Skip to content

Commit 1faaab4

Browse files
author
Your Name
committed
Update Lookout solution v3.0.2: version alignment, install wizard improvements
- Updated all 13 template version description strings from 3.0.1 to 3.0.2 in mainTemplate.json - Added Parsers and Notebooks steps to createUiDefinition.json for improved discoverability - Added Notebooks count to solution description summary - Added standalone parser ARM template (LookoutEvents_ARM.json) - Added Package/3.0.1 archive folder - Updated ReleaseNotes.md with all changes
1 parent e3e72e1 commit 1faaab4

File tree

5 files changed

+545
-15
lines changed

5 files changed

+545
-15
lines changed

Solutions/Lookout/Package/3.0.1/createUiDefinition.json

Lines changed: 326 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,326 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
3+
"handler": "Microsoft.Azure.CreateUIDef",
4+
"version": "0.1.2-preview",
5+
"parameters": {
6+
"config": {
7+
"isWizard": false,
8+
"basics": {
9+
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Lookout/Workbooks/Images/Logo/lookout.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Lookout/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Lookout](https://lookout.com) solution provides the capability to ingest [Lookout events](https://www.lookout.com/products/mobile-endpoint-security) into Microsoft Sentinel through the Mobile Risk API. It can get events which helps to examine potential security risks and more. Refer to [API documentation](https://www.lookout.com/products/mobile-endpoint-security) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Microsoft Sentinel Codeless Connector Platform](https://aka.ms/Sentinel-CCP_Platform)\n\n<p><span style='color:red; font-weight:bold;'>NOTE</span>: Microsoft recommends installation of \"LookoutStreaming_Definition\" (via Codeless Connector Framework). This connector is build on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, which replaces ingestion via the <a href='https://aka.ms/Sentinel-Logs_migration' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCF-based data connectors also support <a href='https://aka.ms/Sentinel-DCR_Overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment.</p>\n\n<p><span style='color:red; font-weight:bold;'>Important</span>: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data.</p>\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 5, **Analytic Rules:** 5, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
10+
"subscription": {
11+
"resourceProviders": [
12+
"Microsoft.OperationsManagement/solutions",
13+
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
14+
"Microsoft.Insights/workbooks",
15+
"Microsoft.Logic/workflows"
16+
]
17+
},
18+
"location": {
19+
"metadata": {
20+
"hidden": "Hiding location, we get it from the log analytics workspace"
21+
},
22+
"visible": false
23+
},
24+
"resourceGroup": {
25+
"allowExisting": true
26+
}
27+
}
28+
},
29+
"basics": [
30+
{
31+
"name": "getLAWorkspace",
32+
"type": "Microsoft.Solutions.ArmApiControl",
33+
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
34+
"condition": "[greater(length(resourceGroup().name),0)]",
35+
"request": {
36+
"method": "GET",
37+
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
38+
}
39+
},
40+
{
41+
"name": "workspace",
42+
"type": "Microsoft.Common.DropDown",
43+
"label": "Workspace",
44+
"placeholder": "Select a workspace",
45+
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
46+
"constraints": {
47+
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
48+
"required": true
49+
},
50+
"visible": true
51+
}
52+
],
53+
"steps": [
54+
{
55+
"name": "dataconnectors",
56+
"label": "Data Connectors",
57+
"bladeTitle": "Data Connectors",
58+
"elements": [
59+
{
60+
"name": "dataconnectors1-text",
61+
"type": "Microsoft.Common.TextBlock",
62+
"options": {
63+
"text": "This Solution installs the data connector for Lookout. You can get Lookout custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
64+
}
65+
},
66+
{
67+
"name": "dataconnectors2-text",
68+
"type": "Microsoft.Common.TextBlock",
69+
"options": {
70+
"text": "This Solution installs the data connector for Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview). You can get Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
71+
}
72+
},
73+
{
74+
"name": "dataconnectors-link2",
75+
"type": "Microsoft.Common.TextBlock",
76+
"options": {
77+
"link": {
78+
"label": "Learn more about connecting data sources",
79+
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
80+
}
81+
}
82+
}
83+
]
84+
},
85+
{
86+
"name": "workbooks",
87+
"label": "Workbooks",
88+
"subLabel": {
89+
"preValidation": "Configure the workbooks",
90+
"postValidation": "Done"
91+
},
92+
"bladeTitle": "Workbooks",
93+
"elements": [
94+
{
95+
"name": "workbooks-text",
96+
"type": "Microsoft.Common.TextBlock",
97+
"options": {
98+
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
99+
}
100+
},
101+
{
102+
"name": "workbooks-link",
103+
"type": "Microsoft.Common.TextBlock",
104+
"options": {
105+
"link": {
106+
"label": "Learn more",
107+
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
108+
}
109+
}
110+
},
111+
{
112+
"name": "workbook1",
113+
"type": "Microsoft.Common.Section",
114+
"label": "Lookout",
115+
"elements": [
116+
{
117+
"name": "workbook1-text",
118+
"type": "Microsoft.Common.TextBlock",
119+
"options": {
120+
"text": "Sets the time name for analysis"
