diff --git a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
index 0c59aec58c3..e1e31bb5a00 100644
--- a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
+++ b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
@@ -42,7 +42,7 @@
 "Workbooks/RecordedFutureMalwareThreatHunting.json"
 ],
 "BasePath": "Users\\emangsten\\git\\github\\Azure-Sentinel\\Solutions\\Recorded Future",
- "Version": "3.2.12",
+ "Version": "3.2.13",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Recorded Future/Package/3.2.13.zip b/Solutions/Recorded Future/Package/3.2.13.zip
new file mode 100644
index 00000000000..e996acb2cc5
Binary files /dev/null and b/Solutions/Recorded Future/Package/3.2.13.zip differ
diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json
index 6fab4549fd2..7c145142245 100644
--- a/Solutions/Recorded Future/Package/mainTemplate.json
+++ b/Solutions/Recorded Future/Package/mainTemplate.json
@@ -97,7 +97,7 @@
 "email": "support@recordedfuture.com",
 "_email": "[variables('email')]",
 "_solutionName": "Recorded Future",
- "_solutionVersion": "3.2.12",
+ "_solutionVersion": "3.2.13",
 "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
@@ -108,11 +108,11 @@
 "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a1c02815-4248-4728-a9ae-dac73c67db23','-', '1.0.4')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
 "_analyticRulecontentId2": "dffd068f-fdab-440e-bbc0-34c14b623c89",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dffd068f-fdab-440e-bbc0-34c14b623c89')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dffd068f-fdab-440e-bbc0-34c14b623c89')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dffd068f-fdab-440e-bbc0-34c14b623c89','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dffd068f-fdab-440e-bbc0-34c14b623c89','-', '1.0.4')))]"
 },
 "analyticRuleObject3": {
 "analyticRuleVersion3": "1.0.2",
@@ -136,11 +136,11 @@
 "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','22cc1dff-14ad-481d-97e1-0602895e429e','-', '1.0.3')))]"
 },
 "analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.2",
+ "analyticRuleVersion6": "1.0.3",
 "_analyticRulecontentId6": "9acb3664-72c4-4676-80fa-9f81912e347e",
 "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9acb3664-72c4-4676-80fa-9f81912e347e')]",
 "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9acb3664-72c4-4676-80fa-9f81912e347e')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9acb3664-72c4-4676-80fa-9f81912e347e','-', '1.0.2')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9acb3664-72c4-4676-80fa-9f81912e347e','-', '1.0.3')))]"
 },
 "analyticRuleObject7": {
 "analyticRuleVersion7": "1.0.4",
@@ -344,7 +344,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -483,7 +483,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -500,7 +500,7 @@
 "description": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist.",
 "displayName": "Detection of Malware C2 Domains in Syslog Events",
 "enabled": false,
- "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
+ "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P1D",
 "severity": "Medium",
@@ -536,7 +536,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
+ "columnName": "Computer",
 "identifier": "FullName"
 }
 ],
@@ -545,7 +545,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
+ "columnName": "HostIP",
 "identifier": "Address"
 }
 ],
@@ -554,7 +554,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "URLCustomEntity",
+ "columnName": "Url",
 "identifier": "Url"
 }
 ],
@@ -623,7 +623,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
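Review bot: The URL entity mapping at @@ -554 now reads the `Url` column, but in this rule's query `Url` is the ThreatIntelligenceIndicator column carried through the join (the Syslog side only extends `domain`), so for domain indicators it is presumably empty most of the time while the actually matched `domain` is projected and mapped to nothing. Consider mapping `domain` to a DNS entity instead, e.g. `{ "columnName": "domain", "identifier": "DomainName" }`, or dropping the URL mapping if it is never populated; worth confirming against real indicator data first. The `Computer` and `HostIP` mappings at @@ -536 and @@ -545 match columns the new query projects, so those are fine. Since this is the generated Package/mainTemplate.json, the fix belongs in the rule's source definition with the package regenerated.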
@@ -779,7 +779,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -910,7 +910,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1055,7 +1055,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1072,7 +1072,7 @@
 "description": "Identifies a match in Syslog from Recorded Future URLs Recently Reported as malicious by Insikt Group.",
 "displayName": "Detection of Malicious URLs in Syslog Events",
 "enabled": false,
- "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
+ "query": "// Identifies a match in Syslog from the Recorded Future URLs Recently Reported by Insikt Group\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\nThreatIntelligenceIndicator\n// Picking up only Recorded Future IOC's that have been recently reported as malicious by Insikt Group\n| where Description == 'Recorded Future - URL - Recently Reported by Insikt Group'\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n| join (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non Url\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P1D",
 "severity": "Medium",
@@ -1106,7 +1106,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
+ "columnName": "Computer",
 "identifier": "FullName"
 }
 ],
@@ -1115,7 +1115,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
+ "columnName": "HostIP",
 "identifier": "Address"
 }
 ],
@@ -1124,7 +1124,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "URLCustomEntity",
+ "columnName": "Url",
 "identifier": "Url"
 }
 ],
@@ -1184,7 +1184,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureThreatHuntingHashAllActors_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1250,23 +1250,23 @@
 "ActorInformation": "RecordedFuturePortalLink"
 },
 "alertDetailsOverride": {
+ "alertDisplayNameFormat": "{{Description}}",
 "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Hash}} from the {{Type}} table.\\n",
 "alertDynamicProperties": [
 {
 "alertProperty": "AlertLink",
 "value": "RecordedFuturePortalLink"
 }
- ],
- "alertDisplayNameFormat": "{{Description}}"
+ ]
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "matchingMethod": "AllEntities",
- "reopenClosedIncident": false,
 "lookbackDuration": "1h",
- "enabled": true
- },
- "createIncident": true
+ "reopenClosedIncident": false,
+ "enabled": true,
+ "matchingMethod": "AllEntities"
+ }
 }
 }
 },
@@ -1321,7 +1321,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureThreatHuntingIPAllActors_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1381,23 +1381,23 @@
 "ActorInformation": "RecordedFuturePortalLink"
 },
 "alertDetailsOverride": {
+ "alertDisplayNameFormat": "{{Description}}",
 "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{NetworkIP}} from the {{Type}} table.\\n",
 "alertDynamicProperties": [
 {
 "alertProperty": "AlertLink",
 "value": "RecordedFuturePortalLink"
 }
- ],
- "alertDisplayNameFormat": "{{Description}}"
+ ]
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "matchingMethod": "AllEntities",
- "reopenClosedIncident": false,
 "lookbackDuration": "1h",
- "enabled": true
- },
- "createIncident": true
+ "reopenClosedIncident": false,
+ "enabled": true,
+ "matchingMethod": "AllEntities"
+ }
 }
 }
 },
@@ -1452,7 +1452,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureThreatHuntingDomainAllActors_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1512,23 +1512,23 @@
 "ActorInformation": "RecordedFuturePortalLink"
 },
 "alertDetailsOverride": {
+ "alertDisplayNameFormat": "{{Description}}",
 "alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{DomainName}} from the {{Type}} table.\\n",
 "alertDynamicProperties": [
 {
 "alertProperty": "AlertLink",
 "value": "RecordedFuturePortalLink"
 }
- ],
- "alertDisplayNameFormat": "{{Description}}"
+ ]
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "matchingMethod": "AllEntities",
- "reopenClosedIncident": false,
 "lookbackDuration": "1h",
- "enabled": true
- },
- "createIncident": true
+ "reopenClosedIncident": false,
+ "enabled": true,
+ "matchingMethod": "AllEntities"
+ }
 }
 }
 },
@@ -1583,7 +1583,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.12",
+ "description": "RecordedFutureThreatHuntingUrlAllActors_AnalyticalRules Analytics Rule with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1641,23 +1641,23 @@
 "ActorInformation": "RecordedFuturePortalLink"
 },
 "alertDetailsOverride": {
+ "alertDisplayNameFormat": "{{Description}}",
 "alertDescriptionFormat": "*{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n",
 "alertDynamicProperties": [
 {
 "alertProperty": "AlertLink",
 "value": "RecordedFuturePortalLink"
 }
- ],
- "alertDisplayNameFormat": "{{Description}}"
+ ]
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
- "matchingMethod": "AllEntities",
- "reopenClosedIncident": false,
 "lookbackDuration": "1h",
- "enabled": true
- },
- "createIncident": true
+ "reopenClosedIncident": false,
+ "enabled": true,
+ "matchingMethod": "AllEntities"
+ }
 }
 }
 },
@@ -1712,7 +1712,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.12",
+ "description": "RecordedFuture-IOC_Enrichment Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
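Review bot: The `alertDescriptionFormat` context line in the @@ -1641 hunk opens the bold marker with a single `*` (`"*{{Description}}**\\n\\n...`) while the sibling Hash, IP and Domain rules at @@ -1250, @@ -1381 and @@ -1512 all use `**{{Description}}**`, so the rendered alert description for the URL threat-hunting rule will show a stray asterisk instead of bold text. Since this hunk already rewrites the surrounding `alertDetailsOverride` object, fixing it to `"alertDescriptionFormat": "**{{Description}}**\\n\\nCorrelation found on {{Url}} from the {{Type}} table.\\n",` in the rule's source definition and regenerating the package would be cheap. The rest of these four hunks only reorders keys inside `alertDetailsOverride` and `incidentConfiguration` without changing a value; that is harmless for the template but adds diff noise, so a one-line mention in the PR description that the generator's key order changed would save reviewers from hunting for a behavioural change.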
@@ -2386,7 +2386,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.12",
+ "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -2756,7 +2756,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-AlertImporter Playbook with template version 3.2.12",
+ "description": "RecordedFuture-AlertImporter Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -3218,7 +3218,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.12",
+ "description": "RecordedFuture-ThreatIntelligenceImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -3447,7 +3447,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.12",
+ "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -3738,7 +3738,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.12",
+ "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion6')]",
@@ -4029,7 +4029,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.12",
+ "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion7')]",
@@ -4322,7 +4322,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.12",
+ "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion8')]",
@@ -4613,7 +4613,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.12",
+ "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion9')]",
@@ -4998,7 +4998,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-CustomConnector Playbook with template version 3.2.12",
+ "description": "RecordedFuture-CustomConnector Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion10')]",
@@ -7626,7 +7626,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.12",
+ "description": "RecordedFuture-ThreatMap-Importer Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion11')]",
@@ -8005,7 +8005,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.12",
+ "description": "RecordedFuture-MalwareThreatMap-Importer Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion12')]",
@@ -8380,7 +8380,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.12",
+ "description": "ActorThreatHunt-IndicatorImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion13')]",
@@ -8616,7 +8616,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.12",
+ "description": "MalwareThreatHunt-IndicatorImport Playbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion14')]",
@@ -8853,7 +8853,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.12",
+ "description": "RecordedFuturePlaybookAlertOverview Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -8937,7 +8937,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureAlertOverview Workbook with template version 3.2.12",
+ "description": "RecordedFutureAlertOverview Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -9021,7 +9021,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.12",
+ "description": "RecordedFutureDomainCorrelation Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -9105,7 +9105,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureHashCorrelation Workbook with template version 3.2.12",
+ "description": "RecordedFutureHashCorrelation Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]",
@@ -9189,7 +9189,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureIPCorrelation Workbook with template version 3.2.12",
+ "description": "RecordedFutureIPCorrelation Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion5')]",
@@ -9273,7 +9273,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureURLCorrelation Workbook with template version 3.2.12",
+ "description": "RecordedFutureURLCorrelation Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion6')]",
@@ -9357,7 +9357,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.12",
+ "description": "RecordedFutureThreatActorHunting Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion7')]",
@@ -9441,7 +9441,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.12",
+ "description": "RecordedFutureMalwareThreatHunting Workbook with template version 3.2.13",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion8')]",
@@ -9521,7 +9521,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.2.12",
+ "version": "3.2.13",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Recorded Future",
diff --git a/Solutions/Recorded Future/ReleaseNotes.md b/Solutions/Recorded Future/ReleaseNotes.md
index 41b3ca870f0..e84c2ea2d57 100644
--- a/Solutions/Recorded Future/ReleaseNotes.md
+++ b/Solutions/Recorded Future/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.2.13 | 08-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
 | 3.2.12 | 28-11-2024 | Fix API connection bug in RecordedFuture-AlertImporter |
 | 3.2.11 | 31-10-2024 | Fix API connection bug in RecordedFuture-ThreatMap-Importer, documentation improvements |
 | 3.2.10 | 01-10-2024 | Updated install README for multiple playbooks, added protocol check for URL enrichments in RecordedFuture-IOC_Enrichment **Playbook**, moved parameters from important to advanced and internal in RecordedFuture-CustomConnector|
diff --git a/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json b/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
index f33ba41fc46..4b09e8e58a3 100644
--- a/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
+++ b/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
@@ -17,7 +17,7 @@
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec Endpoint Protection",
- "Version": "3.0.4",
+ "Version": "3.0.5",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/Symantec Endpoint Protection/Package/3.0.5.zip b/Solutions/Symantec Endpoint Protection/Package/3.0.5.zip
new file mode 100644
index 00000000000..2d1d3ec9cd6
Binary files /dev/null and b/Solutions/Symantec Endpoint Protection/Package/3.0.5.zip differ
diff --git a/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json b/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
index 558c0d806f2..01f055e6640 100644
--- a/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
+++ b/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
@@ -41,22 +41,22 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Symantec Endpoint Protection",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
 "solutionId": "azuresentinel.azure-sentinel-solution-symantecendpointprotection",
 "_solutionId": "[variables('solutionId')]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.2",
+ "analyticRuleVersion1": "1.0.3",
 "_analyticRulecontentId1": "fa0ab69c-7124-4f62-acdd-61017cf6ce89",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fa0ab69c-7124-4f62-acdd-61017cf6ce89')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fa0ab69c-7124-4f62-acdd-61017cf6ce89')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fa0ab69c-7124-4f62-acdd-61017cf6ce89','-', '1.0.2')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fa0ab69c-7124-4f62-acdd-61017cf6ce89','-', '1.0.3')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.2",
+ "analyticRuleVersion2": "1.0.3",
 "_analyticRulecontentId2": "072ee087-17e1-474d-b162-bbe38bcab9f9",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '072ee087-17e1-474d-b162-bbe38bcab9f9')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('072ee087-17e1-474d-b162-bbe38bcab9f9')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.2')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.3')))]"
 },
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "SymantecEndpointProtection",
@@ -84,7 +84,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -101,7 +101,7 @@
 "description": "Creates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.",
 "displayName": "Excessive Blocked Traffic Events Generated by User",
 "enabled": false,
- "query": "let threshold = 15;\nlet NoteableEvents = SymantecEndpointProtection\n| where LogType == \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| summarize TotalBlockedEvents = count() by UserName\n| where TotalBlockedEvents > threshold;\nSymantecEndpointProtection\n| where LogType =~ \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| join kind=inner (NoteableEvents) on UserName\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserName, HostCustomEntity = ServerName, IPCustomEntity = LocalHostIpAddr\n",
+ "query": "let threshold = 15;\nlet NoteableEvents = SymantecEndpointProtection\n| where LogType == \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| summarize TotalBlockedEvents = count() by UserName\n| where TotalBlockedEvents > threshold;\nSymantecEndpointProtection\n| where LogType =~ \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| join kind=inner (NoteableEvents) on UserName\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -134,7 +134,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "UserName"
 }
 ],
 "entityType": "Account"
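Review bot: The rewritten `+ "query"` line keeps the case-sensitive `| where LogType == \"Agent Traffic Logs\"` in the `NoteableEvents` pre-filter while the main branch of the same query uses `=~`, so rows whose LogType differs only in case are counted in the per-user `Total` of the final summarize but not toward the threshold that gates it; using `| where LogType =~ \"Agent Traffic Logs\"` in both places keeps the gate and the output consistent. The removed `extend` also dropped `timestamp = StartTimeUtc`, so anything downstream that read a `timestamp` column should be checked. The new mappings in the following hunk read `UserName`, `LocalHostIpAddr`, `RemoteHostIpAddr` and `ServerName` directly, and all four are in the summarize's by-clause, so the mappings themselves agree with the query. The rule resource this property belongs to starts and ends outside the hunk.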
@@ -143,7 +143,16 @@
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "LocalHostIpAddr"
+ }
+ ],
+ "entityType": "IP"
+ },
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "RemoteHostIpAddr"
 }
 ],
 "entityType": "IP"
@@ -152,7 +161,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "ServerName"
 }
 ],
 "entityType": "Host"
@@ -211,7 +220,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
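Review bot: The second IP mapping added at `+ "columnName": "RemoteHostIpAddr"` is new behaviour rather than a rename of the old custom-entity column, yet the 3.0.5 release-note entry says only that custom entity mappings were removed; the note (and the rule YAML this template is presumably generated from) should state that incidents now carry both the local and the remote address. Because both mappings use the same `Address` identifier, an analyst sees two IP entities per incident with nothing marking which side was blocked; `TrafficDirection` is already in the query's summarize output, so surfacing it next to the entities (or mapping only the peer address) would keep them interpretable. The enclosing `entityMappings` array begins before this hunk.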
@@ -228,7 +237,7 @@
 "description": "Creates an incident when a Symantec Endpoint Proection agent detects malware and the malware was not cleaned.",
 "displayName": "Malware Detected",
 "enabled": false,
- "query": "SymantecEndpointProtection\n| where LogType == \"Agent Risk Logs\"\n| where CategorySet == \"Malware\"\n| where ActualAction !contains \"Cleaned\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr, HostCustomEntity = SrcHostName, AccountCustomEntity = UserName\n",
+ "query": "SymantecEndpointProtection\n| where LogType == \"Agent Risk Logs\"\n| where CategorySet == \"Malware\"\n| where ActualAction !contains \"Cleaned\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -248,6 +257,9 @@
 "tactics": [
 "Execution"
 ],
+ "subTechniques": [
+ "T1204.002"
+ ],
 "techniques": [
 "T1204"
 ],
@@ -256,7 +268,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "UserName"
 }
 ],
 "entityType": "Account"
@@ -265,7 +277,7 @@
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "SrcIpAddr"
 }
 ],
 "entityType": "IP"
@@ -274,7 +286,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "SrcHostName"
 }
 ],
 "entityType": "Host"
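Review bot: The query on the `+ "query"` line still groups by `FilePath`, but none of the three mappings rewritten in this hunk uses it, so the detected file — the artifact an analyst most needs from a "Malware Detected" incident — is not exposed as an entity; adding a File entity mapping for `FilePath` next to the Account/IP/Host mappings would complete the move away from the custom-entity columns. The three mappings that remain (`UserName`, `SrcIpAddr`, `SrcHostName`) all name columns in the summarize's by-clause, so they agree with the query. The added `subTechniques` value `T1204.002` (User Execution: Malicious File) fits the `CategorySet == \"Malware\"` filter. The context line above the query still spells `Proection` in the user-facing description, which could be fixed while this rule is being touched.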
@@ -333,7 +345,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SymantecEndpointProtection Workbook with template version 3.0.4",
+ "description": "SymantecEndpointProtection Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -389,10 +401,6 @@
 "contentId": "SymantecEndpointProtection",
 "kind": "DataType"
 },
- {
- "contentId": "SymantecEndpointProtection",
- "kind": "DataConnector"
- },
 {
 "contentId": "SyslogAma",
 "kind": "DataConnector"
@@ -425,7 +433,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SymantecEndpointProtection Data Parser with template version 3.0.4",
+ "description": "SymantecEndpointProtection Data Parser with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -553,7 +561,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Symantec Endpoint Protection",
diff --git a/Solutions/Symantec Endpoint Protection/ReleaseNotes.md b/Solutions/Symantec Endpoint Protection/ReleaseNotes.md
index ba998b03dc8..b5065e32c4e 100644
--- a/Solutions/Symantec Endpoint Protection/ReleaseNotes.md
+++ b/Solutions/Symantec Endpoint Protection/ReleaseNotes.md
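Review bot: Dropping the `SymantecEndpointProtection` DataConnector dependency at the removed `- "kind": "DataConnector"` lines in the `@@ -389,10 +401,6 @@` hunk is not described in the 3.0.5 release-note entry, which mentions only the entity-mapping change; a line such as `Removed dependency on the deprecated SymantecEndpointProtection data connector` would tell users why the workbook now depends on `SyslogAma` alone. Keeping the `DataType` dependency on `SymantecEndpointProtection` looks right, since the parser and workbook still consume that table. The dependencies array this entry belongs to starts outside the hunk.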
@@ -1,8 +1,9 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.4 | 17-12-2024 | Removed Deprecated **Data connectors** |
-| 3.0.3 | 01-08-2024 |Update **Parser** as part of Syslog migration |
-| | |Deprecating data connectors |
-| 3.0.2 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
-| 3.0.1 | 18-04-2024 | Repackaged for fix in parser in maintemplate |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|----------------------------------------------------------------------------------------|
+| 3.0.5 | 13-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
+| 3.0.4 | 17-12-2024 | Removed Deprecated **Data connectors** |
+| 3.0.3 | 01-08-2024 | Update **Parser** as part of Syslog migration |
+| | | Deprecating data connectors |
+| 3.0.2 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
+| 3.0.1 | 18-04-2024 | Repackaged for fix in parser in maintemplate |
 | 3.0.0 | 15-04-2024 | Updated **Parser** SymantecEndpointProtection.yaml to automatic update applicable logs |