Sentinel 4 Github package update

NikTripathi 2022-04-25 20:13:50 +05:30
Родитель ee957d29e4
Коммит de1288d76c
8 изменённых файлов: 1703 добавлений и 86 удалений

Двоичные данные
Solutions/GitHub/Package/1.0.48.zip Normal file

Двоичный файл не отображается.


@ -0,0 +1,468 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/GitHub.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 12, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for GitHub. You can get GitHub custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) in your Microsoft Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "GitHub",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "GitHub",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs analytic rules for GitHub that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - A payment method was removed",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a payment method was removed. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "GitHub Activites from a New Country",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - Oauth application - a client secret was removed",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a client secret was removed. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - Repository was created",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a repository was created. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - Repository was destroyed",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a repository was destroyed. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "GitHub Two Factor Auth Disable",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. "
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User visibility Was changed",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User was added to the organization",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a user was added to the organization. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User was blocked",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - User was invited to the repository",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - pull request was created",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a pull request was created. This query runs every day and its severity is Medium."
}
}
]
},
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "Preview GitHub - pull request was merged",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detect activities when a pull request was merged. This query runs every day and its severity is Medium."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs hunting queries for GitHub that you can run in Microsoft Sentinel. These hunting queries will be deployed in the Hunting gallery of your Microsoft Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "GitHub First Time Invite Member and Add Member to Repo",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies a user that add/invite a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization. "
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "GitHub Inactive or New Account Access or Usage",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise. "
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "GitHub Mass Deletion of repos or projects",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies GitHub activites where there are a large number of deletions that may be a sign of compromise. "
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "GitHub OAuth App Restrictions Disabled",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies GitHub OAuth Apps that have restrictions disabled that may be a sign of compromise. Attacker will want to disable such security tools in order to go undetected. "
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "GitHub Update Permissions",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise. "
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "GitHub Repo switched from private to public",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies GitHub activites where a repo was changed from private to public that may be a sign of compromise. "
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "GitHub First Time Repo Delete",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies GitHub activites its the first time a user deleted a repo that may be a sign of compromise. "
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "GitHub User Grants Access and Other User Grants Access",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies Accounts in GitHub that have granted access to another account which then grants access to yet another account that may be a sign of compromise. "
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
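Review bot: The resource-group filter in the `workspace` dropdown's `allowedValues` and in the `workspace-location` output is a substring test, `contains(toLower(filter.id), toLower(resourceGroup().name))`, so a group named, for example, `prod` also matches workspaces under `prod-eu` or any resource ID that merely contains that text. The dropdown can then offer a workspace outside the selected group, and `first(...)` in `workspace-location` may return the location of a same-named workspace elsewhere. Matching the whole path segment avoids this, e.g. `contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))` in both expressions. Separately, the `workbook1-name` regex `[a-z0-9A-Z]{1,256}$` has no leading `^`; if the portal evaluates it as an unanchored match, only the tail of the value is constrained, so `^[a-z0-9A-Z]{1,256}$` looks like the intent.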

Разница между файлами не показана из-за своего большого размера Загрузить разницу


@ -0,0 +1,15 @@
{
"publisherId": "microsoftcorporation1622712991604",
"offerId": "sentinel4github",
"firstPublishDate": "2021-10-18",
"providers": ["Microsoft"],
"categories": {
"domains" : ["DevOps"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,42 @@
{
"Name": "GitHub",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/GitHub.svg\"width=\"75px\"height=\"75px\">",
"Description": "",
"Workbooks": [
"Workbooks/GithubWorkbook.json"
],
"Analytic Rules": [
"Detections/(Preview) GitHub - A payment method was removed.yaml",
"Detections/(Preview) GitHub - Activities from Infrequent Country.yaml",
"Detections/(Preview) GitHub - Oauth application - a client secret was removed.yaml",
"Detections/(Preview) GitHub - Repository was created.yaml",
"Detections/(Preview) GitHub - Repository was destroyed.yaml",
"Detections/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
"Detections/(Preview) GitHub - User visibility Was changed.yaml",
"Detections/(Preview) GitHub - User was added to the organization.yaml",
"Detections/(Preview) GitHub - User was blocked.yaml",
"Detections/(Preview) GitHub - User was invited to the repository .yaml",
"Detections/(Preview) GitHub - pull request was created.yaml",
"Detections/(Preview) GitHub - pull request was merged.yaml"
],
"Hunting Queries": [
"Hunting Queries/First Time User Invite and Add Member to Org.yaml",
"Hunting Queries/Inactive or New Account Usage.yaml",
"Hunting Queries/Mass Deletion of Repositories .yaml",
"Hunting Queries/Oauth App Restrictions Disabled.yaml",
"Hunting Queries/Org Repositories Default Permissions Change.yaml",
"Hunting Queries/Repository Permission Switched to Public.yaml",
"Hunting Queries/User First Time Repository Delete Activity.yaml",
"Hunting Queries/User Grant Access and Grants Other Access.yaml"
],
"Parsers": [
"Parsers/GitHubAuditData.txt"
],
"Data Connectors": [
"Data Connectors/azuredeploy_GitHub_native_poller_connector.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\GitHub",
"Version": "1.0.48"
}
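Review bot: `"BasePath": "C:\\GitHub\\azure\\Solutions\\GitHub"` pins the package input to one developer's local checkout, so the committed `1.0.48.zip` likely cannot be rebuilt elsewhere, or compared against the repository contents, without editing this file. If the packaging tool accepts it, a repository-relative base path would make the build reproducible; otherwise the commit description should say how the zip was produced. Two listed paths carry a space before the extension (`... User was invited to the repository .yaml` and `Mass Deletion of Repositories .yaml`), which is easy to break on rename, and `"Description"` is left empty. The same content appears again in a later file section of this commit, and these points apply there as well.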


@ -1,43 +0,0 @@
{
"Name": "CiscoWSA",
"Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
"WorkbookDescription": "Sets the time name for analysis",
"Description": "[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Azure Sentinel.",
"Workbooks": [
"Workbooks/CiscoWSA.json"
],
"Analytic Rules": [
"Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml",
"Analytic Rules/CiscoWSADataExfiltration.yaml",
"Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
"Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml",
"Analytic Rules/CiscoWSAMultipleInfectedFiles.yaml",
"Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml",
"Analytic Rules/CiscoWSAProtocolAbuse.yaml",
"Analytic Rules/CiscoWSAPublicIPSource.yaml",
"Analytic Rules/CiscoWSAUnexpectedFileType.yaml",
"Analytic Rules/CiscoWSAUnexpectedUrl.yaml",
"Analytic Rules/CiscoWSAUnscannableFile.yaml"
],
"Hunting Queries": [
"Hunting Queries/CiscoWSABlockedFiles.yaml",
"Hunting Queries/CiscoWSARareApplications.yaml",
"Hunting Queries/CiscoWSATopApplications.yaml",
"Hunting Queries/CiscoWSATopResources.yaml",
"Hunting Queries/CiscoWSAUncategorizedResources.yaml",
"Hunting Queries/CiscoWSAUploadedFiles.yaml",
"Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml",
"Hunting Queries/CiscoWSAUrlShortenerLinks.yaml",
"Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml",
"Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml"
],
"Parsers": [
"Parsers/CiscoWSAEvent.txt"
],
"Data Connectors": [
"Data Connectors/Connector_WSA_Syslog.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure\\Solutions\\CiscoWSA",
"Version": "1.0.5"
}


@ -0,0 +1,42 @@
{
"Name": "GitHub",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/GitHub.svg\"width=\"75px\"height=\"75px\">",
"Description": "",
"Workbooks": [
"Workbooks/GithubWorkbook.json"
],
"Analytic Rules": [
"Detections/(Preview) GitHub - A payment method was removed.yaml",
"Detections/(Preview) GitHub - Activities from Infrequent Country.yaml",
"Detections/(Preview) GitHub - Oauth application - a client secret was removed.yaml",
"Detections/(Preview) GitHub - Repository was created.yaml",
"Detections/(Preview) GitHub - Repository was destroyed.yaml",
"Detections/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
"Detections/(Preview) GitHub - User visibility Was changed.yaml",
"Detections/(Preview) GitHub - User was added to the organization.yaml",
"Detections/(Preview) GitHub - User was blocked.yaml",
"Detections/(Preview) GitHub - User was invited to the repository .yaml",
"Detections/(Preview) GitHub - pull request was created.yaml",
"Detections/(Preview) GitHub - pull request was merged.yaml"
],
"Hunting Queries": [
"Hunting Queries/First Time User Invite and Add Member to Org.yaml",
"Hunting Queries/Inactive or New Account Usage.yaml",
"Hunting Queries/Mass Deletion of Repositories .yaml",
"Hunting Queries/Oauth App Restrictions Disabled.yaml",
"Hunting Queries/Org Repositories Default Permissions Change.yaml",
"Hunting Queries/Repository Permission Switched to Public.yaml",
"Hunting Queries/User First Time Repository Delete Activity.yaml",
"Hunting Queries/User Grant Access and Grants Other Access.yaml"
],
"Parsers": [
"Parsers/GitHubAuditData.txt"
],
"Data Connectors": [
"Data Connectors/azuredeploy_GitHub_native_poller_connector.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\GitHub",
"Version": "1.0.48"
}


@ -1,43 +0,0 @@
{
"Name": "PaloAltoPrismaCloud",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/PaloAltoPrismaCloud/Workbooks/Images/Logo/paloalto_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud) is the industry's only comprehensive Cloud Native Security Platform that delivers full lifecycle security and full stack protection for multi- and hybrid-cloud environments.",
"WorkbookDescription": "The Palo Alto Prisma Cloud Workbook provides users with an executive dashboard and reporting capabilities.",
"Workbooks": [
"Workbooks/PaloAltoPrismaCloudOverview.json"
],
"Analytic Rules": [
"Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml",
"Analytic Rules/PaloAltoPrismaCloudAclAllowAllOut.yaml",
"Analytic Rules/PaloAltoPrismaCloudAclAllowInToAdminPort.yaml",
"Analytic Rules/PaloAltoPrismaCloudAclInAllowAll.yaml",
"Analytic Rules/PaloAltoPrismaCloudAnomalousApiKeyActivity.yaml",
"Analytic Rules/PaloAltoPrismaCloudHighRiskScoreAlert.yaml",
"Analytic Rules/PaloAltoPrismaCloudHighSeverityAlertOpenedForXDays.yaml",
"Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml",
"Analytic Rules/PaloAltoPrismaCloudInactiveUser.yaml",
"Analytic Rules/PaloAltoPrismaCloudMaxRiskScoreAlert.yaml",
"Analytic Rules/PaloAltoPrismaCloudMultipleFailedLoginsUser.yaml"
],
"Parsers":[
"Parsers/PaloAltoPrismaCloud.txt"
],
"Hunting Queries": [
"Hunting Queries/PaloAltoPrismaCloudAccessKeysUsed.yaml",
"Hunting Queries/PaloAltoPrismaCloudFailedLoginsSources.yaml",
"Hunting Queries/PaloAltoPrismaCloudFailedLoginsUsers.yaml",
"Hunting Queries/PaloAltoPrismaCloudHighRiskScoreOpenedAlerts.yaml",
"Hunting Queries/PaloAltoPrismaCloudHighSeverityAlerts.yaml",
"Hunting Queries/PaloAltoPrismaCloudNewUsers.yaml",
"Hunting Queries/PaloAltoPrismaCloudOpenedAlerts.yaml",
"Hunting Queries/PaloAltoPrismaCloudTopResources.yaml",
"Hunting Queries/PaloAltoPrismaCloudUpdatedResources.yaml"
],
"Data Connectors": [
"Data Connectors/PrismaCloud_API_FunctionApp.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\PaloAltoPrismaCloud",
"Version": "1.0.5"
}