diff --git a/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json b/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json
index 6e6adf912a1..37532b78383 100644
--- a/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json
+++ b/Solutions/Symantec VIP/Data/Solution_SymantecVIP.json
@@ -17,7 +17,7 @@
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec VIP",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/Symantec VIP/Package/3.0.2.zip b/Solutions/Symantec VIP/Package/3.0.2.zip
new file mode 100644
index 00000000000..eac6bd14df7
Binary files /dev/null and b/Solutions/Symantec VIP/Package/3.0.2.zip differ
diff --git a/Solutions/Symantec VIP/Package/mainTemplate.json b/Solutions/Symantec VIP/Package/mainTemplate.json
index 15ca9633496..2faee8c016e 100644
--- a/Solutions/Symantec VIP/Package/mainTemplate.json
+++ b/Solutions/Symantec VIP/Package/mainTemplate.json
@@ -39,7 +39,7 @@
 },
 "variables": {
 "_solutionName": "Symantec VIP",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "azuresentinel.azure-sentinel-solution-symantecvip",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -50,18 +50,18 @@
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.3",
+ "analyticRuleVersion1": "1.0.4",
 "_analyticRulecontentId1": "a9956d3a-07a9-44a6-a279-081a85020cae",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9956d3a-07a9-44a6-a279-081a85020cae')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9956d3a-07a9-44a6-a279-081a85020cae')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9956d3a-07a9-44a6-a279-081a85020cae','-', '1.0.3')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9956d3a-07a9-44a6-a279-081a85020cae','-', '1.0.4')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
 "_analyticRulecontentId2": "c775a46b-21b1-46d7-afa6-37e3e577a27b",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c775a46b-21b1-46d7-afa6-37e3e577a27b')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c775a46b-21b1-46d7-afa6-37e3e577a27b')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c775a46b-21b1-46d7-afa6-37e3e577a27b','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c775a46b-21b1-46d7-afa6-37e3e577a27b','-', '1.0.4')))]"
 },
 "parserObject1": {
 "_parserName1": "[concat(parameters('workspace'),'/','SymantecVIP')]",
@@ -82,7 +82,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SymantecVIP Workbook with template version 3.0.1",
+ "description": "SymantecVIP Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -137,10 +137,6 @@
 "contentId": "Syslog",
 "kind": "DataType"
 },
- {
- "contentId": "SymantecVIP",
- "kind": "DataConnector"
- },
 {
 "contentId": "SyslogAma",
 "kind": "DataConnector"
@@ -173,7 +169,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ClientDeniedAccess_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "ClientDeniedAccess_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -190,7 +186,7 @@
 "description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.",
 "displayName": "ClientDeniedAccess",
 "enabled": false,
- "query": "let threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "query": "let threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -201,10 +197,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -215,22 +211,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "User"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
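Review bot: In the `@@ -215,22 +211,22 @@` hunk the Account mapping binds `"identifier": "FullName"` to the `User` column, but `FullName` is intended for a domain-qualified value (`domain\user` or a UPN); if the SymantecVIP parser emits the bare RADIUS username here, `"identifier": "Name"` is the identifier that matches without a domain part. I cannot see the parser from this hunk, so confirm the shape of `User` before changing it; the sibling rule at `@@ -327,22 +323,22 @@` makes the same choice. Separately, the 3.0.2 release-notes row describes only the entity-mapping cleanup, while `@@ -137,10 +137,6 @@` also drops the `SymantecVIP` DataConnector from the workbook's dependency list, which deserves its own line in ReleaseNotes.md.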
@@ -285,7 +281,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExcessiveFailedAuthenticationsfromInvalidInputs_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "ExcessiveFailedAuthenticationsfromInvalidInputs_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -302,7 +298,7 @@
 "description": "Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.",
 "displayName": "Excessive Failed Authentication from Invalid Inputs",
 "enabled": false,
- "query": "let threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "query": "let threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -313,10 +309,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -327,22 +323,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "User"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -397,7 +393,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SymantecVIP Data Parser with template version 3.0.1",
+ "description": "SymantecVIP Data Parser with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -523,7 +519,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Symantec VIP",
diff --git a/Solutions/Symantec VIP/ReleaseNotes.md b/Solutions/Symantec VIP/ReleaseNotes.md
index e006062a44c..eb526bf4eab 100644
--- a/Solutions/Symantec VIP/ReleaseNotes.md
+++ b/Solutions/Symantec VIP/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------|
+| 3.0.2 | 20-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
 | 3.0.1 | 31-12-2024 | Removed Deprecated **Data connector** |
 | 3.0.0 | 01-08-2024 | Update **Parser** as part of Syslog migration |
 | | | Deprecating data connectors |
diff --git a/Solutions/SymantecProxySG/Data/Solution_SymantecProxySG.json b/Solutions/SymantecProxySG/Data/Solution_SymantecProxySG.json
index 854e8a06c65..f11cb73fe1a 100644
--- a/Solutions/SymantecProxySG/Data/Solution_SymantecProxySG.json
+++ b/Solutions/SymantecProxySG/Data/Solution_SymantecProxySG.json
@@ -17,7 +17,7 @@
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SymantecProxySG",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/SymantecProxySG/Package/3.0.3.zip b/Solutions/SymantecProxySG/Package/3.0.3.zip
new file mode 100644
index 00000000000..6a5e83a5346
Binary files /dev/null and b/Solutions/SymantecProxySG/Package/3.0.3.zip differ
diff --git a/Solutions/SymantecProxySG/Package/mainTemplate.json b/Solutions/SymantecProxySG/Package/mainTemplate.json
index 1983bb8b699..2996df837e1 100644
--- a/Solutions/SymantecProxySG/Package/mainTemplate.json
+++ b/Solutions/SymantecProxySG/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "SymantecProxySG",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-symantec-proxysg",
 "_solutionId": "[variables('solutionId')]",
 "parserObject1": {
@@ -59,18 +59,18 @@
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.4",
+ "analyticRuleVersion1": "1.0.5",
 "_analyticRulecontentId1": "7a58b253-0ef2-4248-b4e5-c350f15a8346",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a58b253-0ef2-4248-b4e5-c350f15a8346')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a58b253-0ef2-4248-b4e5-c350f15a8346')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a58b253-0ef2-4248-b4e5-c350f15a8346','-', '1.0.4')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a58b253-0ef2-4248-b4e5-c350f15a8346','-', '1.0.5')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.4",
+ "analyticRuleVersion2": "1.0.5",
 "_analyticRulecontentId2": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fb0f4a93-d8ad-4b54-9931-85bdb7550f90')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb0f4a93-d8ad-4b54-9931-85bdb7550f90','-', '1.0.4')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fb0f4a93-d8ad-4b54-9931-85bdb7550f90','-', '1.0.5')))]"
 },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
@@ -84,7 +84,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SymantecProxySG Data Parser with template version 3.0.2",
+ "description": "SymantecProxySG Data Parser with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -216,7 +216,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SymantecProxySG Workbook with template version 3.0.2",
+ "description": "SymantecProxySG Workbook with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -272,10 +272,6 @@
 "contentId": "Syslog",
 "kind": "DataType"
 },
- {
- "contentId": "SymantecProxySG",
- "kind": "DataConnector"
- },
 {
 "contentId": "SyslogAma",
 "kind": "DataConnector"
@@ -308,7 +304,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExcessiveDeniedProxyTraffic_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "ExcessiveDeniedProxyTraffic_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -325,7 +321,7 @@
 "description": "This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.",
 "displayName": "Excessive Denied Proxy Traffic",
 "enabled": false,
- "query": "let threshold = 100;\nSymantecProxySG\n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| where count_ > threshold\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\n",
+ "query": "let threshold = 100;\nSymantecProxySG\n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| where count_ > threshold\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Low",
@@ -336,10 +332,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -355,7 +351,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "cs_host"
 }
 ],
 "entityType": "Host"
@@ -364,7 +360,7 @@
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "c_ip"
 }
 ],
 "entityType": "IP"
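Review bot: In `@@ -355,7 +351,7 @@` the `cs_host` column is bound to a Host entity via `FullName`, yet in proxy access logs `cs-host` is the requested destination, not a managed endpoint, so every denied external domain would surface as a Host entity in the incident graph and can be correlated against real assets by mistake. If the parser indeed populates `cs_host` with the destination host name, a `"entityType": "DNS"` mapping with `"identifier": "DomainName"` (or a `URL` entity when it carries a full URL) models it more accurately; I cannot see the parser from this hunk, so verify what the column holds first. The same column is grouped on but left unmapped in the sibling rule at `@@ -440,7 +436,7 @@`.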
@@ -423,7 +419,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserAccessedSuspiciousURLCategories_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "UserAccessedSuspiciousURLCategories_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -440,7 +436,7 @@
 "description": "Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.",
 "displayName": "User Accessed Suspicious URL Categories",
 "enabled": false,
- "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\n",
+ "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -451,10 +447,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ]
+ ],
+ "connectorId": "SyslogAma"
 }
 ],
 "tactics": [
@@ -470,7 +466,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "cs_userdn"
 }
 ],
 "entityType": "Account"
@@ -479,7 +475,7 @@
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "Computer"
 }
 ],
 "entityType": "Host"
@@ -488,7 +484,7 @@
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "c_ip"
 }
 ],
 "entityType": "IP"
@@ -543,7 +539,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "SymantecProxySG",
diff --git a/Solutions/SymantecProxySG/ReleaseNotes.md b/Solutions/SymantecProxySG/ReleaseNotes.md
index 9edb7dd9cad..d4ffa38dd8a 100644
--- a/Solutions/SymantecProxySG/ReleaseNotes.md
+++ b/Solutions/SymantecProxySG/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.0.3 | 20-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
 | 3.0.2 | 24-12-2024 |Removed Deprecated **Data Connector** |
 | 3.0.1 | 01-08-2024 |Update **Parser** as part of Syslog migration |
 | | |Deprecating data connectors |
diff --git a/Solutions/VMware Carbon Black Cloud/Package/3.0.5.zip b/Solutions/VMware Carbon Black Cloud/Package/3.0.5.zip
new file mode 100644
index 00000000000..b8d4481f2c9
Binary files /dev/null and b/Solutions/VMware Carbon Black Cloud/Package/3.0.5.zip differ
diff --git a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
index 42538e6f27e..e2068c64e11 100644
--- a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
+++ b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json
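Review bot: In `@@ -479,7 +475,7 @@` the Host entity is now fed from `Computer`, which for Syslog-sourced data is the device that forwarded the event — presumably the ProxySG appliance itself — so every incident from this rule would name the proxy as the host rather than the client that browsed the suspicious category; if no client host name is available in the table, `c_ip` (already mapped in `@@ -488,7 +484,7 @@`) is the only endpoint identifier and the Host mapping is better dropped than misattributed. Meanwhile `cs_host`, the suspicious destination the rule exists to surface, is grouped on in the query but has no entity mapping; a `"entityType": "DNS"` mapping with `"identifier": "DomainName"` on `cs_host` would let analysts pivot on it. I cannot see the parser from this hunk, so confirm what `Computer` and `cs_host` hold before adjusting.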
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "VMware Carbon Black Cloud",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
 "solutionId": "azuresentinel.azure-sentinel-solution-vmwarecarbonblack",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
@@ -76,18 +76,18 @@
 "dataConnectorVersion2": "1.0.0",
 "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
 "_analyticRulecontentId1": "2ca4e7fc-c61a-49e5-9736-5da8035c47e0",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2ca4e7fc-c61a-49e5-9736-5da8035c47e0')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2ca4e7fc-c61a-49e5-9736-5da8035c47e0')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2ca4e7fc-c61a-49e5-9736-5da8035c47e0','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2ca4e7fc-c61a-49e5-9736-5da8035c47e0','-', '1.0.2')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.1",
+ "analyticRuleVersion2": "1.0.2",
 "_analyticRulecontentId2": "9f86885f-f31f-4e66-a39d-352771ee789e",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9f86885f-f31f-4e66-a39d-352771ee789e')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9f86885f-f31f-4e66-a39d-352771ee789e')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9f86885f-f31f-4e66-a39d-352771ee789e','-', '1.0.1')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9f86885f-f31f-4e66-a39d-352771ee789e','-', '1.0.2')))]"
 },
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "VMwareCarbonBlack",
@@ -2628,7 +2628,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMware Carbon Black Cloud data connector with template version 3.0.4",
+ "description": "VMware Carbon Black Cloud data connector with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -3041,7 +3041,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3058,7 +3058,7 @@
 "description": "This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.",
 "displayName": "Critical Threat Detected",
 "enabled": false,
- "query": "let threshold = 8;\nCarbonBlackNotifications_CL\n| where threatHunterInfo_score_d >= threshold\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| project-away count_\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\n",
+ "query": "let threshold = 8;\nCarbonBlackNotifications_CL\n| where threatHunterInfo_score_d >= threshold\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| project-away count_\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -3085,7 +3085,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
+ "columnName": "Device_Name",
 "identifier": "FullName"
 }
 ],
@@ -3094,7 +3094,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
+ "columnName": "Internal_IP",
 "identifier": "Address"
 }
 ],
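Review bot: The rewritten query in `@@ -3058,7 +3058,7 @@` still carries `External_IP` out of the summarize, but the mappings in `@@ -3085,7 +3085,7 @@` and `@@ -3094,7 +3094,7 @@` bind only `Device_Name` and `Internal_IP`, so the device's public address is dropped from the incident even though it is the value most useful for correlating with perimeter or threat-intel data. A second IP mapping, `{ "entityType": "IP", "fieldMappings": [ { "columnName": "External_IP", "identifier": "Address" } ] }`, keeps it; the entityMappings array is cut off at the end of this hunk, so append it alongside the existing entries.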
@@ -3154,7 +3154,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -3171,7 +3171,7 @@
 "description": "This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.",
 "displayName": "Known Malware Detected",
 "enabled": false,
- "query": "CarbonBlackEvents_CL\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\n",
+ "query": "CarbonBlackEvents_CL\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -3198,7 +3198,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
+ "columnName": "processDetails_fullUserName_s",
 "identifier": "FullName"
 }
 ],
@@ -3207,7 +3207,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
+ "columnName": "deviceDetails_deviceName_s",
 "identifier": "FullName"
 }
 ],
@@ -3216,7 +3216,7 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
+ "columnName": "deviceDetails_deviceIpAddress_s",
 "identifier": "Address"
 }
 ],
@@ -3276,7 +3276,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VMwareCarbonBlack Workbook with template version 3.0.4",
+ "description": "VMwareCarbonBlack Workbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -3372,7 +3372,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CarbonBlackConnector Playbook with template version 3.0.4",
+ "description": "CarbonBlackConnector Playbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -5006,7 +5006,7 @@
 ],
 "metadata": {
 "comments": "This connector used to perform different actions on alerts , device and threats using CarbonBlack cloud endpoint API.",
- "lastUpdateTime": "2024-11-19T15:06:50.446Z",
+ "lastUpdateTime": "2025-01-22T11:36:36.320Z",
 "releaseNotes": {
 "version": "1.0",
 "title": "[variables('blanks')]",
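Review bot: The three mappings in `@@ -3198,7 +3198,7 @@`, `@@ -3207,7 +3207,7 @@` and `@@ -3216,7 +3216,7 @@` cover account, host and IP, but `processDetails_targetName_s` — the artifact that carried the `KNOWN_MALWARE` reputation and the column an analyst most wants to pivot on — is summarized in the query yet not mapped to any entity. If that column holds a bare file name, a File entity mapping `{ "entityType": "File", "fieldMappings": [ { "columnName": "processDetails_targetName_s", "identifier": "Name" } ] }` would carry it into the incident; if it holds a full path, split it into directory and name in the query first so `Directory` and `Name` can both be mapped. I cannot tell the column's shape from this hunk, so check a sample event before adding it.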
@@ -5038,7 +5038,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.4",
+ "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -6841,7 +6841,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.4",
+ "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -7584,7 +7584,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.4",
+ "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.5",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -8008,7 +8008,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "VMware Carbon Black Cloud",
diff --git a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
index c21d2f75395..7c9bf345869 100644
--- a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
+++ b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------------------------------|
+| 3.0.5 | 22-01-2025 | Removed Custom Entity mappings from **Analytic rules** |
 | 3.0.4 | 19-11-2024 | Modified TransformKQL queries of CCP **Data Connector** |
 | 3.0.3 | 28-10-2024 | Added Sample Queries to the CCP **Data Connector** template |
 | 3.0.2 | 15-10-2024 | Added new CCP **Data Connector** to the Solution |