Merge pull request #4793 from Azure/v-ntripathi/MaturityModelForEventLogManagementM2131SolutionPackage1.0.3

MaturityModelForEventLogManagementM2131 solution package 1.0.3
2022-05-05 16:54:42 +05:30 · 2022-05-05 16:54:42 +05:30 · f29d1cb2f2
--- a/Solutions/MaturityModelForEventLogManagementM2131/Package/1.0.3.zip
+++ b/Solutions/MaturityModelForEventLogManagementM2131/Package/1.0.3.zip
--- a/Solutions/MaturityModelForEventLogManagementM2131/Package/createUiDefinition.json
+++ b/Solutions/MaturityModelForEventLogManagementM2131/Package/createUiDefinition.json
@ -6,7 +6,7 @@
    "config": {
      "isWizard": false,
      "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 4, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡[Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31)](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)).\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 4, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
        "subscription": {
          "resourceProviders": [
            "Microsoft.OperationsManagement/solutions",
@ -44,7 +44,7 @@
        "placeholder": "Select a workspace",
        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
        "constraints": {
-          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
          "required": true
        },
        "visible": true
@ -442,7 +442,7 @@
      }
    ],
    "outputs": {
-      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
      "location": "[location()]",
      "workspace": "[basics('workspace')]",
      "workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
--- a/Solutions/MaturityModelForEventLogManagementM2131/Package/mainTemplate.json
+++ b/Solutions/MaturityModelForEventLogManagementM2131/Package/mainTemplate.json
--- a/Solutions/MaturityModelForEventLogManagementM2131/data/Solution_MaturityModelForEventLogManagementM2131.json
+++ b/Solutions/MaturityModelForEventLogManagementM2131/data/Solution_MaturityModelForEventLogManagementM2131.json
@ -30,5 +30,5 @@
  ],
  "Metadata": "SolutionMetadata.json",
  "BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
-  "Version": "1.0.1"
+  "Version": "1.0.3"
 }
--- a/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
+++ b/Tools/Create-Azure-Sentinel-Solution/input/Solution_MaturityModelForEventLogManagementM2131.json
@ -0,0 +1,34 @@
+
+{
+  "Name": "MaturityModelForEventLogManagementM2131",
+  "Author": "TJ Banasik - thomas.banasik@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "This solution is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to increase visibility before, during, and after a cybersecurity incident. The solution includes (1) workbook, (4) hunting queries, (8) analytics rules, and (3) playbooks providing a comprehensive approach to design, build, monitoring, and response in logging architectures. Information from logs on information systems1 (for both on-premises systems and connections hosted by third parties, such as cloud services providers (CSPs) is invaluable in the detection, investigation, and remediation of cyber threats. Executive Order 14028, Improving the Nation's Cybersecurity, directs decisive action to improve the Federal Government’s investigative and remediation capabilities. This memorandum was developed in accordance with and addresses the requirements in section 8 of the Executive Order for logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. In addition, this memorandum establishes requirements for agencies3 to increase the sharing of such information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal information and executive branch departments and agencies.For more information, see (💡Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents (M-21-31))[https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf].",
+  "Workbooks": [
+  "Workbooks/MaturityModelForEventLogManagement_M2131.json"
+  ],
+  "Playbooks": [
+  "Playbooks/Notify_LogManagementTeam.json",
+  "Playbooks/Open_DevOpsTaskRecommendation.json",
+  "Playbooks/Open_JIRATicketRecommendation.json"
+  ],
+  "Analytic Rules": [
+  "Analytic Rules/M2131AssetStoppedLogging.yaml",
+  "Analytic Rules/M2131DataConnectorAddedChangedRemoved.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL0.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL1.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL2.yaml",
+  "Analytic Rules/M2131EventLogManagementPostureChangedEL3.yaml",
+  "Analytic Rules/M2131LogRetentionLessThan1Year.yaml",
+  "Analytic Rules/M2131RecommendedDatatableUnhealthy.yaml"
+  ],
+  "Hunting Queries": [
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL0.yaml",
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL1.yaml",
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL2.yaml",
+  "Hunting Queries/M2131RecommendedDatatableNotLoggedEL3.yaml"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\azure\\Solutions\\MaturityModelForEventLogManagementM2131",
+  "Version": "1.0.3"
+}