Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' into v-laanjana/Package-Creation/IronNet-Collective-Defense

This commit is contained in:
v-sabiraj 2022-06-20 10:55:45 +05:30
Родитель de53a225f7
Коммит ac959b6a27
3 изменённых файлов: 689 добавлений и 4100 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

Двоичные данные
Solutions/IronNet IronDefense/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

353
Solutions/IronNet IronDefense/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IronNet%20IronDefense/Workbooks/Images/Logos/IronNet.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[IronDefense](https://www.ironnet.com/products/irondefense) is the industrys most advanced network detection and response (NDR) platform built to stop the most sophisticated cyber threats. As an advanced NDR tool, IronDefense improves visibility across the threat landscape while amplifying detection efficacy within your network environment. As a result, your SOC team can be more efficient and effective with existing cyber defense tools, resources, and analyst capacity.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 1, **Playbooks:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IronNet%20IronDefense/Workbooks/Images/Logos/IronNet.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [IronNet Collective Defense](https://www.ironnet.com/what-is-collective-defense) solution enables ingestion of IronDefense alerts, events, and IronDome notifications into Microsoft Sentinel, enabling Microsoft Sentinel to utilize IronDefense's behavioral analytics and the IronDome community to quickly identify threats in your enterprise network.\r\n \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview\r\n ](https: //azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -44,7 +44,7 @@
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
@ -60,17 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for IronNet IronDefense. You can get IronNet IronDefense CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
"text": "This Solution installs the data connector for IronNet IronDefense. You can get IronNet IronDefense CommonSecurityLog data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Microsoft Sentinel / Azure Log Analytics workspace."
}
},
{
@ -98,64 +88,18 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
"label": "IronDefense Alert Dashboard",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Dashboard to view IronDefense alerts."
}
},
{
"name": "workbook2-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "IronDefenseAlertDashboard",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "IronDefense Alert Details",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "View IronDefense alert details from the IronDefense Alerts dashboard."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "IronDefenseAlertDetails",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
@ -172,7 +116,13 @@
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for IronNet IronDefense that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@ -194,277 +144,12 @@
]
}
]
},
{
"name": "appregistration",
"label": "App Registration",
"subLabel": {
"preValidation": "Configure the App registration",
"postValidation": "Done"
},
"bladeTitle": "App Registration",
"elements": [
{
"name": "appregistration-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution requires an app registration in the Microsoft identity platform in order to make API requests to Azure Sentinel. Please consult the IronDefense Integration for Azure Sentinel document provided in the IronNet Knowledge Base for detailed setup instructions."
}
},
{
"name": "appregistration-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "IronNet Knowledge Base",
"uri": "https://kb.ironnet.com/knowledge"
}
}
},
{
"name": "appregistration-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Microsoft Identity Platform Overview",
"uri": "https://docs.microsoft.com/azure/active-directory/develop/v2-overview"
}
}
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbookIronAPI",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbookIronAPI-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "IronAPI Configuration"
}
},
{
"name": "playbook-IronApiUsername",
"type": "Microsoft.Common.TextBox",
"label": "IronDefense Username",
"defaultValue": "",
"toolTip": "IronVue username to connect to IronDefense API",
"constraints": {
"required": true,
"regex": "^.{1,256}$",
"validationMessage": "Please enter the full URL with http or https."
}
},
{
