Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Updated solution Trend Micro TippingPoint

This commit is contained in:
v-amolpatil 2024-06-27 14:24:50 +05:30
Родитель ce2a6d7a89
Коммит ebb6c87b20
11 изменённых файлов: 138 добавлений и 100 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Solutions/Trend Micro Deep Security/Data/Solution_TrendMicroDeepSecurityTemplateSpec.json
Просмотреть файл

@ -2,7 +2,7 @@
"Name": "Trend Micro Deep Security",
"Author": "Trend Micro",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Description": "The [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
"Data Connectors/TrendMicroDeepSecurity.json"
],

Двоичные данные
Solutions/Trend Micro Deep Security/Package/3.0.0.zip
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Trend Micro Deep Security/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Deep%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Deep%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Deep Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html) solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\r\n \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",

2
Solutions/Trend Micro Deep Security/Package/mainTemplate.json
Просмотреть файл

@ -787,7 +787,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "Trend Micro Deep Security",
"publisherDisplayName": "Trend Micro",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Deep%20Security/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html\">Trend Micro Deep Security</a> solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><a href=\"https://docs.microsoft.com/azure/sentinel/connect-common-event-format\">Agent-based log collection (CEF over Syslog)</a></li>\n</ol>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024,</strong> and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Deep%20Security/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security.html\">Trend Micro Deep Security</a> solution for Microsoft Sentinel enables you to ingest Deep Security logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.</p>\n\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024,</strong> and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1, <strong>Workbooks:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",

2
Solutions/Trend Micro TippingPoint/Data Connectors/TrendMicroTippingPoint.json
Просмотреть файл

@ -1,6 +1,6 @@
{
"id": "TrendMicroTippingPoint",
"title": "Trend Micro TippingPoint",
"title": "[Deprecated] Trend Micro TippingPoint via Legacy",
"publisher": "Trend Micro",
"descriptionMarkdown": "The Trend Micro TippingPoint connector allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",

9
Solutions/Trend Micro TippingPoint/Data/Solution_Trend Micro TippingPoint.json
Просмотреть файл

@ -2,15 +2,18 @@
"Name": "Trend Micro TippingPoint",
"Author": "Trend Micro",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Trend Micro](https://www.trendmicro.com/en_in/business.html) TippingPoint Microsoft Sentinel Solution allows you to easily connect your [TippingPoint](https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/tipping-point-threat-protection-system.html) SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (CEF)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format) ",
"Description": "The [Trend Micro](https://www.trendmicro.com/en_in/business.html) TippingPoint Microsoft Sentinel Solution allows you to easily connect your [TippingPoint](https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/tipping-point-threat-protection-system.html) SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Data Connectors": [
"Data Connectors/TrendMicroTippingPoint.json"
],
"Parsers": [
"Parsers/TrendMicroTippingPoint"
"Parsers/TrendMicroTippingPoint.yaml"
],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro TippingPoint",
"Version": "2.0.2",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Двоичные данные
Solutions/Trend Micro TippingPoint/Package/3.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

6
Solutions/Trend Micro TippingPoint/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Trend Micro](https://www.trendmicro.com/en_in/business.html) TippingPoint Microsoft Sentinel Solution allows you to easily connect your [TippingPoint](https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/tipping-point-threat-protection-system.html) SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent-based log collection (CEF)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format) \n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20TippingPoint/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro](https://www.trendmicro.com/en_in/business.html) TippingPoint Microsoft Sentinel Solution allows you to easily connect your [TippingPoint](https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/tipping-point-threat-protection-system.html) SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Trend Micro TippingPoint. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Trend Micro TippingPoint. You can get Trend Micro TippingPoint CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution also installs a parser that transforms ingested data. The transformed logs can be accessed using the TrendMicroTippingPoint Kusto Function alias."
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{

