Merge remote-tracking branch 'upstream2/master' into users/sivang/parsersKqlValidator
ec49b58bee
DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip
|
@ -139,17 +139,25 @@ function Get-GuardDutyAndRoleKmsPolicy
|
|||
return $kmsPolicy.Replace("'",'"')
|
||||
}
|
||||
|
||||
function Enable-GuardDuty
|
||||
function Enable-GuardDuty-ForRegion
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Enables GuardDuty based on specified configuration
|
||||
.PARAMETER Region
|
||||
Specifies the region
|
||||
#>
|
||||
|
||||
Write-Log -Message "Enabling GuardDuty" -LogFileName $LogFileName -LinePadding 1
|
||||
param (
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()][string]
|
||||
$Region
|
||||
)
|
||||
|
||||
Write-Log -Message "Enabling GuardDuty for region $region" -LogFileName $LogFileName -LinePadding 1
|
||||
Set-RetryAction({
|
||||
Write-Log -Message "Executing: aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES 2>&1" -LogFileName $LogFileName -Severity Verbose
|
||||
$newGuarduty = aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES 2>&1
|
||||
$newGuarduty = aws --region $region guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES 2>&1
|
||||
|
||||
$isGuardutyEnabled = $lastexitcode -ne 0
|
||||
if ($isGuardutyEnabled)
|
||||
|
@ -157,10 +165,8 @@ function Enable-GuardDuty
|
|||
Write-Output `n
|
||||
Write-Log -Message 'A detector already exists for the current account.' -LogFileName $LogFileName
|
||||
Write-Log -Message "Executing: aws guardduty list-detectors" -LogFileName $LogFileName -Severity Verbose
|
||||
$detectors = (aws guardduty list-detectors | ConvertFrom-Json)."DetectorIds" -join ', '
|
||||
Write-Log -Message "List of existing detectors: $detectors" -LogFileName $LogFileName
|
||||
|
||||
$script:detectorId = Read-ValidatedHost 'Please enter detector Id from the above list'
|
||||
$script:detectorId = (aws --region $region guardduty list-detectors | ConvertFrom-Json)."DetectorIds" -join ', '
|
||||
Write-Log -Message "Detector Id: $detectorId" -LogFileName $LogFileName
|
||||
}
|
||||
else
|
||||
|
@ -169,7 +175,7 @@ function Enable-GuardDuty
|
|||
}
|
||||
|
||||
Write-Log -Message "Executing: aws guardduty list-publishing-destinations --detector-id $detectorId 2>&1" -LogFileName $LogFileName -Severity Verbose
|
||||
$script:currentDestinations = aws guardduty list-publishing-destinations --detector-id $detectorId 2>&1
|
||||
$script:currentDestinations = aws --region $region guardduty list-publishing-destinations --detector-id $detectorId 2>&1
|
||||
Write-Log $currentDestinations -LogFileName $LogFileName -Severity Verbose
|
||||
})
|
||||
}
|
||||
|
@ -179,19 +185,27 @@ function Set-GuardDutyPublishDestinationBucket
|
|||
<#
|
||||
.SYNOPSIS
|
||||
Configures GuardDuty to publish logs to destination bucket
|
||||
.PARAMETER Region
|
||||
Specifies the region
|
||||
#>
|
||||
|
||||
param (
|
||||
[Parameter()]
|
||||
[ValidateNotNullOrEmpty()][string]
|
||||
$Region
|
||||
)
|
||||
|
||||
$currentDestinationsObject = $currentDestinations | ConvertFrom-Json
|
||||
$currentS3Destinations = $currentDestinationsObject.Destinations | Where-Object DestinationType -eq S3
|
||||
if ($null -eq $currentS3Destinations)
|
||||
{
|
||||
Write-Log -Message "Executing: aws guardduty create-publishing-destination --detector-id $detectorId --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null" -LogFileName $LogFileName -Severity Verbose
|
||||
aws guardduty create-publishing-destination --detector-id $detectorId --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
|
||||
aws --region $Region guardduty create-publishing-destination --detector-id $detectorId --destination-type S3 --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
|
||||
}
|
||||
else
|
||||
{
|
||||
Write-Log "Executing: aws guardduty describe-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId | ConvertFrom-Json" -LogFileName $LogFileName -Severity Verbose
|
||||
$destinationDescriptionObject = aws guardduty describe-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId | ConvertFrom-Json
|
||||
$destinationDescriptionObject = aws --region $Region guardduty describe-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId | ConvertFrom-Json
|
||||
$destinationArn = $destinationDescriptionObject.DestinationProperties.DestinationArn
|
||||
|
||||
Write-Log -Message "GuardDuty is already configured for bucket arn '$destinationArn'" -LogFileName $LogFileName -LinePadding 2
|
||||
|
@ -199,7 +213,7 @@ function Set-GuardDutyPublishDestinationBucket
|
|||
if ($guardDutyBucketConfirmation -eq 'y')
|
||||
{
|
||||
Write-Log -Message "Executing: aws guardduty update-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null" -LogFileName $LogFileName -Severity Verbose
|
||||
aws guardduty update-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
|
||||
aws --region $Region guardduty update-publishing-destination --detector-id $detectorId --destination-id $currentS3Destinations.DestinationId --destination-properties DestinationArn=arn:aws:s3:::$bucketName,KmsKeyArn=$kmsArn | Out-Null
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -208,6 +222,48 @@ function Set-GuardDutyPublishDestinationBucket
|
|||
}
|
||||
}
|
||||
|
||||
function Enable-GuardDuty
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Enables GuardDuty based on specified configuration
|
||||
#>
|
||||
|
||||
[String[]]$allRegionsArray = (aws ec2 describe-regions | ConvertFrom-Json)."Regions".RegionName
|
||||
$regionConfirmation = Read-ValidatedHost 'Do you want enable guardduty for all regions? [y/n]' -ValidationType Confirm
|
||||
if ($regionConfirmation -eq 'y')
|
||||
{
|
||||
for($i = 0; $i -lt $allRegionsArray.length; $i++)
|
||||
{
|
||||
Enable-GuardDuty-ForRegion -Region $allRegionsArray[$i]
|
||||
Set-GuardDutyPublishDestinationBucket -Region $allRegionsArray[$i]
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
[String[]]$selectedRegionsArray = Read-ValidatedHost -Prompt "Please enter list of regions seperated by space"
|
||||
$selectedRegionsArray = $selectedRegionsArray.Split(' ') | Select-Object -Unique
|
||||
|
||||
for($i = 0; $i -lt $selectedRegionsArray.length; $i++)
|
||||
{
|
||||
if (-not($allRegionsArray -contains $selectedRegionsArray[$i]))
|
||||
{
|
||||
$notValidRegion = $selectedRegionsArray[$i]
|
||||
$selectedRegionsArray = $selectedRegionsArray | ? {$_ -ne $notValidRegion}
|
||||
Write-Log -Message "Region $notValidRegion doesn't exist" -LogFileName $LogFileName -LinePadding 2
|
||||
}
|
||||
}
|
||||
for($i = 0; $i -lt $selectedRegionsArray.length; $i++)
|
||||
{
|
||||
Enable-GuardDuty-ForRegion -Region $selectedRegionsArray[$i]
|
||||
Set-GuardDutyPublishDestinationBucket -Region $selectedRegionsArray[$i]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
# *********** Main Flow ***********
|
||||
|
||||
# Validate AWS configuration
|
||||
|
@ -255,7 +311,7 @@ Update-S3Policy -RequiredPolicy $s3RequiredPolicy -CustomMessage $customMessage
|
|||
Enable-S3EventNotification -DefaultEventNotificationPrefix "AWSLogs/${callerAccount}/GuardDuty/"
|
||||
|
||||
Enable-GuardDuty
|
||||
Set-GuardDutyPublishDestinationBucket
|
||||
|
||||
|
||||
# Output information needed to configure Sentinel data connector
|
||||
Write-RequiredConnectorDefinitionInfo -DestinationTable AWSGuardDuty
|
|
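Review bot: In `Enable-GuardDuty-ForRegion` the check `$isGuardutyEnabled = $lastexitcode -ne 0` treats every non-zero exit of `aws guardduty create-detector` as "a detector already exists", so an access-denied, throttling or unsupported-region failure inside the new per-region loop falls through to `list-detectors`, and the replacement line `$script:detectorId = (...)."DetectorIds" -join ', '` then yields an empty or comma-joined value that the following `--detector-id $detectorId` calls cannot use; test the captured `$newGuarduty` output for the "already exists" message instead of the exit code alone, log and skip the region on any other error, and take the first id (`[0]`) rather than joining. In `Enable-GuardDuty` the validation loop removes entries from `$selectedRegionsArray` while indexing into it, so the element after a rejected region is never checked (for input `foo bar us-east-1`, `bar` reaches the AWS calls); filter first with `$selectedRegionsArray = $selectedRegionsArray | Where-Object { $allRegionsArray -contains $_ }` and log the rejected names separately. `aws ec2 describe-regions` is not checked either, so a credentials or network error leaves `$allRegionsArray` empty and every region the user enters is reported as non-existent; at minimum abort when that array is empty. Note that `describe-regions` without `--all-regions` lists only the regions enabled for the account, which is presumably intended but deserves a comment, and the prompt text has a typo (`seperated`).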
@ -26,7 +26,7 @@
|
|||
{
|
||||
"type": "savedSearches",
|
||||
"apiVersion": "2020-08-01",
|
||||
"name": "ASimDnsVectraAI",
|
||||
"name": "vimDnsVectraAI",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
|
||||
],
|
||||
|
@ -34,10 +34,10 @@
|
|||
"etag": "*",
|
||||
"displayName": "DNS ASIM parser for Vectra AI Steams",
|
||||
"category": "ASIM",
|
||||
"FunctionAlias": "ASimDnsVectraAI",
|
||||
"FunctionAlias": "vimDnsVectraAI",
|
||||
"query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n) \n{\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where metadata_type_s == 'metadata_dns'\n | where (srcipaddr == '*' or id_orig_h_s == srcipaddr)\n | where (array_length(domain_has_any) == 0 or query_s has_any(domain_has_any))\n | where (responsecodename == '*' or rcode_name_s =~ responsecodename)\n | where (response_has_ipv4 == '*' or has_ipv4(answers_s, response_has_ipv4))\n | where (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers_s, response_has_any_prefix))\n | where (eventtype == '*' or eventtype in~ ('Query', 'lookup'))\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", 
DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = split(metadata_type_s, '_')[1],\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)",
|
||||
"version": 1,
|
||||
"functionParameters": "disabled:bool=False"
|
||||
"functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]), eventtype:string='Query', disabled:bool=False"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -14,9 +14,33 @@ References:
|
|||
Link: https://aka.ms/AboutASIM
|
||||
Description: |
|
||||
This ASIM parser supports normalizing Vectra AI Steams logs to the ASIM DNS normalized schema.
|
||||
ParserName: ASimDnsVectraAI
|
||||
EquivalentBuiltInParser: _ASim_Dns_VectraAI
|
||||
ParserName: vimDnsVectraAI
|
||||
EquivalentBuiltInParser: _Im_Dns_VectraAI
|
||||
ParserParams:
|
||||
- Name: starttime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: endtime
|
||||
Type: datetime
|
||||
Default: datetime(null)
|
||||
- Name: srcipaddr
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: domain_has_any
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: responsecodename
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: response_has_ipv4
|
||||
Type: string
|
||||
Default: '*'
|
||||
- Name: response_has_any_prefix
|
||||
Type: dynamic
|
||||
Default: dynamic([])
|
||||
- Name: eventtype
|
||||
Type: string
|
||||
Default: 'Query'
|
||||
- Name: disabled
|
||||
Type: bool
|
||||
Default: false
|
||||
|
|
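Review bot: The `Description` just above the renamed `ParserName: vimDnsVectraAI` still reads "This ASIM parser supports normalizing Vectra AI Steams logs", which neither reflects that this is now the filtering (`vim`) variant with the parameters listed under `ParserParams` nor matches the product name used by the query itself (`EventProduct = 'Vectra Stream'`). Suggest `This ASIM filtering parser supports normalizing Vectra AI Stream logs to the ASIM DNS normalized schema and accepts the standard DNS filtering parameters listed under ParserParams.`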
|
@ -1,4 +1,88 @@
|
|||
#!/bin/bash
|
||||
|
||||
function pause() {
|
||||
if [ ! "$CONFIRMALL" ]; then
|
||||
read -r -p "$*"
|
||||
fi
|
||||
}
|
||||
|
||||
function check_package() {
|
||||
if ! which "$1" >/dev/null 2>&1; then
|
||||
echo "Binary $1 not found"
|
||||
echo "Please install $1 and run the upgrade script again"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
#global
|
||||
dockerimage=mcr.microsoft.com/azure-sentinel/solutions/sapcon
|
||||
sdkfileloc=/sapcon-app/inst/
|
||||
CONTAINERNAMES=()
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
--confirm-all-prompts)
|
||||
CONFIRMALL=1
|
||||
shift 1
|
||||
;;
|
||||
--no-testrun)
|
||||
NOTESTRUN=1
|
||||
shift 1
|
||||
;;
|
||||
--sdk)
|
||||
SDKFILELOC="$2"
|
||||
SDKFILELOC="${SDKFILELOC/#\~/$HOME}"
|
||||
shift 2
|
||||
;;
|
||||
--containername)
|
||||
CONTAINERNAMES+=("$2")
|
||||
shift 2
|
||||
;;
|
||||
--devmode)
|
||||
DEVMODE=1
|
||||
shift 1
|
||||
;;
|
||||
--dev-acr)
|
||||
DEVURL="$2"
|
||||
shift 2
|
||||
;;
|
||||
--dev-acr-login)
|
||||
DEVACRLOGIN="$2"
|
||||
shift 2
|
||||
;;
|
||||
--dev-acr-pwd)
|
||||
DEVACRPWD="$2"
|
||||
shift 2
|
||||
;;
|
||||
--preview)
|
||||
PREVIEW=1
|
||||
shift 1
|
||||
;;
|
||||
--force)
|
||||
FORCE=1
|
||||
shift 1
|
||||
;;
|
||||
--script-debug)
|
||||
set -x
|
||||
shift 1
|
||||
;;
|
||||
-*)
|
||||
echo "Unknown option $1"
|
||||
echo "Valid options are"
|
||||
echo "--confirm-all-prompts"
|
||||
echo "--preview"
|
||||
echo "--script-debug"
|
||||
echo "--no-testrun"
|
||||
echo "--sdk <filepath>"
|
||||
echo "--containername <containername> [--containername <containername>]..."
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
POSITIONAL_ARGS+=("$1") # save positional arg
|
||||
shift # past argument
|
||||
;;
|
||||
esac
|
||||
done
|
||||
#Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
echo 'Microsoft Azure Sentinel SAP Continuous Threat Monitoring.
|
||||
SAP ABAP Logs Connector - Preview
|
||||
|
@ -7,88 +91,178 @@ Copyright (c) Microsoft Corporation.
|
|||
You may use this preview software internally and only in accordance with the Azure preview terms, located at https://azure.microsoft.com/support/legal/preview-supplemental-terms/
|
||||
|
||||
Microsoft reserves all other rights
|
||||
****'
|
||||
function pause(){
|
||||
read -p "$*"
|
||||
}
|
||||
****
|
||||
|
||||
|
||||
#global
|
||||
dockerimage=mcr.microsoft.com/azure-sentinel/solutions/sapcon
|
||||
tagver=":latest-preview"
|
||||
olddockerimage=sentinel4sapprivateprview.azurecr.io/sapcon
|
||||
containername=sapcon
|
||||
sysconf=systemconfig.ini
|
||||
acr=sentinel4sapprivateprview.azurecr.io
|
||||
sdkfileloc=/sapcon-app/inst/
|
||||
|
||||
echo '
|
||||
-----Update All MS SAPcon instances----
|
||||
This process will download the latest version of Sentinel SAP Connector, Updates current image and containers. A currently running version of the instance will be stopped and automatically start after the process.
|
||||
In order to process you will need the following prerequisites:
|
||||
'
|
||||
# Parameter validation
|
||||
if [ -n "$SDKFILELOC" ] && [ ! -f "$SDKFILELOC" ]; then
|
||||
echo 'Invalid SDK path'
|
||||
exit 1
|
||||
fi
|
||||
# Image selection
|
||||
if [ $DEVMODE ]; then
|
||||
dockerimage=$(echo "$DEVURL" | awk -F: '{print $1}')
|
||||
acr=$(echo "$DEVURL" | awk -F/ '{print $1}')
|
||||
sudo docker login "$acr" -u "$DEVACRLOGIN" -p "$DEVACRPWD"
|
||||
tagver=$(echo "$DEVURL" | awk -F: '{print ":"$2}')
|
||||
else
|
||||
dockerimage=mcr.microsoft.com/azure-sentinel/solutions/sapcon
|
||||
if [ $PREVIEW ]; then
|
||||
tagver=":latest-preview"
|
||||
else
|
||||
tagver=":latest"
|
||||
fi
|
||||
fi
|
||||
|
||||
check_package docker
|
||||
check_package jq
|
||||
|
||||
echo 'Starting Docker image Pull'
|
||||
docker pull $dockerimage$tagver
|
||||
if [ $? -eq 1 ];
|
||||
then
|
||||
if [ $? -eq 1 ]; then
|
||||
echo 'There is an error with the docker image - please Check network connection'
|
||||
exit 1
|
||||
fi
|
||||
pause '
|
||||
Image has been downloaded - Press <Enter> key to continue with the Update'
|
||||
repoimageid=$(docker inspect "$dockerimage$tagver" --format '{{.Id}}')
|
||||
|
||||
contlist=$(docker container ls -a | awk 'NR!=1 {print $1}')
|
||||
while IFS= read -r contid; do
|
||||
containerlabel=$(docker inspect "$contid" | jq '.[].Config.Labels."com.visualstudio.msazure.image.build.repository.name"')
|
||||
if [ "$containerlabel" == '"ASI-Sentinel4SAP"' ]; then
|
||||
contimg=$(docker inspect --format='{{.Image}}' "$contid")
|
||||
contname=$(docker inspect --format '{{.Name}}' "$contid")
|
||||
contname="${contname:1}"
|
||||
if [[ -z ${CONTAINERNAMES[*]} ]] || [[ ${CONTAINERNAMES[*]} =~ $contname ]]; then
|
||||
echo "Checking if upgrade is necessary for container $contname"
|
||||
if [ ! "$contimg" = "$repoimageid" ] || [ $FORCE = 1 ]; then
|
||||
echo "Updating $contname"
|
||||
if [ -n "$contid" ]; then
|
||||
sysfileloc=$(docker inspect -f '{{ .Mounts }}' $contname | awk 'NR==1 {print $2}')
|
||||
if [ -z "$sysfileloc" ]; then
|
||||
echo "Container $contname cannot be updated - The mount point is empty"
|
||||
exit 1
|
||||
fi
|
||||
last=${sysfileloc: -1}
|
||||
|
||||
while IFS= read -r contid
|
||||
do
|
||||
contimg=$(docker inspect --format='{{.Config.Image}}' $contid)
|
||||
contname=$(docker ps -a --filter id=$contid --format '{{.Names}}')
|
||||
if [ "$last" != "/" ]; then
|
||||
sysfileloc="$sysfileloc/"
|
||||
fi
|
||||
|
||||
if [[ "$contimg" = *"$dockerimage"* ]] || [[ "$contimg" = *"$olddockerimage"* ]]
|
||||
then
|
||||
echo ' '
|
||||
echo Updating $contname...
|
||||
if [ ! -z $contid ]
|
||||
then
|
||||
sysfileloc=$(docker inspect -f '{{ .Mounts }}' $contname | awk 'NR==1 {print $2}')
|
||||
if [ ! -z $sysfileloc ]
|
||||
then
|
||||
last=${sysfileloc: -1}
|
||||
read -r -a containervariables <<<"$(docker inspect $contname -f '{{.Config.Env}}' | tr -d '[' | tr -d ']' | tr ' ' ' ')"
|
||||
envstring=""
|
||||
for variable in "${containervariables[@]}"; do
|
||||
if [[ ! $variable == PATH=* ]] &&
|
||||
[[ ! $variable == LANG=* ]] &&
|
||||
[[ ! $variable == GPG_KEY=* ]] &&
|
||||
[[ ! $variable == PYTHON_VERSION=* ]] &&
|
||||
[[ ! $variable == PYTHON_PIP_VERSION=* ]] &&
|
||||
[[ ! $variable == PYTHON_SETUPTOOLS_VERSION=* ]] &&
|
||||
[[ ! $variable == PYTHON_GET_PIP_URL=* ]] &&
|
||||
[[ ! $variable == PYTHON_GET_PIP_SHA256=* ]]; then
|
||||
envstring+="-e $variable "
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$last" != "/" ];
|
||||
then
|
||||
sysfileloc="$sysfileloc/"
|
||||
isRunning=$(docker inspect --format='{{.State.Running}}' "$contname")
|
||||
if [ "$isRunning" == "true" ]; then
|
||||
docker stop "$contname"
|
||||
fi
|
||||
mkdir -p /tmp/sapcon-update/ >/dev/null 2>&1
|
||||
sudo rm -rf "/tmp/sapcon-update/$contname" >/dev/null 2>&1
|
||||
mkdir "/tmp/sapcon-update/$contname" >/dev/null 2>&1
|
||||
|
||||
#renaming the container, creating a new test container
|
||||
oldname="$contname-OLD"
|
||||
docker container rename "$contname" "$oldname" >/dev/null
|
||||
|
||||
#Extract SDK from old container, or use a newly supplied one
|
||||
if [ -n "$SDKFILELOC" ]; then
|
||||
mkdir -p "/tmp/sapcon-update/$contname/inst"
|
||||
cp "$SDKFILELOC" "/tmp/sapcon-update/$contname/inst/"
|
||||
else
|
||||
docker cp "$oldname":$sdkfileloc "/tmp/sapcon-update/$contname"
|
||||
fi
|
||||
sdkfilename=$(ls -1r /tmp/sapcon-update/$contname/inst/nwrfc*.zip | head -n 1)
|
||||
|
||||
if [ ! $NOTESTRUN ]; then
|
||||
# If test run is required
|
||||
docker create -v "$sysfileloc:/sapcon-app/sapcon/config/system" $envstring --name "$contname" $dockerimage$tagver --sapconinstanceupdate >/dev/null
|
||||
|
||||
docker cp "$sdkfilename" "$contname":$sdkfileloc
|
||||
docker start "$contname" >/dev/null
|
||||
|
||||
let timeelapsed=0
|
||||
dryruninprogress="true"
|
||||
echo -n "Starting container test run..."
|
||||
while [ "$dryruninprogress" == "true" ] && [ $timeelapsed -le 120 ]; do
|
||||
dryruninprogress=$(docker inspect --format='{{.State.Running}}' "$contname")
|
||||
if [ "$dryruninprogress" == "false" ]; then
|
||||
containerexitcode=$(docker container inspect --format '{{.State.ExitCode}}' "$contname")
|
||||
printf "\nContainer dry run exited. Exit code $containerexitcode"
|
||||
if [ "$containerexitcode" == 0 ]; then
|
||||
dryrunsuccess=1
|
||||
docker rm "$contname" >/dev/null
|
||||
docker create -v "$sysfileloc:/sapcon-app/sapcon/config/system" $envstring --name "$contname" $dockerimage$tagver >/dev/null
|
||||
docker cp $sdkfilename "$contname":"$sdkfileloc"
|
||||
elif [ "$containerexitcode" == 7 ]; then
|
||||
printf "\nInsufficient authorizations in SAP"
|
||||
dryrunsuccess=0
|
||||
break
|
||||
elif [ "$containerexitcode" == 8 ]; then
|
||||
printf "\nContainer runtime error"
|
||||
dryrunsuccess=0
|
||||
break
|
||||
else
|
||||
printf "\nContainer exited with code $containerexitcode"
|
||||
dryrunsuccess=0
|
||||
break
|
||||
fi
|
||||
fi
|
||||
sleep 1
|
||||
let timeelapsed=timeelapsed+1
|
||||
echo -n "."
|
||||
done
|
||||
if [ "$dryruninprogress" == "true" ]; then
|
||||
# container did not exit after 60 seconds
|
||||
printf "\nContainer is running after timeout period expired"
|
||||
docker stop "$contname" >/dev/null
|
||||
fi
|
||||
|
||||
if [ "$dryrunsuccess" == 1 ]; then
|
||||
printf "\nTest run successful, removing old container"
|
||||
docker rm "$oldname" >/dev/null
|
||||
else
|
||||
printf "\nTest run NOT successful, removing new container, renaming the old container to original name"
|
||||
echo "----Container debug logs START----"
|
||||
docker logs "$contname"
|
||||
echo "----Container debug logs END----"
|
||||
docker rm "$contname" >/dev/null
|
||||
docker rename "$oldname" "$contname" >/dev/null
|
||||
fi
|
||||
else
|
||||
docker create -v "$sysfileloc:/sapcon-app/sapcon/config/system" $envstring --name "$contname" $dockerimage$tagver >/dev/null
|
||||
docker cp "$sdkfilename" "$contname":"$sdkfileloc"
|
||||
docker rm "$oldname"
|
||||
fi
|
||||
sudo rm -rf /tmp/sapcon-update >/dev/null 2>&1
|
||||
fi
|
||||
|
||||
contstate=$(docker inspect --format='{{.State.Running}}' $contname )
|
||||
|
||||
# pause 'press enter'
|
||||
if [ $contstate == "false" ]
|
||||
then
|
||||
docker cp $contname:$sdkfileloc $(pwd)
|
||||
docker container rm $contname >/dev/null
|
||||
docker create -v $sysfileloc:/sapcon-app/sapcon/config/system --name $contname $dockerimage$tagver >/dev/null
|
||||
docker cp "$(pwd)/inst/" $contname:/sapcon-app/ >/dev/null
|
||||
echo 'Container "'"$contname"'" was updated - please start the app by running "docker start '"$contname"'"'
|
||||
echo ''
|
||||
else
|
||||
docker cp $contname:$sdkfileloc $(pwd)
|
||||
docker stop $contname >/dev/null
|
||||
docker container rm $contname >/dev/null
|
||||
docker create -v $sysfileloc:/sapcon-app/sapcon/config/system --name $contname $dockerimage$tagver >/dev/null
|
||||
docker cp "$(pwd)/inst/" $contname:/sapcon-app/ >/dev/null
|
||||
docker start $contname >/dev/null
|
||||
echo 'Container "'"$contname"'" was updated'
|
||||
echo ''
|
||||
if [ "$isRunning" == "true" ]; then
|
||||
echo "Starting container $contname"
|
||||
docker start "$contname" >/dev/null
|
||||
fi
|
||||
else
|
||||
echo 'Container "'"$contname"'" cannot be updated - The mount point is empty'
|
||||
echo ' '
|
||||
echo "Container image for container $contname is identical to the one in the repo"
|
||||
fi
|
||||
else
|
||||
echo ''
|
||||
echo "Skipping container $contname as it is not specified in --containername list"
|
||||
fi
|
||||
|
||||
else
|
||||
echo "Skipping container id $contid as it does not appear to be a sapcon container"
|
||||
fi
|
||||
done <<< "$contlist"
|
||||
done \
|
||||
<<<"$contlist"
|
||||
|
|
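Review bot: The dev-mode login line `sudo docker login "$acr" -u "$DEVACRLOGIN" -p "$DEVACRPWD"` puts the registry password on the command line, where it is visible in `ps`, in shell history and in the trace that `--script-debug` enables with `set -x`; pass it on stdin instead: `printf '%s' "$DEVACRPWD" | sudo docker login "$acr" -u "$DEVACRLOGIN" --password-stdin`. The staging directory is a fixed path under world-writable `/tmp` (`mkdir -p /tmp/sapcon-update/`, later `sudo rm -rf /tmp/sapcon-update`), so another local user who pre-creates `/tmp/sapcon-update/$contname` controls the `inst/nwrfc*.zip` that `docker cp` places into the new container; create it with `stagedir=$(mktemp -d)`, register `trap 'rm -rf -- "$stagedir"' EXIT`, and key every path off `$stagedir`. `[ $FORCE = 1 ]` expands to `[ = 1 ]` when `--force` was not given and only "works" by erroring out with status 2; quote it as `[ "$FORCE" = 1 ]`. The `$envstring` built from `{{.Config.Env}}` is split on spaces and expanded unquoted into `docker create`, so any value containing whitespace is broken apart, and if those variables carry credentials they also land on the command line and in the `set -x` trace; an array of `-e` arguments read with `docker inspect -f '{{range .Config.Env}}{{println .}}{{end}}'` would avoid both.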
Solutions/SecurityBridge/Package/1.0.0.zip
|
@ -18,6 +18,6 @@
|
|||
"Data Connectors/Connector_SecurityBridge.json"
|
||||
],
|
||||
"BasePath": "https://raw.githubusercontent.com/frozenstrawberries/Azure-Sentinel/master/Solutions/SecurityBridge/",
|
||||
"Version": "1.0.0",
|
||||
"Version": "1.0.1",
|
||||
"Metadata": "SolutionMetadata.json"
|
||||
}
|
|
@ -20,7 +20,7 @@
|
|||
"type": 4,
|
||||
"isRequired": true,
|
||||
"value": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 5184000000
|
||||
},
|
||||
"typeSettings": {
|
||||
"selectableValues": [
|
||||
|
@ -87,7 +87,8 @@
|
|||
"additionalResourceOptions": [],
|
||||
"showDefault": false
|
||||
},
|
||||
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]"
|
||||
"jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]",
|
||||
"value": "Yes"
|
||||
},
|
||||
{
|
||||
"id": "51cb8cb1-3d50-47f4-9485-2519a992c735",
|
||||
|
@ -145,9 +146,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| extend Severity = tostring(Severity)\r\n| summarize Count = count() by Severity\r\n| extend SeverityNumber = case(Severity == \"Low\", 3, Severity == \"Medium\", 7, Severity == \"High\", 9, Severity == \"Critical\", 10, 0)\r\n| sort by SeverityNumber",
|
||||
"size": 4,
|
||||
"title": "Events by Severity",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -253,7 +251,7 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 7776000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
|
@ -277,7 +275,7 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 0
|
||||
"durationMs": 7776000000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
|
@ -302,8 +300,9 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
|
@ -325,8 +324,9 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
|
@ -348,8 +348,9 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
|
@ -371,8 +372,9 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces"
|
||||
|
@ -391,9 +393,7 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where Severity in ({Severity})\r\n| where duser in ({User}) or \"*\" in ({User})\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| where shost in ({Terminal}) or \"*\" in ({Terminal})\r\n| where DeviceEventClassID in ({Listener}) or \"*\" in ({Listener})\r\n| where Name in ({Action}) or \"*\" in ({Action})\r\n| project TimeGenerated, Severity, DeviceEventClassID, Name, msg, [\"Link to Event\"]= strcat(({urlprefix}), externalid), shost, duser, SAPsid, SAPclient\r\n| sort by TimeGenerated",
|
||||
"size": 0,
|
||||
"title": "Event by Selected Filters",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"gridSettings": {
|
||||
|
@ -467,9 +467,6 @@
|
|||
"quote": "'",
|
||||
"delimiter": ",",
|
||||
"query": "SecurityBridgeLogs\r\n| distinct SAPsid",
|
||||
"value": [
|
||||
"value::all"
|
||||
],
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [
|
||||
"value::all"
|
||||
|
@ -477,7 +474,7 @@
|
|||
"showDefault": false
|
||||
},
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
"durationMs": 0
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"defaultValue": "value::all",
|
||||
|
@ -511,9 +508,7 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by Name",
|
||||
"size": 0,
|
||||
"title": "Events by Event Name",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "barchart",
|
||||
|
@ -551,9 +546,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize [\"Number of Events\"] = count() by bin(todatetime(rt), 1d)",
|
||||
"size": 1,
|
||||
"title": "Events Ingestion by Time",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -597,9 +589,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by bin(todatetime(rt), 1h), Severity",
|
||||
"size": 1,
|
||||
"title": "Events by Time with respect to Severity",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -662,9 +651,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by SAPsid",
|
||||
"size": 1,
|
||||
"title": "Events Ingestion by Time",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -688,9 +674,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by Severity",
|
||||
"size": 0,
|
||||
"title": "Events by Severity",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -710,9 +693,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by duser\r\n| sort by count_\r\n| take 5",
|
||||
"size": 0,
|
||||
"title": "Top 5 Users",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -732,9 +712,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by dhost\r\n| sort by count_\r\n| take 5",
|
||||
"size": 0,
|
||||
"title": "Top 5 Workstations",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -754,9 +731,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by duser\r\n| join (\r\nSecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| extend user = duser\r\n| make-series TrendList = count() on todatetime(rt) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by duser ) on duser\r\n| project duser, [\"Total events\"] = count_, TrendLine = TrendList\r\n| top 10 by [\"Total events\"] desc",
|
||||
"size": 0,
|
||||
"title": "Event Stats by Users",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
@ -787,9 +761,6 @@
|
|||
"query": "SecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| summarize count() by dhost\r\n| join (\r\nSecurityBridgeLogs\r\n| where SAPsid in ({SAPSID}) or \"*\" in ({SAPSID})\r\n| extend user = dhost\r\n| make-series TrendList = count() on todatetime(rt) in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by dhost ) on dhost\r\n| project dhost, [\"Total events\"] = count_, TrendLine = TrendList\r\n| top 10 by [\"Total events\"] desc",
|
||||
"size": 0,
|
||||
"title": "Event Stats by Host",
|
||||
"timeContext": {
|
||||
"durationMs": 604800000
|
||||
},
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
|
|
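Review bot: The parameter whose option list is `"jsonData": "[{ \"value\": \"Yes\", ...}, {\"value\": \"No\", ..., \"selected\":true }]"` now also gets `"value": "Yes"`, so the stored default and the option marked as selected disagree; either remove `"selected":true` from the `No` entry or set `"value": "No"`, but not both as written. The default `TimeRange` is also raised from 7 to 60 days (`"durationMs": 5184000000`), and every `SecurityBridgeLogs` tile and drop-down parameter that uses `"timeContextFromParameter": "TimeRange"` inherits it, so opening the workbook now scans two months of data by default; if that is intentional, a short remark in the parameter's label would save the next reviewer the same question.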