Merge pull request #11640 from NCstevenB/NetCleanUpdates

Net clean updates

Author: v-atulyadav

.script/tests/KqlvalidationsTests/CustomTables/Netclean_Incidents_CL.json

@@ -18,30 +18,30 @@ tactics:
 relevantTechniques:
   - T1083
 query: |
-  Netclean_Incidents_CL |  where version_s == 1
+  Netclean_Incidents_CL |  where value_incidentVersion_d == 1
 entityMappings:
   - entityType: FileHash
     fieldMappings:
       - identifier: Value
-        columnName: sha1_s
+        columnName: value_file_calculatedHashes_sha1_s
       - identifier: Algorithm
-        columnName: detectionMethod_s
+        columnName: value_detectionHashType_s
   - entityType: DNS
     fieldMappings:
       - identifier: DomainName
-        columnName: domain_s
+        columnName: value_file_owner_computerUser_domain_s
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: Hostname_s
+        columnName: value_device_machineName_s
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: externalIP_s
+        columnName: value_device_networkInterfaces_s
 alertDetailsOverride:
-  alertDisplayNameFormat: NetClean {{agentType_s}} {{type_s}}
-  alertDescriptionFormat: A new NetClean {{agentType_s}} {{type_s}} has been Created {{TimeGenerated}}
-version: 1.0.1
+  alertDisplayNameFormat: NetClean {{value_agent_type_s}} {{type_s}}
+  alertDescriptionFormat: A new NetClean {{value_agent_type_s}} {{key_type_s}} has been Created {{TimeGenerated}}
+version: 1.0.2
 kind: Scheduled
 
 

Sample Data/Custom/Netclean_Incidents_CL.json

@@ -62,7 +62,7 @@
     "instructionSteps": [
         {
             "title": "",
-            "description": ">**NOTE:** The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
+            "description": ">**NOTE:** NetClean ProActive uses a Webhook to expose incident data, Azure Logic Apps is used to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
             "instructions": [
                 {
                     "parameters": {
@@ -86,11 +86,11 @@
 
             },
         {
-            "description" : "1. Download and install the Logic app here:\n https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)\n2. Go to your newly created logic app \n  In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data”  \n Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save \n Go to code view on the top ribbon and scroll down to line ~100  it should start with \"Body\"  \n replace the line entirly with: \n \n \"body\": \"{\\n\\\"Hostname\\\":\\\"@{variables('machineName')}\\\",\\n\\\"agentType\\\":\\\"@{triggerBody()['value']['agent']['type']}\\\",\\n\\\"Identifier\\\":\\\"@{triggerBody()?['key']?['identifier']}\\\",\\n\\\"type\\\":\\\"@{triggerBody()?['key']?['type']}\\\",\\n\\\"version\\\":\\\"@{triggerBody()?['value']?['incidentVersion']}\\\",\\n\\\"foundTime\\\":\\\"@{triggerBody()?['value']?['foundTime']}\\\",\\n\\\"detectionMethod\\\":\\\"@{triggerBody()?['value']?['detectionHashType']}\\\",\\n\\\"agentInformatonIdentifier\\\":\\\"@{triggerBody()?['value']?['device']?['identifier']}\\\",\\n\\\"osVersion\\\":\\\"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}\\\",\\n\\\"machineName\\\":\\\"@{variables('machineName')}\\\",\\n\\\"microsoftCultureId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftCultureId']}\\\",\\n\\\"timeZoneId\\\":\\\"@{triggerBody()?['value']?['device']?['timeZoneName']}\\\",\\n\\\"microsoftGeoId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftGeoId']}\\\",\\n\\\"domainname\\\":\\\"@{variables('domain')}\\\",\\n\\\"Agentversion\\\":\\\"@{triggerBody()['value']['agent']['version']}\\\",\\n\\\"Agentidentifier\\\":\\\"@{triggerBody()['value']['identifier']}\\\",\\n\\\"loggedOnUsers\\\":\\\"@{variables('Usernames')}\\\",\\n\\\"size\\\":\\\"@{triggerBody()?['value']?['file']?['size']}\\\",\\n\\\"creationTime\\\":\\\"@{triggerBody()?['value']?['file']?['creationTime']}\\\",\\n\\\"lastAccessTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastAccessTime']}\\\",\\n\\\"lastWriteTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedTime']}\\\",\\n\\\"sha1\\\":\\\"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}\\\",\\n\\\"nearbyFiles_sha1\\\":\\\"@{variables('nearbyFiles_sha1s')}\\\",\\n\\\"externalIP\\\":\\\"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}\\\",\\n\\\"domain\\\":\\\"@{variables('domain')}\\\",\\n\\\"hasCollectedNearbyFiles\\\":\\\"@{variables('hasCollectedNearbyFiles')}\\\",\\n\\\"filePath\\\":\\\"@{replace(triggerBody()['value']['file']['path'], '\\\\', '\\\\\\\\')}\\\",\\n\\\"m365WebUrl\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}\\\",\\n\\\"m365CreatedBymail\\\":\\\"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LastModifiedByMail\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LibraryId\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}\\\",\\n\\\"m365LibraryDisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}\\\",\\n\\\"m365Librarytype\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}\\\",\\n\\\"m365siteid\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}\\\",\\n\\\"m365sitedisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}\\\",\\n\\\"m365sitename\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}\\\",\\n\\\"countOfAllNearByFiles\\\":\\\"@{variables('countOfAllNearByFiles')}\\\",\\n\\n}\",  \n click save   \n3. Copy the HTTP POST URL\n4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3 \n 5. Verify functionality by triggering a Demo Incident.",
-            "title":" Option 1: deploy Logic app (requires NetClean Proactive)"
+            "description" : "1. Create a new logic app\n Use When a HTTP request is recived as the Trigger and save it. It will now have generated a URL that can be used in the ProActive webconsole configuration.\n Add an action:\n Select the Azure Log Analytics Data Collector and choose Send Data\n Enter Connection Name, Workspace ID and Workspace Key, you will find the information needed in your Log Analytics workspace under Settings-->Agents-->Log Analytics agent instructions.\n In JSON Request body add @triggerBody(). in Custom Log Name add Netclean_Incidents.",
+            "title":" Option 1: Logic app"
         },
         {
-            "description":"Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data.\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
+            "description":"Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data found here: https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/Custom/Netclean_Incidents_CL.json .\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script",
             "title":" Option 2 (Testing only)"
         }
     ],

Solutions/NetClean ProActive/Analytic Rules/NetClean_Sentinel_analytic_rule.yaml

@@ -13,7 +13,7 @@
     "Workbooks/NetCleanProActiveWorkbook.json"
   ],
   "BasePath": "C:\\git\\Azure-Sentinel\\Solutions\\NetClean ProActive",
-  "Version": "3.0.1",
+  "Version": "3.0.2",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false

Solutions/NetClean ProActive/Data Connectors/Connector_NetClean.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/NetCleanImpactLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NetClean%20ProActive/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe [NetClean](https://www.netclean.com/) ProActive for Microsoft Sentinel solution gives you the ability to connect the [NetClean ProActive](https://www.netclean.com/proactive/) Incident logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution might take a dependency on the other technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/#overview)\r\n\n OR \r\n\n2. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/NetCleanImpactLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/NetClean%20ProActive/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [NetClean](https://www.netclean.com/) ProActive for Microsoft Sentinel solution gives you the ability to connect the [NetClean ProActive](https://www.netclean.com/proactive/) Incident logs with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution might take a dependency on the other technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/#overview)\r\n\n OR \r\n\n2. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",