186
Solutions/Trend Micro TippingPoint/Package/mainTemplate.json
Просмотреть файл

@ -30,55 +30,39 @@
}
},
"variables": {
"_solutionName": "Trend Micro TippingPoint",
"_solutionVersion": "3.0.0",
"solutionId": "trendmicro.trend_micro_tippingpoint_mss",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "TrendMicroTippingPoint",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "TrendMicroTippingPoint",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"parserVersion1": "1.0.0",
"parserContentId1": "TrendMicroTippingPoint-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "TrendMicroTippingPoint",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','TrendMicroTippingPoint')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'TrendMicroTippingPoint')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('TrendMicroTippingPoint-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "TrendMicroTippingPoint-Parser"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Trend Micro TippingPoint data connector with template",
"displayName": "Trend Micro TippingPoint template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Trend Micro TippingPoint data connector with template version 2.0.2",
"description": "Trend Micro TippingPoint data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -94,7 +78,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Trend Micro TippingPoint",
"title": "[Deprecated] Trend Micro TippingPoint via Legacy",
"publisher": "Trend Micro",
"descriptionMarkdown": "The Trend Micro TippingPoint connector allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities.",
"additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
@ -242,7 +226,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@ -265,12 +249,23 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "[Deprecated] Trend Micro TippingPoint via Legacy",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@ -304,7 +299,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Trend Micro TippingPoint",
"title": "[Deprecated] Trend Micro TippingPoint via Legacy",
"publisher": "Trend Micro",
"descriptionMarkdown": "The Trend Micro TippingPoint connector allows you to easily connect your TippingPoint SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's networks/systems and improves your security operation capabilities.",
"graphQueries": [
@ -436,55 +431,38 @@
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
"name": "[variables('parserTemplateSpecName1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('parserObject1').parserTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "TrendMicroTippingPoint Data Parser with template",
"displayName": "TrendMicroTippingPoint Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "TrendMicroTippingPoint Data Parser with template version 2.0.2",
"description": "TrendMicroTippingPoint Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"contentVersion": "[variables('parserObject1').parserVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"name": "[variables('parserObject1')._parserName1]",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "TrendMicroTippingPoint",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "TrendMicroTippingPoint",
"query": "\n\r\nCommonSecurityLog\r\n| where DeviceProduct == \"UnityOne\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\r\n| extend DeviceVendor = iff(DeviceVendor == \"TippingPoint\", \"Trend Micro\", DeviceVendor)\r\n| extend DeviceProduct = iff(DeviceProduct == \"UnityOne\", \"TippingPoint\", DeviceProduct)\r\n| parse AdditionalExtensions with \"cat=\" cat\r\n| extend cat = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),cat)\r\n| project-rename TippingPointVLAN = DeviceCustomNumber1, TippingPointTaxonomy = DeviceCustomNumber2, TippingPointPacketTrace = DeviceCustomNumber3, TippingPointProfileName = DeviceCustomString1, TippingPointPolicyUUID = DeviceCustomString2, TippingPointSignatureUUID = DeviceCustomString3, TippingPointZoneNames = DeviceCustomString4, TippingPointSMSName = DeviceCustomString5, TippingPointFilterMessageParms = DeviceCustomString6\r\n| project-away DeviceCustomIPv6Address1Label, DeviceCustomIPv6Address2Label, DeviceCustomIPv6Address3Label, DeviceCustomNumber1Label, DeviceCustomNumber2Label, DeviceCustomNumber3Label, DeviceCustomString1Label, DeviceCustomString2Label, DeviceCustomString3Label, DeviceCustomString4Label, DeviceCustomString5Label, DeviceCustomString6Label",
"version": 1,
"query": "// REFERENCES: \n// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions\n// TippingPoint SMS User Guide: https://docs.trendmicro.com/all/tip/sms/v5.4.0/en-us/sms_5.4.0_ug.pdf\n// \nCommonSecurityLog\n| where DeviceProduct == \"UnityOne\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| extend DeviceVendor = iff(DeviceVendor == \"TippingPoint\", \"Trend Micro\", DeviceVendor)\n| extend DeviceProduct = iff(DeviceProduct == \"UnityOne\", \"TippingPoint\", DeviceProduct)\n| parse AdditionalExtensions with \"cat=\" cat\n| extend cat = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),cat)\n| project-rename TippingPointVLAN = DeviceCustomNumber1, TippingPointTaxonomy = DeviceCustomNumber2, TippingPointPacketTrace = DeviceCustomNumber3, TippingPointProfileName = DeviceCustomString1, TippingPointPolicyUUID = DeviceCustomString2, TippingPointSignatureUUID = DeviceCustomString3, TippingPointZoneNames = DeviceCustomString4, TippingPointSMSName = DeviceCustomString5, TippingPointFilterMessageParms = DeviceCustomString6\n| project-away DeviceCustomIPv6Address1Label, DeviceCustomIPv6Address2Label, DeviceCustomIPv6Address3Label, DeviceCustomNumber1Label, DeviceCustomNumber2Label, DeviceCustomNumber3Label, DeviceCustomString1Label, DeviceCustomString2Label, DeviceCustomString3Label, DeviceCustomString4Label, DeviceCustomString5Label, DeviceCustomString6Label\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": "TrendMicroTippingPoint"
