Merge pull request #4833 from Azure/v-ntripathi/NISTPackage1.0.2

NIST package 1.0.2

Solutions/NISTSP80053/Package/createUiDefinition.json

@@ -109,7 +109,7 @@
             "name": "analytics-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Microsoft Sentinel Solution installs analytic rules for NISTSP80053 that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
+              "text": "This Microsoft Sentinel Solution installs analytic rules for NIST SP 800-53 that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
               "link": {
                 "label": "Learn more",
                 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@@ -161,7 +161,7 @@
                 "name": "playbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This playbook ingests events from NISTSP80053 into Log Analytics using the API."
+                  "text": "This playbook ingests events from NIST SP 800-53 into Log Analytics using the API."
                 }
               },
               {
@@ -223,7 +223,7 @@
                 "name": "playbook2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This playbook ingests events from NISTSP80053 into Log Analytics using the API."
+                  "text": "This playbook ingests events from NIST SP 800-53 into Log Analytics using the API."
                 }
               },
               {
@@ -249,7 +249,7 @@
                 "name": "playbook3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This playbook ingests events from NISTSP80053 into Log Analytics using the API."
+                  "text": "This playbook ingests events from NIST SP 800-53 into Log Analytics using the API."
                 }
               },
               {

Solutions/NISTSP80053/Package/mainTemplate.json

@@ -598,13 +598,13 @@
       "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
       "apiVersion": "2021-03-01-preview",
       "properties": {
-        "version": "1.0.1",
+        "version": "1.0.3",
         "kind": "Solution",
         "contentId": "[variables('_sourceId')]",
         "parentId": "[variables('_sourceId')]",
         "source": {
           "kind": "Solution",
-          "name": "NISTSP80053",
+          "name": "NIST SP 800-53",
           "sourceId": "[variables('_sourceId')]"
         },
         "author": {
@@ -623,27 +623,27 @@
             {
               "kind": "AnalyticsRule",
               "contentId": "[variables('_NISTSP80053PostureChanged_AnalyticalRules')]",
-              "version": "1.0.1"
+              "version": "1.0.3"
             },
             {
               "kind": "Playbook",
               "contentId": "[variables('_playbook1-Playbooks')]",
-              "version": "1.0.1"
+              "version": "1.0.3"
             },
             {
               "kind": "Playbook",
               "contentId": "[variables('_playbook2-Playbooks')]",
-              "version": "1.0.1"
+              "version": "1.0.3"
             },
             {
               "kind": "Playbook",
               "contentId": "[variables('_playbook3-Playbooks')]",
-              "version": "1.0.1"
+              "version": "1.0.3"
             },
             {
               "kind": "Workbook",
               "contentId": "[variables('_NISTSP80053_workbook')]",
-              "version": "1.0.1"
+              "version": "1.0.3"
             }
           ]
         },

Solutions/NISTSP80053/data/Solution_NISTSP80053.json

@@ -16,5 +16,5 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\azure\\Solutions\\NISTSP80053",
-  "Version": "1.0.1"
+  "Version": "1.0.3"
 }

Tools/Create-Azure-Sentinel-Solution/input/Solution_IoTOTThreatMonitoringwithDefenderforIoT.json

@@ -1,33 +0,0 @@
-{
-  "Name": "IoTOTThreatMonitoringwithDefenderforIoT",
-  "Author": "Eli Forbes - v-eliforbes@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
-  "Description": "There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.",
-  "Workbooks": [
-    "Workbooks/IoTOTThreatMonitoringwithDefenderforIoT.json"
-  ],
-  "Analytic Rules": [
-    "Analytic Rules/IoTDenialofService.yaml",
-    "Analytic Rules/IoTExcessiveLoginAttempts.yaml",
-    "Analytic Rules/IoTFirmwareUpdates.yaml",
-    "Analytic Rules/IoTHighBandwidth.yaml",
-    "Analytic Rules/IoTIllegalFunctionCodes.yaml",
-    "Analytic Rules/IoTInsecurePLC.yaml",
-    "Analytic Rules/IoTInternetAccess.yaml",
-    "Analytic Rules/IoTMalware.yaml",
-    "Analytic Rules/IoTNetworkScanning.yaml",
-    "Analytic Rules/IoTPLCStopCommand.yaml",
-    "Analytic Rules/IoTUnauthorizedDevice.yaml",
-    "Analytic Rules/IoTUnauthorizedNetworkConfiguration.yaml",
-    "Analytic Rules/IoTUnauthorizedPLCModifications.yaml",
-    "Analytic Rules/IoTUnauthorizedRemoteAccess.yaml"
-  ],
-  "Playbooks": [
-    "Playbooks/AutoCloseIncidents.json",
-    "Playbooks/MailBySensor.json",
-    "Playbooks/NewAssetServiceNowTicket.json"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT",
-  "Version": "1.0.11"
-}

Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json

@@ -1,34 +0,0 @@
-
-{
-  "Name": "MaturityModelForEventLogManagementM2131",
-  "Author": "TJ Banasik - thomas.banasik@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].",
-  "Workbooks": [
-  "Workbooks/MaturityModelForEventLogManagement_M2131.json"
-  ],
-  "Playbooks": [
-  "Playbooks/Notify_LogManagementTeam.json",
-  "Playbooks/Open_DevOpsTaskRecommendation.json",
-  "Playbooks/Open_JIRATicketRecommendation.json"
-  ],
-  "Analytic Rules": [
-  "Analytic Rules/M2131AssetStoppedLogging.yaml",
-  "Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml",
-  "Analytic Rules/M2131EventLogManagementPostureChangedEL0.yaml",
-  "Analytic Rules/M2131EventLogManagementPostureChangedEL1.yaml",
-  "Analytic Rules/M2131EventLogManagementPostureChangedEL2.yaml",
-  "Analytic Rules/M2131EventLogManagementPostureChangedEL3.yaml",
-  "Analytic Rules/M2131LogRetentionLessThan1Year.yaml",
-  "Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml"
-  ],
-  "Hunting Queries": [
-  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
-  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
-  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL2.yaml",
-  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
-  "Version": "1.0.3"
-}

Tools/Create-Azure-Sentinel-Solution/input/Solution_NISTSP80053.json

@@ -0,0 +1,20 @@
+{
+  "Name": "NISTSP80053",
+  "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
+  "Description": "This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, visibility, assessment, monitoring and remediation. The Microsoft Sentinel: NIST SP 800-53 R4 Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All requirements, validations, and controls are governed by the 💡[National Institute of Standards and Technology (NIST)](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2015-01-22). This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. This workbook does not address all controls within the framework. It should be considered a supplemental tool to gain visibility of technical controls within cloud, multi-cloud, and hybrid networks. For the full listing of respective controls, see the💡[Microsoft Cloud Service Trust Portal](https://servicetrust.microsoft.com/)",
+  "Analytic Rules": [
+    "Analytic Rules/NISTSP80053PostureChanged.yaml"
+  ],
+  "Playbooks": [
+	"Playbooks/Notify_GovernanceComplianceTeam.json",
+	"Playbooks/Open_DevOpsTaskRecommendation.json",
+	"Playbooks/Open_JIRATicketRecommendation.json"
+  ],
+  "Workbooks" : [
+	"Workbooks/NISTSP80053.json"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\azure\\Solutions\\NISTSP80053",
+  "Version": "1.0.3"
+}

Tools/Create-Azure-Sentinel-Solution/input/Solution_ThreatAnalysis&Response.json

@@ -1,14 +0,0 @@
-{
-  "Name": "ThreatAnalysis&Response",
-  "Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The MITRE ATT&CK Cloud Matrix provides tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, SaaS, IaaS. For more information, see the 💡 [MITRE ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/)",
-  "WorkbookDescription": "Workbook to showcase MITRE ATT&CK Coverage for Azure Sentinel",
-  "Workbooks": [
-    "Workbooks/ThreatAnalysis&Response.json",
-    "Workbooks/DynamicThreatModeling&Response.json"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "C:\\GitHub\\azure\\Solutions\\ThreatAnalysis&Response",
-  "Version": "1.0.14"
-}

Tools/Create-Azure-Sentinel-Solution/input/Solution_ZeroTrust(TIC3.0).json

@@ -1,22 +0,0 @@
-
-{
-  "Name": "ZeroTrust(TIC3.0)",
-  "Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
-  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The Microsoft Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. Compliance isn’t just an annual requirement, and organizations must monitor configurations over time like a muscle. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more. This workbook enables Implementers, SecOps Analysts, Assessors, Security & Compliance Decision Makers, and MSSPs to gain situational awareness for cloud workloads' security posture. The workbook features 76+ control cards aligned to the TIC 3.0 security capabilities with selectable GUI buttons for navigation. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.",
-  "WorkbookDescription": "Gain insights into ZeroTrust logs.",
-  "Workbooks": [
-    "Workbooks/ZeroTrust(TIC3.0).json"
-  ],
-  "Analytic Rules": [
-    "Analytic Rules/Zero_Trust_TIC3.0_ControlAssessmentPostureChange.yaml"
-  ],
-  "Playbooks": [
-    "Playbooks/Notify_GovernanceComplianceTeam.json",
-    "Playbooks/Open_DevOpsTaskRecommendation.json",
-    "Playbooks/Open_JIRATicketRecommendation.json"
-  ],
-  "Metadata": "SolutionMetadata.json",
-  "BasePath": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/ZeroTrust(TIC3.0)",
-  "Version": "2.0.1"
-}