Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Solutions
История
v-spadarthi b13b976808 Package Creation For Dynamic 365 2022-05-25 03:57:03 +05:30
..
AI Analyst Darktrace
ALC-WebCTRL
ARGOSCloudSecurity
AbnormalSecurity
Agari
Akamai Security Events
Alsid For AD
Apache Log4j Vulnerability Detection
ApacheHTTPServer
ApigeeX
AristaAwakeSecurity
Armorblox
AtlassianConfluenceAudit
AtlassianJiraAudit
Azure Purview
BETTER Mobile Threat Defense (MTD)
Barracuda CloudGen Firewall
Barracuda WAF
Beyond Security beSECURE
Bitglass
BoschAIShield
Box
Broadcom SymantecDLP
CarbonBlack
Check Point
Cisco ISE
Cisco UCS
CiscoACI
CiscoASA/Playbooks
CiscoDuoSecurity
CiscoMeraki
CiscoSEG
CiscoSecureEndpoint
CiscoStealthwatch
CiscoUmbrella
CiscoWSA
Citrix Analytics for Security
Citrix Web App Firewall
Claroty
Cloudflare
Cognni
Contrast Security
Corelight
CrowdStrike Falcon Endpoint Protection
CyberArk Enterprise Password Vault (EPV) Events
CyberArkEPM
Cyberpion
CybersecurityMaturityModelCertification(CMMC)2.0
DEV-0537DetectionandHunting
Delinea Secret Server
DigitalGuardianDLP
Dynamics 365 Package Creation For Dynamic 365 2022-05-25 03:57:03 +05:30
ESETPROTECT
EatonForeseer
ElasticAgent
Eset Security Management Center
Exabeam Advanced Analytics
ExtraHop Reveal(x)
F5 Networks
FalconFriday
Farsight DNSDB/Playbooks
FireEyeNX
FlareSystemsFirework
Forcepoint DLP
Forescout
ForgeRock Common Audit for CEF
Fortinet-FortiGate
GitHub
GitLab
GoogleCloudPlatformDNS
GoogleCloudPlatformIAM
GoogleCloudPlatformMonitor
GoogleWorkspaceReports
Group-IB/Playbooks
HYAS
HolmSecurity/Data Connectors
HoneyTokens
IPQualityScore
Illusive Active Defense
Images
Imperva WAF Gateway
ImpervaCloudWAF
InfoSecGlobal
Infoblox Cloud Data Connector
Infoblox NIOS
InsightVM/Package
IoTOTThreatMonitoringwithDefenderforIoT
IronNet IronDefense
IvantiUEM
JBoss
Joshua-Cyberiskvision
Juniper SRX
JuniperIDP
KasperskySecurityCenter
LastPass
Lookout
MaturityModelForEventLogManagementM2131
McAfee Network Security Platform
McAfeeePO
MicrosoftDefenderForEndpoint
MicrosoftInsiderRiskManagement
Morphisec
NGINX
NISTSP80053
NXLog BSM macOS
NXLog LinuxAudit
NXLogAixAudit
NXLogDnsLogs
Netskope
OCILogs
Okta Single Sign-On
Onapsis Platform
OneIdentity
OracleDatabaseAudit
OracleWebLogicServer
Orca Security Alerts
Package
PaloAlto-PAN-OS
PaloAltoCDL
PaloAltoPrismaCloud
Perimeter 81
PingFederate
ProofPointTap
Pulse Connect Secure
Qualys VM Knowledgebase
QualysVM
Rapid7InsightVM
Recorded Future
Red Canary
ReversingLabs
RiskIQ
SAP
SIGNL4
SOC-Process-Framework
SailPointIdentityNow
Salesforce Service Cloud
SecurID
SecurityBridge
SecurityThreatEssentialSolution
SemperisDirectoryServicesProtector
SenservaPro
SentinelOne
ShadowByte Aria
SlackAudit
Snowflake
SonicWall Firewall
SonraiSecurity
Sophos Cloud Optix
SophosEP
SophosXGFirewall
Squadra Technologies SecRmm
SquidProxy
Symantec Endpoint Protection
SymantecProxySG
Synack
SysmonForLinux/Data Connectors
Teams/Workbooks
Templates
TenableAD
TenableIO
TheHive
ThreatAnalysis&Response
Tomcat
Training/Azure-Sentinel-Training-Lab
Trend Micro Apex One
Trend Micro Cloud App Security
Trend Micro Deep Security
Trend Micro TippingPoint
Trend Micro Vision One
Ubiquiti
VMRay ETD
VMWareESXi
Vectra
WireX Network Forensics Platform
ZeroTrust(TIC3.0)
Zimperium Mobile Threat Defense
Zscaler Private Access (ZPA)
archTIS
iboss
vArmour
README.md
known_issues.md

README.md

Guide to building Microsoft Sentinel solutions

This guide provides an overview of Microsoft Sentinel solutions, and how to build and publish a solution for Microsoft Sentinel.

Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel. This experience is powered by:

Providers and partners can deliver combined product, domain, or vertical value via solutions in Microsoft Sentinel in order to productize investments. More details are covered in the Microsoft Sentinel documentation. Review the catalog for complete list of out-of-the-box Microsoft Sentinel solutions.

Microsoft Sentinel solutions include packaged content, integrations, or service offerings for Microsoft Sentinel. This guide focuses on how to build packaged content into solutions, including combinations of data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Microsoft Sentinel. Reach out to the Microsoft Sentinel Solutions Onboarding Team if you are planning or building another type of integration or service offering, or want to include other types of content in your solution that isn't listed here.

