Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Symantec VIP Template Package (#5039) 

* Symantec VIP Template Package

* preview + id fixes

* handle review comments

* 3p fix

* branding fix
This commit is contained in:
elforb 2022-05-26 03:54:47 -07:00 коммит произвёл GitHub
Родитель cc5cf85a4b
Коммит 851627ca83
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
11 изменённых файлов: 1287 добавлений и 125 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

124
DataConnectors/Symantec VIP/Connector_Syslog_SymantecVIP.json
Просмотреть файл

@ -1,124 +0,0 @@
{
"id": "SymantecVIP",
"title": "Symantec VIP",
"publisher": "Symantec",
"descriptionMarkdown": "The [Symantec VIP](https://vip.symantec.com/) connector allows you to easily connect your Symantec VIP logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"additionalRequirementBanner":"These queries and workbooks are dependent on a parser based on a Kusto Function to work as expected. Follow the steps to use this Kusto functions alias **SymantecVIP** in queries and workbooks. [Follow these steps to get this Kusto functions.](https://aka.ms/sentinelgithubparserssymantecvip)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecVIP",
"baseQuery": "SymantecVIP"
}
],
"sampleQueries": [
{
"description" : "Top 10 Reasons for Failed RADIUS Authentication ",
"query": "SymantecVIP \n | summarize count() by Reason \n| top 10 by count_"
},
{
"description" : "Top 10 Users",
"query": "SymantecVIP \n | summarize count() by User \n| top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (SymantecVIP)",
"lastDataReceivedQuery": "SymantecVIP \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SymantecVIP \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Symantec VIP",
"description": "must be configured to export logs via Syslog"
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinelgithubparserssymantecvip) to use the Kusto function alias, **SymantecVIP**",
"instructions": [
]
},
{
"title": "1. Install and onboard the agent for Linux",
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "3. Configure and connect the Symantec VIP",
"description":"[Follow these instructions](https://help.symantec.com/cs/VIP_EG_INSTALL_CONFIG/VIP/v134652108_v128483142/Configuring-syslog) to configure the Symantec VIP Enterprise Gateway to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
}
]
}

1
Detections/SymantecVIP/ClientDeniedAccess.yaml → Solutions/Symantec VIP/Analytical Rules/ClientDeniedAccess.yaml
Просмотреть файл

@ -40,4 +40,5 @@ entityMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
status: Available
kind: Scheduled

1
Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml → Solutions/Symantec VIP/Analytical Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml
Просмотреть файл

@ -34,4 +34,5 @@ entityMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
status: Available
kind: Scheduled

123
Solutions/Symantec VIP/Data Connectors/Connector_Syslog_SymantecVIP.json Normal file
Просмотреть файл

@ -0,0 +1,123 @@
{
"id": "SymantecVIP",
"title": "Symantec VIP",
"publisher": "Symantec",
"descriptionMarkdown": "The [Symantec VIP](https://vip.symantec.com/) connector allows you to easily connect your Symantec VIP logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on a Kusto Function to work as expected. Follow the steps to use this Kusto functions alias **SymantecVIP** in queries and workbooks. [Follow these steps to get this Kusto functions.](https://aka.ms/sentinelgithubparserssymantecvip)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecVIP",
"baseQuery": "SymantecVIP"
}
],
"sampleQueries": [
{
"description": "Top 10 Reasons for Failed RADIUS Authentication ",
"query": "SymantecVIP \n | summarize count() by Reason \n| top 10 by count_"
},
{
"description": "Top 10 Users",
"query": "SymantecVIP \n | summarize count() by User \n| top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (SymantecVIP)",
"lastDataReceivedQuery": "SymantecVIP \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SymantecVIP \n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "write permission is required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Symantec VIP",
"description": "must be configured to export logs via Syslog"
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinelgithubparserssymantecvip) to use the Kusto function alias, **SymantecVIP**",
"instructions": []
},
{
"title": "1. Install and onboard the agent for Linux",
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "2. Configure the logs to be collected",
"description": "Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**.",
"instructions": [
{
"parameters": {
"linkType": "OpenSyslogSettings"
},
"type": "InstallAgent"
}
]
},
{
"title": "3. Configure and connect the Symantec VIP",
"description": "[Follow these instructions](https://help.symantec.com/cs/VIP_EG_INSTALL_CONFIG/VIP/v134652108_v128483142/Configuring-syslog) to configure the Symantec VIP Enterprise Gateway to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
}
]
}

22
Solutions/Symantec VIP/Data/Solution_SymantecVIP.json Normal file
Просмотреть файл

@ -0,0 +1,22 @@
{
"Name": "Symantec VIP",
"Author": "Microsoft",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/symantec_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Symantec VIP](https://vip.symantec.com/) solution for Microsoft Sentinel enables you to ingest Symantec VIP's authentication logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n- [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
"Data Connectors": [
"DataConnectors/Symantec VIP/Connector_Syslog_SymantecVIP.json"
],
"Workbooks": [
"Workbooks/SymantecVIP.json"
],
"Analytic Rules": [
"Detections/SymantecVIP/ClientDeniedAccess.yaml",
"Detections/SymantecVIP/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml"
],
"Parsers": ["Parsers/SymantecVIP/SymantecVIP.txt"],
"BasePath": "C:\\Users\\v-eliforbes\\Azure-Sentinel",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}

Двоичные данные
Solutions/Symantec VIP/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

176
Solutions/Symantec VIP/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,176 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/symantec_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Symantec VIP](https://vip.symantec.com/) solution for Microsoft Sentinel enables you to ingest Symantec VIP's authentication logs into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n- [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Symantec VIP. You can get Symantec VIP Syslog data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the Syslog table in your Microsoft Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "ClientDeniedAccess",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates an incident in the event a Client has an excessive amounts of denied access requests."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Excessive Failed Authentication from Invalid Inputs",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

948
Solutions/Symantec VIP/Package/mainTemplate.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

0
Parsers/SymantecVIP/SymantecVIP.txt → Solutions/Symantec VIP/Parsers/SymantecVIP.txt
Просмотреть файл

15
Solutions/Symantec VIP/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-symantecvip",
"firstPublishDate": "2022-05-16",
"providers": ["Symantec"],
"categories": {
"domains" : ["Security - Network"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

2
Workbooks/SymantecVIP.json → Solutions/Symantec VIP/Workbooks/SymantecVIP.json
Просмотреть файл

@ -403,6 +403,6 @@
"name": "query - 4 - Copy"
}
],
"fromTemplateId": "sentinel-UserWorkbook",
"fromTemplateId": "sentinel-SymantecVIP",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}