Solution packaged for Removed Custom Entity mappings from Analytic Rule #11684

Merged
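--- a/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json
+++ b/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json
@@ -17,7 +17,7 @@
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec VIP",
-"Version": "3.0.1",
+"Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }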
Binary file added Solutions/Symantec VIP/Package/3.0.2.zip
Binary file not shown.
68 changes: 32 additions & 36 deletions Solutions/Symantec VIP/Package/mainTemplate.json
Expand Up @@ -39,7 +39,7 @@
},
"variables": {
"_solutionName": "Symantec VIP",
"_solutionVersion": "3.0.1",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-symantecvip",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
Expand All @@ -50,18 +50,18 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.3",
"analyticRuleVersion1": "1.0.4",
"_analyticRulecontentId1": "a9956d3a-07a9-44a6-a279-081a85020cae",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9956d3a-07a9-44a6-a279-081a85020cae')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9956d3a-07a9-44a6-a279-081a85020cae')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9956d3a-07a9-44a6-a279-081a85020cae','-', '1.0.3')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9956d3a-07a9-44a6-a279-081a85020cae','-', '1.0.4')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.3",
"analyticRuleVersion2": "1.0.4",
"_analyticRulecontentId2": "c775a46b-21b1-46d7-afa6-37e3e577a27b",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c775a46b-21b1-46d7-afa6-37e3e577a27b')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c775a46b-21b1-46d7-afa6-37e3e577a27b')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c775a46b-21b1-46d7-afa6-37e3e577a27b','-', '1.0.3')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c775a46b-21b1-46d7-afa6-37e3e577a27b','-', '1.0.4')))]"
},
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','SymantecVIP')]",
Expand All @@ -82,7 +82,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SymantecVIP Workbook with template version 3.0.1",
"description": "SymantecVIP Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
Expand Down Expand Up @@ -137,10 +137,6 @@
"contentId": "Syslog",
"kind": "DataType"
},
{
"contentId": "SymantecVIP",
"kind": "DataConnector"
},
{
"contentId": "SyslogAma",
"kind": "DataConnector"
Expand Down Expand Up @@ -173,7 +169,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ClientDeniedAccess_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "ClientDeniedAccess_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
Expand All @@ -190,7 +186,7 @@
"description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.",
"displayName": "ClientDeniedAccess",
"enabled": false,
"query": "let threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
"query": "let threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
Expand All @@ -201,10 +197,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SyslogAma",
"datatypes": [
"Syslog"
]
],
"connectorId": "SyslogAma"
}
],
"tactics": [
Expand All @@ -215,22 +211,22 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "User"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "ClientIP"
}
]
],
"entityType": "IP"
}
]
}
Expand Down Expand Up @@ -285,7 +281,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ExcessiveFailedAuthenticationsfromInvalidInputs_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "ExcessiveFailedAuthenticationsfromInvalidInputs_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
Expand All @@ -302,7 +298,7 @@
"description": "Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.",
"displayName": "Excessive Failed Authentication from Invalid Inputs",
"enabled": false,
"query": "let threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
"query": "let threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
Expand All @@ -313,10 +309,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SyslogAma",
"datatypes": [
"Syslog"
]
],
"connectorId": "SyslogAma"
}
],
"tactics": [
Expand All @@ -327,22 +323,22 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "User"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
"identifier": "Address",
"columnName": "ClientIP"
}
]
],
"entityType": "IP"
}
]
}
Expand Down Expand Up @@ -397,7 +393,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SymantecVIP Data Parser with template version 3.0.1",
"description": "SymantecVIP Data Parser with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
Expand Down Expand Up @@ -523,7 +519,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Symantec VIP",
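Review bot: Apart from the two `columnName` values (`AccountCustomEntity` → `User`, `IPCustomEntity` → `ClientIP`) and the dropped `| extend ...` tails of the two queries, most of the changed lines in the `requiredDataConnectors` and `entityMappings` hunks of both rules are property-order churn in generated output — `connectorId` and `entityType` merely move relative to `datatypes` and `fieldMappings`, which carries no meaning in JSON and only inflates the diff. Regenerating the package with the same packaging-tool version that produced 3.0.1 would keep this file's diff down to the lines that actually change behaviour. The new mappings are sound only because `User` and `ClientIP` survive the `summarize` in both queries, which they do in the new `query` strings of ClientDeniedAccess and Excessive Failed Authentication from Invalid Inputs. Note that removing `timestamp = StartTime` together with the custom entity columns leaves the first rule's result set with no time column at all (its `summarize` folds `TimeGenerated` into `StartTime`/`EndTime`); this is presumably acceptable for scheduled rules, but worth confirming, and the ReleaseNotes entry could say that mappings now bind directly to `User` and `ClientIP`. The `alertRules` resource objects containing these hunks start and end outside the shown hunks.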
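--- a/Solutions/Symantec VIP/ReleaseNotes.md
+++ b/Solutions/Symantec VIP/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------|
+| 3.0.2 | 20-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
 | 3.0.1 | 31-12-2024 | Removed Deprecated **Data connector** |
 | 3.0.0 | 01-08-2024 | Update **Parser** as part of Syslog migration |
 | | | Deprecating data connectors |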
Expand Up @@ -17,7 +17,7 @@
"azuresentinel.azure-sentinel-solution-syslog"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SymantecProxySG",
"Version": "3.0.2",
"Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true
}
Binary file added Solutions/SymantecProxySG/Package/3.0.3.zip
Binary file not shown.