"value": ""
}
]
}
@ -492,15 +470,15 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'TrendMicroTippingPoint')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"version": "[variables('parserObject1').parserVersion1]",
"source": {
"name": "Trend Micro TippingPoint",
"kind": "Solution",
@ -517,36 +495,54 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "TrendMicroTippingPoint",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"apiVersion": "2022-10-01",
"name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "TrendMicroTippingPoint",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "TrendMicroTippingPoint",
"query": "\n\r\nCommonSecurityLog\r\n| where DeviceProduct == \"UnityOne\"\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\r\n| extend DeviceVendor = iff(DeviceVendor == \"TippingPoint\", \"Trend Micro\", DeviceVendor)\r\n| extend DeviceProduct = iff(DeviceProduct == \"UnityOne\", \"TippingPoint\", DeviceProduct)\r\n| parse AdditionalExtensions with \"cat=\" cat\r\n| extend cat = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),cat)\r\n| project-rename TippingPointVLAN = DeviceCustomNumber1, TippingPointTaxonomy = DeviceCustomNumber2, TippingPointPacketTrace = DeviceCustomNumber3, TippingPointProfileName = DeviceCustomString1, TippingPointPolicyUUID = DeviceCustomString2, TippingPointSignatureUUID = DeviceCustomString3, TippingPointZoneNames = DeviceCustomString4, TippingPointSMSName = DeviceCustomString5, TippingPointFilterMessageParms = DeviceCustomString6\r\n| project-away DeviceCustomIPv6Address1Label, DeviceCustomIPv6Address2Label, DeviceCustomIPv6Address3Label, DeviceCustomNumber1Label, DeviceCustomNumber2Label, DeviceCustomNumber3Label, DeviceCustomString1Label, DeviceCustomString2Label, DeviceCustomString3Label, DeviceCustomString4Label, DeviceCustomString5Label, DeviceCustomString6Label",
"version": 1
"query": "// REFERENCES: \n// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions\n// TippingPoint SMS User Guide: https://docs.trendmicro.com/all/tip/sms/v5.4.0/en-us/sms_5.4.0_ug.pdf\n// \nCommonSecurityLog\n| where DeviceProduct == \"UnityOne\"\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| extend DeviceVendor = iff(DeviceVendor == \"TippingPoint\", \"Trend Micro\", DeviceVendor)\n| extend DeviceProduct = iff(DeviceProduct == \"UnityOne\", \"TippingPoint\", DeviceProduct)\n| parse AdditionalExtensions with \"cat=\" cat\n| extend cat = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"),cat)\n| project-rename TippingPointVLAN = DeviceCustomNumber1, TippingPointTaxonomy = DeviceCustomNumber2, TippingPointPacketTrace = DeviceCustomNumber3, TippingPointProfileName = DeviceCustomString1, TippingPointPolicyUUID = DeviceCustomString2, TippingPointSignatureUUID = DeviceCustomString3, TippingPointZoneNames = DeviceCustomString4, TippingPointSMSName = DeviceCustomString5, TippingPointFilterMessageParms = DeviceCustomString6\n| project-away DeviceCustomIPv6Address1Label, DeviceCustomIPv6Address2Label, DeviceCustomIPv6Address3Label, DeviceCustomNumber1Label, DeviceCustomNumber2Label, DeviceCustomNumber3Label, DeviceCustomString1Label, DeviceCustomString2Label, DeviceCustomString3Label, DeviceCustomString4Label, DeviceCustomString5Label, DeviceCustomString6Label\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": ""
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'TrendMicroTippingPoint')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"version": "[variables('parserObject1').parserVersion1]",
"source": {
"kind": "Solution",
"name": "Trend Micro TippingPoint",
@ -563,13 +559,20 @@
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.2",
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentSchemaVersion": "3.0.0",
"displayName": "Trend Micro TippingPoint",
"publisherDisplayName": "Trend Micro",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20TippingPoint/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.trendmicro.com/en_in/business.html\">Trend Micro</a> TippingPoint Microsoft Sentinel Solution allows you to easily connect your <a href=\"https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/tipping-point-threat-protection-system.html\">TippingPoint</a> SMS IPS events with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.</p>\n<p>This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.</p>\n<p><strong>NOTE:</strong> Microsoft recommends installation of CEF via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by <strong>Aug 31, 2024,</strong> and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost <a href=\"https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate\">more details</a>.</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Trend_Micro_Logo.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@ -586,7 +589,6 @@
"link": "https://success.trendmicro.com/dcx/s/contactus?language=en_US"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
@ -595,8 +597,12 @@
},
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
"contentId": "[variables('parserObject1').parserContentId1]",
"version": "[variables('parserObject1').parserVersion1]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-commoneventformat"
}
]
},

24
Solutions/Trend Micro TippingPoint/Package/testParameters.json Normal file
Просмотреть файл

@ -0,0 +1,24 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
}

5
Solutions/Trend Micro TippingPoint/ReleaseNotes.md Normal file
Просмотреть файл

@ -0,0 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 27-06-2024 | OMS Data Connector Migration |
| 2.0.2 | 30-05-2023 | Updated Package |
| 2.0.1 | 11-11-2022 | Initial Release |