Merge pull request #11634 from Azure/v-shukore/PaloAltoPANOS

solution packaged for Removed Custom Entity mappings

Author: v-prasadboke

Solutions/Pulse Connect Secure/Data/Solution_Pulse Connect Secure.json

@@ -17,7 +17,7 @@
     "azuresentinel.azure-sentinel-solution-syslog"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Pulse Connect Secure",
-  "Version": "3.0.3",
+  "Version": "3.0.4",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true
 }

Solutions/Pulse Connect Secure/Package/3.0.4.zip

@@ -41,7 +41,7 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Pulse Connect Secure",
-    "_solutionVersion": "3.0.3",
+    "_solutionVersion": "3.0.4",
     "solutionId": "azuresentinel.azure-sentinel-solution-pulseconnectsecure",
     "_solutionId": "[variables('solutionId')]",
     "parserObject1": {
@@ -59,18 +59,18 @@
     "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
     "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
     "analyticRuleObject1": {
-      "analyticRuleVersion1": "1.0.3",
+      "analyticRuleVersion1": "1.0.4",
       "_analyticRulecontentId1": "34663177-8abf-4db1-b0a4-5683ab273f44",
       "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34663177-8abf-4db1-b0a4-5683ab273f44')]",
       "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34663177-8abf-4db1-b0a4-5683ab273f44')))]",
-      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34663177-8abf-4db1-b0a4-5683ab273f44','-', '1.0.3')))]"
+      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34663177-8abf-4db1-b0a4-5683ab273f44','-', '1.0.4')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.3",
+      "analyticRuleVersion2": "1.0.4",
       "_analyticRulecontentId2": "1fa1528e-f746-4794-8a41-14827f4cb798",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1fa1528e-f746-4794-8a41-14827f4cb798')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1fa1528e-f746-4794-8a41-14827f4cb798')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1fa1528e-f746-4794-8a41-14827f4cb798','-', '1.0.3')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1fa1528e-f746-4794-8a41-14827f4cb798','-', '1.0.4')))]"
     },
     "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
   },
@@ -84,7 +84,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PulseConnectSecure Data Parser with template version 3.0.3",
+        "description": "PulseConnectSecure Data Parser with template version 3.0.4",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -216,7 +216,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PulseConnectSecure Workbook with template version 3.0.3",
+        "description": "PulseConnectSecure Workbook with template version 3.0.4",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -272,10 +272,6 @@
                       "contentId": "Syslog",
                       "kind": "DataType"
                     },
-                    {
-                      "contentId": "PulseConnectSecure",
-                      "kind": "DataConnector"
-                    },
                     {
                       "contentId": "SyslogAma",
                       "kind": "DataConnector"
@@ -308,7 +304,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PulseConnectSecureVPN-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "PulseConnectSecureVPN-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.4",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -325,7 +321,7 @@
                 "description": "This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server",
                 "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
                 "enabled": false,
-                "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
+                "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Low",
@@ -336,10 +332,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "SyslogAma",
                     "datatypes": [
                       "Syslog"
-                    ],
-                    "connectorId": "SyslogAma"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -350,22 +346,22 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "identifier": "FullName",
-                        "columnName": "AccountCustomEntity"
+                        "columnName": "User"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
                         "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "Source_IP"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -421,7 +417,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "PulseConnectSecureVPN-DistinctFailedUserLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
+        "description": "PulseConnectSecureVPN-DistinctFailedUserLogin_AnalyticalRules Analytics Rule with template version 3.0.4",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -438,7 +434,7 @@
                 "description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server",
                 "displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins",
                 "enabled": false,
-                "query": "let threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+                "query": "let threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -449,10 +445,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "SyslogAma",
                     "datatypes": [
                       "Syslog"
-                    ],
-                    "connectorId": "SyslogAma"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -463,13 +459,13 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Host",
                     "fieldMappings": [
                       {
                         "identifier": "FullName",
-                        "columnName": "HostCustomEntity"
+                        "columnName": "Computer"
                       }
-                    ]
+                    ],
+                    "entityType": "Host"
                   }
                 ]
               }
@@ -521,7 +517,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.3",
+        "version": "3.0.4",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Pulse Connect Secure",

Solutions/Pulse Connect Secure/Package/mainTemplate.json

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                  |
 |-------------|--------------------------------|-----------------------------------------------------|
+| 3.0.4       | 07-01-2025                     | Removed Custom Entity mappings from **Analytic Rule**     |
 | 3.0.3       | 16-12-2024                     | Removed Deprecated **Data Connector**               |
 | 3.0.2       | 01-08-2024                     | Update **Parser** as part of Syslog migration       |
 |             |                                | Deprecating data connectors                         |