Azure
diff --git a/‎.script/tests/KqlvalidationsTests/CustomTables/KeeperSecurityEventNewLogs_CL.json‎
Lines changed: 41 additions & 0 deletions b/‎.script/tests/KqlvalidationsTests/CustomTables/KeeperSecurityEventNewLogs_CL.json‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json‎
Lines changed: 1 addition & 0 deletions b/‎.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml‎
Lines changed: 42 additions & 0 deletions b/‎Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎Solutions/Keeper Security/Analytic Rules/Keeper Security - User MFA Changed.yaml‎
Lines changed: 42 additions & 0 deletions b/‎Solutions/Keeper Security/Analytic Rules/Keeper Security - User MFA Changed.yaml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎Solutions/Keeper Security/Data/Solution_KeeperSecurity.json‎
Lines changed: 7 additions & 0 deletions b/‎Solutions/Keeper Security/Data/Solution_KeeperSecurity.json‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎Solutions/Keeper Security/Package/3.0.1.zip‎
11.7 KB b/‎Solutions/Keeper Security/Package/3.0.1.zip‎
11.7 KB
diff --git a/‎Solutions/Keeper Security/Package/createUiDefinition.json‎
Lines changed: 99 additions & 1 deletion b/‎Solutions/Keeper Security/Package/createUiDefinition.json‎
Lines changed: 99 additions & 1 deletion
@@ -0,0 +1,41 @@
+{
+    "Name": "KeeperSecurityEventNewLogs_CL",
+    "Properties": [
+      {
+        "Name": "TimeGenerated",
+        "Type": "datetime"
+      },
+      {
+        "Name": "AuditEvent",
+        "Type": "string"
+      },
+      {
+        "Name": "RemoteAddress",
+        "Type": "string"
+      },
+      {
+        "Name": "Category",
+        "Type": "string"
+      },
+      {
+        "Name": "ClientVersion",
+        "Type": "string"
+      },
+      {
+        "Name": "EnterpriseId",
+        "Type": "int"
+      },
+      {
+        "Name": "Username",
+        "Type": "string"
+      },
+      {
+        "Name": "Timestamp",
+        "Type": "datetime"
+      },
+      {
+        "Name": "Data",
+        "Type": "dynamic"
+      }
+    ]
+  }
@@ -111,6 +111,7 @@
   "JamfProtect",
   "JiraAuditAPI",
   "JuniperSRX",
+  "KeeperSecurityPush2",
   "LastPass",
   "LookoutAPI",
   "McAfeeePO",
 
@@ -0,0 +1,42 @@
+id: f031fbbc-37d8-4667-b795-d386bf2b5ab2
+name: Keeper Security - Password Changed
+description: |
+  'Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel'
+severity: Informational
+status: Available
+requiredDataConnectors:
+  - connectorId: KeeperSecurityPush2
+    dataTypes: 
+      - KeeperSecurityEventNewLogs_CL
+suppressionDuration: PT5H
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+suppressionEnabled: false
+tactics:
+- Persistence
+relevantTechniques:
+- T1556
+query: |
+  KeeperSecurityEventNewLogs_CL
+  | where AuditEvent == "change_master_password"
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: PT5H
+    matchingMethod: AllEntities
+alertDetailsOverride:
+  alertDisplayNameFormat: "{{AuditEvent}} on {{RemoteAddress}}"
+  alertDescriptionFormat: "{{AuditEvent}} has been captured in the Keeper Security Event Logs"
+entityMappings:
+- entityType: Account
+  fieldMappings:
+  - identifier: FullName
+    columnName: Username
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: RemoteAddress
+version: 1.0.3
+kind: NRT
@@ -0,0 +1,42 @@
+id: 75ffc8a4-86db-4f48-8506-cb4c049be484
+name: Keeper Security - User MFA Changed
+description: |
+  'Creates an informational incident based on Keeper Security User MFA Changed data in Microsoft Sentinel'
+severity: Informational
+status: Available
+requiredDataConnectors:
+  - connectorId: KeeperSecurityPush2
+    dataTypes: 
+      - KeeperSecurityEventNewLogs_CL
+suppressionDuration: PT5H
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+suppressionEnabled: false
+tactics:
+- Persistence
+relevantTechniques:
+- T1556
+query: |
+  KeeperSecurityEventNewLogs_CL
+  | where AuditEvent in (```set_two_factor_off```, ```set_two_factor_on```)
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: PT5H
+    matchingMethod: AllEntities
+alertDetailsOverride:
+  alertDisplayNameFormat: "{{AuditEvent}} on {{RemoteAddress}}"
+  alertDescriptionFormat: "{{AuditEvent}} has been captured in the Keeper Security Event Logs"
+entityMappings:
+- entityType: Account
+  fieldMappings:
+  - identifier: FullName
+    columnName: Username
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: RemoteAddress
+version: 1.0.3
+kind: NRT
@@ -3,9 +3,16 @@
     "Author": "Joao Paulo Oliveira Santos - jsantos@keepersecurity.com",
     "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/keeper_security.svg\" width=\"75px\" height=\"75px\">",
     "Description": "The [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
+    "Analytic Rules": [
+      "Analytic Rules/Keeper Security - Alternate Master Password.yaml",
+      "Analytic Rules/Keeper Security - User MFA Changed.yaml"
+    ],
     "Data Connectors": [
       "Data Connectors/KeeperSecurity_ccp/KepperSecurity_Definition.json"
     ],
+    "Workbooks": [
+      "Workbooks/KeeperSecurityDashboard.json"
+    ],
     "BasePath": "/Users/joaopaulooliveriasantos/Projects/Azure-Sentinel/Solutions/KeeperSecurity",
     "Version": "3.0.0",
     "Metadata": "SolutionMetadata.json",
 
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/keeper_security.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Keeper%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/keeper_security.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Keeper%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Keeper Security](https://keepersecurity.com/) solution for Microsoft Sentinel enables you to ingest [Keeper Security](https://keepersecurity.com/) forwarded into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -74,6 +74,104 @@
             }
           }
         ]
+      },
+      {
+        "name": "workbooks",
+        "label": "Workbooks",
+        "subLabel": {
+          "preValidation": "Configure the workbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Workbooks",
+        "elements": [
+          {
+            "name": "workbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+            }
+          },
+          {
+            "name": "workbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+              }
+            }
+          },
+          {
+            "name": "workbook1",
+            "type": "Microsoft.Common.Section",
+            "label": "Keeper Security Dashboard",
+            "elements": [
+              {
+                "name": "workbook1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This workbook contains visualizations and insights in the Keeper Security environment."
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "Keeper Security - Password Changed",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel"
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic2",
+            "type": "Microsoft.Common.Section",
+            "label": "Keeper Security - User MFA Changed",
+            "elements": [
+              {
+                "name": "analytic2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Creates an informational incident based on Keeper Security User MFA Changed data in Microsoft Sentinel"
+                }
+              }
+            ]
+          }
+        ]
       }
     ],
     "outputs": {