
"""
chunk = []
for index, line in enumerate(data):
if (index % chunksize == 0 and index > 0):
@ -636,7 +649,7 @@ def read_blob(connection_string, container_name, blob_name):
Returns:
int | None: Timestamp or None if not found
"""
try:
blob_service_client = BlobServiceClient.from_connection_string(connection_string)
blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
@ -647,11 +660,11 @@ def read_blob(connection_string, container_name, blob_name):
timestamp = int(content)
logging.info(f"Timestamp read from blob {blob_name}: {timestamp}")
return timestamp
except ResourceNotFoundError:
logging.info(f"Blob '{blob_name}' does not exist.")
return None
except Exception as e:
logging.error(f"An error occurred: {str(e)}")
raise e



@ -160,6 +160,7 @@
"AzureSentinelWorkspaceId": "[parameters('AzureSentinelWorkspaceId')]",
"AzureSentinelSharedKey": "[parameters('AzureSentinelSharedKey')]",
"ConnectionString": "[parameters('ConnectionString')]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"KeyVaultName": "[parameters('KeyVaultName')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CommvaultSecurityIQ-functionapp"
}
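Review bot: The new `AzureWebJobsStorage` setting bakes the storage account's key1 (`listKeys(...).keys[0].value`) into a plaintext app setting at deployment time, although this same settings block already references a `KeyVaultName`; the key is then readable by anyone who can list the Function App's settings, and rotating key1 breaks the app until the template is redeployed. Prefer an identity-based connection, i.e. replace the line with `"AzureWebJobsStorage__accountName": "[toLower(parameters('FunctionName'))]"` and assign the app's managed identity the storage data roles on that account (a separate role-assignment resource, not shown in this hunk), or at minimum point the value at a Key Vault reference rather than the raw key. The storage apiVersion `'2019-06-01'` is hard-coded here; the storage account resource itself is outside this hunk, so I can't confirm the two agree.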


@ -2,19 +2,15 @@
"Name": "Forcepoint CASB",
"Author": "Forcepoint",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
"Description": "The [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Workbooks": [
"Solutions/Forcepoint CASB/Workbooks/ForcepointCASB.json"
],
"Data Connectors": [
"Solutions/Forcepoint CASB/Data Connectors/Forcepoint CASB.json",
"Solutions/Forcepoint CASB/Data Connectors/template_Forcepoint CASBAMA.json"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\Github\\Azure-Sentinel",
"Version": "3.0.1",
"Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Solutions/Forcepoint CASB/Package/3.0.2.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -51,30 +51,6 @@
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Forcepoint CASB. You can get Forcepoint CASB CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",


@ -39,7 +39,7 @@
},
"variables": {
"_solutionName": "Forcepoint CASB",
"_solutionVersion": "3.0.1",
"_solutionVersion": "3.0.2",
"solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-casb",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@ -49,24 +49,6 @@
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"uiConfigId1": "ForcepointCasb",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "ForcepointCasb",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"uiConfigId2": "ForcepointCasbAma",
"_uiConfigId2": "[variables('uiConfigId2')]",
"dataConnectorContentId2": "ForcepointCasbAma",
"_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
"dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"_dataConnectorId2": "[variables('dataConnectorId2')]",
"dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
"dataConnectorVersion2": "1.0.0",
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@ -79,7 +61,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ForcepointCASB Workbook with template version 3.0.1",
"description": "ForcepointCASB Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -140,6 +122,10 @@
{
"contentId": "ForcepointCasbAma",
"kind": "DataConnector"
},
{
"contentId": "CefAma",
"kind": "DataConnector"
}
]
}
@ -160,729 +146,17 @@
"version": "[variables('workbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Forcepoint CASB data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "[Deprecated] Forcepoint CASB via Legacy Agent",
"publisher": "Forcepoint CASB",
"descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ForcepointCASB",
"baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n"
}
],
"sampleQueries": [
{
"description": "Top 5 Users With The Highest Number Of Logs",
"query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
},
{
"description": "Top 5 Users by Number of Failed Attempts ",
"query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (ForcepointCASB)",
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
},
{
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
"title": "5. Forcepoint integration installation guide "
}
],
"metadata": {
"id": "04f93db2-8f2a-4edc-bb78-9e1e7587faff",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Forcepoint"
},
"support": {
"name": "Forcepoint",
"link": "https://support.forcepoint.com",
"tier": "developer"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Forcepoint CASB",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Forcepoint"
},
"support": {
"tier": "Community",
"name": "Community",
"link": "https://github.com/Azure/Azure-Sentinel/issues"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Forcepoint CASB via Legacy Agent",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Forcepoint CASB",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Forcepoint"
},
"support": {
"tier": "Community",
"name": "Community",
"link": "https://github.com/Azure/Azure-Sentinel/issues"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Deprecated] Forcepoint CASB via Legacy Agent",
"publisher": "Forcepoint CASB",
"descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ForcepointCASB",
"baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (ForcepointCASB)",
"lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Top 5 Users With The Highest Number Of Logs",
"query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
},
{
"description": "Top 5 Users by Number of Failed Attempts ",
"query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
},
{
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
"title": "5. Forcepoint integration installation guide "
}
],
"id": "[variables('_uiConfigId1')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Forcepoint CASB data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId2')]",
"title": "[Deprecated] Forcepoint CASB via AMA",
"publisher": "Forcepoint CASB",
"descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ForcepointCASB",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"sampleQueries": [
{
"description": "Top 5 Users With The Highest Number Of Logs",
"query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
},
{
"description": "Top 5 Users by Number of Failed Attempts ",
"query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (ForcepointCASB)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
},
{
"title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
"description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "2. Secure your machine "
},
{
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
"title": "3. Forcepoint integration installation guide "
}
],
"metadata": {
"id": "04f93db2-8f2a-4edc-bb78-9e1e7587faff",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Forcepoint"
},
"support": {
"name": "Forcepoint",
"link": "https://support.forcepoint.com",
"tier": "developer"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"contentId": "[variables('_dataConnectorContentId2')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Forcepoint CASB",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Forcepoint"
},
"support": {
"tier": "Community",
"name": "Community",
"link": "https://github.com/Azure/Azure-Sentinel/issues"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId2')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Forcepoint CASB via AMA",
"contentProductId": "[variables('_dataConnectorcontentProductId2')]",
"id": "[variables('_dataConnectorcontentProductId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId2')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"contentId": "[variables('_dataConnectorContentId2')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Forcepoint CASB",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Forcepoint"
},
"support": {
"tier": "Community",
"name": "Community",
"link": "https://github.com/Azure/Azure-Sentinel/issues"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Deprecated] Forcepoint CASB via AMA",
"publisher": "Forcepoint CASB",
"descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ForcepointCASB",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (ForcepointCASB)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Top 5 Users With The Highest Number Of Logs",
"query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
},
{
"description": "Top 5 Users by Number of Failed Attempts ",
"query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
},
{
"title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
"description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "2. Secure your machine "
},
{
"description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
"title": "3. Forcepoint integration installation guide "
}
],
"id": "[variables('_uiConfigId2')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Forcepoint CASB",
"publisherDisplayName": "Community",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.forcepoint.com/product/casb-cloud-access-security-broker\">Forcepoint CASB</a> (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.</p>\n<p>For more details about this solution refer to <a href=\"https://forcepoint.github.io/docs/casb_and_azure_sentinel/\">integration documentation</a>.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by <strong>Aug 31, 2024</strong>.</p>\n<p><strong>Data Connectors:</strong> 2, <strong>Workbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.forcepoint.com/product/casb-cloud-access-security-broker\">Forcepoint CASB</a> (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.</p>\n<p>For more details about this solution refer to <a href=\"https://forcepoint.github.io/docs/casb_and_azure_sentinel/\">integration documentation</a>.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on <strong>Aug 31, 2024</strong>.</p>\n<p><strong>Workbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -909,16 +183,6 @@
"contentId": "[variables('_workbookContentId1')]",
"version": "[variables('workbookVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-commoneventformat"


@ -1,6 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.1 | 15-07-2024 | Deprecating data connectors |
| 3.0.0 | 31-08-2023 | Addition of new Forcepoint CASB AMA **Data Connector** | |
| 3.0.2 | 27-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.1 | 15-07-2024 | Deprecating data connectors |
| 3.0.0 | 31-08-2023 | Addition of new Forcepoint CASB AMA **Data Connector** |

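--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,11 +2,7 @@
 "Name": "Illumio Core",
 "Author": "Microsoft",
 "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-"Description": "The [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
-"Data Connectors": [
-"Solutions/Illumio Core/Data Connectors/Connector_IllumioCore_CEF.json",
-"Solutions/Illumio Core/Data Connectors/template_IllumioCoreAMA.json"
-],
+"Description": "The [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
 "Parsers": [
 "Solutions/Illumio Core/Parsers/IllumioCoreEvent.yaml"
 ],
@@ -14,7 +10,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
-"Version": "3.0.2",
+"Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false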

Solutions/Illumio Core/Package/3.0.3.zip Normal file


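--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
-"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Core/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Core/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
 "visible": true
 }
 ],
-"steps": [
-{
-"name": "dataconnectors",
-"label": "Data Connectors",
-"bladeTitle": "Data Connectors",
-"elements": [
-{
-"name": "dataconnectors1-text",
-"type": "Microsoft.Common.TextBlock",
-"options": {
-"text": "This Solution installs the data connector for Illumio Core. You can get Illumio Core CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-}
-},
-{
-"name": "dataconnectors-parser-text",
-"type": "Microsoft.Common.TextBlock",
-"options": {
-"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
-}
-},
-{
-"name": "dataconnectors-link2",
-"type": "Microsoft.Common.TextBlock",
-"options": {
-"link": {
-"label": "Learn more about connecting data sources",
-"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-}
-}
-}
-]
-}
-],
+"steps": [{}],
 "outputs": {
 "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
 "location": "[location()]",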


@ -31,27 +31,9 @@
},
"variables": {
"_solutionName": "Illumio Core",
"_solutionVersion": "3.0.2",
"_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-illumiocore",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "IllumioCore",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "IllumioCore",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"uiConfigId2": "IllumioCoreAma",
"_uiConfigId2": "[variables('uiConfigId2')]",
"dataConnectorContentId2": "IllumioCoreAma",
"_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
"dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"_dataConnectorId2": "[variables('dataConnectorId2')]",
"dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
"dataConnectorVersion2": "1.0.0",
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','IllumioCoreEvent')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'IllumioCoreEvent')]",
@ -62,668 +44,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Illumio Core data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "[Deprecated] Illumio Core via Legacy Agent",
"publisher": "Illumio",
"descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "IllumioCore",
"baseQuery": "IllumioCoreEvent"
}
],
"sampleQueries": [
{
"description": "Top 10 Event Types",
"query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (IllumioCore)",
"lastDataReceivedQuery": "IllumioCoreEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"IllumioCoreEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM)."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "2.1 Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\n2.2 Configure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.",
"title": "2. Configure Ilumio Core to send logs using CEF"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Illumio Core",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Illumio Core via Legacy Agent",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Illumio Core",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Deprecated] Illumio Core via Legacy Agent",
"publisher": "Illumio",
"descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "IllumioCore",
"baseQuery": "IllumioCoreEvent"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (IllumioCore)",
"lastDataReceivedQuery": "IllumioCoreEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"IllumioCoreEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Top 10 Event Types",
"query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM)."
},
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "2.1 Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\n2.2 Configure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.",
"title": "2. Configure Ilumio Core to send logs using CEF"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
],
"id": "[variables('_uiConfigId1')]",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Illumio Core data connector with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId2')]",
"title": "[Deprecated] Illumio Core via AMA",
"publisher": "Illumio",
"descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "IllumioCore",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"sampleQueries": [
{
"description": "Top 10 Event Types",
"query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (IllumioCore)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM).",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
},
{
"title": "Step B. Configure Ilumio Core to send logs using CEF",
"description": "Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\nConfigure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration."
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "2. Secure your machine "
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"contentId": "[variables('_dataConnectorContentId2')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Illumio Core",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId2')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Illumio Core via AMA",
"contentProductId": "[variables('_dataConnectorcontentProductId2')]",
"id": "[variables('_dataConnectorcontentProductId2')]",
"version": "[variables('dataConnectorVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId2')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
"contentId": "[variables('_dataConnectorContentId2')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Illumio Core",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft"
},
"support": {
"name": "Microsoft",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "[Deprecated] Illumio Core via AMA",
"publisher": "Illumio",
"descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "IllumioCore",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (IllumioCore)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "Top 10 Event Types",
"query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM).",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
},
{
"title": "Step B. Configure Ilumio Core to send logs using CEF",
"description": "Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\nConfigure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration."
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "2. Secure your machine "
}
],
"id": "[variables('_uiConfigId2')]",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@ -733,7 +53,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "IllumioCoreEvent Data Parser with template version 3.0.2",
"description": "IllumioCoreEvent Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@ -859,12 +179,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.2",
"version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Illumio Core",
"publisherDisplayName": "Microsoft Sentinel, Microsoft",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Core/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.illumio.com/products/\">Illumio Core</a> solution allows you to ingest Illumio Core logs into Microsoft Sentinel.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by <strong>Aug 31, 2024</strong>.</p>\n<p><strong>Data Connectors:</strong> 2, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Core/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.illumio.com/products/\">Illumio Core</a> solution allows you to ingest Illumio Core logs into Microsoft Sentinel.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on <strong>Aug 31, 2024</strong>.</p>\n<p><strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -887,16 +207,6 @@
},
"dependencies": {
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId2')]",
"version": "[variables('dataConnectorVersion2')]"
},
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",


@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------|
| 3.0.2 | 15-07-2024 | Deprecating data connector |
| 3.0.3 | 27-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.2 | 15-07-2024 | Deprecating data connector |
| 3.0.1 | 12-09-2023 | Addition of new Illumio Core AMA **Data Connector** |
| 3.0.0 | 24-07-2023 | Corrected the links in the solution. |

Двоичные данные
Solutions/Okta Single Sign-On/Package/3.1.0.zip

Двоичный файл не отображается.


@ -55,7 +55,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Okta Single Sign-On",
"_solutionVersion": "3.0.11",
"_solutionVersion": "3.1.0",
"solutionId": "azuresentinel.azure-sentinel-solution-okta",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@ -234,6 +234,8 @@
"parserVersion1": "1.0.2",
"parserContentId1": "OktaSSO-Parser"
},
"SessionId": "authenticationContext_externalSessionId_s",
"_SessionId": "[variables('SessionId')]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@ -246,7 +248,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -365,7 +367,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -475,7 +477,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -585,7 +587,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -712,7 +714,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -785,7 +787,7 @@
}
],
"customDetails": {
"SessionId": "authenticationContext_externalSessionId_s",
"SessionId": "[variables('_SessionId')]",
"Location": "Location"
},
"alertDetailsOverride": {
@ -845,7 +847,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -959,7 +961,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -1030,7 +1032,7 @@
}
],
"customDetails": {
"SessionId": "authenticationContext_externalSessionId_s"
"SessionId": "[variables('_SessionId')]"
}
}
},
@ -1085,7 +1087,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@ -1208,7 +1210,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.11",
"description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@ -1326,7 +1328,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Okta Single Sign-On data connector with template version 3.0.11",
"description": "Okta Single Sign-On data connector with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -2678,7 +2680,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.11",
"description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@ -2763,7 +2765,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.11",
"description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@ -2848,7 +2850,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.11",
"description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@ -2933,7 +2935,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.11",
"description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@ -3018,7 +3020,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.11",
"description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@ -3103,7 +3105,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.11",
"description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@ -3188,7 +3190,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.11",
"description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@ -3273,7 +3275,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.11",
"description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@ -3358,7 +3360,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.11",
"description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@ -3443,7 +3445,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.11",
"description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@ -3528,7 +3530,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "OktaCustomConnector Playbook with template version 3.0.11",
"description": "OktaCustomConnector Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -4823,7 +4825,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.11",
"description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -5182,7 +5184,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Okta-PromptUser Playbook with template version 3.0.11",
"description": "Okta-PromptUser Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@ -5633,7 +5635,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Okta-ResponseFromTeams Playbook with template version 3.0.11",
"description": "Okta-ResponseFromTeams Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@ -6140,7 +6142,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "OktaSingleSignOn Workbook with template version 3.0.11",
"description": "OktaSingleSignOn Workbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -6236,7 +6238,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "OktaSSO Data Parser with template version 3.0.11",
"description": "OktaSSO Data Parser with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@ -6364,7 +6366,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.11",
"version": "3.1.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Okta Single Sign-On",


@ -13,12 +13,12 @@ def orchestrator_function(context: df.DurableOrchestrationContext):
Returns:
str: result of Activity function
"""
applogger.debug("{} AnomalyOrchestrator function called!".format(LOGS_STARTS_WITH))
applogger.info("{} AnomalyOrchestrator function called!".format(LOGS_STARTS_WITH))
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": ANOMALY_LOG_TYPE}
)
applogger.debug(
applogger.info(
"{} AnomalyOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1


@ -0,0 +1,28 @@
"""This __init__ file will be called by Http Starter function to pass the Other Events data to activity function."""
import azure.durable_functions as df
from shared_code.consts import EVENTS_LOG_TYPE, LOGS_STARTS_WITH
from shared_code.logger import applogger
def orchestrator_function(context: df.DurableOrchestrationContext):
"""Get General data from durable orchestration context and schedule an activity for execution.
Args:
context (df.DurableOrchestrationContext): Context of the durable orchestration execution.
Returns:
str: result of Activity function
"""
applogger.info("{} RubrikEventOrchestrator function called!".format(LOGS_STARTS_WITH))
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": EVENTS_LOG_TYPE}
)
applogger.info(
"{} RubrikEventOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1
main = df.Orchestrator.create(orchestrator_function)
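Review bot: The function name in both `applogger.info` messages is `RubrikEventOrchestrator`, while the data connector instructions rewritten in this same commit tell users to replace `{functionname}` in the webhook URL with `RubrikEventsOrchestrator`; if the HTTP route is derived from the function folder name, one of the two is wrong and every webhook for this log type would be rejected, so confirm the folder, the log text and the instructions agree. The docstring also says "Get General data" where the module docstring says "Other Events data"; suggest `"""Get Other Events data from durable orchestration context and schedule an activity for execution.`. Since `context.get_input()` is forwarded to the activity untouched, a one-line comment saying where the payload is parsed (the HTTP starter, judging by `get_data_from_request_body` elsewhere in this commit) would help the next reader.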


@ -0,0 +1,10 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "context",
"type": "orchestrationTrigger",
"direction": "in"
}
]
}


@ -23,9 +23,7 @@ def get_data_from_request_body(request):
json_data = json.dumps(data)
return json_data
except ValueError as value_error:
applogger.error(
"{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, value_error)
)
applogger.error("{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, value_error))
raise RubrikException(value_error)
except Exception as err:
applogger.error("{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, err))
@ -63,11 +61,7 @@ async def main(req: func.HttpRequest, starter: str) -> func.HttpResponse:
headers={"Content-Length": str(len(body))},
)
else:
applogger.info(
"{}(method={})No required data found.".format(
LOGS_STARTS_WITH, __method_name
)
)
applogger.info("{}(method={})No required data found.".format(LOGS_STARTS_WITH, __method_name))
body = "No required data found."
return func.HttpResponse(
body=body,


@ -13,14 +13,14 @@ def orchestrator_function(context: df.DurableOrchestrationContext):
Returns:
str: result of Activity function
"""
applogger.debug(
applogger.info(
"{} RansomwareOrchestrator function called!".format(LOGS_STARTS_WITH)
)
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": RANSOMWARE_LOG_TYPE}
)
applogger.debug(
applogger.info(
"{} RansomwareOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1


@ -13,14 +13,14 @@ def orchestrator_function(context: df.DurableOrchestrationContext):
Returns:
str: result of Activity function
"""
applogger.debug(
applogger.info(
"{} ThreatHuntOrchestrator function called!".format(LOGS_STARTS_WITH)
)
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": THREATHUNT_LOG_TYPE}
)
applogger.debug(
applogger.info(
"{} ThreatHuntOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1



@ -18,6 +18,11 @@
"metricName": "Total ThreatHunt Event data received",
"legend": "Rubrik_ThreatHunt_Data_CL",
"baseQuery": "Rubrik_ThreatHunt_Data_CL"
},
{
"metricName": "Total Other Events data received",
"legend": "Rubrik_Events_Data_CL",
"baseQuery": "Rubrik_Events_Data_CL"
}
],
"sampleQueries": [
@ -32,6 +37,10 @@
{
"description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.",
"query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc"
},
{
"description": "Rubrik Other Events - Other Events for all severity types.",
"query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
@ -46,6 +55,10 @@
{
"name": "Rubrik_ThreatHunt_Data_CL",
"lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Rubrik_Events_Data_CL",
"lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
@ -66,6 +79,12 @@
"value": [
"Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
@ -137,7 +156,7 @@
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
"description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
@ -149,7 +168,7 @@
},
{
"title": "",
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://<CustomerId>.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
},
{
"title": "",
@ -161,11 +180,11 @@
},
{
"title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel.",
"description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url."
"description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. Select the following severity levels: Critical, Warning, Informational \n 6. Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url."
},
{
"title": "",
"description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n"
"description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n"
}
]
}
}
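Review bot: The rewritten manual-deployment step `**2. Configure the Function App**` now lists the application settings as `AnomaliesTableName`, `RansomwareAnalysisTableName`, `ThreatHuntsTableName` and `EventsTableName`, but the function code in this commit (consts.py) reads `Anomalies_table_name`, `RansomwareAnalysis_table_name`, `ThreatHunts_table_name` and `Events_table_name`, which is also what azuredeploy.json sets; a manual deployment that follows the new text would silently fall back to the defaults now hard-coded in consts.py. The previous wording of that step had the correct setting names, so restore them there (the Option 1 text lists ARM template parameters, where the new names are right). Separately, the rewritten webhook step 3 still says to use the "URL part" of the copied Function-url but drops the old steps that supplied the function access key via the `x-functions-key` header, so the text no longer says how the webhook authenticates to the function; state whether the Microsoft Sentinel webhook provider carries the key itself or whether the full URL including its `code` parameter must be pasted, because an unauthenticated endpoint or a key pasted where it is not expected are both likely outcomes of the current wording.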


@ -24,25 +24,33 @@
},
"AnomaliesTableName": {
"type": "string",
"defaultValue": "Rubrik_Anomaly_Data_CL",
"defaultValue": "Rubrik_Anomaly_Data",
"metadata": {
"description": "Enter name of the table used to store Rubrik Anamaly logs. Default is 'Rubrik_Anomaly_Data_CL'"
}
},
"RansomwareAnalysisTableName": {
"type": "string",
"defaultValue": "Rubrik_Ransomware_Data_CL",
"metadata": {
"defaultValue": "Rubrik_Ransomware_Data",
"metadata": {
"description": "Enter name of the table used to store Rubrik Ransomware logs. Default is 'Rubrik_Ransomware_Data_CL'"
}
},
"ThreatHuntsTableName": {
"type": "string",
"defaultValue": "Rubrik_ThreatHunt_Data_CL",
"metadata": {
"defaultValue": "Rubrik_ThreatHunt_Data",
"metadata": {
"description": "Enter name of the table used to store Rubrik ThreatHunt logs. Default is 'Rubrik_ThreatHunt_Data_CL'"
}
},
"EventsTableName": {
"type": "string",
"defaultValue": "Rubrik_Events_Data",
"metadata": {
"description": "Enter the table name for types other than Anomaly, Ransomware, and Threat Hunt"
}
},
"LogLevel": {
"type": "string",
"metadata": {
@ -117,7 +125,6 @@
"keySource": "Microsoft.Storage"
},
"minimumTlsVersion": "TLS1_2"
}
},
{
@ -217,7 +224,7 @@
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.9"
"linuxFxVersion": "python|3.11"
}
},
"resources": [
@ -231,6 +238,7 @@
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~4",
"FUNCTIONS_WORKER_RUNTIME": "python",
"AzureWebJobsDisableHomepage": "True",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
@ -240,6 +248,7 @@
"RansomwareAnalysis_table_name": "[parameters('RansomwareAnalysisTableName')]",
"ThreatHunts_table_name": "[parameters('ThreatHuntsTableName')]",
"Anomalies_table_name": "[parameters('AnomaliesTableName')]",
"Events_table_name": "[parameters('EventsTableName')]",
"LogLevel": "[parameters('LogLevel')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-RubrikWebhookEvents-functionapp"
}
@ -283,4 +292,4 @@
}
}
]
}
}
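Review bot: The three table-name defaults drop the `_CL` suffix (`"defaultValue": "Rubrik_Anomaly_Data"` and the two siblings) while each `metadata.description` still says "Default is 'Rubrik_Anomaly_Data_CL'"; presumably the change is because Log Analytics appends `_CL` to custom-log names itself, but the description should say so, otherwise a user who enters the full `_CL` name the old default suggested gets a differently named table and the connector's `Rubrik_*_Data_CL` queries find nothing. Suggest `"description": "Enter name of the table used to store Rubrik Anomaly logs, without the _CL suffix (Log Analytics appends it). Default is 'Rubrik_Anomaly_Data', which creates 'Rubrik_Anomaly_Data_CL'"` and the equivalent for the other three, including the new `EventsTableName` whose description states no default at all. The hunks cut through the `parameters` and `siteConfig` objects, so those definitions continue outside the hunk.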


@ -6,6 +6,7 @@ DEFAULT_LOG_LEVEL = "INFO"
LOG_LEVEL = os.environ.get("LogLevel", "")
WORKSPACE_ID = os.environ.get("WorkspaceID")
WORKSPACE_KEY = os.environ.get("WorkspaceKey")
ANOMALY_LOG_TYPE = os.environ.get("Anomalies_table_name")
RANSOMWARE_LOG_TYPE = os.environ.get("RansomwareAnalysis_table_name")
THREATHUNT_LOG_TYPE = os.environ.get("ThreatHunts_table_name")
ANOMALY_LOG_TYPE = os.environ.get("Anomalies_table_name", "Rubrik_Anomaly_Data")
RANSOMWARE_LOG_TYPE = os.environ.get("RansomwareAnalysis_table_name", "Rubrik_Ransomware_Data")
THREATHUNT_LOG_TYPE = os.environ.get("ThreatHunts_table_name", "Rubrik_ThreatHunt_Data")
EVENTS_LOG_TYPE = os.environ.get("Events_table_name", "Rubrik_Events_Data")
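Review bot: The new defaults on `os.environ.get("Anomalies_table_name", "Rubrik_Anomaly_Data")` and its three siblings turn a missing or misnamed app setting from a visible failure (a `None` log type) into a silent fallback, so a deployment whose settings use other names (the connector's manual-deployment text in this commit lists `AnomaliesTableName`-style names) would quietly write to the default tables. Consider logging the effective table names once at startup if that does not create an import cycle with `shared_code.logger`, and add a comment above the block such as `# Defaults apply when the app setting is absent; the _CL suffix is added by Log Analytics.` — the second clause only if that is indeed why the suffix was dropped here and in azuredeploy.json. `WORKSPACE_ID` and `WORKSPACE_KEY` correctly keep no default.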


@ -16,13 +16,14 @@
"Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json",
"Playbooks/RubrikUserIntelligenceAnalysis/azuredeploy.json",
"Playbooks/RubrikRetrieveUserIntelligenceInformation/azuredeploy.json",
"Playbooks/RubrikAnomalyGenerateDownloadableLink/azuredeploy.json"
"Playbooks/RubrikAnomalyGenerateDownloadableLink/azuredeploy.json",
"Playbooks/RubrikWorkloadAnalysis/azuredeploy.json"
],
"Data Connectors": [
"Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json"
],
"BasePath": "C:\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud",
"Version": "3.2.1",
"Version": "3.3.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Двоичные данные
Solutions/RubrikSecurityCloud/Package/3.3.0.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/rubrikLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubriks Data Observability services into Microsoft Sentinel. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/rubrikLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubriks Data Observability services into Microsoft Sentinel. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",



@ -0,0 +1,66 @@
# RubrikWorkloadAnalysis
## Summary
This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.
### Prerequisites
1. User must have a valid Rubrik Client ID and Client Secret.
2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId
* Create a Key Vault with a unique name
* Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik--Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively
**NOTE:** Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to **'Vault access policy'**
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required parameters:
* Playbook Name: Enter the playbook name here.
* Keyvault Name: Enter name of keyvault where service account credentials are stored(e.g. RubrikSentinelKeyVault).
* Tenant ID: Enter Tenant ID of your Microsoft EntraID where keyvault is available.
* Rubrik Base URL: Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com).
* Increase Severity Level: Enter a value to increase the severity level of the incident.(Example: for value 1 incident severity will change from Low to Medium)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRubrikSecurityCloud%2FPlaybooks%2FRubrikWorkloadAnalysis%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRubrikSecurityCloud%2FPlaybooks%2FRubrikWorkloadAnalysis%2Fazuredeploy.json)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection like keyvault, azureloganalytics.
1. Go to your logic app -> API connections -> Select keyvault connection resource
2. Go to General -> edit API connection
3. Click the keyvault connection resource
4. Click edit API connection
5. Click Authorize
6. Sign in
7. Click Save
8. Repeat steps for other connections
#### b. Assign Role to add a comment in the incident
After authorizing each connection, assign a role to this playbook.
1. Go to Log Analytics Workspace → <your workspace> → Access Control → Add
2. Add role assignment
3. Assignment type: Job function roles
4. Role: Microsoft Sentinel Contributor
5. Members: select managed identity for "assigned access to" and add your logic app as a member.
6. Click on review+assign
#### c. Add Access policy in Keyvault
Add access policy for the playbook's managed identity to read, and write secrets of key vault.
1. Go to the logic app → <your logic app> → identity → System assigned Managed identity and copy Object (principal) ID.
2. Go to keyvaults → <your keyvault> → Access policies → create.
3. Select all keys & secrets permissions. Click next.
4. In the principal section, search by copied object ID. Click next.
5. Click review + create.
#### d. Configurations in Microsoft Sentinel
1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.
* Analytic Rule must contain at least one of the below fields mapped in Custom Details to successfully run this playbook.
* IP
* Host
2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.
* Go to Microsoft Sentinel -> <your workspace> -> Automation
* Click on **Create** -> **Automation rule**
* Provide a name for your rule
* In the Analytic rule name condition, select the analytic rule that you have created.
* In Actions dropdown select **Run playbook**
* In the second dropdown select your deployed playbook
* Click on **Apply**
* Save the Automation rule.
**NOTE:** If you want to manually run the playbook on a particular incident follow the below steps:
- Go to Microsoft Sentinel -> <your workspace> -> Incidents
- Select an incident.
- In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.
- click on the Run button beside this playbook.



@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.3.0 | 19-11-2024 | Added one new Playbook(RubrikWorkloadAnalysis) and updated the RubrikWebhookEvents Data Connector to add a new Orchestrator for Rubrik Events.
| 3.2.1 | 11-11-2024 | Fixed the issue of Custom Connector id parameter in RubrikRansomwareDiscoveryAndVmRecovery playbook. |
| 3.2.0 | 24-02-2024 | Added 3 new Playbooks(RubrikFileObjectContextAnalysis, RubrikUserIntelligenceAnalysis, RubrikRetrieveUserIntelligenceInformation) for FileObject and User, fixed clusterLocation issue of Collect_IOC_Scan_Data adaptive card in RubrikRansomwareDiscoveryAndVmRecovery playbook and updated python packages to fix vulnerability CVE-2023-50782 of cryptography module. Enhanced Anomaly Analysis playbook and added RubrikAnomalyGenerateDownloadableLink playbook. |
| 3.1.0 | 20-10-2023 | Updated the **DataConnector** code by implementing Durable Function App. |


@ -2,7 +2,7 @@
"publisherId": "rubrik_inc",
"offerId": "rubrik_sentinel",
"firstPublishDate": "2022-07-19",
"lastPublishDate": "2024-03-17",
"lastPublishDate": "2024-11-19",
"providers": [
"Rubrik"
],


@ -1040,8 +1040,7 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
"ForcepointCasb",
"ForcepointCasbAma"
"CefAma"
],
"previewImagesFileNames": [
"ForcepointCASBWhite.png",


@ -1357,8 +1357,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
"ForcepointCasb",
"ForcepointCasbAma",
"CefAma"
],
"previewImagesFileNames": [