diff --git a/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json b/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
index d118cfe875..aea2387f66 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
+++ b/Solutions/Apache Log4j Vulnerability Detection/Data/Solution_Log4j.json
@@ -2,7 +2,7 @@ "Name": "Apache Log4j Vulnerability Detection", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "Microsoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR", + "Description": "Microsoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. 
The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR", "Workbooks": [ "Workbooks/Log4jPostCompromiseHunting.json", "Workbooks/Log4jImpactAssessment.json" 
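Review bot: The `[domain solution](...)` link added to the new Description is an Outlook Safe Links wrapper (`https://nam06.safelinks.protection.outlook.com/?url=...&data=...`) rather than the documentation URL itself; its `data=` query string carries an individual's mailbox address plus tenant and message identifiers, and the wrapper depends on Outlook link protection rather than on the destination. It should be replaced with the decoded target that the `url=` parameter already encodes, `https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions`, which is also what the Attacker Tools solution in this same commit does with `https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions`. The same wrapped link is copied into createUiDefinition.json in the next file's hunk and presumably into the regenerated mainTemplate.json descriptionHtml, so it should be fixed in this source file and the package regenerated.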
@@ -34,7 +34,7 @@
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Apache Log4j Vulnerability Detection",
 "Metadata": "SolutionMetadata.json",
- "Version": "2.0.5",
+ "Version": "3.0.2",
 "TemplateSpec": true,
 "Is1Pconnector": true
 }
\ No newline at end of file
diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/3.0.2.zip b/Solutions/Apache Log4j Vulnerability Detection/Package/3.0.2.zip
new file mode 100644
index 0000000000..f325115165
Binary files /dev/null and b/Solutions/Apache Log4j Vulnerability Detection/Package/3.0.2.zip differ
diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json b/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json
index 67cdbbb06d..44d33a7bf7 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json
+++ b/Solutions/Apache Log4j Vulnerability Detection/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. 
Microsoft Defender XDR\n\n**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 10, **Watchlists:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft's security research teams have been tracking threats taking advantage of [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), a remote code execution (RCE) vulnerability in [Apache Log4j 2](https://logging.apache.org/log4j/2.x/) referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/). 
This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.\n\n**Prerequisite :-**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Azure Web Application Firewall (WAF) \n 2. Microsoft 365 \n 3. Windows Server DNS \n 4. CiscoASA \n 5. PaloAlto-PAN-OS \n 6. Microsoft Entra ID \n 7. Azure Activity \n 8. Amazon Web Services \n 9. Azure Firewall \n 10. SquidProxy \n 11. Zscaler Private Access (ZPA) \n 12. Syslog \n 13. Check Point \n 14. Microsoft Defender XDR\n\n**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 10, **Watchlists:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json index ec3e8334c0..83667ffc6c 100644 --- a/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json +++ b/Solutions/Apache Log4j Vulnerability Detection/Package/mainTemplate.json 
@@ -57,7 +57,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Apache Log4j Vulnerability Detection",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-apachelog4jvulnerability",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -182,7 +182,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Log4jPostCompromiseHunting Workbook with template version 3.0.1",
+ "description": "Log4jPostCompromiseHunting Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -298,7 +298,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Log4jImpactAssessment Workbook with template version 3.0.1",
+ "description": "Log4jImpactAssessment Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -406,7 +406,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Log4jVulnerableMachines_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "Log4jVulnerableMachines_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -443,13 +443,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "VirtualMachine"
+ "columnName": "VirtualMachine",
+ "identifier": "HostName"
 }
- ],
- "entityType": "Host"
+ ]
 }
 ]
 }
@@ -505,7 +505,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AzureWAFmatching_log4j_vuln_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "AzureWAFmatching_log4j_vuln_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -547,13 +547,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "MaliciousHost"
+ "columnName": "MaliciousHost",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
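Review bot: The entityMappings hunks at -443 and -547 here, and the ones at -726 and -898 on the next two lines, change nothing but key order: `entityType` now precedes `fieldMappings` and `columnName` precedes `identifier`, with every value identical. JSON key order carries no meaning, so these are serialization-order churn from the packaging tool rather than content edits, and they add close to a hundred changed lines to what the release entry calls a description update, burying the real changes (the description, the `operator` removal) in noise. If the generator cannot be made to emit a stable key order, the release entry should at least say the template was regenerated so later readers do not hunt for a semantic change in these hunks.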
@@ -609,7 +609,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Log4J_IPIOC_Dec112021_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "Log4J_IPIOC_Dec112021_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -726,39 +726,39 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPEntity"
+ "columnName": "IPEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 }
 ]
 }
@@ -814,7 +814,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserAgentSearch_log4j_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "UserAgentSearch_log4j_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -898,31 +898,31 @@
 ],
 "entityMappings": [
 {
+ "entityType": "URL",
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Url"
+ "columnName": "Url",
+ "identifier": "Url"
 }
- ],
- "entityType": "URL"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "SourceIP"
+ "columnName": "SourceIP",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Account"
+ "columnName": "Account",
+ "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -978,7 +978,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "WAF_log4j_vulnerability_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "WAF_log4j_vulnerability_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1063,7 +1063,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NetworkConnectionldap_log4j_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "NetworkConnectionldap_log4j_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1148,7 +1148,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Firewall_Disable_Activity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Firewall_Disable_Activity_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1233,7 +1233,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Apache_log4j_Vulnerability_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Apache_log4j_Vulnerability_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1318,7 +1318,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Process_Termination_Activity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Process_Termination_Activity_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -1403,7 +1403,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Suspicious_ShellScript_Activity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Suspicious_ShellScript_Activity_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -1488,7 +1488,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Base64_Download_Activity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Base64_Download_Activity_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -1573,7 +1573,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Container_Miner_Activity_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Container_Miner_Activity_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1658,7 +1658,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Linux_Toolkit_Detected_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "Linux_Toolkit_Detected_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1743,7 +1743,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NetworkConnectionToNewExternalLDAPServer_HuntingQueries Hunting Query with template version 3.0.1",
+ "description": "NetworkConnectionToNewExternalLDAPServer_HuntingQueries Hunting Query with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1828,7 +1828,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BatchImportToSentinel Playbook with template version 3.0.1",
+ "description": "BatchImportToSentinel Playbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -2047,7 +2047,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Log4jIndicatorProcessor Playbook with template version 3.0.1",
+ "description": "Log4jIndicatorProcessor Playbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -2346,12 +2346,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Apache Log4j Vulnerability Detection",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Microsoft's security research teams have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog. This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Azure Web Application Firewall (WAF)
  2. \n
  3. Microsoft 365
  4. \n
  5. Windows Server DNS
  6. \n
  7. CiscoASA
  8. \n
  9. PaloAlto-PAN-OS
  10. \n
  11. Microsoft Entra ID
  12. \n
  13. Azure Activity
  14. \n
  15. Amazon Web Services
  16. \n
  17. Azure Firewall
  18. \n
  19. SquidProxy
  20. \n
  21. Zscaler Private Access (ZPA)
  22. \n
  23. Syslog
  24. \n
  25. Check Point
  26. \n
  27. Microsoft Defender XDR
  28. \n
\n

Workbooks: 2, Analytic Rules: 4, Hunting Queries: 10, Watchlists: 1, Playbooks: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Microsoft's security research teams have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog. This solution provides content to monitor, detect and investigate signals related to exploitation of this vulnerability in Microsoft Sentinel.

\n

Prerequisite :-

\n

This is a domain solution and does not include any data connectors. Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Azure Web Application Firewall (WAF)
  2. \n
  3. Microsoft 365
  4. \n
  5. Windows Server DNS
  6. \n
  7. CiscoASA
  8. \n
  9. PaloAlto-PAN-OS
  10. \n
  11. Microsoft Entra ID
  12. \n
  13. Azure Activity
  14. \n
  15. Amazon Web Services
  16. \n
  17. Azure Firewall
  18. \n
  19. SquidProxy
  20. \n
  21. Zscaler Private Access (ZPA)
  22. \n
  23. Syslog
  24. \n
  25. Check Point
  26. \n
  27. Microsoft Defender XDR
  28. \n
\n

Workbooks: 2, Analytic Rules: 4, Hunting Queries: 10, Watchlists: 1, Playbooks: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -2374,7 +2374,6 @@
 "link": "https://support.microsoft.com/"
 },
 "dependencies": {
- "operator": "AND",
 "criteria": [
 {
 "kind": "Workbook",
@@ -2469,7 +2468,7 @@
 {
 "kind": "Watchlist",
 "contentId": "[variables('_Campaign')]",
- "version": "3.0.1"
+ "version": "3.0.2"
 },
 {
 "kind": "Solution",
diff --git a/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md b/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
index d531a00cc8..5b5aa7796d 100644
--- a/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
+++ b/Solutions/Apache Log4j Vulnerability Detection/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|----------------------------------------------------------------------------|
+| 3.0.2 | 07-02-0024 | Updated solution description |
 | 3.0.1 | 02-01-2024 | Tagged for dependent solutions for deployment |
 | 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID |
diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Data/Solution_AttackersToolsThreatProtectionEssentials.json b/Solutions/Attacker Tools Threat Protection Essentials/Data/Solution_AttackersToolsThreatProtectionEssentials.json
index 4c2770147a..a839b27772 100644
--- a/Solutions/Attacker Tools Threat Protection Essentials/Data/Solution_AttackersToolsThreatProtectionEssentials.json
+++ b/Solutions/Attacker Tools Threat Protection Essentials/Data/Solution_AttackersToolsThreatProtectionEssentials.json
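Review bot: Removing `"operator": "AND",` from the solution's `dependencies` block in the -2374 hunk changes the packaged template's dependency semantics, and nothing in the commit explains it: the ReleaseNotes row added alongside says only "Updated solution description" (and its date reads `07-02-0024`, a year typo). How the workbook, rule and watchlist criteria combine once `operator` is absent depends on the contentPackages default, which is not visible here, so the dependency contract may silently have changed from conjunctive to whatever that default is. If the generator now omits the key on purpose, say so in the release entry; otherwise restore `"operator": "AND",` so the criteria keep the meaning they had in 3.0.1.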
@@ -2,7 +2,7 @@ "Name": "Attacker Tools Threat Protection Essentials", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \n\n 4. [Microsoft Entra ID ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire ", + "Description": "The **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. 
These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. Windows Security Events \n 2. Windows Server DNS \n 3. Windows Forwarded Events \n 4. Microsoft Entra ID \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire ", "Hunting Queries": [ "Hunting Queries/CobaltDNSBeacon.yaml", "Hunting Queries/PotentialImpacketExecution.yaml" @@ -14,7 +14,7 @@ "Analytic Rules/powershell_empire.yaml" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Attacker Tools Threat Protection Essentials", - "Version": "3.0.1", + "Version": "3.0.2", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": true diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/3.0.2.zip b/Solutions/Attacker Tools Threat Protection Essentials/Package/3.0.2.zip new file mode 100644 index 0000000000..e09090cd83 Binary files /dev/null and b/Solutions/Attacker Tools Threat Protection Essentials/Package/3.0.2.zip differ diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json index 86c6e1b544..f9feea9b23 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json +++ b/Solutions/Attacker Tools Threat Protection Essentials/Package/createUiDefinition.json 
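Review bot: The rewritten connector list on the new Description line mixes two line-break conventions in one string: the surrounding headings keep `\r\n \r\n` while the new items `1. Windows Security Events \n 2. Windows Server DNS \n ...` use a bare `\n`; settle on one (`\n` already appears before **Keywords** as `\n\n`). The phrase `different phases of the ATTACK kill chain`, carried unchanged onto the new line, presumably refers to the MITRE ATT&CK framework and should read `ATT&CK`. The portal links that were dropped had the solution id repeated in their path (`...azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents`), which looks like the reason they were unusable; if deep links to the connector solutions are still wanted, the fix is the doubled path segment rather than plain text.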
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. [Windows Security Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-securityeventsazure-sentinel-solution-securityevents) \n\n 2. [ Windows Server DNS ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-dnsazure-sentinel-solution-dns) \n\n 3. [Windows Forwarded Events](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsforwardedeventsazure-sentinel-solution-windowsforwardedevents) \n\n 4. 
[Microsoft Entra ID ](https://ms.portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory) \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe **Attacker Tools Threat Protection Essentials** solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain. \r\n \r\n **Pre-requisites:** \r\n \r\n This is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution. \r\n \r\n 1. Windows Security Events \n 2. Windows Server DNS \n 3. Windows Forwarded Events \n 4. 
Microsoft Entra ID \n\n**Keywords:** attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire \n\n**Analytic Rules:** 4, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json index bd3ebe718e..036bb02202 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Attacker Tools Threat Protection Essentials/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Attacker Tools Threat Protection Essentials", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-attackertools", "_solutionId": "[variables('solutionId')]", "huntingQueryObject1": { @@ -86,7 +86,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CobaltDNSBeacon_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -171,7 +171,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.1", + "description": "PotentialImpacketExecution_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -256,7 +256,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AdFind_Usage_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -309,12 +309,12 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountDomain" + "columnName": "AccountDomain", + "identifier": "UPNSuffix" } ] }, @@ -322,12 +322,12 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] }, 
@@ -335,12 +335,12 @@ "entityType": "Process", "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "InitiatingProcessFileName" + "columnName": "InitiatingProcessFileName", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ProcessCommandLine" + "columnName": "ProcessCommandLine", + "identifier": "CommandLine" } ] }, @@ -348,12 +348,12 @@ "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Algorithm", - "columnName": "FileHashAlgorithm" + "columnName": "FileHashAlgorithm", + "identifier": "Algorithm" }, { - "identifier": "Value", - "columnName": "SHA256" + "columnName": "SHA256", + "identifier": "Value" } ] } @@ -411,7 +411,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CredentialDumpingServiceInstallation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -459,8 +459,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" } ] }, @@ -468,8 +468,8 @@ "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "ImagePath" + "columnName": "ImagePath", + "identifier": "Name" } ] }, @@ -477,12 +477,12 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] } 
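Review bot: In the AdFind rule's Process entity mapping (the `@@ -335,12` hunk), the `ProcessId` identifier is bound to `InitiatingProcessFileName`, which by its name carries a file name rather than a process id, so the Process entity's PID slot will be filled with an executable name and entity correlation on that field will not work. The hunk only swaps the order of the two keys, so the problem predates this commit, but it is worth correcting in the AdFind_Usage rule YAML from which this template is generated rather than in the package. Either bind `"identifier": "ProcessId"` to a column that actually holds the process id, if the query projects one, or drop that mapping and keep only `"identifier": "CommandLine"`. The rule's query is outside this hunk, so I cannot confirm which columns it exposes.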
@@ -540,7 +540,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "CredentialDumpingToolsFileArtifacts_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -588,8 +588,8 @@ "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "TargetFilename" + "columnName": "TargetFilename", + "identifier": "Name" } ] }, @@ -597,12 +597,12 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] }, @@ -610,8 +610,8 @@ "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "Image" + "columnName": "Image", + "identifier": "CommandLine" } ] } @@ -669,7 +669,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "powershell_empire_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
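Review bot: The CredentialDumpingToolsFileArtifacts Process entity (the `@@ -610,8` hunk) maps the `CommandLine` identifier to the `Image` column; in Sysmon-style file-create events `Image` normally holds the executable's full path, not its command line, so the entity's CommandLine field would be mis-populated and investigation graph pivots on it would mislead. The hunk only reorders the two keys, so this is pre-existing, but since the mapping is regenerated from the rule YAML it would be cheap to fix there, e.g. `"identifier": "CommandLine", "columnName": "CommandLine"` if the query projects a command-line column, or remove the Process mapping otherwise. The query itself is outside the hunk, so confirm the available columns before changing it.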
@@ -853,12 +853,12 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "SubjectUserName" + "columnName": "SubjectUserName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "SubjectDomainName" + "columnName": "SubjectDomainName", + "identifier": "NTDomain" } ] }, @@ -866,12 +866,12 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] } @@ -925,12 +925,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Attacker Tools Threat Protection Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Attacker Tools Threat Protection Essentials solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.

\n

Pre-requisites:

\n

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.

\n
    \n
  1. Windows Security Events

    \n
  2. \n
  3. Windows Server DNS

    \n
  4. \n
  5. Windows Forwarded Events

    \n
  6. \n
  7. Microsoft Entra ID

    \n
  8. \n
\n

Keywords: attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire

\n

Analytic Rules: 4, Hunting Queries: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Attacker Tools Threat Protection Essentials solution contains security content that is relevant for detection of tools commonly used by attackers in various campaigns. These tools can be commercial, open-source, built-in or publicly available and have historically been seen used by adversaries in different phases of the ATTACK kill chain.

\n

Pre-requisites:

\n

This is a domain solution and does not include any data connectors. The content in this solution supports the connectors listed below. Install one or more of the listed solutions, to unlock the value provided by this solution.

\n
    \n
  1. Windows Security Events
  2. \n
  3. Windows Server DNS
  4. \n
  5. Windows Forwarded Events
  6. \n
  7. Microsoft Entra ID
  8. \n
\n

Keywords: attack tools, penetration testing, Impacket, Powercat, Nishang, Cobalt Strike, ADFind, Credential Dumping, PowerShell Empire

\n

Analytic Rules: 4, Hunting Queries: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -953,7 +953,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "HuntingQuery", @@ -984,6 +983,22 @@ "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-securityevents" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-dns" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory" } ] }, diff --git a/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md b/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md index c839d030c4..e594ea4968 100644 --- a/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md +++ b/Solutions/Attacker Tools Threat Protection Essentials/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------------------| +| 3.0.2 | 07-02-2024 | Tagged for dependent solutions for deployment | | 3.0.1 | 23-01-2024 | Added subTechniques in Template | | 3.0.0 | 06-11-2023 | Changes for rebranding from Azure Active Directory to Microsoft Entra ID | diff --git a/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json b/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json index 588ecc331a..a04c1ee0e0 100644 --- a/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json 
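Review bot: The dependency block now adds four `"kind": "Solution"` criteria while the explicit `"operator": "AND"` is removed, so how the `criteria` array is combined falls back to the platform default; if that default is AND, the installer will treat all four connector solutions as required, which contradicts the description's "Install one or more of the listed solutions". Consider stating the operator explicitly, keeping `"operator": "AND"` for the content items and grouping the Solution entries under a nested criteria block with `"operator": "OR"`, if the metadata schema permits grouping — I cannot confirm the schema from this diff. The new Solution criteria also carry no `version`, unlike the content criteria above them, so any installed version of those solutions satisfies the dependency; confirm that is intended, since the rules depend on specific tables and parsers those solutions provide.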
+++ b/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json 
@@ -2,7 +2,7 @@ "Name": "Network Session Essentials", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. [Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. 
[Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. [Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. 
Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.", + "Description": "[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. 
Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.", "Workbooks": [ "Workbooks/NetworkSessionEssentials.json" ], @@ -30,7 +30,7 @@ ], "WatchlistDescription": "Monitor Network Session Essentials Solution's' configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed", "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Network Session Essentials", - "Version": "3.0.1", + "Version": "3.0.3", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/Network Session Essentials/Package/3.0.2.zip b/Solutions/Network Session Essentials/Package/3.0.2.zip index 77351f6163..bf801a46f1 100644 Binary files a/Solutions/Network Session Essentials/Package/3.0.2.zip and b/Solutions/Network Session Essentials/Package/3.0.2.zip differ diff --git a/Solutions/Network Session Essentials/Package/createUiDefinition.json b/Solutions/Network Session Essentials/Package/createUiDefinition.json index 567aa0837f..2c0ca3567a 100644 --- a/Solutions/Network Session Essentials/Package/createUiDefinition.json +++ b/Solutions/Network Session Essentials/Package/createUiDefinition.json 
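Review bot: The retained "domain solution" link at the start of the new description still points at a `nam06.safelinks.protection.outlook.com` redirector whose query string embeds an internal Microsoft mailbox (`kavishbakshi%40microsoft.com`), a tenant GUID and a per-message token, so publishing it leaks internal identifiers and makes the link depend on Outlook's rewriting service staying available. Since this line is being edited anyway, replace the wrapped URL with the direct target, `[domain solution](https://learn.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions)`, which is the form already used in the Attacker Tools description in this same commit. The same wrapped URL is repeated in createUiDefinition.json below and should be fixed there as well, or regenerated from the corrected Data file.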
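Review bot: `Version` jumps from 3.0.1 to 3.0.3, but the only package artifact touched is the existing `Package/3.0.2.zip`, whose contents are modified in place; no `3.0.3.zip` is added and no 3.0.3 release note appears in the visible diff. Overwriting an already-published version file breaks the one-artifact-per-version invariant that lets consumers verify what they installed, and leaves the Data file's `Version` and the zip name disagreeing. Either name the rebuilt artifact `3.0.3.zip` and add the matching ReleaseNotes row, or set `"Version": "3.0.2"` if that is the version that was actually rebuilt.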
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. 
[Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. 
[Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 4, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. 
The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 7, **Hunting Queries:** 4, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Network Session Essentials/Package/mainTemplate.json b/Solutions/Network Session Essentials/Package/mainTemplate.json index e095754ded..d43a76087f 100644 --- a/Solutions/Network Session Essentials/Package/mainTemplate.json +++ b/Solutions/Network Session Essentials/Package/mainTemplate.json 
@@ -391,101 +391,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -505,9 +505,9 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "Score": "score", + "AnomalyFieldType": "anomalyFieldType", "AnomalyFieldValue": "anomalyFieldValue", - "AnomalyFieldType": "anomalyFieldType" + "Score": "score" }, "alertDetailsOverride": { "alertDisplayNameFormat": "Anomaly was observed with {{anomalyFieldValue}} Traffic", 
@@ -594,101 +594,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -707,16 +707,16 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "DstPortNumber": "DstPortNumber", + "AllNetworkDirections": "NetworkDirections", "AllDvcAction": "DvcActions", "AllNetworkProtocols": "NetworkProtocols", - "AllNetworkDirections": "NetworkDirections" + "DstPortNumber": "DstPortNumber" }, "alertDetailsOverride": { - "alertDescriptionFormat": "{{Description}}", "alertSeverityColumnName": "Severity", + "alertDisplayNameFormat": "Detected {{Name}}", "alertTacticsColumnName": "Tactic", - "alertDisplayNameFormat": "Detected {{Name}}" + "alertDescriptionFormat": "{{Description}}" } } }, 
@@ -799,101 +799,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -911,16 +911,16 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "DstPortNumber": "DstPortNumber", + "AllNetworkDirections": "NetworkDirections", "AllDvcAction": "DvcActions", "AllNetworkProtocols": "NetworkProtocols", - "AllNetworkDirections": "NetworkDirections" + "DstPortNumber": "DstPortNumber" }, "alertDetailsOverride": { - "alertDescriptionFormat": "{{Description}}", "alertSeverityColumnName": "Severity", + "alertDisplayNameFormat": "Detected {{Name}}", "alertTacticsColumnName": "Tactic", - "alertDisplayNameFormat": "Detected {{Name}}" + "alertDescriptionFormat": "{{Description}}" } } }, 
@@ -1003,101 +1003,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -1194,101 +1194,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -1302,8 +1302,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } ] } 
@@ -1396,101 +1396,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -1504,8 +1504,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } ] } 
@@ -1598,101 +1598,101 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ 
@@ -1707,8 +1707,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } ] }, @@ -1716,17 +1716,17 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DstIpAddr" + "columnName": "DstIpAddr", + "identifier": "Address" } ] } ], "customDetails": { - "FrequencyCount": "TotalSrcBytes", "DstPortNumber": "DstPortNumber", - "TotalDstBytes": "TotalDstBytes", - "FrequencyTime": "MostFrequentTimeDeltaCount" + "FrequencyTime": "MostFrequentTimeDeltaCount", + "FrequencyCount": "TotalSrcBytes", + "TotalDstBytes": "TotalDstBytes" }, "alertDetailsOverride": { "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}", @@ -3592,7 +3592,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Network Session Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Network Session Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 7, Hunting Queries: 4, Watchlists: 1, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Network Session Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 7, Hunting Queries: 4, Watchlists: 1, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3615,7 +3615,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "Workbook", 
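Review bot: Removing `"operator": "AND"` from `dependencies` leaves the combination rule for `criteria` to whatever the platform applies when the key is absent, while the next hunk grows that same flat list from the solution's own Workbook/Analytic Rule/Watchlist items to sixteen optional product solutions. The description text says "Install one or more of the listed solutions", which is OR semantics over the product solutions but AND over the bundled content items; a single flat list with no operator cannot express both, and I cannot tell from this diff what the default evaluation is. If it is AND, installation would demand all sixteen product solutions; if it is OR, a missing bundled content item would no longer block install. I would keep the operator explicit, e.g. `"operator": "AND",` restored here with the product solutions expressed as a separate OR-combined group if the packaging schema supports nesting, and confirm the behaviour against the schema. The `dependencies` object continues past this hunk.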
@@ -3686,7 +3685,71 @@ "kind": "Watchlist", "contentId": "[variables('_NetworkSession Monitor Configuration')]", "version": "3.0.2" - } + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices" + }, + { + "kind": "Solution", + "contentId": "sentinel4azurefirewall.sentinel4azurefirewall" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-networksecuritygroup" + }, + { + "kind": "Solution", + "contentId": "checkpoint.checkpoint-sentinel-solutions" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-ciscoasa" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-ciscomeraki" + }, + { + "kind": "Solution", + "contentId": "corelightinc1584998267292.corelight-for-azure-sentinel" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-microsoftdefenderforcloud" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-sysmonforlinux" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-windowsfirewall" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos" + }, + { + "kind": "Solution", + "contentId": "vectraaiinc.vectra_sentinel_solution" + }, + { + "kind": "Solution", + "contentId": "watchguard-technologies.watchguard_firebox_mss" + }, + { + "kind": "Solution", + "contentId": "zscaler1579058425289.zscaler_internet_access_mss" + } ] }, "firstPublishDate": "2022-11-11", diff --git a/Solutions/Network Session Essentials/ReleaseNotes.md b/Solutions/Network Session Essentials/ReleaseNotes.md index 74a195b751..ac41e5ad72 100644 --- a/Solutions/Network Session Essentials/ReleaseNotes.md 
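Review bot: The sixteen `Solution` entries added to `criteria` do not line up with the `requiredDataConnectors` the analytic rules in this file declare: the rules list `MicrosoftThreatProtection`, `SecurityEvents`, `WindowsForwardedEvents` and `AzureMonitor(VMInsights)`, none of which obviously maps to a solution added here, while `watchguard-technologies.watchguard_firebox_mss`, `azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot` and `azuresentinel.azure-sentinel-solution-microsoftdefenderforcloud` are added although no connector for them appears in any rule's `requiredDataConnectors`. Either list may be the stale one; from the diff alone I cannot tell which, but the install-time dependency prompt and the rules' declared data sources should be reconciled so operators are asked for the sources the content actually consumes. The new entries also carry no `version`, unlike the content-item entries above them; if the schema allows pinning, whether to pin should be a deliberate choice rather than an omission.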
+++ b/Solutions/Network Session Essentials/ReleaseNotes.md
@@ -1,5 +1,6 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|------------------------------------------------|
-| 3.0.2 | 24-01-2024 |Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection) |
-| 3.0.1 | 02-01-2024 |Tagged for dependent solutions for deployment |
-| 3.0.0 | 24-07-2023 |Updated ApiVersion for **Watchlist** |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|-----------------------------------------------------------------------|
+| 3.0.2 | 07-02-2024 |Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection) |
+| | |Updated solution description |
+| 3.0.1 | 02-01-2024 |Tagged for dependent solutions for deployment |
+| 3.0.0 | 24-07-2023 |Updated ApiVersion for **Watchlist** |