ed3531b
Update New connectors
nlepagnez Jun 11, 2024
8223190
Merge branch 'Q2-2024' of https://github.com/nlepagnez/Azure-Sentinel…
nlepagnez Jun 11, 2024
134c214
Update data connectors correcting a display bug on Last Received data
nlepagnez Aug 21, 2024
1e5234d
Merge branch 'Azure:master' into Q2-2024
nlepagnez Aug 21, 2024
975d16e
Correct a bug in Option1 Data connectors and DCR
nlepagnez Aug 21, 2024
55dda7a
Merge branches 'Q2-2024' and 'Q2-2024' of https://github.com/nlepagne…
nlepagnez Aug 21, 2024
0ec0a8f
Rename Exchange Admin for Online Workbook to be aligned with naming c…
nlepagnez Aug 22, 2024
570b433
Update Data Connectors using DCR
nlepagnez Aug 26, 2024
fce564d
Update Data Connectors using DCR
nlepagnez Aug 26, 2024
d7cd062
Add Parsers
nlepagnez Aug 30, 2024
ef1d3fb
UpdateWorkbookData
nlepagnez Aug 30, 2024
52114b3
Merge remote-tracking branch 'upstream/master' into Q2-2024
nlepagnez Aug 30, 2024
5864ffd
Update Workbook Metadata after merge
nlepagnez Aug 30, 2024
f15aa28
Packaging Microsoft Exchange Solutions
nlepagnez Aug 30, 2024
223d39c
Update Empty String with text in Data Connector
nlepagnez Aug 30, 2024
ba533c3
Merge branch 'master' into pr/11049
v-prasadboke Sep 23, 2024
e8fdc7c
Correct DataConnector Error
nlepagnez Sep 25, 2024
2fe4acd
Merge remote-tracking branch 'upstream/master' into Q2-2024
nlepagnez Oct 1, 2024
3b22580
Temporary remove special character
nlepagnez Oct 1, 2024
e7bf133
Temporary remove special character
nlepagnez Oct 1, 2024
8a8757b
Non-ASCII characters are needed to compare strings
nlepagnez Oct 1, 2024
8b5303a
Update Typo
nlepagnez Oct 1, 2024
cdf76a7
Update Workbook - Correct display bug.
nlepagnez Oct 2, 2024
acff287
Solution packaged
v-prasadboke Oct 10, 2024
bd39087
Update SkipValidationsTemplates.json
v-prasadboke Oct 11, 2024
3fc5fb5
Merge branch 'master' into pr/11049
v-prasadboke Oct 29, 2024
15 changes: 15 additions & 0 deletions .script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Expand Up @@ -2624,6 +2624,16 @@
"templateName": "InfobloxSOCInsightsDataConnector_API.json",
"validationFailReason": "The name 'insightId_g' does not refer to any known column, table, variable or function."
},
{
"id": "ESI-Opt6ExchangeMessageTrackingLogs",
"templateName": "ESI-Opt6ExchangeMessageTrackingLogs.json",
"validationFailReason": "This is a Azure Monitor Connector which doesnt requires more permissions. Skipping this ID as a check is failing for required permissions for Data Connector template. "
},
{
"id": "ESI-Opt7ExchangeHTTPProxyLogs",
"templateName": "ESI-Opt7ExchangeHTTPProxyLogs.json",
"validationFailReason": "This is a Azure Monitor Connector which doesnt requires more permissions. Skipping this ID as a check is failing for required permissions for Data Connector template. "
},
// Temporarily adding Data connector template id's for KQL Validations - End


Expand Down Expand Up @@ -2819,6 +2829,11 @@
"templateName": "ExchangeConfiguration.yaml",
"validationFailReason": "Temporarily Added for Parser KQL Queries validation"
},
{
"id": "0a0f4ea0-6b94-4420-892e-41ca985f2f01",
"templateName": "MESCompareDataOnPMRA.yaml",
"validationFailReason": "Temporarily Added for Parser KQL Queries validation"
},
{
"id": "1acab329-1c11-42a7-b5ea-41264947947a",
"templateName": "ExchangeEnvironmentList.yaml",
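Review bot: The two new entries with ids ESI-Opt6ExchangeMessageTrackingLogs and ESI-Opt7ExchangeHTTPProxyLogs bypass the required-permissions check for data connector templates, and the stated reason ("This is a Azure Monitor Connector which doesnt requires more permissions") is an assertion rather than evidence; before the skip lands, the two templates' own `permissions` block should be inspected to confirm it declares nothing beyond what the validator expects, because if the check fails only because the block is missing, the fix belongs in the templates rather than in this skip list. The reason string is also shown to anyone reading validation output and should be a proper sentence: `"validationFailReason": "This is an Azure Monitor connector which does not require additional permissions. Skipping this ID because the required-permissions check for Data Connector templates fails."`. Both entries sit under a marker that calls these skips temporary; a tracking issue or removal date in the reason would keep them from becoming permanent, and the same applies to the `MESCompareDataOnPMRA.yaml` entry added in the second hunk.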
Expand Up @@ -28,6 +28,11 @@
"id": "39f51672-8c63-4600-882a-5db8275f798f",
"templateName": "Microsoft Exchange Security - MESCompareDataMRA parser",
"validationFailReason": "Non-ASCII characters are required to test comparison of strings with non-ASCII characters"
},
{
"id": "0a0f4ea0-6b94-4420-892e-41ca985f2f01",
"templateName": "Microsoft Exchange Security - MESCompareDataOnPMRA parser",
"validationFailReason": "Non-ASCII characters are required to test comparison of strings with non-ASCII characters"
}
]

@@ -1,8 +1,8 @@
{
"id": "ESI-ExchangeAdminAuditLogEvents",
"title": "Microsoft Exchange Logs and Events",
"title": "[Deprecated] Microsoft Exchange Logs and Events",
"publisher": "Microsoft",
"descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
"descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
"graphQueries": [
{
"metricName": "Total data received",
Expand Down Expand Up @@ -100,35 +100,14 @@
"customs": [
{
"description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
}
},
{
"name": "Detailled documentation",
"description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
"instructions": [
{
"parameters": {
"title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)",
"instructionSteps": [
{
"title": "1. Download the Parser file",
"description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
},
{
"title": "2. Create Parser **ExchangeAdminAuditLogs** function",
"description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
},
{
"title": "3. Save Parser **ExchangeAdminAuditLogs** function",
"description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)"
},
Expand Down Expand Up @@ -209,7 +188,7 @@
"instructionSteps": [
{
"title": "A. Create DCR, Type Event log",
"description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
"description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**."
}
]
},
Expand All @@ -229,7 +208,7 @@
},
{
"title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
"description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
"description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
"instructions": [
{
"parameters": {
Expand Down Expand Up @@ -689,15 +668,53 @@
"type": "InstructionStepsGroup"
}
]
},
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
"instructions": [
{
"parameters": {
"title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
"instructionSteps": [
{
"title": "Manual Parser Deployment",
"instructions": [
{
"parameters": {
"instructionSteps": [
{
"title": "1. Download the Parser file",
"description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
},
{
"title": "2. Create Parser **ExchangeAdminAuditLogs** function",
"description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
},
{
"title": "3. Save Parser **ExchangeAdminAuditLogs** function",
"description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
}
]
},
"type": "InstructionStepsGroup"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
}
],
"metadata": {
"id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9",
"version": "2.2.1",
"version": "2.2.2",
"kind": "dataConnector",
"source": {
"kind": "solution",
"name": "ESI - Exchange Security Configuration Analyzer"
"name": "Microsoft Exchange Security - Exchange On-Premises"
},
"support": {
"name": "Community",
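Review bot: The new prerequisite entry misspells its user-facing name and description, `"name": "Detailled documentation"` and `"description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"`; both should read `Detailed`, since these strings are rendered verbatim on the connector page. The new parser step is also inconsistent with itself: its `"title": ""` renders an empty heading, and its description still says "Follow the steps to create the Kusto Functions alias" immediately after stating that parsers are deployed automatically — a title such as `"title": "Parser deployment"` and a description that presents manual deployment only as a fallback would read correctly. Since this connector is now `[Deprecated]`, the description should name which ESI-Opt connector replaces it rather than only the 'ESI-Opt' prefix, so users do not have to guess which option carries the MSExchange Management channel that the DCR steps below still configure.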
Expand Up @@ -19,7 +19,7 @@
"dataTypes": [
{
"name": "ESIExchangeConfig_CL",
"lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
"lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
}
],
"connectivityCriterias": [
Expand Down Expand Up @@ -61,40 +61,14 @@
{
"name": "Service Account with Organization Management role",
"description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information."
}
},
{
"name": "Detailled documentation",
"description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
}
]
},
"instructionSteps": [
{
"title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)",
"instructions": [
{
"parameters": {
"title": "Parsers deployment",
"instructionSteps": [
{
"title": "1. Download the Parser files",
"description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)"
},
{
"title": "2. Create Parser **ExchangeConfiguration** function",
"description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
},
{
"title": "3. Save Parser **ExchangeConfiguration** function",
"description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again."
},
{
"title": "4. Reproduce the same steps for Parser **ExchangeEnvironmentList**",
"description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file"
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"title": "1. Install the ESI Collector Script on a server with Exchange Admin PowerShell console",
"description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ",
Expand Down Expand Up @@ -152,11 +126,49 @@
{
"title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)",
"description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management"
},
{
"title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)",
"instructions": [
{
"parameters": {
"title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below",
"instructionSteps": [
{
"title": "Manual Parser Deployment",
"instructions": [
{
"parameters": {
"instructionSteps": [
{
"title": "1. Download the Parser file",
"description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"
},
{
"title": "2. Create Parser **ExchangeAdminAuditLogs** function",
"description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer"
},
{
"title": "3. Save Parser **ExchangeAdminAuditLogs** function",
"description": "Click on save button.\n No parameter is needed for this parser.\nClick save again."
}
]
},
"type": "InstructionStepsGroup"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
}
],
"metadata": {
"id": "ed950fd7-e457-4a59-88f0-b9c949aa280d",
"version": "1.2.1",
"version": "1.2.2",
"kind": "dataConnector",
"source": {
"kind": "solution",