"name": "playbook-IronApiPassword",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "IronDefense Password"
},
"toolTip": "Password to connect to IronDefense API",
"constraints": {
"required": true
},
"options": {
"hideConfirmation": false
}
},
{
"name": "playbook-IronDefenseUrl",
"type": "Microsoft.Common.TextBox",
"label": "IronDefense URL",
"defaultValue": "",
"toolTip": "Please enter the URL to the IronDefense deployment. E.g. \"https://example.ironnetcybercloud.com\"",
"constraints": {
"required": true,
"regex": "^https?://.{1,256}$",
"validationMessage": "Please enter the full URL with http or https."
}
}
]
},
{
"name": "playbookAppRegistration",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbookAppRegistration-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "App registration for access to the Sentinel API"
}
},
{
"name": "playbook-ClientId",
"type": "Microsoft.Common.TextBox",
"label": "Client ID",
"defaultValue": "",
"toolTip": "Please enter application (client} ID for Azure Sentinel API access.",
"constraints": {
"required": true,
"regex": "^[a-z0-9A-Z]{8}-[a-z0-9A-Z]{4}-[a-z0-9A-Z]{4}-[a-z0-9A-Z]{4}-[a-z0-9A-Z]{12}$",
"validationMessage": "Please enter a valid UUID"
}
},
{
"name": "playbook-ClientSecret",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "Client Secret",
"confirmPassword": "Confirm Client Secret"
},
"toolTip": "Please enter application (client} secret for Azure Sentinel API access.",
"constraints": {
"required": true
},
"options": {
"hideConfirmation": false
}
}
]
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Updates IronDefense alert workflow status and rating via IronAPI when the corresponding Sentinel Incident is updated."
}
},
{
"name": "playbook1-ShareCommentWithIrondome",
"type": "Microsoft.Common.CheckBox",
"label": "Share Comments With Irondome (Recommended)",
"toolTip": "Share incident comments with IronDome to contribute to collective defense"
},
{
"name": "playbook1-param_recurrence_interval",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Recurrence Interval",
"defaultValue": "15",
"toolTip": "Please enter the time interval to check for incident updates",
"constraints": {
"required": true,
"regex": "[0-9]{1,256}$",
"validationMessage": "Please enter a valid number"
}
},
{
"name": "playbook1-param_recurrence_frequency",
"type": "Microsoft.Common.DropDown",
"label": "Playbook Recurrence Frequency",
"placeholder": "Minute",
"defaultValue": "Minute",
"toolTip": "Please select a unit of time for the playbook recurrence interval",
"constraints": {
"allowedValues": [
{
"label": "Day",
"value": "Day"
},
{
"label": "Hour",
"value": "Hour"
},
{
"label": "Minute",
"value": "Minute"
},
{
"label": "Month",
"value": "Month"
},
{
"label": "Second",
"value": "Second"
}
],
"required": true
},
"visible": true
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "UpdateIronDefenseAlerts",
"toolTip": "Please enter Playbook Name",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Playbook Name"
}
}
]
},
{
"name": "playbook2",
"type": "Microsoft.Common.Section",
"elements": [
{
"name": "playbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Updates Azure Sentinel incidents when the corresponding IronDefense alert is updated in IronVue."
}
},
{
"name": "playbook2-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "UpdateAzureSentinelIncidents",
"toolTip": "Please enter Playbook Name",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter the Playbook Name"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"workbook2-name": "[steps('workbooks').workbook2.workbook2-name]",
"playbook-IronApiUsername": "[steps('playbooks').playbookIronAPI.playbook-IronApiUsername]",
"playbook-IronApiPassword": "[steps('playbooks').playbookIronAPI.playbook-IronApiPassword]",
"playbook-IronDefenseUrl": "[steps('playbooks').playbookIronAPI.playbook-IronDefenseUrl]",
"playbook-ClientId": "[steps('playbooks').playbookAppRegistration.playbook-ClientId]",
"playbook-ClientSecret": "[steps('playbooks').playbookAppRegistration.playbook-ClientSecret]",
"playbook1-ShareCommentWithIrondome": "[steps('playbooks').playbook1.playbook1-ShareCommentWithIrondome]",
"playbook1-param_recurrence_interval": "[steps('playbooks').playbook1.playbook1-param_recurrence_interval]",
"playbook1-param_recurrence_frequency": "[steps('playbooks').playbook1.playbook1-param_recurrence_frequency]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook2-PlaybookName": "[steps('playbooks').playbook2.playbook2-PlaybookName]"
"workspace": "[basics('workspace')]"
}
}
}

4436
Solutions/IronNet IronDefense/Package/mainTemplate.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны