Expand Up @@ -42,7 +42,7 @@
"Workbooks/RecordedFutureMalwareThreatHunting.json"
],
"BasePath": "Users\\emangsten\\git\\github\\Azure-Sentinel\\Solutions\\Recorded Future",
"Version": "3.2.12",
"Version": "3.2.13",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
Binary file added Solutions/Recorded Future/Package/3.2.13.zip
148 changes: 74 additions & 74 deletions Solutions/Recorded Future/Package/mainTemplate.json


1 change: 1 addition & 0 deletions Solutions/Recorded Future/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.2.13 | 08-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
| 3.2.12 | 28-11-2024 | Fix API connection bug in RecordedFuture-AlertImporter |
| 3.2.11 | 31-10-2024 | Fix API connection bug in RecordedFuture-ThreatMap-Importer, documentation improvements |
| 3.2.10 | 01-10-2024 | Updated install README for multiple playbooks, added protocol check for URL enrichments in RecordedFuture-IOC_Enrichment **Playbook**, moved parameters from important to advanced and internal in RecordedFuture-CustomConnector|
Expand Up @@ -17,7 +17,7 @@
"azuresentinel.azure-sentinel-solution-syslog"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec Endpoint Protection",
"Version": "3.0.4",
"Version": "3.0.5",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true
}
52 changes: 30 additions & 22 deletions Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
Expand Up @@ -41,22 +41,22 @@
"email": "[email protected]",
"_email": "[variables('email')]",
"_solutionName": "Symantec Endpoint Protection",
"_solutionVersion": "3.0.4",
"_solutionVersion": "3.0.5",
"solutionId": "azuresentinel.azure-sentinel-solution-symantecendpointprotection",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.2",
"analyticRuleVersion1": "1.0.3",
"_analyticRulecontentId1": "fa0ab69c-7124-4f62-acdd-61017cf6ce89",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fa0ab69c-7124-4f62-acdd-61017cf6ce89')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fa0ab69c-7124-4f62-acdd-61017cf6ce89')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fa0ab69c-7124-4f62-acdd-61017cf6ce89','-', '1.0.2')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fa0ab69c-7124-4f62-acdd-61017cf6ce89','-', '1.0.3')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.2",
"analyticRuleVersion2": "1.0.3",
"_analyticRulecontentId2": "072ee087-17e1-474d-b162-bbe38bcab9f9",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '072ee087-17e1-474d-b162-bbe38bcab9f9')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('072ee087-17e1-474d-b162-bbe38bcab9f9')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.2')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.3')))]"
},
"workbookVersion1": "1.0.0",
"workbookContentId1": "SymantecEndpointProtection",
Expand Down Expand Up @@ -84,7 +84,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.4",
"description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
Expand All @@ -101,7 +101,7 @@
"description": "Creates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.",
"displayName": "Excessive Blocked Traffic Events Generated by User",
"enabled": false,
"query": "let threshold = 15;\nlet NoteableEvents = SymantecEndpointProtection\n| where LogType == \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| summarize TotalBlockedEvents = count() by UserName\n| where TotalBlockedEvents > threshold;\nSymantecEndpointProtection\n| where LogType =~ \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| join kind=inner (NoteableEvents) on UserName\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserName, HostCustomEntity = ServerName, IPCustomEntity = LocalHostIpAddr\n",
"query": "let threshold = 15;\nlet NoteableEvents = SymantecEndpointProtection\n| where LogType == \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| summarize TotalBlockedEvents = count() by UserName\n| where TotalBlockedEvents > threshold;\nSymantecEndpointProtection\n| where LogType =~ \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| join kind=inner (NoteableEvents) on UserName\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
Expand Down Expand Up @@ -134,7 +134,7 @@
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "UserName"
}
],
"entityType": "Account"
Expand All @@ -143,7 +143,16 @@
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "LocalHostIpAddr"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "RemoteHostIpAddr"
}
],
"entityType": "IP"
Expand All @@ -152,7 +161,7 @@
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "ServerName"
}
],
"entityType": "Host"
Expand Down Expand Up @@ -211,7 +220,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
"description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
Expand All @@ -228,7 +237,7 @@
"description": "Creates an incident when a Symantec Endpoint Proection agent detects malware and the malware was not cleaned.",
"displayName": "Malware Detected",
"enabled": false,
"query": "SymantecEndpointProtection\n| where LogType == \"Agent Risk Logs\"\n| where CategorySet == \"Malware\"\n| where ActualAction !contains \"Cleaned\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr, HostCustomEntity = SrcHostName, AccountCustomEntity = UserName\n",
"query": "SymantecEndpointProtection\n| where LogType == \"Agent Risk Logs\"\n| where CategorySet == \"Malware\"\n| where ActualAction !contains \"Cleaned\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
Expand All @@ -248,6 +257,9 @@
"tactics": [
"Execution"
],
"subTechniques": [
"T1204.002"
],
"techniques": [
"T1204"
],
Expand All @@ -256,7 +268,7 @@
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "UserName"
}
],
"entityType": "Account"
Expand All @@ -265,7 +277,7 @@
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "SrcIpAddr"
}
],
"entityType": "IP"
Expand All @@ -274,7 +286,7 @@
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "SrcHostName"
}
],
"entityType": "Host"
Expand Down Expand Up @@ -333,7 +345,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SymantecEndpointProtection Workbook with template version 3.0.4",
"description": "SymantecEndpointProtection Workbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
Expand Down Expand Up @@ -389,10 +401,6 @@
"contentId": "SymantecEndpointProtection",
"kind": "DataType"
},
{
"contentId": "SymantecEndpointProtection",
"kind": "DataConnector"
},
{
"contentId": "SyslogAma",
"kind": "DataConnector"
Expand Down Expand Up @@ -425,7 +433,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SymantecEndpointProtection Data Parser with template version 3.0.4",
"description": "SymantecEndpointProtection Data Parser with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
Expand Down Expand Up @@ -553,7 +561,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.4",
"version": "3.0.5",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Symantec Endpoint Protection",
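Review bot: The rewritten query of the "Excessive Blocked Traffic Events Generated by User" rule (hunk @@ -101,7 +101,7 @@) still filters NoteableEvents with the case-sensitive `| where LogType == \"Agent Traffic Logs\"` while the second pass over the same table uses `=~`, so the per-user threshold count and the joined detail rows are computed over potentially different row sets; since the line was rewritten anyway, aligning both filters to `| where LogType =~ \"Agent Traffic Logs\"` removes the inconsistency (harmless if the parser emits a fixed-case LogType, which this diff does not show). The same rule also gains a second IP entity on RemoteHostIpAddr (hunk @@ -143,7 +143,16 @@), the "Malware Detected" rule gains a `subTechniques` entry, and hunk @@ -389,10 +401,6 @@ drops the SymantecEndpointProtection DataConnector dependency, none of which is recorded in the 3.0.5 ReleaseNotes row, which only mentions the custom-entity mapping removal; extending that row to `Removed Custom Entity mappings from **Analytic rules**, added RemoteHostIpAddr IP entity, removed deprecated DataConnector dependency` would keep the release history accurate. mainTemplate.json is packaged output, so these fixes presumably belong in the source analytic-rule definitions, which are not shown on this page.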
15 changes: 8 additions & 7 deletions Solutions/Symantec Endpoint Protection/ReleaseNotes.md
@@ -1,8 +1,9 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.4 | 17-12-2024 | Removed Deprecated **Data connectors** |
| 3.0.3 | 01-08-2024 |Update **Parser** as part of Syslog migration |
| | |Deprecating data connectors |
| 3.0.2 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
| 3.0.1 | 18-04-2024 | Repackaged for fix in parser in maintemplate |
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|----------------------------------------------------------------------------------------|
| 3.0.5 | 13-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
| 3.0.4 | 17-12-2024 | Removed Deprecated **Data connectors** |
| 3.0.3 | 01-08-2024 | Update **Parser** as part of Syslog migration |
| | | Deprecating data connectors |
| 3.0.2 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
| 3.0.1 | 18-04-2024 | Repackaged for fix in parser in maintemplate |
| 3.0.0 | 15-04-2024 | Updated **Parser** SymantecEndpointProtection.yaml to automatic update applicable logs |