The following image shows the steps in the solution building process, including content creation, packaging, and publishing:

Microsoft Sentinel solutions build process

Step 1 – Create your content

Start with the Get started documentation on the Microsoft Sentinel GitHub Wiki to identify the content types you plan to include in your solution package. For example, supported content types include data connectors, workbooks, analytic rules, playbooks, hunting queries, and more. Each content type has its own contribution guidance for development and validation.

The guidance for each content type in the Wiki describes how to contribute individual pieces of content. However, you want to contribute your content in a packaged solution. Therefore, hold off on submitting your content to the relevant folders as described in the Wiki guidance, and instead place your content in the Solutions folder of the Microsoft Sentinel GitHub repo.

Use the following steps to create your content structure:

  1. In the Microsoft Sentinel Solutions folder, create a new folder with your solution name.

  2. In your solution folder, create a blank folder structure as follows to store the content you've developed:

  • Data Connectors – the data connector json files or Azure Functions, etc. goes in this folder.
  • Workbooks – workbook json files and black and white preview images of the workbook goes here.
  • Analytic Rules – yaml file templates of analytic rules goes in this folder.
  • Hunting queries – yaml file templates of hunting queries goes in this folder.
  • Playbooks – json playbook and Azure Logic Apps custom connectors can go in this folder.
  • Parser – txt file for Kusto Functions or Parsers can go in this folder.

For example, see the folder structure for our Cisco ISE solution.

  1. Store your logo, in SVG format, in the central Logos folder.

  2. Store sample data in the sample data folder, within the relevant content type folder, depending on your data connector type.

  3. Submit a PR with all of your solution content. The PR will go through automated GitHub validation. Address potential errors as needed.

After your content has been succesfully validated, the Microsoft Sentinel team will review your PR and reply with any feedback as needed. You can expect an initial response within five business days.

The PR will be approved and merged after any feedback has been incorportated and the full review is successful.

Step 2 – Package your content

The solution content package is called a solution template, and has the following files:

  • mainTemplate.json: The Azure Resource Manager (ARM) template that includes the resources offered by the solution. Each piece of content that you want to package in your solution must first be converted to ARM format. The mainTemplate file is the overall ARM template file that combines each invididual ARM content file.

  • createUIDefinition.json: The deployment experience definition provided to customers installing your solution. This is a step-by-step wizard experience.

For more information, see the solution template documentation (deployment package).

After creating both the mainTemplate.json and the createUIDefinition.json files, validate them, and package them into a .zip file that you can upload as part of the publishing process (Step 3).

Use the package creation tool to help you create and validate the package, following the solutions packaging tool guidance to use the tool and package your content.

Updating your solution

If you already have an Microsoft Sentinel solution and want to update your package, use the package creation tool with updated content to create a new version of the package.

For your solution's versioning format, always use {Major}.{Minor}.{Revision} syntax, such as 1.0.1, to align with the Azure Marketplace recommendation and versioning support.

When updating your package, make sure to raise the version value, regardless of how small or trivial the change is, including typo fixes in a content or solution definition file.

For example, if your original package version is 1.0.1, you might update your versions as follows:

  • Major updates might have a new version of 2.0.0
  • Minor updates, like changes in a few pieces of content in the package, might have a new version of 1.1.0
  • Very minor revisions, such as those scoped to a single piece of content, might have a new version of 1.0.2

Since solutions use ARM templates, you can customize the solution text as well as tabs as needed to cater to specific scenarios.

Step 3 – Publish your solution

The Microsoft Sentinel solution publishing experience is powered by the Microsoft Partner Center.

Registration (one-time)

If you or your company is a first-time app publisher on Azure Marketplace, follow the steps to register and create a Commercial Marketplace account in Partner Center. This process provides you with a unique Publisher ID and access to the Commercial Marketplace authoring and publishing experience, where you'll create, certify, and publish your solution.

Author and publish a solution offer

The following steps reference the Partner Center's more detailed documentation.

  1. Create an Azure application type offer and configure the offer setup details as per the relevant guidance.

  2. Configure the Offer properties.

  3. Configure the Offer listing details, including the title, description, pictures, videos, support information, and so on.

    • As one of your search keywords, add f1de974b-f438-4719-b423-8bf704ba2aef to have your solution appear in the Microsoft Sentinel content hub.
    • Ensure to provide CSP (Cloud Solution Provider) Program contact and relevant CSP information as requested. This will enable you to offer the solution to CSP subscriptions and increased visibility and adoption of your solution.
    • If you want to start your solution in Preview (Public Preview), you can do so by appending "(Preview)" in the solution / offer title. This will ensure your offer gets tagged with Preview tag in Microsoft Sentinel Content hub.

  4. Create a plan and select Solution Template as the plan type.

    • If your offer needs to be available for customers from U.S. federal, state, local, or tribal entities, follow the steps to select the Azure Government check box and subsquent guidance.

  5. Configure the Solutions template plan. This is where youll upload the zip file that you'd created in step two and set a version for your package. Make sure to follow the versioning guidance described in step 2, above.

  6. Enable CSP for your offer by going to the Resell through CSPs tab in Partner Center and selecting Any partner in the CSP program. This will enable you to offer the solution to CSP subscriptions and increased visibility and adoption of your solution.

  7. Validate and test your solution offer.

  8. After the validation passes, publish the offer live. This will trigger the certification process, which can take up to 3 business days.

Note: The Microsoft Sentinel team will need to modify your files so that your solution appears in the Microsoft Sentinel content hub. Therefore, before going live, email the Azure Sentinel Solutions Onboarding Team with your solutions offer ID and your Publisher ID so that we can make the required changes.

Note: You must make the offer public in order for it to show up in the Microsoft Sentinel content hub so that customers can find it.

Feedback

Email Azure Sentinel Solutions Onboarding Team with any feedback on this process, for new scenarios not covered in this guide, or with any constraints you may encounter.