Solution update for CiscoWSA
This commit is contained in:
v-sabiraj 2022-01-13 21:22:30 +05:30
Родитель d4248af583
Коммит fe3a981577
5 изменённых файлов: 1815 добавлений и 0 удалений

Двоичные данные
Solutions/CiscoWSA/Package/1.0.3.zip Normal file

Двоичный файл не отображается.


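--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,485 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+"handler": "Microsoft.Azure.CreateUIDef",
+"version": "0.1.2-preview",
+"parameters": {
+"config": {
+"isWizard": false,
+"basics": {
+"description": "**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Azure Sentinel.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"subscription": {
+"resourceProviders": [
+"Microsoft.OperationsManagement/solutions",
+"Microsoft.OperationalInsights/workspaces/providers/alertRules",
+"Microsoft.Insights/workbooks",
+"Microsoft.Logic/workflows"
+]
+},
+"location": {
+"metadata": {
+"hidden": "Hiding location, we get it from the log analytics workspace"
+},
+"visible": false
+},
+"resourceGroup": {
+"allowExisting": true
+}
+}
+},
+"basics": [
+{
+"name": "getLAWorkspace",
+"type": "Microsoft.Solutions.ArmApiControl",
+"toolTip": "This filters by workspaces that exist in the Resource Group selected",
+"condition": "[greater(length(resourceGroup().name),0)]",
+"request": {
+"method": "GET",
+"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+}
+},
+{
+"name": "workspace",
+"type": "Microsoft.Common.DropDown",
+"label": "Workspace",
+"placeholder": "Select a workspace",
+"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+"constraints": {
+"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+"required": true
+},
+"visible": true
+}
+],
+"steps": [
+{
+"name": "dataconnectors",
+"label": "Data Connectors",
+"bladeTitle": "Data Connectors",
+"elements": [
+{
+"name": "dataconnectors1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This Solution installs the data connector for CiscoWSA. You can get CiscoWSA Syslog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the Syslog table in your Azure Sentinel / Azure Log Analytics workspace."
+}
+},
+{
+"name": "dataconnectors-parser-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
+}
+},
+{
+"name": "dataconnectors-link1",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more about normalized format",
+"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
+}
+}
+},
+{
+"name": "dataconnectors-link2",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more about connecting data sources",
+"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+}
+}
+}
+]
+},
+{
+"name": "workbooks",
+"label": "Workbooks",
+"subLabel": {
+"preValidation": "Configure the workbooks",
+"postValidation": "Done"
+},
+"bladeTitle": "Workbooks",
+"elements": [
+{
+"name": "workbooks-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+}
+}
+},
+{
+"name": "workbook1",
+"type": "Microsoft.Common.Section",
+"label": "CiscoWSA",
+"elements": [
+{
+"name": "workbook1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Sets the time name for analysis"
+}
+},
+{
+"name": "workbook1-name",
+"type": "Microsoft.Common.TextBox",
+"label": "Display Name",
+"defaultValue": "CiscoWSA",
+"toolTip": "Display name for the workbook.",
+"constraints": {
+"required": true,
+"regex": "[a-z0-9A-Z]{1,256}$",
+"validationMessage": "Please enter a workbook name"
+}
+}
+]
+}
+]
+},
+{
+"name": "analytics",
+"label": "Analytics",
+"subLabel": {
+"preValidation": "Configure the analytics",
+"postValidation": "Done"
+},
+"bladeTitle": "Analytics",
+"elements": [
+{
+"name": "analytics-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This Azure Sentinel Solution installs analytic rules for CiscoWSA that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+}
+}
+},
+{
+"name": "analytic1",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Access to unwanted site",
+"elements": [
+{
+"name": "analytic1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects when users attempting to access sites from high risk category."
+}
+}
+]
+},
+{
+"name": "analytic2",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Unexpected uploads",
+"elements": [
+{
+"name": "analytic2-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects unexpected file uploads."
+}
+}
+]
+},
+{
+"name": "analytic3",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Multiple errors to resource from risky category",
+"elements": [
+{
+"name": "analytic3-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects multiple connection errors to resource from risky category."
+}
+}
+]
+},
+{
+"name": "analytic4",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Multiple errors to URL",
+"elements": [
+{
+"name": "analytic4-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects multiple connection errors to URL."
+}
+}
+]
+},
+{
+"name": "analytic5",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Multiple infected files",
+"elements": [
+{
+"name": "analytic5-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects multiple infected files on same source."
+}
+}
+]
+},
+{
+"name": "analytic6",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Multiple attempts to download unwanted file",
+"elements": [
+{
+"name": "analytic6-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects when multiple attempts to download unwanted file occur."
+}
+}
+]
+},
+{
+"name": "analytic7",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Suspected protocol abuse",
+"elements": [
+{
+"name": "analytic7-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects possible protocol abuse."
+}
+}
+]
+},
+{
+"name": "analytic8",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Internet access from public IP",
+"elements": [
+{
+"name": "analytic8-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects internet access from public IP."
+}
+}
+]
+},
+{
+"name": "analytic9",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Unexpected file type",
+"elements": [
+{
+"name": "analytic9-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects unexpected file type."
+}
+}
+]
+},
+{
+"name": "analytic10",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Unexpected URL",
+"elements": [
+{
+"name": "analytic10-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects unexpected URL."
+}
+}
+]
+},
+{
+"name": "analytic11",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Unscannable file or scan error",
+"elements": [
+{
+"name": "analytic11-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Detects unscanned downloaded file."
+}
+}
+]
+}
+]
+},
+{
+"name": "huntingqueries",
+"label": "Hunting Queries",
+"bladeTitle": "Hunting Queries",
+"elements": [
+{
+"name": "huntingqueries-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This Azure Sentinel Solution installs hunting queries for CiscoWSA that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
+}
+}
+},
+{
+"name": "huntingquery1",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Blocked files",
+"elements": [
+{
+"name": "huntingquery1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for blocked files. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery2",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Rare aplications",
+"elements": [
+{
+"name": "huntingquery2-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for rare applications. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery3",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Top aplications",
+"elements": [
+{
+"name": "huntingquery3-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for top applications. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery4",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Top URLs",
+"elements": [
+{
+"name": "huntingquery4-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for top URLs. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery5",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Uncategorized URLs",
+"elements": [
+{
+"name": "huntingquery5-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for uncategorized URLs. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery6",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Uploaded files",
+"elements": [
+{
+"name": "huntingquery6-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for uploaded files. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery7",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Rare URL with error",
+"elements": [
+{
+"name": "huntingquery7-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for rare URLs with errors. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery8",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - URL shorteners",
+"elements": [
+{
+"name": "huntingquery8-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches connections to Url shorteners resources. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery9",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - Potentially risky resources",
+"elements": [
+{
+"name": "huntingquery9-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for potentially risky resources. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+},
+{
+"name": "huntingquery10",
+"type": "Microsoft.Common.Section",
+"label": "Cisco WSA - User errors",
+"elements": [
+{
+"name": "huntingquery10-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "Query searches for user errors during accessing resource. It depends on the CiscoWSA data connector and CiscoWSAEvent data type and CiscoWSA parser."
+}
+}
+]
+}
+]
+}
+],
+"outputs": {
+"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+"location": "[location()]",
+"workspace": "[basics('workspace')]",
+"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
+}
+}
+}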
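Review bot: The workbook name constraint `"regex": "[a-z0-9A-Z]{1,256}$"` is anchored only at the end, so a search-style match accepts any value whose last character is alphanumeric and the 1–256 length bound is never enforced; it should read `"regex": "^[a-z0-9A-Z]{1,256}$"`, and `validationMessage` could state the actual rule (letters and digits only, 1–256 characters) instead of just "Please enter a workbook name". The `workbook1-text` block shows `"Sets the time name for analysis"` to every user on the Workbooks step; that reads like leftover placeholder text and should describe what the CiscoWSA workbook visualizes. The section labels `Cisco WSA - Rare aplications` and `Cisco WSA - Top aplications` misspell "applications". The `allowedValues` expression assembles JSON by concatenating `item.name` into a string and then calling `parse()`; Azure restricts workspace names so this is unlikely to break, but it is worth a comment noting that the string round-trip relies on that restriction.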

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


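--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+{
+"publisherId": "azuresentinel",
+"offerId": "azure-sentinel-solution-ciscowsa",
+"firstPublishDate": "2021-06-29",
+"providers": ["Cisco"],
+"categories": {
+"domains" : ["Security – Network"]
+},
+"support": {
+"name": "Microsoft Corporation",
+"email": "support@microsoft.com",
+"tier": "Microsoft",
+"link": "https://support.microsoft.com"
+}
+}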
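Review bot: `"domains" : ["Security – Network"]` is the only key in the file written with a space before the colon, and its value contains an en dash (U+2013) rather than an ASCII hyphen. If the solution catalog matches domain strings exactly, a lookalike dash would be rejected or silently unmatched, so confirm the value against the accepted domain list and write the line as `"domains": ["Security – Network"]` with whichever dash that list uses.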


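--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,43 @@
+{
+"Name": "CiscoWSA",
+"Author": "Sanmit Biraj - v-sabiraj@microsoft.com",
+"WorkbookDescription": "Sets the time name for analysis",
+"Description": "[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Azure Sentinel.",
+"Workbooks": [
+"Workbooks/CiscoWSA.json"
+],
+"Analytic Rules": [
+"Analytic Rules/CiscoWSAAccessToUnwantedSite.yaml",
+"Analytic Rules/CiscoWSADataExfiltration.yaml",
+"Analytic Rules/CiscoWSAMultipleErrorsToUnwantedCategory.yaml",
+"Analytic Rules/CiscoWSAMultipleErrorsToUrl.yaml",
+"Analytic Rules/CiscoWSAMultipleInfectedFles.yaml",
+"Analytic Rules/CiscoWSAMultipleUnwantedFileTypes.yaml",
+"Analytic Rules/CiscoWSAProtocolAbuse.yaml",
+"Analytic Rules/CiscoWSAPublicIPSource.yaml",
+"Analytic Rules/CiscoWSAUnexpectedFileType.yaml",
+"Analytic Rules/CiscoWSAUnexpectedUrl.yaml",
+"Analytic Rules/CiscoWSAUnscannableFile.yaml"
+],
+"Hunting Queries": [
+"Hunting Queries/CiscoWSABlockedFiles.yaml",
+"Hunting Queries/CiscoWSARareApplications.yaml",
+"Hunting Queries/CiscoWSATopApplications.yaml",
+"Hunting Queries/CiscoWSATopResources.yaml",
+"Hunting Queries/CiscoWSAUncategorizedResources.yaml",
+"Hunting Queries/CiscoWSAUploadedFiles.yaml",
+"Hunting Queries/CiscoWSAUrlRareErrorUrl.yaml",
+"Hunting Queries/CiscoWSAUrlShortenerLinks.yaml",
+"Hunting Queries/CiscoWSAUrlSuspiciousResources.yaml",
+"Hunting Queries/CiscoWSAUrlUsersWithErrors.yaml"
+],
+"Parsers": [
+"Parsers/CiscoWSAEvent.txt"
+],
+"Data Connectors": [
+"Data Connectors/Connector_WSA_Syslog.json"
+],
+"Metadata": "SolutionMetadata.json",
+"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoWSA",
+"Version": "1.0.3"
+}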
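Review bot: `"WorkbookDescription": "Sets the time name for analysis"` does not describe the CiscoWSA workbook and looks like placeholder text; the same string is emitted into the generated createUiDefinition in this commit (the `workbook1-text` block), so it is shown to every user at deployment time and should say what the workbook visualizes. `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoWSA"` is an absolute path on one developer's machine, so anyone else running the packaging tool has to edit the file first; a repository-relative path, or a documented override, would be more portable if the tooling allows it. `"Analytic Rules/CiscoWSAMultipleInfectedFles.yaml"` appears to misspell "Files" — confirm it matches the filename on disk, because a mismatch would silently drop that rule from the package.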