Merge pull request #10727 from Azure/v-sabiraj-Sophospackageupdate

Sophos Endpoint Protection package update
v-dvedak 2024-07-08 13:38:43 +05:30 коммит произвёл GitHub
Родитель 7ee29991d1 089f4f342e
Коммит 7f3010e62d
Идентификатор ключа GPG: B5690EEEBB952194
7 изменённых файлов: 308 добавлений и 31 удалений


@ -17,13 +17,14 @@
"type": "OAuth2",
"ClientSecret": "{{clientSecret}}",
"ClientId": "{{clientId}}",
"GrantType": "client_credentials",
"TokenEndpoint": "https://id.sophos.com/api/v2/oauth2/token",
"tokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
},
"scope": "token"
"TokenEndpointQueryParameters": {},
"scope": "token",
"grantType": "client_credentials"
},
"request": {
"apiEndpoint": "https://api-{{sophosRegion}}.central.sophos.com/siem/v1/alerts",
@ -55,7 +56,7 @@
{
"name": "SophosEndpointProtectionCCPEventsPolling",
"apiVersion": "2022-12-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"type": "Microsoft.SecurityInsights/dataConnectors",
"location": "{{location}}",
"kind": "RestApiPoller",
"properties": {
@ -70,13 +71,14 @@
"type": "OAuth2",
"ClientSecret": "{{clientSecret}}",
"ClientId": "{{clientId}}",
"GrantType": "client_credentials",
"TokenEndpoint": "https://id.sophos.com/api/v2/oauth2/token",
"tokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
},
"scope": "token"
"TokenEndpointQueryParameters": {},
"scope": "token",
"grantType": "client_credentials"
},
"request": {
"apiEndpoint": "https://api-{{sophosRegion}}.central.sophos.com/siem/v1/events",
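Review bot: The rewritten auth block mixes key casings — the new `grantType` and `scope` are camelCase while `ClientSecret`, `ClientId`, `TokenEndpoint` and the added `TokenEndpointQueryParameters` stay PascalCase (lines 16–27 and 42–53 here, and the same shape in the second connector template and both pollers of mainTemplate.json). If the RestApiPoller deserializer is case-insensitive this is harmless, but one consistent form, e.g. `"tokenEndpointQueryParameters": {}`, keeps the block readable and rules out a duplicate-key surprise if a camelCase twin is ever added. The second hunk switches the events poller's `type` to `Microsoft.SecurityInsights/dataConnectors` (line 36); the alerts poller's resource header sits above line 17 and is not in the diff, so confirm it declares the same type. Both resource bodies continue outside the hunks.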


@ -1,7 +1,7 @@
[
{
"name": "SophosEPAlerts_CL",
"type": "Microsoft.OperationalInsights/workspaces",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"apiVersion": "2021-03-01-privatepreview",
"location": "{{location}}",
"tags": {},
@ -85,7 +85,7 @@
},
{
"name": "SophosEPEvents_CL",
"type": "Microsoft.OperationalInsights/workspaces",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"apiVersion": "2021-03-01-privatepreview",
"location": "{{location}}",
"tags": {},
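Review bot: Both table resources keep `"apiVersion": "2021-03-01-privatepreview"` next to the corrected `Microsoft.OperationalInsights/workspaces/tables` type (lines 65–66 and 74–75), while the same two tables added to mainTemplate.json in this commit are declared with `"apiVersion": "2022-10-01"`. If this file is the source the package is generated from, aligning it to `"apiVersion": "2022-10-01"` removes the dependence on a private-preview API version; if the packaging step rewrites it, the difference is cosmetic but still worth a look. The enclosing array continues outside both hunks.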


@ -779,13 +779,14 @@
"type": "OAuth2",
"ClientSecret": "[[parameters('clientSecret')]",
"ClientId": "[[parameters('clientId')]",
"GrantType": "client_credentials",
"TokenEndpoint": "[variables('tokenEndpoint')]",
"tokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
},
"scope": "token"
"TokenEndpointQueryParameters": {},
"scope": "token",
"grantType": "client_credentials"
},
"request": {
"apiEndpoint": "[[concat('https://api-',parameters('sophosRegion'), variables('alertsApiEndpoint'))]",
@ -832,13 +833,14 @@
"type": "OAuth2",
"ClientSecret": "[[parameters('clientSecret')]",
"ClientId": "[[parameters('clientId')]",
"GrantType": "client_credentials",
"TokenEndpoint": "[variables('tokenEndpoint')]",
"tokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
},
"scope": "token"
"TokenEndpointQueryParameters": {},
"scope": "token",
"grantType": "client_credentials"
},
"request": {
"apiEndpoint": "[[concat('https://api-',parameters('sophosRegion'), variables('eventsApiEndpoint'))]",

Solutions/Sophos Endpoint Protection/Package/3.0.4.zip Normal file



@ -57,14 +57,14 @@
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors-text1",
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Sophos Endpoint Protection. You can get Sophos Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-text2",
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Sophos Endpoint Protection. You can get Sophos Endpoint Protection data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."


@ -47,7 +47,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Sophos Endpoint Protection",
"_solutionVersion": "3.0.3",
"_solutionVersion": "3.0.4",
"solutionId": "azuresentinel.azure-sentinel-solution-sophosep",
"_solutionId": "[variables('solutionId')]",
"parserObject1": {
@ -66,12 +66,14 @@
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"dataConnectorCCPVersion": "1.0.0",
"_dataConnectorContentIdConnectorDefinition2": "SophosEndpointProtectionCCPDefinition",
"dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]",
"_dataConnectorContentIdConnections2": "SophosEndpointProtectionCCPDefinitionConnections",
"dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]",
"dataCollectionEndpointId2": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@ -84,7 +86,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SophosEPEvent Data Parser with template version 3.0.3",
"description": "SophosEPEvent Data Parser with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@ -216,7 +218,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Sophos Endpoint Protection data connector with template version 3.0.3",
"description": "Sophos Endpoint Protection data connector with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -625,6 +627,7 @@
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "SophosEndpointProtectionCCPDefinition",
@ -741,8 +744,7 @@
}
]
}
},
"kind": "Customizable"
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
@ -784,6 +786,7 @@
"apiVersion": "2022-06-01",
"type": "Microsoft.Insights/dataCollectionRules",
"location": "[parameters('workspace-location')]",
"kind": "[variables('blanks')]",
"properties": {
"dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]",
"streamDeclarations": {
@ -947,7 +950,7 @@
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"workspaceResourceId": "[variables('workspaceResourceId')]",
"name": "clv2ws1"
}
]
@ -975,6 +978,220 @@
}
]
}
},
{
"name": "SophosEPAlerts_CL",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"location": "[parameters('workspace-location')]",
"properties": {
"schema": {
"name": "SophosEPAlerts_CL",
"columns": [
{
"name": "TimeGenerated",
"type": "Datetime",
"isDefaultDisplay": true,
"description": "The timestamp (UTC) reflecting the time in which the event was generated."
},
{
"name": "CustomerId",
"type": "string"
},
{
"name": "EventSeverity",
"type": "string"
},
{
"name": "EventVendor",
"type": "string"
},
{
"name": "EventType",
"type": "string"
},
{
"name": "EventProduct",
"type": "string"
},
{
"name": "event_service_event_id",
"type": "string"
},
{
"name": "EventEndTime",
"type": "datetime"
},
{
"name": "DvcAction",
"type": "string"
},
{
"name": "description",
"type": "string"
},
{
"name": "DvcHostname",
"type": "string"
},
{
"name": "EventOriginalUid",
"type": "string"
},
{
"name": "data",
"type": "dynamic"
},
{
"name": "Source",
"type": "string"
},
{
"name": "info",
"type": "dynamic"
},
{
"name": "ThreatName",
"type": "string"
},
{
"name": "threat_cleanable",
"type": "boolean"
}
]
}
}
},
{
"name": "SophosEPEvents_CL",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"location": "[parameters('workspace-location')]",
"properties": {
"schema": {
"name": "SophosEPEvents_CL",
"columns": [
{
"name": "TimeGenerated",
"type": "Datetime",
"isDefaultDisplay": true,
"description": "The timestamp (UTC) reflecting the time in which the event was generated."
},
{
"name": "EventVendor",
"type": "string"
},
{
"name": "EventProduct",
"type": "string"
},
{
"name": "EventType",
"type": "string"
},
{
"name": "amsi_threat_data",
"type": "dynamic"
},
{
"name": "appCerts",
"type": "dynamic"
},
{
"name": "AppSha256",
"type": "string"
},
{
"name": "CoreRemedyItems",
"type": "string"
},
{
"name": "CoreRemedyTotalItems",
"type": "int"
},
{
"name": "Created",
"type": "datetime"
},
{
"name": "CustomerId",
"type": "string"
},
{
"name": "details",
"type": "dynamic"
},
{
"name": "EndpointId",
"type": "string"
},
{
"name": "SrcDvcType",
"type": "string"
},
{
"name": "ThreatCategory",
"type": "string"
},
{
"name": "EventOriginalUid",
"type": "string"
},
{
"name": "ips_threat_data",
"type": "dynamic"
},
{
"name": "DvcHostname",
"type": "string"
},
{
"name": "EventMessage",
"type": "string"
},
{
"name": "EventSubType",
"type": "string"
},
{
"name": "EventSeverity",
"type": "string"
},
{
"name": "Source",
"type": "string"
},
{
"name": "source_info",
"type": "dynamic"
},
{
"name": "SrcIpAddr",
"type": "string"
},
{
"name": "ThreatName",
"type": "string"
},
{
"name": "DvcAction",
"type": "string"
},
{
"name": "DstUserSid",
"type": "string"
},
{
"name": "EventEndTime",
"type": "datetime"
},
{
"name": "whitelist_properties",
"type": "dynamic"
}
]
}
}
}
]
},
@ -992,6 +1209,7 @@
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "SophosEndpointProtectionCCPDefinition",
@ -1108,8 +1326,7 @@
}
]
}
},
"kind": "Customizable"
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
@ -1177,11 +1394,6 @@
"type": "string",
"minLength": 1
},
"sophosTenantId": {
"defaultValue": "Enter sophosTenantId value",
"type": "string",
"minLength": 1
},
"connectorDefinitionName": {
"defaultValue": "Sophos Endpoint Protection (using REST API) (Preview)",
"type": "string",
@ -1198,6 +1410,11 @@
},
"type": "object"
},
"sophosTenantId": {
"defaultValue": "sophosTenantId",
"type": "string",
"minLength": 1
},
"AuthorizationCode": {
"defaultValue": "-NA-",
"type": "securestring",
@ -1239,6 +1456,7 @@
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "SophosEndpointProtectionCCPDefinition",
"dataType": "SophosEPAlerts_CL",
@ -1251,13 +1469,14 @@
"type": "OAuth2",
"ClientSecret": "[[parameters('ClientSecret')]",
"ClientId": "[[parameters('ClientId')]",
"GrantType": "client_credentials",
"TokenEndpoint": "https://id.sophos.com/api/v2/oauth2/token",
"tokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
},
"scope": "token"
"TokenEndpointQueryParameters": {},
"scope": "token",
"grantType": "client_credentials"
},
"request": {
"apiEndpoint": "[[concat('https://api-', parameters('sophosRegion'), '.central.sophos.com/siem/v1/alerts')]",
@ -1284,8 +1503,61 @@
"$.items"
]
}
},
"kind": "RestApiPoller"
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'SophosEndpointProtectionCCPEventsPolling')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "SophosEndpointProtectionCCPDefinition",
"dataType": "SophosEPEvents_CL",
"dcrConfig": {
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
"streamName": "Custom-SophosEPEvents_CL"
},
"auth": {
"type": "OAuth2",
"ClientSecret": "[[parameters('ClientSecret')]",
"ClientId": "[[parameters('ClientId')]",
"TokenEndpoint": "https://id.sophos.com/api/v2/oauth2/token",
"tokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
},
"TokenEndpointQueryParameters": {},
"scope": "token",
"grantType": "client_credentials"
},
"request": {
"apiEndpoint": "[[concat('https://api-', parameters('sophosRegion'), '.central.sophos.com/siem/v1/events')]",
"rateLimitQPS": 10,
"queryWindowInMin": 5,
"httpMethod": "GET",
"retryCount": 3,
"timeoutInSeconds": 60,
"queryTimeFormat": "UnixTimestamp",
"startTimeAttributeName": "from_date",
"headers": {
"Accept": "application/json",
"X-Tenant-ID": "[[parameters('sophosTenantId')]"
}
},
"paging": {
"pagingType": "NextPageToken",
"nextPageTokenJsonPath": "$.next_cursor",
"hasNextFlagJsonPath": "$.has_more",
"nextPageParaName": "cursor"
},
"response": {
"eventsJsonPaths": [
"$.items"
]
}
}
}
]
},
@ -1303,7 +1575,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.3",
"version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Sophos Endpoint Protection",
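Review bot: The relocated `sophosTenantId` parameter (lines 475–479) now carries `"defaultValue": "sophosTenantId"`, which satisfies `"minLength": 1`, so a deployment that forgets to set it passes validation and the events poller sends that literal string as `X-Tenant-ID` (line 554). Drop the `defaultValue` so the parameter is genuinely required, or keep the previous self-describing placeholder; either way the failure should surface at validation rather than as a connector created with an unusable tenant id. Both pollers read `[[parameters('ClientSecret')]` (lines 493 and 532) but that parameter's declaration is outside the hunks, so confirm it is a `securestring` like `AuthorizationCode` (line 482). The new table schemas write `"type": "Datetime"` for `TimeGenerated` (lines 236, 319) but `"datetime"` for the other date columns — use the lowercase form throughout.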


@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.4 | 01-07-2024 | Updated files for CCP connector to fix the connectivity |
| 3.0.3 | 25-04-2024 | Repackaged for parser issue with old names |
| 3.0.2 | 12-04-2024 | Repackaged for parser fix in solution package |
| 3.0.1 | 12-03-2024 | Updated Sophos Endpoint **Function App** and **Parser** <br/>Added new CCP **Data Connector** |