121+
}
122+
}
123+
]
124+
},
125+
{
126+
"name": "workbook2",
127+
"type": "Microsoft.Common.Section",
128+
"label": "Lookout Enhanced Security Dashboard",
129+
"elements": [
130+
{
131+
"name": "workbook2-text",
132+
"type": "Microsoft.Common.TextBlock",
133+
"options": {
134+
"text": "This workbook leverages the enhanced Lookout Mobile Risk API v2 data with comprehensive field extraction and advanced threat intelligence. It depends on the LookoutEvents parser deployed with the Microsoft Sentinel Solution."
135+
}
136+
}
137+
]
138+
},
139+
{
140+
"name": "workbook3",
141+
"type": "Microsoft.Common.Section",
142+
"label": "Lookout Security Investigation Dashboard",
143+
"elements": [
144+
{
145+
"name": "workbook3-text",
146+
"type": "Microsoft.Common.TextBlock",
147+
"options": {
148+
"text": "Real-time mobile threat investigation and incident response"
149+
}
150+
}
151+
]
152+
},
153+
{
154+
"name": "workbook4",
155+
"type": "Microsoft.Common.Section",
156+
"label": "Lookout Executive Dashboard",
157+
"elements": [
158+
{
159+
"name": "workbook4-text",
160+
"type": "Microsoft.Common.TextBlock",
161+
"options": {
162+
"text": "Real-time mobile threat detection and device security monitoring"
163+
}
164+
}
165+
]
166+
},
167+
{
168+
"name": "workbook5",
169+
"type": "Microsoft.Common.Section",
170+
"label": "Lookout IOA Investigation Dashboard",
171+
"elements": [
172+
{
173+
"name": "workbook5-text",
174+
"type": "Microsoft.Common.TextBlock",
175+
"options": {
176+
"text": "Comprehensive mobile threat intelligence, device investigation, and security posture monitoring"
177+
}
178+
}
179+
]
180+
}
181+
]
182+
},
183+
{
184+
"name": "analytics",
185+
"label": "Analytics",
186+
"subLabel": {
187+
"preValidation": "Configure the analytics",
188+
"postValidation": "Done"
189+
},
190+
"bladeTitle": "Analytics",
191+
"elements": [
192+
{
193+
"name": "analytics-text",
194+
"type": "Microsoft.Common.TextBlock",
195+
"options": {
196+
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
197+
}
198+
},
199+
{
200+
"name": "analytics-link",
201+
"type": "Microsoft.Common.TextBlock",
202+
"options": {
203+
"link": {
204+
"label": "Learn more",
205+
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
206+
}
207+
}
208+
},
209+
{
210+
"name": "analytic1",
211+
"type": "Microsoft.Common.Section",
212+
"label": "Lookout - New Threat events found.",
213+
"elements": [
214+
{
215+
"name": "analytic1-text",
216+
"type": "Microsoft.Common.TextBlock",
217+
"options": {
218+
"text": "Created to detect new Threat events from the data which is recently synced by Lookout Solution."
219+
}
220+
}
221+
]
222+
},
223+
{
224+
"name": "analytic2",
225+
"type": "Microsoft.Common.Section",
226+
"label": "Lookout - High Severity Mobile Threats Detected (v2)",
227+
"elements": [
228+
{
229+
"name": "analytic2-text",
230+
"type": "Microsoft.Common.TextBlock",
231+
"options": {
232+
"text": "Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring."
233+
}
234+
}
235+
]
236+
},
237+
{
238+
"name": "analytic3",
239+
"type": "Microsoft.Common.Section",
240+
"label": "Lookout - Device Compliance and Security Status Changes (v2)",
241+
"elements": [
242+
{
243+
"name": "analytic3-text",
244+
"type": "Microsoft.Common.TextBlock",
245+
"options": {
246+
"text": "Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data."
247+
}
248+
}
249+
]
250+
},
251+
{
252+
"name": "analytic4",
253+
"type": "Microsoft.Common.Section",
254+
"label": "Lookout - Critical Smishing and Phishing Alerts (v2)",
255+
"elements": [
256+
{
257+
"name": "analytic4-text",
258+
"type": "Microsoft.Common.TextBlock",
259+
"options": {
260+
"text": "Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection."
261+
}
262+
}
263+
]
264+
},
265+
{
266+
"name": "analytic5",
267+
"type": "Microsoft.Common.Section",
268+
"label": "Lookout - Critical Audit and Policy Changes (v2)",
269+
"elements": [
270+
{
271+
"name": "analytic5-text",
272+
"type": "Microsoft.Common.TextBlock",
273+
"options": {
274+
"text": "Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance."
275+
}
276+
}
277+
]
278+
}
279+
]
280+
},
281+
{
282+
"name": "huntingqueries",
283+
"label": "Hunting Queries",
284+
"bladeTitle": "Hunting Queries",
285+
"elements": [
286+
{
287+
"name": "huntingqueries-text",
288+
"type": "Microsoft.Common.TextBlock",
289+
"options": {
290+
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
291+
}
292+
},
293+
{
294+
"name": "huntingqueries-link",
295+
"type": "Microsoft.Common.TextBlock",
296+
"options": {
297+
"link": {
298+
"label": "Learn more",
299+
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
300+
}
301+
}
302+
},
303+
{
304+
"name": "huntingquery1",
305+
"type": "Microsoft.Common.Section",
306+
"label": "Lookout Advanced Threat Hunting - Multi-Vector Attacks",
307+
"elements": [
308+
{
309+
"name": "huntingquery1-text",
310+
"type": "Microsoft.Common.TextBlock",
311+
"options": {
312+
"text": "Identifies devices experiencing multiple threat types within a short timeframe, indicating coordinated attacks This hunting query depends on LookoutAPI data connector (LookoutEvents Parser or Table)"
313+
}
314+
}
315+
]
316+
}
317+
]
318+
}
319+
],
320+
"outputs": {
321+
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
322+
"location": "[location()]",
323+
"workspace": "[basics('workspace')]"
324+
}
325+
}
326+
}

0 commit comments

Comments
 (0)