diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointAuditLogsV2_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointAuditLogsV2_CL.json
new file mode 100644
index 00000000000..d791d3fe3c6
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointAuditLogsV2_CL.json
@@ -0,0 +1,45 @@
+{
+ "Name": "CiscoSecureEndpointAuditLogsV2_CL",
+ "Properties": [
+ {
+ "name": "Event",
+ "type": "string"
+ },
+ {
+ "name": "AuditLogType",
+ "type": "string"
+ },
+ {
+ "name": "AuditLogId",
+ "type": "string"
+ },
+ {
+ "name": "AuditLogUser",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime"
+ },
+ {
+ "name": "Item",
+ "type": "string"
+ },
+ {
+ "name": "Message",
+ "type": "string"
+ },
+ {
+ "name": "OldAttributes",
+ "type": "string"
+ },
+ {
+ "name": "NewAttributes",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointEventsV2_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointEventsV2_CL.json
new file mode 100644
index 00000000000..637694ece86
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointEventsV2_CL.json
@@ -0,0 +1,781 @@ +{ + "Name": "CiscoSecureEndpointEventsV2_CL", + "Properties": [ + { + "name": "Id", + "type": "real" + }, + { + "name": "Timestamp", + "type": "real" + }, + { + "name": "TimestampNanoseconds", + "type": "real" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Date", + "type": "datetime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventTypeId", + "type": "real" + }, + { + "name": "Detection", + "type": "string" + }, + { + "name": "DetectionId", + "type": "string" + }, + { + "name": "ConnectorGuid", + "type": "string" + }, + { + "name": "GroupGuids", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "Tactics", + "type": "string" + }, + { + "name": "Techniques", + "type": "string" + }, + { + "name": "Hostname", + "type": "string" + }, + { + "name": "Vulnerabilities", + "type": "string" + }, + { + "name": "StartTimestamp", + "type": "real" + }, + { + "name": "StartDate", + "type": "datetime" + }, + { + "name": "ErrorErrorCode", + "type": "real" + }, + { + "name": "ErrorDescription", + "type": "string" + }, + { + "name": "ComputerConnectorGuid", + "type": "string" + }, + { + "name": "ComputerHostname", + "type": "string" + }, + { + "name": "ComputerExternalIp", + "type": "string" + }, + { + "name": "ComputerUser", + "type": "string" + }, + { + "name": "ComputerActive", + "type": "boolean" + }, + { + "name": "ComputerNetworkAddresses", + "type": "string" + }, + { + "name": "ComputerLinksComputer", + "type": "string" + }, + { + "name": "ComputerLinksTrajectory", + "type": "string" + }, + { + "name": "ComputerLinksGroup", + "type": "string" + }, + { + "name": "FileDisposition", + "type": "string" + }, + { + "name": "FileFileName", + "type": "string" + }, + { + "name": "FileFilePath", + "type": "string" + }, + { + "name": "FileIdentitySha256", + "type": "string" + }, + { + "name": "FileIdentitySha1", + "type": "string" + }, + { + "name": "FileIdentityMd5", + 
"type": "string" + }, + { + "name": "FileParentProcessId", + "type": "real" + }, + { + "name": "FileParentDisposition", + "type": "string" + }, + { + "name": "FileParentFileName", + "type": "string" + }, + { + "name": "FileParentIdentitySha256", + "type": "string" + }, + { + "name": "FileParentIdentitySha1", + "type": "string" + }, + { + "name": "FileParentIdentityMd5", + "type": "string" + }, + { + "name": "FileAttackDetailsApplication", + "type": "string" + }, + { + "name": "FileAttackDetailsAttackedModule", + "type": "string" + }, + { + "name": "FileAttackDetailsBaseAddress", + "type": "string" + }, + { + "name": "FileAttackDetailsSuspiciousFiles", + "type": "string" + }, + { + "name": "FileAttackDetailsIndicators", + "type": "string" + }, + { + "name": "FileArchivedFileDisposition", + "type": "string" + }, + { + "name": "FileArchivedFileIdentitySha256", + "type": "string" + }, + { + "name": "ScanDescription", + "type": "string" + }, + { + "name": "ScanClean", + "type": "boolean" + }, + { + "name": "ScanScannedFiles", + "type": "real" + }, + { + "name": "ScanScannedProcesses", + "type": "real" + }, + { + "name": "ScanScannedPaths", + "type": "real" + }, + { + "name": "ScanMaliciousDetections", + "type": "real" + }, + { + "name": "BpDataPackageManagerPendingVersion", + "type": "real" + }, + { + "name": "BpDataPackageManagerSerialNumber", + "type": "real" + }, + { + "name": "BpDataSts", + "type": "real" + }, + { + "name": "BpDataPackageName", + "type": "string" + }, + { + "name": "BpDataPackageManagerCurrentVersion", + "type": "real" + }, + { + "name": "BpDataNormalizedSeverityId", + "type": "real" + }, + { + "name": "BpDataAudit", + "type": "boolean" + }, + { + "name": "BpDataDetection", + "type": "string" + }, + { + "name": "BpDataEndTs", + "type": "real" + }, + { + "name": "BpDataEngine", + "type": "string" + }, + { + "name": "BpDataId", + "type": "string" + }, + { + "name": "BpDataName", + "type": "string" + }, + { + "name": "BpDataRemediated", + "type": 
"boolean" + }, + { + "name": "BpDataSeverity", + "type": "string" + }, + { + "name": "BpDataSilent", + "type": "boolean" + }, + { + "name": "BpDataStartTs", + "type": "real" + }, + { + "name": "BpDataTactics", + "type": "string" + }, + { + "name": "BpDataTechniques", + "type": "string" + }, + { + "name": "BpDataType", + "type": "string" + }, + { + "name": "BpDataObservablesFile", + "type": "string" + }, + { + "name": "BpDataDetailsActions", + "type": "string" + }, + { + "name": "BpDataDetailsEngEpoch", + "type": "real" + }, + { + "name": "BpDataDetailsEngVer", + "type": "string" + }, + { + "name": "BpDataDetailsSchema", + "type": "string" + }, + { + "name": "BpDataDetailsSchemaEpoch", + "type": "real" + }, + { + "name": "BpDataDetailsSigId", + "type": "real" + }, + { + "name": "BpDataDetailsSigRev", + "type": "real" + }, + { + "name": "BpDataDetailsSigSetVersion", + "type": "real" + }, + { + "name": "BpDataDetailsMatchedActivityEvents", + "type": "string" + }, + { + "name": "BpDataDetailsMatchedActivityLimited", + "type": "boolean" + }, + { + "name": "BpDataDetailsMatchedActivityMatched", + "type": "real" + }, + { + "name": "BpDataDeviceAgentList", + "type": "string" + }, + { + "name": "BpDataDeviceHostname", + "type": "string" + }, + { + "name": "BpDataDeviceNetworkInterfaces", + "type": "string" + }, + { + "name": "BpDataDeviceOsMachineUuid", + "type": "string" + }, + { + "name": "BpDataDeviceTypeId", + "type": "real" + }, + { + "name": "BpDataDeviceHwInfoBiosManufacturer", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoBiosVer", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoCpuBits", + "type": "real" + }, + { + "name": "BpDataDeviceHwInfoCpuType", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoSerialNumber", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoUuid", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoVendorName", + "type": "string" + }, + { + "name": "BpDataDeviceOsBuild", + "type": "string" + }, + { + 
"name": "BpDataDeviceOsEdition", + "type": "string" + }, + { + "name": "BpDataDeviceOsName", + "type": "string" + }, + { + "name": "BpDataDeviceOsTypeId", + "type": "real" + }, + { + "name": "BpDataDeviceOsVersion", + "type": "string" + }, + { + "name": "BpDataNormalizedName", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesAll", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesFileName", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesFilePath", + "type": "string" + }, + { + "name": "BpDataErrorCode", + "type": "real" + }, + { + "name": "BpDataDemo", + "type": "boolean" + }, + { + "name": "BpDataPackageUri", + "type": "string" + }, + { + "name": "BpDataErrorSource", + "type": "string" + }, + { + "name": "BpDataEcx", + "type": "string" + }, + { + "name": "PolicySerialNumber", + "type": "real" + }, + { + "name": "ProductUpdateCurrentVersion", + "type": "string" + }, + { + "name": "ProductUpdateUpdateVersion", + "type": "string" + }, + { + "name": "IsolationDuration", + "type": "real" + }, + { + "name": "IsolationUser", + "type": "string" + }, + { + "name": "ForensicSnapshotUrl", + "type": "string" + }, + { + "name": "DeviceControlDataPackageManagerSerialNumber", + "type": "string" + }, + { + "name": "DeviceControlDataPackageName", + "type": "string" + }, + { + "name": "DeviceControlDataSts", + "type": "real" + }, + { + "name": "DeviceControlDataNormalizedSeverityId", + "type": "real" + }, + { + "name": "DeviceControlDataDemo", + "type": "boolean" + }, + { + "name": "DeviceControlDataType", + "type": "string" + }, + { + "name": "DeviceControlDataEngine", + "type": "string" + }, + { + "name": "DeviceControlDataAudit", + "type": "boolean" + }, + { + "name": "DeviceControlDataDetection", + "type": "string" + }, + { + "name": "DeviceControlDataId", + "type": "string" + }, + { + "name": "DeviceControlDataSilent", + "type": "boolean" + }, + { + "name": "DeviceControlDataDetailsEngVersion", + "type": "string" + }, + { + 
"name": "DeviceControlDataDetailsRulesetVersion", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsPhase", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsAccess", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetRev", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataHardwareId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataVendorId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataInstanceId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceSubClass", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSetupClassId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataProductName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceClass", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSetupClassName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceProtocol", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataUsbSpec", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSerialNumberId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataProductId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataVendorName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsMatchedRulePriority", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsMatchedRuleId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsMatchedRuleDisplayName", + "type": "string" + }, + { + "name": "DeviceControlInstanceId", + "type": "string" + }, + { + "name": "DeviceControlDeviceId", + "type": "string" + }, + { + "name": "DeviceControlVendorName", + "type": "string" + }, + { + "name": "DeviceControlVendorId", + "type": "string" + }, + 
{ + "name": "DeviceControlProductName", + "type": "string" + }, + { + "name": "DeviceControlProductId", + "type": "string" + }, + { + "name": "DeviceControlSerialNumberId", + "type": "string" + }, + { + "name": "DeviceControlAccess", + "type": "string" + }, + { + "name": "DeviceControlRuleId", + "type": "string" + }, + { + "name": "DeviceControlConfigurationId", + "type": "string" + }, + { + "name": "DeviceControlConfigurationRevision", + "type": "real" + }, + { + "name": "EndpointIocScanClean", + "type": "boolean" + }, + { + "name": "EndpointIocScanDescription", + "type": "string" + }, + { + "name": "EndpointIocScanScannedObjects", + "type": "real" + }, + { + "name": "EndpointIocScanMatchedObjects", + "type": "real" + }, + { + "name": "EndpointIocScanMaliciousDetections", + "type": "real" + }, + { + "name": "OrbitalVersion", + "type": "string" + }, + { + "name": "OrbitalOldVersion", + "type": "string" + }, + { + "name": "CommandLineArguments", + "type": "string" + }, + { + "name": "CloudIocDescription", + "type": "string" + }, + { + "name": "CloudIocShortDescription", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentReportGuid", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentHuntGuid", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentTitle", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentSummary", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentRemediation", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentStartTime", + "type": "real" + }, + { + "name": "ThreatHuntingIncidentEndTime", + "type": "real" + }, + { + "name": "ThreatHuntingTactics", + "type": "string" + }, + { + "name": "ThreatHuntingTechniques", + "type": "string" + }, + { + "name": "ThreatHuntingSeverity", + "type": "string" + }, + { + "name": "NetworkInfoDirtyUrl", + "type": "string" + }, + { + "name": "NetworkInfoRemoteIp", + "type": "string" + }, + { + "name": "NetworkInfoRemotePort", + "type": "real" + }, + { + "name": 
"NetworkInfoLocalIp", + "type": "string" + }, + { + "name": "NetworkInfoLocalPort", + "type": "real" + }, + { + "name": "NetworkInfoNfmDirection", + "type": "string" + }, + { + "name": "NetworkInfoNfmProtocol", + "type": "string" + }, + { + "name": "NetworkInfoParentProcessId", + "type": "real" + }, + { + "name": "NetworkInfoParentDisposition", + "type": "string" + }, + { + "name": "NetworkInfoParentFileName", + "type": "string" + }, + { + "name": "NetworkInfoParentIdentitySha256", + "type": "string" + }, + { + "name": "NetworkInfoParentIdentitySha1", + "type": "string" + }, + { + "name": "NetworkInfoParentIdentityMd5", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointAuditLogs_Table.json b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointAuditLogs_Table.json new file mode 100644 index 00000000000..3a769142952 --- /dev/null +++ b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointAuditLogs_Table.json 
@@ -0,0 +1,56 @@
+[
+ {
+ "name": "CiscoSecureEndpointAuditLogsV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-03-01-privatepreview",
+ "location": "{{location}}",
+ "tags": {},
+ "properties": {
+ "schema": {
+ "name": "CiscoSecureEndpointAuditLogsV2_CL",
+ "columns": [
+ {
+ "name": "Event",
+ "type": "string"
+ },
+ {
+ "name": "AuditLogType",
+ "type": "string"
+ },
+ {
+ "name": "AuditLogId",
+ "type": "string"
+ },
+ {
+ "name": "AuditLogUser",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "CreatedAt",
+ "type": "datetime"
+ },
+ {
+ "name": "Item",
+ "type": "string"
+ },
+ {
+ "name": "Message",
+ "type": "string"
+ },
+ {
+ "name": "OldAttributes",
+ "type": "string"
+ },
+ {
+ "name": "NewAttributes",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointEventsLogs_Table.json b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointEventsLogs_Table.json
new file mode 100644
index 00000000000..61817eceb1d
--- /dev/null
+++ b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointEventsLogs_Table.json
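Review bot: `OldAttributes` and `NewAttributes` are declared `string` although they carry the before/after attribute sets of an audit change (policy, user and group edits are exactly what detection content wants to inspect), so every query against them has to `parse_json()` first; declaring them `"type": "dynamic"` here, in the DCR stream declaration and in the KQL-validation fixture keeps the nested fields directly queryable. The visible DCR transform sets `TimeGenerated = created_at`, i.e. Cisco's event time rather than ingestion time; that is the right choice for timelines, but a one-line note in the connector README that lookback windows on `TimeGenerated` can miss late-arriving audit records would save analysts a surprise. The resource also pins `"apiVersion": "2021-03-01-privatepreview"`; if the solution build path accepts a non-private-preview version of `Microsoft.OperationalInsights/workspaces/tables`, prefer it so the table does not depend on a preview contract that can be withdrawn.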
@@ -0,0 +1,792 @@ +[ + { + "name": "CiscoSecureEndpointEventsV2_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-03-01-privatepreview", + "location": "{{location}}", + "tags": {}, + "properties": { + "schema": { + "name": "CiscoSecureEndpointEventsV2_CL", + "columns": [ + { + "name": "Id", + "type": "real" + }, + { + "name": "Timestamp", + "type": "real" + }, + { + "name": "TimestampNanoseconds", + "type": "real" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Date", + "type": "datetime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventTypeId", + "type": "real" + }, + { + "name": "Detection", + "type": "string" + }, + { + "name": "DetectionId", + "type": "string" + }, + { + "name": "ConnectorGuid", + "type": "string" + }, + { + "name": "GroupGuids", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "Tactics", + "type": "string" + }, + { + "name": "Techniques", + "type": "string" + }, + { + "name": "Hostname", + "type": "string" + }, + { + "name": "Vulnerabilities", + "type": "string" + }, + { + "name": "StartTimestamp", + "type": "real" + }, + { + "name": "StartDate", + "type": "datetime" + }, + { + "name": "ErrorErrorCode", + "type": "real" + }, + { + "name": "ErrorDescription", + "type": "string" + }, + { + "name": "ComputerConnectorGuid", + "type": "string" + }, + { + "name": "ComputerHostname", + "type": "string" + }, + { + "name": "ComputerExternalIp", + "type": "string" + }, + { + "name": "ComputerUser", + "type": "string" + }, + { + "name": "ComputerActive", + "type": "boolean" + }, + { + "name": "ComputerNetworkAddresses", + "type": "string" + }, + { + "name": "ComputerLinksComputer", + "type": "string" + }, + { + "name": "ComputerLinksTrajectory", + "type": "string" + }, + { + "name": "ComputerLinksGroup", + "type": "string" + }, + { + "name": "FileDisposition", + "type": "string" + }, + { + "name": "FileFileName", + "type": 
"string" + }, + { + "name": "FileFilePath", + "type": "string" + }, + { + "name": "FileIdentitySha256", + "type": "string" + }, + { + "name": "FileIdentitySha1", + "type": "string" + }, + { + "name": "FileIdentityMd5", + "type": "string" + }, + { + "name": "FileParentProcessId", + "type": "real" + }, + { + "name": "FileParentDisposition", + "type": "string" + }, + { + "name": "FileParentFileName", + "type": "string" + }, + { + "name": "FileParentIdentitySha256", + "type": "string" + }, + { + "name": "FileParentIdentitySha1", + "type": "string" + }, + { + "name": "FileParentIdentityMd5", + "type": "string" + }, + { + "name": "FileAttackDetailsApplication", + "type": "string" + }, + { + "name": "FileAttackDetailsAttackedModule", + "type": "string" + }, + { + "name": "FileAttackDetailsBaseAddress", + "type": "string" + }, + { + "name": "FileAttackDetailsSuspiciousFiles", + "type": "string" + }, + { + "name": "FileAttackDetailsIndicators", + "type": "string" + }, + { + "name": "FileArchivedFileDisposition", + "type": "string" + }, + { + "name": "FileArchivedFileIdentitySha256", + "type": "string" + }, + { + "name": "ScanDescription", + "type": "string" + }, + { + "name": "ScanClean", + "type": "boolean" + }, + { + "name": "ScanScannedFiles", + "type": "real" + }, + { + "name": "ScanScannedProcesses", + "type": "real" + }, + { + "name": "ScanScannedPaths", + "type": "real" + }, + { + "name": "ScanMaliciousDetections", + "type": "real" + }, + { + "name": "BpDataPackageManagerPendingVersion", + "type": "real" + }, + { + "name": "BpDataPackageManagerSerialNumber", + "type": "real" + }, + { + "name": "BpDataSts", + "type": "real" + }, + { + "name": "BpDataPackageName", + "type": "string" + }, + { + "name": "BpDataPackageManagerCurrentVersion", + "type": "real" + }, + { + "name": "BpDataNormalizedSeverityId", + "type": "real" + }, + { + "name": "BpDataAudit", + "type": "boolean" + }, + { + "name": "BpDataDetection", + "type": "string" + }, + { + "name": "BpDataEndTs", + 
"type": "real" + }, + { + "name": "BpDataEngine", + "type": "string" + }, + { + "name": "BpDataId", + "type": "string" + }, + { + "name": "BpDataName", + "type": "string" + }, + { + "name": "BpDataRemediated", + "type": "boolean" + }, + { + "name": "BpDataSeverity", + "type": "string" + }, + { + "name": "BpDataSilent", + "type": "boolean" + }, + { + "name": "BpDataStartTs", + "type": "real" + }, + { + "name": "BpDataTactics", + "type": "string" + }, + { + "name": "BpDataTechniques", + "type": "string" + }, + { + "name": "BpDataType", + "type": "string" + }, + { + "name": "BpDataObservablesFile", + "type": "string" + }, + { + "name": "BpDataDetailsActions", + "type": "string" + }, + { + "name": "BpDataDetailsEngEpoch", + "type": "real" + }, + { + "name": "BpDataDetailsEngVer", + "type": "string" + }, + { + "name": "BpDataDetailsSchema", + "type": "string" + }, + { + "name": "BpDataDetailsSchemaEpoch", + "type": "real" + }, + { + "name": "BpDataDetailsSigId", + "type": "real" + }, + { + "name": "BpDataDetailsSigRev", + "type": "real" + }, + { + "name": "BpDataDetailsSigSetVersion", + "type": "real" + }, + { + "name": "BpDataDetailsMatchedActivityEvents", + "type": "string" + }, + { + "name": "BpDataDetailsMatchedActivityLimited", + "type": "boolean" + }, + { + "name": "BpDataDetailsMatchedActivityMatched", + "type": "real" + }, + { + "name": "BpDataDeviceAgentList", + "type": "string" + }, + { + "name": "BpDataDeviceHostname", + "type": "string" + }, + { + "name": "BpDataDeviceNetworkInterfaces", + "type": "string" + }, + { + "name": "BpDataDeviceOsMachineUuid", + "type": "string" + }, + { + "name": "BpDataDeviceTypeId", + "type": "real" + }, + { + "name": "BpDataDeviceHwInfoBiosManufacturer", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoBiosVer", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoCpuBits", + "type": "real" + }, + { + "name": "BpDataDeviceHwInfoCpuType", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoSerialNumber", + 
"type": "string" + }, + { + "name": "BpDataDeviceHwInfoUuid", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoVendorName", + "type": "string" + }, + { + "name": "BpDataDeviceOsBuild", + "type": "string" + }, + { + "name": "BpDataDeviceOsEdition", + "type": "string" + }, + { + "name": "BpDataDeviceOsName", + "type": "string" + }, + { + "name": "BpDataDeviceOsTypeId", + "type": "real" + }, + { + "name": "BpDataDeviceOsVersion", + "type": "string" + }, + { + "name": "BpDataNormalizedName", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesAll", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesFileName", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesFilePath", + "type": "string" + }, + { + "name": "BpDataErrorCode", + "type": "real" + }, + { + "name": "BpDataDemo", + "type": "boolean" + }, + { + "name": "BpDataPackageUri", + "type": "string" + }, + { + "name": "BpDataErrorSource", + "type": "string" + }, + { + "name": "BpDataEcx", + "type": "string" + }, + { + "name": "PolicySerialNumber", + "type": "real" + }, + { + "name": "ProductUpdateCurrentVersion", + "type": "string" + }, + { + "name": "ProductUpdateUpdateVersion", + "type": "string" + }, + { + "name": "IsolationDuration", + "type": "real" + }, + { + "name": "IsolationUser", + "type": "string" + }, + { + "name": "ForensicSnapshotUrl", + "type": "string" + }, + { + "name": "DeviceControlDataPackageManagerSerialNumber", + "type": "string" + }, + { + "name": "DeviceControlDataPackageName", + "type": "string" + }, + { + "name": "DeviceControlDataSts", + "type": "real" + }, + { + "name": "DeviceControlDataNormalizedSeverityId", + "type": "real" + }, + { + "name": "DeviceControlDataDemo", + "type": "boolean" + }, + { + "name": "DeviceControlDataType", + "type": "string" + }, + { + "name": "DeviceControlDataEngine", + "type": "string" + }, + { + "name": "DeviceControlDataAudit", + "type": "boolean" + }, + { + "name": "DeviceControlDataDetection", + "type": 
"string" + }, + { + "name": "DeviceControlDataId", + "type": "string" + }, + { + "name": "DeviceControlDataSilent", + "type": "boolean" + }, + { + "name": "DeviceControlDataDetailsEngVersion", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetVersion", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsPhase", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsAccess", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetRev", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataHardwareId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataVendorId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataInstanceId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceSubClass", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSetupClassId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataProductName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceClass", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSetupClassName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceProtocol", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataUsbSpec", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSerialNumberId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataProductId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataVendorName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsMatchedRulePriority", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsMatchedRuleId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsMatchedRuleDisplayName", + "type": "string" + }, + { + "name": 
"DeviceControlInstanceId", + "type": "string" + }, + { + "name": "DeviceControlDeviceId", + "type": "string" + }, + { + "name": "DeviceControlVendorName", + "type": "string" + }, + { + "name": "DeviceControlVendorId", + "type": "string" + }, + { + "name": "DeviceControlProductName", + "type": "string" + }, + { + "name": "DeviceControlProductId", + "type": "string" + }, + { + "name": "DeviceControlSerialNumberId", + "type": "string" + }, + { + "name": "DeviceControlAccess", + "type": "string" + }, + { + "name": "DeviceControlRuleId", + "type": "string" + }, + { + "name": "DeviceControlConfigurationId", + "type": "string" + }, + { + "name": "DeviceControlConfigurationRevision", + "type": "real" + }, + { + "name": "EndpointIocScanClean", + "type": "boolean" + }, + { + "name": "EndpointIocScanDescription", + "type": "string" + }, + { + "name": "EndpointIocScanScannedObjects", + "type": "real" + }, + { + "name": "EndpointIocScanMatchedObjects", + "type": "real" + }, + { + "name": "EndpointIocScanMaliciousDetections", + "type": "real" + }, + { + "name": "OrbitalVersion", + "type": "string" + }, + { + "name": "OrbitalOldVersion", + "type": "string" + }, + { + "name": "CommandLineArguments", + "type": "string" + }, + { + "name": "CloudIocDescription", + "type": "string" + }, + { + "name": "CloudIocShortDescription", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentReportGuid", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentHuntGuid", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentTitle", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentSummary", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentRemediation", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentStartTime", + "type": "real" + }, + { + "name": "ThreatHuntingIncidentEndTime", + "type": "real" + }, + { + "name": "ThreatHuntingTactics", + "type": "string" + }, + { + "name": "ThreatHuntingTechniques", + "type": "string" + }, + { + "name": 
"ThreatHuntingSeverity", + "type": "string" + }, + { + "name": "NetworkInfoDirtyUrl", + "type": "string" + }, + { + "name": "NetworkInfoRemoteIp", + "type": "string" + }, + { + "name": "NetworkInfoRemotePort", + "type": "real" + }, + { + "name": "NetworkInfoLocalIp", + "type": "string" + }, + { + "name": "NetworkInfoLocalPort", + "type": "real" + }, + { + "name": "NetworkInfoNfmDirection", + "type": "string" + }, + { + "name": "NetworkInfoNfmProtocol", + "type": "string" + }, + { + "name": "NetworkInfoParentProcessId", + "type": "real" + }, + { + "name": "NetworkInfoParentDisposition", + "type": "string" + }, + { + "name": "NetworkInfoParentFileName", + "type": "string" + }, + { + "name": "NetworkInfoParentIdentitySha256", + "type": "string" + }, + { + "name": "NetworkInfoParentIdentitySha1", + "type": "string" + }, + { + "name": "NetworkInfoParentIdentityMd5", + "type": "string" + } + ] + } + } + } +] \ No newline at end of file diff --git a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_ConnectorDefinition.json b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_ConnectorDefinition.json new file mode 100644 index 00000000000..a95e924ab37 --- /dev/null +++ b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_ConnectorDefinition.json 
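Review bot: `Id` is declared `real` (and `id` in the DCR stream declaration on the following hunk is `real` too), so if Cisco event ids are wider than 53 bits they will be rounded at ingestion and `Id` can no longer be used to de-duplicate or to look an event back up in the Cisco API; unless the id range has been confirmed, declare it `"type": "string"` (or `long`) in both places. `BpDataPackageManagerSerialNumber` is `real` while `DeviceControlDataPackageManagerSerialNumber` is `string`; the two look like the same upstream field and the type mismatch will break any join or union across them, so pick one type for both. `ForensicSnapshotUrl` and `NetworkInfoDirtyUrl` hold live links (the latter to the URL a detection fired on); a comment in the solution docs that these must be treated as untrusted and not clicked from workbooks would be worth adding. The fixture `.script/tests/KqlvalidationsTests/CustomTables/CiscoSecureEndpointEventsV2_CL.json` mirrors this schema column for column and has to be changed in step with any of the above.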
@@ -0,0 +1,174 @@
+{
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "apiVersion": "2022-09-01-preview",
+ "name": "CiscoSecureEndpointLogsCCPDefinition",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "CiscoSecureEndpointLogsCCPDefinition",
+ "title": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total audit logs received",
+ "legend": "Cisco Secure Endpoint Audit logs",
+ "baseQuery": "CiscoSecureEndpointAuditLogsV2_CL"
+ },
+ {
+ "metricName": "Total events received",
+ "legend": "Cisco Secure Endpoint Events",
+ "baseQuery": "CiscoSecureEndpointEventsV2_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get a Sample of Cisco Secure Endpoint Audit Logs",
+ "query": "CiscoSecureEndpointAuditLogsV2_CL\n | take 10"
+ },
+ {
+ "description": "Get a Sample of Cisco Secure Endpoint Events",
+ "query": "CiscoSecureEndpointEventsV2_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CiscoSecureEndpointAuditLogsV2_CL",
+ "lastDataReceivedQuery": "CiscoSecureEndpointAuditLogsV2_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "CiscoSecureEndpointEventsV2_CL",
+ "lastDataReceivedQuery": "CiscoSecureEndpointEventsV2_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Cisco Secure Endpoint API Credentials/Regions",
+ "description": "To create API Credentials and to understand the regions, follow the document link provided here. [Click here](https://github.com/v-gudivya/Cisco-Secure-Endpoint/blob/main/README.md)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "To ingest data from Cisco Secure Endpoint to Microsoft Sentinel, you have to click on Add Account button below, then you get a pop up to fill the details like Email, Organization, Client ID, API Key and Region, provide the required information and click on Connect. You can see the connected organizations/emails in the below grid.\n>",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Organization",
+ "columnValue": "properties.addOnAttributes.Organization"
+ },
+ {
+ "columnName": "Email",
+ "columnValue": "properties.addOnAttributes.Email"
+ },
+ {
+ "columnName": "Endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "isPrimary": true,
+ "label": "Add Account",
+ "title": "Add Account",
+ "subtitle": "Add Account",
+ "contextPaneType": "DataConnectorsContextPane",
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Email",
+ "placeholder": "Enter your Cisco Email",
+ "type": "text",
+ "name": "email",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Organization",
+ "placeholder": "Enter the name of your Organization",
+ "type": "text",
+ "name": "organization",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Client ID",
+ "placeholder": "Enter your Client ID",
+ "type": "text",
+ "name": "username",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint API Key",
+ "placeholder": "Enter your API Key",
+ "type": "password",
+ "name": "apiKey",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Region",
+ "placeholder": "Enter the region you want to connect",
+ "type": "text",
+ "name": "region",
+ "required": true,
+ "description": "For example, if your region is https://api.apjc.amp.cisco.com then enter only apjc.amp in the above field. Follow the link provided in the Cisco Secure Endpoint API Credentials/Regions section for better understanding of the regions."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "title": "Connect Cisco Secure Endpoint to Microsoft Sentinel"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_DCR.json b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_DCR.json
new file mode 100644
index 00000000000..fc1151149f8
--- /dev/null
+++ b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_DCR.json
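Review bot: `requiredPermissions` requests `"delete": true` on the workspace while `permissionsDisplayText` tells the operator that only "Read and Write permissions are required."; the definition should ask for exactly what the connector uses, so either set `"delete": false` or change the display text to say why delete is needed. The `region` textbox is free text that, judging by the `properties.request.apiEndpoint` grid column and the `apjc.amp` example, is spliced into the API hostname; a dropdown limited to the known Cisco regions would stop a typo or a crafted value from sending the Client ID and API key to an unintended host (the poller that builds the URL is not in this hunk, so confirm how the value is consumed). The credentials/regions help link points at a personal GitHub repository rather than Cisco or Microsoft documentation, which for a Microsoft-published connector is a takeover/phishing exposure if that account or repo changes hands — point it at the Cisco developer pages already cited in `descriptionMarkdown`. The instruction `description` also ends in a stray `\n>` that renders as an empty blockquote and should be dropped.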
@@ -0,0 +1,219 @@
+[
+ {
+ "name": "CiscoSecureEndpointDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+ "streamDeclarations": {
+ "Custom-CiscoSecureEndpointAuditLogs": {
+ "columns": [
+ {
+ "name": "event",
+ "type": "string"
+ },
+ {
+ "name": "audit_log_type",
+ "type": "string"
+ },
+ {
+ "name": "audit_log_id",
+ "type": "string"
+ },
+ {
+ "name": "audit_log_user",
+ "type": "string"
+ },
+ {
+ "name": "created_at",
+ "type": "datetime"
+ },
+ {
+ "name": "item",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "old_attributes",
+ "type": "string"
+ },
+ {
+ "name": "new_attributes",
+ "type": "string"
+ }
+ ]
+ },
+ "Custom-CiscoSecureEndpointEvents": {
+ "columns": [
+ {
+ "name": "id",
+ "type": "real"
+ },
+ {
+ "name": "timestamp",
+ "type": "real"
+ },
+ {
+ "name": "timestamp_nanoseconds",
+ "type": "real"
+ },
+ {
+ "name": "date",
+ "type": "datetime"
+ },
+ {
+ "name": "event_type",
+ "type": "string"
+ },
+ {
+ "name": "event_type_id",
+ "type": "real"
+ },
+ {
+ "name": "detection",
+ "type": "string"
+ },
+ {
+ "name": "detection_id",
+ "type": "string"
+ },
+ {
+ "name": "connector_guid",
+ "type": "string"
+ },
+ {
+ "name": "group_guids",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "tactics",
+ "type": "string"
+ },
+ {
+ "name": "techniques",
+ "type": "string"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "vulnerabilities",
+ "type": "string"
+ },
+ {
+ "name": "start_timestamp",
+ "type": "real"
+ },
+ {
+ "name": "start_date",
+ "type": "datetime"
+ },
+ {
+ "name": "error",
+ "type": "dynamic"
+ },
+ {
+ "name": "computer",
+ "type": "dynamic"
+ },
+ {
+ "name": "file",
+ "type": "dynamic"
+ },
+ {
+ "name": "scan",
+ "type": "dynamic"
+ },
+ {
+ "name": "bp_data",
+ "type": "dynamic"
+ },
+ {
+ "name": "policy",
+ "type": "dynamic"
+ },
+ {
+ "name": "product_update",
+ "type": "dynamic"
+ },
+ {
+ "name": "isolation",
+ "type": "dynamic"
+ },
+ {
+ "name": "forensic_snapshot",
+ "type": "dynamic"
+ },
+ {
+ "name": "device_control",
+ "type": "dynamic"
+ },
+ {
+ "name": "endpoint_ioc_scan",
+ "type": "dynamic"
+ },
+ {
+ "name": "orbital",
+ "type": "dynamic"
+ },
+ {
+ "name": "command_line",
+ "type": "dynamic"
+ },
+ {
+ "name": "cloud_ioc",
+ "type": "dynamic"
+ },
+ {
+ "name": "threat_hunting",
+ "type": "dynamic"
+ },
+ {
+ "name": "network_info",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-CiscoSecureEndpointAuditLogs"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = created_at | project-rename Event = event, AuditLogType = audit_log_type, AuditLogId = audit_log_id, AuditLogUser = audit_log_user, CreatedAt = created_at, Item = item, Message = message, OldAttributes = old_attributes, NewAttributes = new_attributes",
+ "outputStream": "Custom-CiscoSecureEndpointAuditLogsV2_CL"
+ },
+ {
+ "streams": [
+ "Custom-CiscoSecureEndpointEvents"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend Error = parse_json(error) | extend Computer = parse_json(computer) | extend File = parse_json(file) | extend Scan = parse_json(scan) | extend BpData = parse_json(bp_data) | extend Policy = parse_json(policy) | extend ProductUpdate = parse_json(product_update) | extend Isolation = parse_json(isolation) | extend ForensicSnapshot = parse_json(forensic_snapshot) | extend DeviceControl = parse_json(device_control) | extend EndpointIocScan = parse_json(endpoint_ioc_scan) | extend Orbital = parse_json(orbital) | extend CommandLine = parse_json(command_line) | extend CloudIoc = parse_json(cloud_ioc) | extend
ThreatHunting = parse_json(threat_hunting) | extend NetworkInfo = parse_json(network_info) | extend Id = id, Timestamp = timestamp, TimestampNanoseconds = timestamp_nanoseconds, TimeGenerated = ['date'], Date = ['date'], EventType = event_type, EventTypeId = event_type_id, Detection = detection, DetectionId = detection_id, ConnectorGuid = connector_guid, GroupGuids = group_guids, Severity = severity, Tactics = tactics, Techniques = techniques, Hostname = hostname, Vulnerabilities = vulnerabilities, StartTimestamp = start_timestamp, StartDate = start_date, ErrorErrorCode = todouble(Error['error_code']), ErrorDescription = tostring(Error['description']), ComputerConnectorGuid = tostring(Computer['connector_guid']), ComputerHostname = tostring(Computer['hostname']), ComputerExternalIp = tostring(Computer['external_ip']), ComputerUser = tostring(Computer['user']), ComputerActive = tobool(Computer['active']), ComputerNetworkAddresses = tostring(Computer['network_addresses']), ComputerLinksComputer = tostring(Computer['links']['computer']), ComputerLinksTrajectory = tostring(Computer['links']['trajectory']), ComputerLinksGroup = tostring(Computer['links']['group']), FileDisposition = tostring(File['disposition']), FileFileName = tostring(File['file_name']), FileFilePath = tostring(File['file_path']), FileIdentitySha256 = tostring(File['identity']['sha256']), FileIdentitySha1 = tostring(File['identity']['sha1']), FileIdentityMd5 = tostring(File['identity']['md5']), FileParentProcessId = todouble(File['parent']['process_id']), FileParentDisposition = tostring(File['parent']['disposition']), FileParentFileName = tostring(File['parent']['file_name']), FileParentIdentitySha256 = tostring(File['parent']['identity']['sha256']), FileParentIdentitySha1 = tostring(File['parent']['identity']['sha1']), FileParentIdentityMd5 = tostring(File['parent']['identity']['md5']), FileAttackDetailsApplication = tostring(File['attack_details']['application']), FileAttackDetailsAttackedModule = 
tostring(File['attack_details']['attacked_module']), FileAttackDetailsBaseAddress = tostring(File['attack_details']['base_address']), FileAttackDetailsSuspiciousFiles = tostring(File['attack_details']['suspicious_files']), FileAttackDetailsIndicators = tostring(File['attack_details']['indicators']), FileArchivedFileDisposition = tostring(File['archived_file']['disposition']), FileArchivedFileIdentitySha256 = tostring(File['archived_file']['identity']['sha256']), ScanDescription = tostring(Scan['description']), ScanClean = tobool(Scan['clean']), ScanScannedFiles = todouble(Scan['scanned_files']), ScanScannedProcesses = todouble(Scan['scanned_processes']), ScanScannedPaths = todouble(Scan['scanned_paths']), ScanMaliciousDetections = todouble(Scan['malicious_detections']), BpDataPackageManagerPendingVersion = todouble(BpData['package_manager_pending_version']), BpDataPackageManagerSerialNumber = todouble(BpData['package_manager_serial_number']), BpDataSts = todouble(BpData['sts']), BpDataPackageName = tostring(BpData['package_name']), BpDataPackageManagerCurrentVersion = todouble(BpData['package_manager_current_version']), BpDataNormalizedSeverityId = todouble(BpData['normalized']['severity_id']), BpDataAudit = tobool(BpData['audit']), BpDataDetection = tostring(BpData['detection']), BpDataEndTs = todouble(BpData['end_ts']), BpDataEngine = tostring(BpData['engine']), BpDataId = tostring(BpData['id']), BpDataName = tostring(BpData['name']), BpDataRemediated = tobool(BpData['remediated']), BpDataSeverity = tostring(BpData['severity']), BpDataSilent = tobool(BpData['silent']), BpDataStartTs = todouble(BpData['start_ts']), BpDataTactics = tostring(BpData['tactics']), BpDataTechniques = tostring(BpData['techniques']), BpDataType = tostring(BpData['type']), BpDataObservablesFile = tostring(BpData['observables']['file']), BpDataDetailsActions = tostring(BpData['details']['actions']), BpDataDetailsEngEpoch = todouble(BpData['details']['eng_epoch']), BpDataDetailsEngVer = 
tostring(BpData['details']['eng_ver']), BpDataDetailsSchema = tostring(BpData['details']['schema']), BpDataDetailsSchemaEpoch = todouble(BpData['details']['schema_epoch']), BpDataDetailsSigId = todouble(BpData['details']['sig_id']), BpDataDetailsSigRev = todouble(BpData['details']['sig_rev']), BpDataDetailsSigSetVersion = todouble(BpData['details']['sig_set_version']), BpDataDetailsMatchedActivityEvents = tostring(BpData['details']['matched_activity']['events']), BpDataDetailsMatchedActivityLimited = tobool(BpData['details']['matched_activity']['limited']), BpDataDetailsMatchedActivityMatched = todouble(BpData['details']['matched_activity']['matched']), BpDataDeviceAgentList = tostring(BpData['device']['agent_list']), BpDataDeviceHostname = tostring(BpData['device']['hostname']), BpDataDeviceNetworkInterfaces = tostring(BpData['device']['network_interfaces']), BpDataDeviceOsMachineUuid = tostring(BpData['device']['os_machine_uuid']), BpDataDeviceTypeId = todouble(BpData['device']['type_id']), BpDataDeviceHwInfoBiosManufacturer = tostring(BpData['device']['hw_info']['bios_manufacturer']), BpDataDeviceHwInfoBiosVer = tostring(BpData['device']['hw_info']['bios_ver']), BpDataDeviceHwInfoCpuBits = todouble(BpData['device']['hw_info']['cpu_bits']), BpDataDeviceHwInfoCpuType = tostring(BpData['device']['hw_info']['cpu_type']), BpDataDeviceHwInfoSerialNumber = tostring(BpData['device']['hw_info']['serial_number']), BpDataDeviceHwInfoUuid = tostring(BpData['device']['hw_info']['uuid']), BpDataDeviceHwInfoVendorName = tostring(BpData['device']['hw_info']['vendor_name']), BpDataDeviceOsBuild = tostring(BpData['device']['os']['build']), BpDataDeviceOsEdition = tostring(BpData['device']['os']['edition']), BpDataDeviceOsName = tostring(BpData['device']['os']['name']), BpDataDeviceOsTypeId = todouble(BpData['device']['os']['type_id']), BpDataDeviceOsVersion = tostring(BpData['device']['os']['version']), BpDataNormalizedName = tostring(BpData['normalized']['name']), 
BpDataNormalizedObservablesAll = tostring(BpData['normalized']['observables']['all']), BpDataNormalizedObservablesFileName = tostring(BpData['normalized']['observables']['file']['name']), BpDataNormalizedObservablesFilePath = tostring(BpData['normalized']['observables']['file']['path']), BpDataErrorCode = todouble(BpData['error_code']), BpDataDemo = tobool(BpData['demo']), BpDataPackageUri = tostring(BpData['package_uri']), BpDataErrorSource = tostring(BpData['source']), BpDataEcx = tostring(BpData['ecx']), PolicySerialNumber = todouble(Policy['serial_number']), ProductUpdateCurrentVersion = tostring(ProductUpdate['current_version']), ProductUpdateUpdateVersion = tostring(ProductUpdate['update_version']), IsolationDuration = todouble(Isolation['duration']), IsolationUser = tostring(Isolation['user']), ForensicSnapshotUrl = tostring(ForensicSnapshot['url']), DeviceControlDataPackageManagerSerialNumber = tostring(DeviceControl['data']['package_manager_serial_number']), DeviceControlDataPackageName = tostring(DeviceControl['data']['package_name']), DeviceControlDataSts = todouble(DeviceControl['data']['sts']), DeviceControlDataNormalizedSeverityId = todouble(DeviceControl['data']['normalized']['severity_id']), DeviceControlDataDemo = tobool(DeviceControl['data']['demo']), DeviceControlDataType = tostring(DeviceControl['data']['type']), DeviceControlDataEngine = tostring(DeviceControl['data']['engine']), DeviceControlDataAudit = tobool(DeviceControl['data']['audit']), DeviceControlDataDetection = tostring(DeviceControl['data']['detection']), DeviceControlDataId = tostring(DeviceControl['data']['id']), DeviceControlDataSilent = tobool(DeviceControl['data']['silent']), DeviceControlDataDetailsEngVersion = tostring(DeviceControl['data']['details']['eng_version']), DeviceControlDataDetailsRulesetVersion = tostring(DeviceControl['data']['details']['ruleset_version']), DeviceControlDataDetailsPhase = tostring(DeviceControl['data']['details']['phase']), 
DeviceControlDataDetailsRulesetId = tostring(DeviceControl['data']['details']['ruleset_id']), DeviceControlDataDetailsAccess = tostring(DeviceControl['data']['details']['access']), DeviceControlDataDetailsRulesetRev = todouble(DeviceControl['data']['details']['ruleset_rev']), DeviceControlDataDetailsDeviceDataHardwareId = tostring(DeviceControl['data']['details']['device_data']['hardware_id']), DeviceControlDataDetailsDeviceDataVendorId = tostring(DeviceControl['data']['details']['device_data']['vendor_id']), DeviceControlDataDetailsDeviceDataInstanceId = tostring(DeviceControl['data']['details']['device_data']['instance_id']), DeviceControlDataDetailsDeviceDataDeviceSubClass = todouble(DeviceControl['data']['details']['device_data']['device_subClass']), DeviceControlDataDetailsDeviceDataSetupClassId = tostring(DeviceControl['data']['details']['device_data']['setup_class_id']), DeviceControlDataDetailsDeviceDataProductName = tostring(DeviceControl['data']['details']['device_data']['product_name']), DeviceControlDataDetailsDeviceDataDeviceClass = todouble(DeviceControl['data']['details']['device_data']['device_class']), DeviceControlDataDetailsDeviceDataSetupClassName = tostring(DeviceControl['data']['details']['device_data']['setup_class_name']), DeviceControlDataDetailsDeviceDataDeviceProtocol = todouble(DeviceControl['data']['details']['device_data']['device_protocol']), DeviceControlDataDetailsDeviceDataUsbSpec = tostring(DeviceControl['data']['details']['device_data']['usb_spec']), DeviceControlDataDetailsDeviceDataSerialNumberId = tostring(DeviceControl['data']['details']['device_data']['serial_number_id']), DeviceControlDataDetailsDeviceDataProductId = tostring(DeviceControl['data']['details']['device_data']['product_id']), DeviceControlDataDetailsDeviceDataVendorName = tostring(DeviceControl['data']['details']['device_data']['vendor_name']), DeviceControlDataDetailsMatchedRulePriority = todouble(DeviceControl['data']['details']['matched_rule']['priority']), 
DeviceControlDataDetailsMatchedRuleId = tostring(DeviceControl['data']['details']['matched_rule']['rule_id']), DeviceControlDataDetailsMatchedRuleDisplayName = tostring(DeviceControl['data']['details']['matched_rule']['display_name']), DeviceControlInstanceId = tostring(DeviceControl['instance_id']), DeviceControlDeviceId = tostring(DeviceControl['device_id']), DeviceControlVendorName = tostring(DeviceControl['vendor_name']), DeviceControlVendorId = tostring(DeviceControl['vendor_id']), DeviceControlProductName = tostring(DeviceControl['product_name']), DeviceControlProductId = tostring(DeviceControl['product_id']), DeviceControlSerialNumberId = tostring(DeviceControl['serial_number_id']), DeviceControlAccess = tostring(DeviceControl['access']), DeviceControlRuleId = tostring(DeviceControl['rule_id']), DeviceControlConfigurationId = tostring(DeviceControl['configuration_id']), DeviceControlConfigurationRevision = todouble(DeviceControl['configuration_revision']), EndpointIocScanClean = tobool(EndpointIocScan['clean']), EndpointIocScanDescription = tostring(EndpointIocScan['description']), EndpointIocScanScannedObjects = todouble(EndpointIocScan['scanned_objects']), EndpointIocScanMatchedObjects = todouble(EndpointIocScan['matched_objects']), EndpointIocScanMaliciousDetections = todouble(EndpointIocScan['malicious_detections']), OrbitalVersion = tostring(Orbital['version']), OrbitalOldVersion = tostring(Orbital['old_version']), CommandLineArguments = tostring(CommandLine['arguments']), CloudIocDescription = tostring(CloudIoc['description']), CloudIocShortDescription = tostring(CloudIoc['short_description']), ThreatHuntingIncidentReportGuid = tostring(ThreatHunting['report_guid']), ThreatHuntingIncidentHuntGuid = tostring(ThreatHunting['hunt_guid']), ThreatHuntingIncidentTitle = tostring(ThreatHunting['title']), ThreatHuntingIncidentSummary = tostring(ThreatHunting['summary']), ThreatHuntingIncidentRemediation = tostring(ThreatHunting['remediation']), 
ThreatHuntingIncidentStartTime = todouble(ThreatHunting['start_time']), ThreatHuntingIncidentEndTime = todouble(ThreatHunting['end_time']), ThreatHuntingTactics = tostring(ThreatHunting['tactics']), ThreatHuntingTechniques = tostring(ThreatHunting['techniques']), ThreatHuntingSeverity = tostring(ThreatHunting['severity']), NetworkInfoDirtyUrl = tostring(NetworkInfo['dirty_url']), NetworkInfoRemoteIp = tostring(NetworkInfo['remote_ip']), NetworkInfoRemotePort = todouble(NetworkInfo['remote_port']), NetworkInfoLocalIp = tostring(NetworkInfo['local_ip']), NetworkInfoLocalPort = todouble(NetworkInfo['local_port']), NetworkInfoNfmDirection = tostring(NetworkInfo['nfm']['direction']), NetworkInfoNfmProtocol = tostring(NetworkInfo['nfm']['protocol']), NetworkInfoParentProcessId = todouble(NetworkInfo['parent']['process_id']), NetworkInfoParentDisposition = tostring(NetworkInfo['parent']['disposition']), NetworkInfoParentFileName = tostring(NetworkInfo['parent']['file_name']), NetworkInfoParentIdentitySha256 = tostring(NetworkInfo['parent']['identity']['sha256']), NetworkInfoParentIdentitySha1 = tostring(NetworkInfo['parent']['identity']['sha1']), NetworkInfoParentIdentityMd5 = tostring(NetworkInfo['parent']['identity']['md5']) | project-away error, computer, file, scan, bp_data, policy, product_update, isolation, forensic_snapshot, device_control, endpoint_ioc_scan, orbital, command_line, cloud_ioc, threat_hunting, network_info",
+ "outputStream": "Custom-CiscoSecureEndpointEventsV2_CL"
+ }
+ ]
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_PollingConfig.json b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_PollingConfig.json
new file mode 100644
index 00000000000..fbc1c47a3d7
--- /dev/null
+++ b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_PollingConfig.json
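Review bot: The closing `project-away` in the Custom-CiscoSecureEndpointEvents transform drops the raw `file`, `computer`, `network_info` and the other dynamic objects, so any nested attribute this transform does not flatten, and anything Cisco adds to those objects later, is gone at ingest and cannot be recovered during an investigation; the PascalCase copies (`File`, `Computer`, …) do survive the transform, but whether they reach the table depends on the V2_CL schema, which is not in this hunk. Worth either keeping one raw `dynamic` column per event family in the table or stating the loss in the release notes. Separately, `id` is declared `real` and copied as `Id = id`, so the event identifier is stored as a double; if Cisco ids can exceed 2^53 they are rounded on ingest and distinct events can collide on Id, which breaks dedup and joins, whereas `{ "name": "id", "type": "string" }` with `Id = tostring(id)` (and a matching table column type) keeps it exact.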
@@ -0,0 +1,93 @@
+[
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2022-10-01-preview",
+ "name": "{{innerWorkspace}}/Microsoft.SecurityInsights/CiscoSecureEndpointCCPAuditLogsPoller{{organization}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "CiscoSecureEndpointLogsCCPDefinition",
+ "dataType": "CiscoSecureEndpointAuditLogsV2_CL",
+ "addOnAttributes": {
+ "Organization": "[[parameters('organization')]",
+ "Email": "[[parameters('email')]"
+ },
+ "dcrConfig": {
+ "streamName": "Custom-CiscoSecureEndpointAuditLogs"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password": "[[parameters('apiKey')]"
+ },
+ "request": {
+ "apiEndpoint": "https://api.{{region}}.cisco.com/v1/audit_logs",
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 10,
+ "retryCount": 3,
+ "headers": {
+ "Accept": "application/json"
+ },
+ "queryParameters": {
+ "start_time": "{_QueryWindowStartTime}",
+ "end_time": "{_QueryWindowEndTime}"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.metadata.links.next"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2022-10-01-preview",
+ "name": "{{innerWorkspace}}/Microsoft.SecurityInsights/CiscoSecureEndpointCCPEventsPoller{{organization}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "CiscoSecureEndpointLogsCCPDefinition",
+ "dataType": "CiscoSecureEndpointEventsV2_CL",
+ "addOnAttributes": {
+ "Organization": "[[parameters('organization')]",
+ "Email": "[[parameters('email')]"
+ },
+ "dcrConfig": {
+ "streamName": "Custom-CiscoSecureEndpointEvents"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password": "[[parameters('apiKey')]"
+ },
+ "request": {
+ "apiEndpoint": "https://api.{{region}}.cisco.com/v1/events",
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 10,
+ "retryCount": 3,
+ "headers": {
+ "Accept": "application/json"
+ },
+ "queryParameters": {
+ "start_date": "{_QueryWindowStartTime}"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.metadata.links.next"
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpoint_API_FunctionApp.json b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpoint_API_FunctionApp.json
index 644942c68d3..b3e20160d2d 100644
--- a/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpoint_API_FunctionApp.json
+++ b/Solutions/Cisco Secure Endpoint/Data Connectors/CiscoSecureEndpoint_API_FunctionApp.json
@@ -1,8 +1,8 @@
 {
 "id": "CiscoSecureEndpoint",
- "title": "Cisco Secure Endpoint (AMP)",
+ "title": "[DEPRECATED] Cisco Secure Endpoint (AMP)",
 "publisher": "Cisco",
- "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.",
+ "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n
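Review bot: `apiEndpoint` splices the user-supplied `{{region}}` straight into the hostname (`https://api.{{region}}.cisco.com/v1/audit_logs` and `/v1/events`), and each poller then sends the client id and API key as HTTP Basic credentials to whatever host that string yields; the region is typed into a free-text field, so a typo or a value containing `/` or `#` changes the host the key is posted to, and whether the `{{region}}` substitution escapes anything is not visible here. Constraining the value to the known Cisco region tokens (an allow-list or a regex on the region input, wherever the connector definition declares it) keeps the credential pinned to the expected `*.cisco.com` endpoints. Basic auth with the API key as the password is Cisco's documented v1 scheme, so that part is as expected; the poller `name` also embeds the raw organization string, which presumably the framework sanitizes, but that is worth confirming with an organization name containing `/` or spaces.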

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

",
 "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSecureEndpoint**](https://aka.ms/sentinel-ciscosecureendpoint-parser) which is deployed with the Microsoft Sentinel Solution.",
 "graphQueries": [
 {
diff --git a/Solutions/Cisco Secure Endpoint/Data/Solution_CiscoSecureEndpoint.json b/Solutions/Cisco Secure Endpoint/Data/Solution_CiscoSecureEndpoint.json
index c5416147711..10575a6f6ab 100644
--- a/Solutions/Cisco Secure Endpoint/Data/Solution_CiscoSecureEndpoint.json
+++ b/Solutions/Cisco Secure Endpoint/Data/Solution_CiscoSecureEndpoint.json
@@ -2,7 +2,7 @@
 "Name": "Cisco Secure Endpoint",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [Cisco Secure Endpoint](https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html) (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
+ "Description": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Log Ingestion API in Azure Monitor](https://aka.ms/Log-Ingestion-API)\r\n\n b. [Microsoft Sentinel Codeless Connector Framework](https://aka.ms/Sentinel-CCP_Platform)\n\n

NOTE: Microsoft recommends installation of \"CiscoSecureEndpointLogsCCPDefinition\" (via Codeless Connector Framework). This connector is build on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, which replaces ingestion via the deprecated HTTP Data Collector API. CCF-based data connectors also support Data Collection Rules (DCRs) offering transformations and enrichment.

\n\n

Important: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data..

",
 "Workbooks": [
 "Workbooks/Cisco Secure Endpoint Overview.json"
 ],
@@ -22,6 +22,7 @@
 "Hunting Queries/CiscoSEVulnerableApplications.yaml"
 ],
 "Data Connectors": [
+ "Data Connectors/CiscoSecureEndpointLogs_ccp/CiscoSecureEndpointLogs_ConnectorDefinition.json",
 "Data Connectors/CiscoSecureEndpoint_API_FunctionApp.json"
 ],
 "Analytic Rules": [
diff --git a/Solutions/Cisco Secure Endpoint/Package/3.0.1.zip b/Solutions/Cisco Secure Endpoint/Package/3.0.1.zip
new file mode 100644
index 00000000000..52a148c7aff
Binary files /dev/null and b/Solutions/Cisco Secure Endpoint/Package/3.0.1.zip differ
diff --git a/Solutions/Cisco Secure Endpoint/Package/createUiDefinition.json b/Solutions/Cisco Secure Endpoint/Package/createUiDefinition.json
index 1df050df71f..7811b0bbc9e 100644
--- a/Solutions/Cisco Secure Endpoint/Package/createUiDefinition.json
+++ b/Solutions/Cisco Secure Endpoint/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Endpoint/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Endpoint](https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html) (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Endpoint/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Log Ingestion API in Azure Monitor](https://aka.ms/Log-Ingestion-API)\r\n\n b. [Microsoft Sentinel Codeless Connector Framework](https://aka.ms/Sentinel-CCP_Platform)\n\n

NOTE: Microsoft recommends installation of \"CiscoSecureEndpointLogsCCPDefinition\" (via Codeless Connector Framework). This connector is build on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, which replaces ingestion via the deprecated HTTP Data Collector API. CCF-based data connectors also support Data Collection Rules (DCRs) offering transformations and enrichment.

\n\n

Important: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data..

\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -59,6 +59,23 @@
 {
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Cisco Secure Endpoint. You can get Cisco Secure Endpoint data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link1",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "This Solution installs the data connector for Cisco Secure Endpoint. You can get Cisco Secure Endpoint custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 }
diff --git a/Solutions/Cisco Secure Endpoint/Package/mainTemplate.json b/Solutions/Cisco Secure Endpoint/Package/mainTemplate.json
index 5a153fb8cc8..d1fbd491710 100644
--- a/Solutions/Cisco Secure Endpoint/Package/mainTemplate.json
+++ b/Solutions/Cisco Secure Endpoint/Package/mainTemplate.json
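Review bot: The two TextBlocks `dataconnectors1-text` and `dataconnectors2-text` read almost identically ("This Solution installs the data connector for Cisco Secure Endpoint…"), so the installer UI never tells the user that one of the two connectors is the deprecated Azure Functions one, even though the `basics.description` in the same file warns that running both ingests duplicate data. Assuming the blocks follow the solution's Data Connectors order (CCF first, legacy second), I would make the second explicit: `"text": "This Solution also installs the legacy [DEPRECATED] Azure Functions based Cisco Secure Endpoint data connector, kept for existing deployments. Enable only one of the two connectors; running both ingests duplicate data."`. The shared description text also has `is build on` (should be `is built on`) and a doubled period after `duplication of data`.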
@@ -35,13 +35,27 @@
 "metadata": {
 "description": "Name for the workbook"
 }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
 }
 },
 "variables": {
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Cisco Secure Endpoint",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-solution-ciscosecureendpoint",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.0",
@@ -52,8 +66,8 @@
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','CiscoSecureEndpoint Data Parser')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint Data Parser')]",
+ "_parserName1": "[concat(parameters('workspace'),'/','CiscoSecureEndpoint')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('CiscoSecureEndpoint-Parser')))]",
 "parserVersion1": "1.0.0",
 "parserContentId1": "CiscoSecureEndpoint-Parser"
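Review bot: Renaming the parser saved search from `CiscoSecureEndpoint Data Parser` to `CiscoSecureEndpoint` changes the `savedSearches` resource id, and an incremental ARM deployment does not delete resources that dropped out of the template, so an upgraded workspace will keep the old saved search next to the new one unless the content-hub upgrade path removes it; if both carry the same function alias the second deployment may also fail with a conflict. A release-note line telling upgraders to delete the old `CiscoSecureEndpoint Data Parser` saved search (or a check that the packaging tool removes it) would avoid that support case. Minor, in the parameters hunk above: `"[last(split(subscription().id, '/'))]"` is just `"[subscription().subscriptionId]"`, and the two new descriptions should say what the parameters locate (the Data Collection Endpoint used by the CCF connector) rather than only `where Microsoft Sentinel is setup`.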
@@ -108,15 +122,22 @@ "_huntingQuerycontentId10": "3d3330e9-d11b-4b68-8861-251253950bd2", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3d3330e9-d11b-4b68-8861-251253950bd2')))]" }, - "uiConfigId1": "CiscoSecureEndpoint", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "CiscoSecureEndpoint", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition1": "CiscoSecureEndpointLogsCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "CiscoSecureEndpointLogsCCPDefinitionConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": 
"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "uiConfigId2": "CiscoSecureEndpoint", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "CiscoSecureEndpoint", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "analyticRuleObject1": { "analyticRuleVersion1": "1.0.1", "_analyticRulecontentId1": "4683ebce-07ad-4089-89e3-39d8fe83c011", @@ -206,7 +227,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cisco Secure Endpoint Overview Workbook with template version 3.0.0", + "description": "Cisco Secure Endpoint Overview Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
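Review bot: `dataCollectionEndpointId1` is assembled by string concatenation from `parameters('subscription')` and `parameters('resourceGroupName')`, which skips the validation and normalization ARM applies to resource ids and yields a silently dangling reference whenever the endpoint is not named exactly after the workspace; `"dataCollectionEndpointId1": "[resourceId(parameters('subscription'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', parameters('workspace'))]"` expresses the same id idiomatically and fails early on a malformed input. `"blanks": "[replace('b', 'b', '')]"` evaluates to an empty string but reads as a puzzle; if it works around a tooling limitation, a name such as `emptyString` (ARM's strict JSON leaves no room for a comment) would make the intent visible. The variables block continues past the end of the hunk.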
@@ -294,7 +315,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSecureEndpoint Data Parser with template version 3.0.0", + "description": "CiscoSecureEndpoint Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -308,10 +329,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "CiscoSecureEndpoint Data Parser", + "displayName": "Parser for CiscoSecureEndpoint", "category": "Microsoft Sentinel Parser", "functionAlias": "CiscoSecureEndpoint", - "query": "CiscoSecureEndpoint_CL\n| extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n| project-rename \n EventSubType = audit_log_type_s,\n SrcUserName = audit_log_user_s,\n DstMacAddr = computer_network_addresses_s,\n DstHostname = computer_hostname_s,\n DstUsername = computer_user_s,\n DstIpAddr = computer_external_ip_s,\n ConnectorGuid = connector_guid_g,\n GroupGuid = group_guids_s,\n DvcId = id_d,\n EventOriginalId = event_type_id_d,\n ThreatName = detection_s,\n ThreatId = detection_id_s,\n ThreatSeverity = severity_s,\n DstDvcHostname = new_attributes_name_s,\n DvcHostname = new_attributes_hostname_s,\n DvcIpAddr = new_attributes_ip_external_s,\n DstDvcOsId = new_attributes_operating_system_id_d,\n EventProductVersion = new_attributes_product_version_id_d,\n SrcDvcId = computer_connector_guid_g,\n ComputerLinksComputer = computer_links_computer_s,\n ComputerLinksTrajectory = computer_links_trajectory_s,\n ComputerLinksGroup = computer_links_group_s,\n IndicatorThreatType = file_disposition_s,\n SrcFileName = file_file_name_s,\n SrcFilePath = file_file_path_s,\n SrcFileMD5 = file_identity_md5_g,\n SrcFileSHA1 = file_identity_sha1_s,\n SrcFileSHA256 = file_identity_sha256_s,\n ParentProcessId = file_parent_process_id_d,\n ParentProcessMD5 = file_parent_identity_md5_g,\n ParentProcessSHA1 = file_parent_identity_sha1_s,\n ParentProcessSHA256 = file_parent_identity_sha256_s,\n ParentProcessName = file_parent_file_name_s,\n ParentProcessFileDescription = file_parent_disposition_s\n| extend\n EventEndTime=iff(isnotempty(created_at_t), created_at_t, date_t),\n EventMessage=iff(isnotempty(event_s), event_s, event_type_s),\n Hostname = DstHostname,\n User = 
DstUsername\n| project-away \n created_at_t,\n date_t,\n event_s,\n event_type_s\n", + "query": "let CiscoSecureEndpoint_View = view () {\n CiscoSecureEndpoint_CL\n | extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n | extend\n EventSubType = column_ifexists('audit_log_type_s', ''),\n SrcUserName = column_ifexists('audit_log_user_s', ''),\n DstMacAddr = column_ifexists('computer_network_addresses_s', ''),\n DstHostname = column_ifexists('computer_hostname_s', ''),\n DstUsername = column_ifexists('computer_user_s', ''),\n DstIpAddr = column_ifexists('computer_external_ip_s', ''),\n ConnectorGuid = column_ifexists('connector_guid_g', ''),\n GroupGuid = column_ifexists('group_guids_s', ''),\n DvcId = column_ifexists('id_d', ''),\n EventOriginalId = column_ifexists('event_type_id_d', ''),\n ThreatName = column_ifexists('detection_s', ''),\n ThreatId = column_ifexists('detection_id_s', ''),\n ThreatSeverity = column_ifexists('severity_s', ''),\n DstDvcHostname = column_ifexists('new_attributes_name_s', ''),\n DvcHostname = column_ifexists('new_attributes_hostname_s', ''),\n DvcIpAddr = column_ifexists('new_attributes_ip_external_s', ''),\n DstDvcOsId = column_ifexists('new_attributes_operating_system_id_d', ''),\n EventProductVersion = column_ifexists('new_attributes_product_version_id_d', ''),\n SrcDvcId = column_ifexists('computer_connector_guid_g', ''),\n ComputerLinksComputer = column_ifexists('computer_links_computer_s', ''),\n ComputerLinksTrajectory = column_ifexists('computer_links_trajectory_s', ''),\n ComputerLinksGroup = column_ifexists('computer_links_group_s', ''),\n IndicatorThreatType = column_ifexists('file_disposition_s', ''),\n SrcFileName = column_ifexists('file_file_name_s', ''),\n SrcFilePath = column_ifexists('file_file_path_s', ''),\n SrcFileMD5 = column_ifexists('file_identity_md5_g', ''),\n SrcFileSHA1 = column_ifexists('file_identity_sha1_s', ''),\n SrcFileSHA256 = column_ifexists('file_identity_sha256_s', ''),\n 
ParentProcessId = column_ifexists('file_parent_process_id_d', ''),\n ParentProcessMD5 = column_ifexists('file_parent_identity_md5_g', ''),\n ParentProcessSHA1 = column_ifexists('file_parent_identity_sha1_s', ''),\n ParentProcessSHA256 = column_ifexists('file_parent_identity_sha256_s', ''),\n ParentProcessName = column_ifexists('file_parent_file_name_s', ''),\n ParentProcessFileDescription = column_ifexists('file_parent_disposition_s', '')\n | extend\n EventEndTime=iff(isnotempty(created_at_t), todatetime(created_at_t), todatetime(date_t)),\n EventMessage=iff(isnotempty(event_s), event_s, event_type_s),\n Hostname = DstHostname,\n User = DstUsername\n };\n let CiscoSecureEndpointAudit_View = view () {\n CiscoSecureEndpointAuditLogsV2_CL\n | extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n | extend \n EventSubType = column_ifexists('AuditLogType', ''),\n SrcUserName = column_ifexists('AuditLogUser', ''),\n DstDvcHostname = column_ifexists('NewAttributes.name', ''),\n DvcHostname = column_ifexists('NewAttributes.hostname', ''),\n DvcIpAddr = column_ifexists('NewAttributes.ip_external', ''),\n DstDvcOsId = column_ifexists('NewAttributes.operating_system_id', ''),\n EventProductVersion = column_ifexists('NewAttributes.product_version_id', ''),\n EventEndTime = todatetime(column_ifexists('CreatedAt', '')),\n EventMessage = column_ifexists('Event', '')\n };\n let CiscoSecureEndpointEvent_View = view () {\n CiscoSecureEndpointEventsV2_CL\n | extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n | extend\n DstMacAddr = column_ifexists('ComputerNetworkAddresses', ''),\n DstHostname = column_ifexists('ComputerHostname', ''),\n DstUsername = column_ifexists('ComputerUser', ''),\n DstIpAddr = column_ifexists('ComputerExternalIp', ''),\n ConnectorGuid = column_ifexists('ConnectorGuid', ''),\n GroupGuid = column_ifexists('GroupGuids', ''),\n DvcId = column_ifexists('Id', ''),\n ThreatName = column_ifexists('Detection', ''),\n 
ThreatId = column_ifexists('DetectionId', ''),\n ThreatSeverity = column_ifexists('Severity', ''),\n EventOriginalId = column_ifexists('EventTypeId', ''),\n SrcDvcId = column_ifexists('ComputerConnectorGuid', ''),\n ComputerLinksComputer = column_ifexists('ComputerLinksComputer', ''),\n ComputerLinksTrajectory = column_ifexists('ComputerLinksTrajectory', ''),\n ComputerLinksGroup = column_ifexists('ComputerLinksGroup', ''),\n IndicatorThreatType = column_ifexists('FileDisposition', ''),\n SrcFileName = column_ifexists('FileFileName', ''),\n SrcFilePath = column_ifexists('FileFilePath', ''),\n SrcFileMD5 = column_ifexists('FileIdentityMd5', ''),\n SrcFileSHA1 = column_ifexists('FileIdentitySha1', ''),\n SrcFileSHA256 = column_ifexists('FileIdentitySha256', ''),\n ParentProcessId = column_ifexists('FileParentProcessId', ''),\n ParentProcessMD5 = column_ifexists('FileParentIdentityMd5', ''),\n ParentProcessSHA1 = column_ifexists('FileParentIdentitySha1', ''),\n ParentProcessSHA256 = column_ifexists('FileParentIdentitySha256', ''),\n ParentProcessName = column_ifexists('FileParentFileName', ''),\n ParentProcessFileDescription = column_ifexists('FileParentDisposition', ''),\n EventEndTime = todatetime(column_ifexists('Date', '')),\n EventMessage = column_ifexists('EventType', '')\n | extend\n Hostname = DstHostname,\n User = DstUsername\n };\n union isfuzzy=true\n (CiscoSecureEndpoint_View),\n (CiscoSecureEndpointAudit_View),\n (CiscoSecureEndpointEvent_View)\n | project\n EventVendor,\n EventProduct,\n EventSubType,\n SrcUserName,\n DstMacAddr,\n DstHostname,\n DstUsername,\n DstIpAddr,\n ConnectorGuid,\n GroupGuid,\n DvcId,\n EventOriginalId,\n ThreatName,\n ThreatId,\n ThreatSeverity,\n DstDvcHostname,\n DvcHostname,\n DvcIpAddr,\n DstDvcOsId,\n EventProductVersion,\n SrcDvcId,\n ComputerLinksComputer,\n ComputerLinksTrajectory,\n ComputerLinksGroup,\n IndicatorThreatType,\n SrcFileName,\n SrcFilePath,\n SrcFileMD5,\n SrcFileSHA1,\n SrcFileSHA256,\n 
ParentProcessId,\n ParentProcessMD5,\n ParentProcessSHA1,\n ParentProcessSHA256,\n ParentProcessName,\n ParentProcessFileDescription,\n EventEndTime,\n EventMessage,\n Hostname,\n User\n", "functionParameters": "", "version": 2, "tags": [ @@ -330,7 +351,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -360,7 +381,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "CiscoSecureEndpoint Data Parser", + "displayName": "Parser for CiscoSecureEndpoint", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
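Review bot: In `CiscoSecureEndpointAudit_View`, `column_ifexists('NewAttributes.name', '')` and its four siblings look for columns literally named `NewAttributes.name`, `NewAttributes.hostname`, and so on; the schema added in this PR defines `NewAttributes` as a single string column, so every lookup falls through to `''` and `DstDvcHostname`, `DvcHostname`, `DvcIpAddr`, `DstDvcOsId` and `EventProductVersion` are empty for every V2 audit event, which silently strips those fields from the analytic rules and hunting queries built on this parser. The intended lookup is presumably `DstDvcHostname = tostring(parse_json(column_ifexists('NewAttributes', '')).name)` and the same shape for the other four. Separately, `DvcId`, `EventOriginalId` and `DstDvcOsId` default to the string `''` while their source columns (`id_d`, `Id`, `EventTypeId`, `new_attributes_operating_system_id_d`) are real, so the type of one output column differs between views and, when a table is absent, `union isfuzzy=true` may emit type-suffixed columns rather than the names the final `project` expects; `column_ifexists('Id', real(null))` keeps the type stable. The same query is repeated verbatim in the hunk at `@@ -373,10 +394,10 @@`, which needs the identical change.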
@@ -373,10 +394,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "CiscoSecureEndpoint Data Parser", + "displayName": "Parser for CiscoSecureEndpoint", "category": "Microsoft Sentinel Parser", "functionAlias": "CiscoSecureEndpoint", - "query": "CiscoSecureEndpoint_CL\n| extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n| project-rename \n EventSubType = audit_log_type_s,\n SrcUserName = audit_log_user_s,\n DstMacAddr = computer_network_addresses_s,\n DstHostname = computer_hostname_s,\n DstUsername = computer_user_s,\n DstIpAddr = computer_external_ip_s,\n ConnectorGuid = connector_guid_g,\n GroupGuid = group_guids_s,\n DvcId = id_d,\n EventOriginalId = event_type_id_d,\n ThreatName = detection_s,\n ThreatId = detection_id_s,\n ThreatSeverity = severity_s,\n DstDvcHostname = new_attributes_name_s,\n DvcHostname = new_attributes_hostname_s,\n DvcIpAddr = new_attributes_ip_external_s,\n DstDvcOsId = new_attributes_operating_system_id_d,\n EventProductVersion = new_attributes_product_version_id_d,\n SrcDvcId = computer_connector_guid_g,\n ComputerLinksComputer = computer_links_computer_s,\n ComputerLinksTrajectory = computer_links_trajectory_s,\n ComputerLinksGroup = computer_links_group_s,\n IndicatorThreatType = file_disposition_s,\n SrcFileName = file_file_name_s,\n SrcFilePath = file_file_path_s,\n SrcFileMD5 = file_identity_md5_g,\n SrcFileSHA1 = file_identity_sha1_s,\n SrcFileSHA256 = file_identity_sha256_s,\n ParentProcessId = file_parent_process_id_d,\n ParentProcessMD5 = file_parent_identity_md5_g,\n ParentProcessSHA1 = file_parent_identity_sha1_s,\n ParentProcessSHA256 = file_parent_identity_sha256_s,\n ParentProcessName = file_parent_file_name_s,\n ParentProcessFileDescription = file_parent_disposition_s\n| extend\n EventEndTime=iff(isnotempty(created_at_t), created_at_t, date_t),\n EventMessage=iff(isnotempty(event_s), event_s, event_type_s),\n Hostname = DstHostname,\n User = 
DstUsername\n| project-away \n created_at_t,\n date_t,\n event_s,\n event_type_s\n", + "query": "let CiscoSecureEndpoint_View = view () {\n CiscoSecureEndpoint_CL\n | extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n | extend\n EventSubType = column_ifexists('audit_log_type_s', ''),\n SrcUserName = column_ifexists('audit_log_user_s', ''),\n DstMacAddr = column_ifexists('computer_network_addresses_s', ''),\n DstHostname = column_ifexists('computer_hostname_s', ''),\n DstUsername = column_ifexists('computer_user_s', ''),\n DstIpAddr = column_ifexists('computer_external_ip_s', ''),\n ConnectorGuid = column_ifexists('connector_guid_g', ''),\n GroupGuid = column_ifexists('group_guids_s', ''),\n DvcId = column_ifexists('id_d', ''),\n EventOriginalId = column_ifexists('event_type_id_d', ''),\n ThreatName = column_ifexists('detection_s', ''),\n ThreatId = column_ifexists('detection_id_s', ''),\n ThreatSeverity = column_ifexists('severity_s', ''),\n DstDvcHostname = column_ifexists('new_attributes_name_s', ''),\n DvcHostname = column_ifexists('new_attributes_hostname_s', ''),\n DvcIpAddr = column_ifexists('new_attributes_ip_external_s', ''),\n DstDvcOsId = column_ifexists('new_attributes_operating_system_id_d', ''),\n EventProductVersion = column_ifexists('new_attributes_product_version_id_d', ''),\n SrcDvcId = column_ifexists('computer_connector_guid_g', ''),\n ComputerLinksComputer = column_ifexists('computer_links_computer_s', ''),\n ComputerLinksTrajectory = column_ifexists('computer_links_trajectory_s', ''),\n ComputerLinksGroup = column_ifexists('computer_links_group_s', ''),\n IndicatorThreatType = column_ifexists('file_disposition_s', ''),\n SrcFileName = column_ifexists('file_file_name_s', ''),\n SrcFilePath = column_ifexists('file_file_path_s', ''),\n SrcFileMD5 = column_ifexists('file_identity_md5_g', ''),\n SrcFileSHA1 = column_ifexists('file_identity_sha1_s', ''),\n SrcFileSHA256 = column_ifexists('file_identity_sha256_s', ''),\n 
ParentProcessId = column_ifexists('file_parent_process_id_d', ''),\n ParentProcessMD5 = column_ifexists('file_parent_identity_md5_g', ''),\n ParentProcessSHA1 = column_ifexists('file_parent_identity_sha1_s', ''),\n ParentProcessSHA256 = column_ifexists('file_parent_identity_sha256_s', ''),\n ParentProcessName = column_ifexists('file_parent_file_name_s', ''),\n ParentProcessFileDescription = column_ifexists('file_parent_disposition_s', '')\n | extend\n EventEndTime=iff(isnotempty(created_at_t), todatetime(created_at_t), todatetime(date_t)),\n EventMessage=iff(isnotempty(event_s), event_s, event_type_s),\n Hostname = DstHostname,\n User = DstUsername\n };\n let CiscoSecureEndpointAudit_View = view () {\n CiscoSecureEndpointAuditLogsV2_CL\n | extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n | extend \n EventSubType = column_ifexists('AuditLogType', ''),\n SrcUserName = column_ifexists('AuditLogUser', ''),\n DstDvcHostname = column_ifexists('NewAttributes.name', ''),\n DvcHostname = column_ifexists('NewAttributes.hostname', ''),\n DvcIpAddr = column_ifexists('NewAttributes.ip_external', ''),\n DstDvcOsId = column_ifexists('NewAttributes.operating_system_id', ''),\n EventProductVersion = column_ifexists('NewAttributes.product_version_id', ''),\n EventEndTime = todatetime(column_ifexists('CreatedAt', '')),\n EventMessage = column_ifexists('Event', '')\n };\n let CiscoSecureEndpointEvent_View = view () {\n CiscoSecureEndpointEventsV2_CL\n | extend \n EventVendor = 'Cisco',\n EventProduct = 'Cisco Secure Endpoint'\n | extend\n DstMacAddr = column_ifexists('ComputerNetworkAddresses', ''),\n DstHostname = column_ifexists('ComputerHostname', ''),\n DstUsername = column_ifexists('ComputerUser', ''),\n DstIpAddr = column_ifexists('ComputerExternalIp', ''),\n ConnectorGuid = column_ifexists('ConnectorGuid', ''),\n GroupGuid = column_ifexists('GroupGuids', ''),\n DvcId = column_ifexists('Id', ''),\n ThreatName = column_ifexists('Detection', ''),\n 
ThreatId = column_ifexists('DetectionId', ''),\n ThreatSeverity = column_ifexists('Severity', ''),\n EventOriginalId = column_ifexists('EventTypeId', ''),\n SrcDvcId = column_ifexists('ComputerConnectorGuid', ''),\n ComputerLinksComputer = column_ifexists('ComputerLinksComputer', ''),\n ComputerLinksTrajectory = column_ifexists('ComputerLinksTrajectory', ''),\n ComputerLinksGroup = column_ifexists('ComputerLinksGroup', ''),\n IndicatorThreatType = column_ifexists('FileDisposition', ''),\n SrcFileName = column_ifexists('FileFileName', ''),\n SrcFilePath = column_ifexists('FileFilePath', ''),\n SrcFileMD5 = column_ifexists('FileIdentityMd5', ''),\n SrcFileSHA1 = column_ifexists('FileIdentitySha1', ''),\n SrcFileSHA256 = column_ifexists('FileIdentitySha256', ''),\n ParentProcessId = column_ifexists('FileParentProcessId', ''),\n ParentProcessMD5 = column_ifexists('FileParentIdentityMd5', ''),\n ParentProcessSHA1 = column_ifexists('FileParentIdentitySha1', ''),\n ParentProcessSHA256 = column_ifexists('FileParentIdentitySha256', ''),\n ParentProcessName = column_ifexists('FileParentFileName', ''),\n ParentProcessFileDescription = column_ifexists('FileParentDisposition', ''),\n EventEndTime = todatetime(column_ifexists('Date', '')),\n EventMessage = column_ifexists('EventType', '')\n | extend\n Hostname = DstHostname,\n User = DstUsername\n };\n union isfuzzy=true\n (CiscoSecureEndpoint_View),\n (CiscoSecureEndpointAudit_View),\n (CiscoSecureEndpointEvent_View)\n | project\n EventVendor,\n EventProduct,\n EventSubType,\n SrcUserName,\n DstMacAddr,\n DstHostname,\n DstUsername,\n DstIpAddr,\n ConnectorGuid,\n GroupGuid,\n DvcId,\n EventOriginalId,\n ThreatName,\n ThreatId,\n ThreatSeverity,\n DstDvcHostname,\n DvcHostname,\n DvcIpAddr,\n DstDvcOsId,\n EventProductVersion,\n SrcDvcId,\n ComputerLinksComputer,\n ComputerLinksTrajectory,\n ComputerLinksGroup,\n IndicatorThreatType,\n SrcFileName,\n SrcFilePath,\n SrcFileMD5,\n SrcFileSHA1,\n SrcFileSHA256,\n 
ParentProcessId,\n ParentProcessMD5,\n ParentProcessSHA1,\n ParentProcessSHA256,\n ParentProcessName,\n ParentProcessFileDescription,\n EventEndTime,\n EventMessage,\n Hostname,\n User\n", "functionParameters": "", "version": 2, "tags": [ @@ -396,7 +417,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoSecureEndpoint')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -426,7 +447,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEInfectedHosts_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSEInfectedHosts_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -511,7 +532,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEInfectedUsers_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSEInfectedUsers_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -596,7 +617,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSELoginsToConsole_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSELoginsToConsole_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -681,7 +702,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEMaliciousFiles_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSEMaliciousFiles_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -766,7 +787,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEModifiedAgent_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSEModifiedAgent_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -851,7 +872,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSERareFilesScanned_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSERareFilesScanned_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -936,7 +957,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEScannedFiles_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSEScannedFiles_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -1021,7 +1042,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSESuspiciousPSDownloads_HuntingQueries Hunting Query with template version 3.0.0", + "description": "CiscoSESuspiciousPSDownloads_HuntingQueries Hunting Query with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -1080,80 +1101,1785 @@ "tier": "Microsoft", "link": "https://support.microsoft.com" } - } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Cisco SE - Suspicious powershel downloads", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CiscoSEUncommonApplicationBehavior_HuntingQueries Hunting Query with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cisco_Secure_Endpoint_Hunting_Query_9", + "location": "[parameters('workspace-location')]", + 
"properties": { + "eTag": "*", + "displayName": "Cisco SE - Uncommon application behavior", + "category": "Hunting Queries", + "query": "CiscoSecureEndpoint\n| where TimeGenerated > ago(24h)\n| where ThreatName has 'launched a shell'\n| order by TimeGenerated desc\n| extend HostCustomEntity = DstHostname\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for uncommon application behavior events." + }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204.002" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", + "properties": { + "description": "Cisco Secure Endpoint Hunting Query 9", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", + "source": { + "kind": "Solution", + "name": "Cisco Secure Endpoint", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "contentKind": "HuntingQuery", + 
"displayName": "Cisco SE - Uncommon application behavior", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CiscoSEVulnerableApplications_HuntingQueries Hunting Query with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Cisco_Secure_Endpoint_Hunting_Query_10", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Cisco SE - Vulnerable applications", + "category": "Hunting Queries", + "query": "CiscoSecureEndpoint\n| where TimeGenerated > ago(24h)\n| where EventMessage =~ 'Vulnerable Application Detected'\n| summarize by DstHostname\n| extend HostCustomEntity = DstHostname\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for vulnerable applications on hosts." 
+ }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1204.002" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", + "properties": { + "description": "Cisco Secure Endpoint Hunting Query 10", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", + "source": { + "kind": "Solution", + "name": "Cisco Secure Endpoint", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "contentKind": "HuntingQuery", + "displayName": "Cisco SE - Vulnerable applications", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "Cisco Secure Endpoint (via Codeless Connector Framework)", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CiscoSecureEndpointLogsCCPDefinition", + "title": "Cisco Secure Endpoint (via Codeless Connector Framework)", + "publisher": "Microsoft", + "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and 
[events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total audit logs received", + "legend": "Cisco Secure Endpoint Audit logs", + "baseQuery": "CiscoSecureEndpointAuditLogsV2_CL" + }, + { + "metricName": "Total events received", + "legend": "Cisco Secure Endpoint Events", + "baseQuery": "CiscoSecureEndpointEventsV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Get a Sample of Cisco Secure Endpoint Audit Logs", + "query": "CiscoSecureEndpointAuditLogsV2_CL\n | take 10" + }, + { + "description": "Get a Sample of Cisco Secure Endpoint Events", + "query": "CiscoSecureEndpointEventsV2_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "CiscoSecureEndpointAuditLogsV2_CL", + "lastDataReceivedQuery": "CiscoSecureEndpointAuditLogsV2_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "CiscoSecureEndpointEventsV2_CL", + "lastDataReceivedQuery": "CiscoSecureEndpointEventsV2_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Cisco Secure Endpoint API Credentials/Regions", + "description": "To create API Credentials and to understand the regions, follow the document link provided here. [Click here](https://github.com/v-gudivya/Cisco-Secure-Endpoint/blob/main/README.md)." 
+ } + ] + }, + "instructionSteps": [ + { + "description": "To ingest data from Cisco Secure Endpoint to Microsoft Sentinel, you have to click on Add Account button below, then you get a pop up to fill the details like Email, Organization, Client ID, API Key and Region, provide the required information and click on Connect. You can see the connected organizations/emails in the below grid.\n>", + "instructions": [ + { + "type": "DataConnectorsGrid", + "parameters": { + "mapping": [ + { + "columnName": "Organization", + "columnValue": "properties.addOnAttributes.Organization" + }, + { + "columnName": "Email", + "columnValue": "properties.addOnAttributes.Email" + }, + { + "columnName": "Endpoint", + "columnValue": "properties.request.apiEndpoint" + } + ], + "menuItems": [ + "DeleteConnector" + ] + } + }, + { + "type": "ContextPane", + "parameters": { + "isPrimary": true, + "label": "Add Account", + "title": "Add Account", + "subtitle": "Add Account", + "contextPaneType": "DataConnectorsContextPane", + "instructionSteps": [ + { + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Cisco Secure Endpoint Email", + "placeholder": "Enter your Cisco Email", + "type": "text", + "name": "email", + "required": true + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Cisco Secure Endpoint Organization", + "placeholder": "Enter the name of your Organization", + "type": "text", + "name": "organization", + "required": true + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Cisco Secure Endpoint Client ID", + "placeholder": "Enter your Client ID", + "type": "text", + "name": "username", + "required": true + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Cisco Secure Endpoint API Key", + "placeholder": "Enter your API Key", + "type": "password", + "name": "apiKey", + "required": true + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Cisco Secure Endpoint Region", + "placeholder": "Enter the region you want to 
connect", + "type": "text", + "name": "region", + "required": true, + "description": "For example, if your region is https://api.apjc.amp.cisco.com then enter only apjc.amp in the above field. Follow the link provided in the Cisco Secure Endpoint API Credentials/Regions section for better understanding of the regions." + } + } + ] + } + ] + } + } + ], + "title": "Connect Cisco Secure Endpoint to Microsoft Sentinel" + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "CiscoSecureEndpointDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": 
"[variables('dataCollectionEndpointId1')]", + "streamDeclarations": { + "Custom-CiscoSecureEndpointAuditLogs": { + "columns": [ + { + "name": "event", + "type": "string" + }, + { + "name": "audit_log_type", + "type": "string" + }, + { + "name": "audit_log_id", + "type": "string" + }, + { + "name": "audit_log_user", + "type": "string" + }, + { + "name": "created_at", + "type": "datetime" + }, + { + "name": "item", + "type": "string" + }, + { + "name": "message", + "type": "string" + }, + { + "name": "old_attributes", + "type": "string" + }, + { + "name": "new_attributes", + "type": "string" + } + ] + }, + "Custom-CiscoSecureEndpointEvents": { + "columns": [ + { + "name": "id", + "type": "real" + }, + { + "name": "timestamp", + "type": "real" + }, + { + "name": "timestamp_nanoseconds", + "type": "real" + }, + { + "name": "date", + "type": "datetime" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "event_type_id", + "type": "real" + }, + { + "name": "detection", + "type": "string" + }, + { + "name": "detection_id", + "type": "string" + }, + { + "name": "connector_guid", + "type": "string" + }, + { + "name": "group_guids", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "tactics", + "type": "string" + }, + { + "name": "techniques", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "vulnerabilities", + "type": "string" + }, + { + "name": "start_timestamp", + "type": "real" + }, + { + "name": "start_date", + "type": "datetime" + }, + { + "name": "error", + "type": "dynamic" + }, + { + "name": "computer", + "type": "dynamic" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "scan", + "type": "dynamic" + }, + { + "name": "bp_data", + "type": "dynamic" + }, + { + "name": "policy", + "type": "dynamic" + }, + { + "name": "product_update", + "type": "dynamic" + }, + { + "name": "isolation", + "type": "dynamic" + }, + { + "name": "forensic_snapshot", + "type": 
"dynamic" + }, + { + "name": "device_control", + "type": "dynamic" + }, + { + "name": "endpoint_ioc_scan", + "type": "dynamic" + }, + { + "name": "orbital", + "type": "dynamic" + }, + { + "name": "command_line", + "type": "dynamic" + }, + { + "name": "cloud_ioc", + "type": "dynamic" + }, + { + "name": "threat_hunting", + "type": "dynamic" + }, + { + "name": "network_info", + "type": "dynamic" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-CiscoSecureEndpointAuditLogs" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend TimeGenerated = created_at | project-rename Event = event, AuditLogType = audit_log_type, AuditLogId = audit_log_id, AuditLogUser = audit_log_user, CreatedAt = created_at, Item = item, Message = message, OldAttributes = old_attributes, NewAttributes = new_attributes", + "outputStream": "Custom-CiscoSecureEndpointAuditLogsV2_CL" + }, + { + "streams": [ + "Custom-CiscoSecureEndpointEvents" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend Error = parse_json(error) | extend Computer = parse_json(computer) | extend File = parse_json(file) | extend Scan = parse_json(scan) | extend BpData = parse_json(bp_data) | extend Policy = parse_json(policy) | extend ProductUpdate = parse_json(product_update) | extend Isolation = parse_json(isolation) | extend ForensicSnapshot = parse_json(forensic_snapshot) | extend DeviceControl = parse_json(device_control) | extend EndpointIocScan = parse_json(endpoint_ioc_scan) | extend Orbital = parse_json(orbital) | extend CommandLine = parse_json(command_line) | extend CloudIoc = parse_json(cloud_ioc) | extend ThreatHunting = parse_json(threat_hunting) | extend NetworkInfo = parse_json(network_info) | extend Id = id, Timestamp = timestamp, TimestampNanoseconds = timestamp_nanoseconds, TimeGenerated = ['date'], Date = 
['date'], EventType = event_type, EventTypeId = event_type_id, Detection = detection, DetectionId = detection_id, ConnectorGuid = connector_guid, GroupGuids = group_guids, Severity = severity, Tactics = tactics, Techniques = techniques, Hostname = hostname, Vulnerabilities = vulnerabilities, StartTimestamp = start_timestamp, StartDate = start_date, ErrorErrorCode = todouble(Error['error_code']), ErrorDescription = tostring(Error['description']), ComputerConnectorGuid = tostring(Computer['connector_guid']), ComputerHostname = tostring(Computer['hostname']), ComputerExternalIp = tostring(Computer['external_ip']), ComputerUser = tostring(Computer['user']), ComputerActive = tobool(Computer['active']), ComputerNetworkAddresses = tostring(Computer['network_addresses']), ComputerLinksComputer = tostring(Computer['links']['computer']), ComputerLinksTrajectory = tostring(Computer['links']['trajectory']), ComputerLinksGroup = tostring(Computer['links']['group']), FileDisposition = tostring(File['disposition']), FileFileName = tostring(File['file_name']), FileFilePath = tostring(File['file_path']), FileIdentitySha256 = tostring(File['identity']['sha256']), FileIdentitySha1 = tostring(File['identity']['sha1']), FileIdentityMd5 = tostring(File['identity']['md5']), FileParentProcessId = todouble(File['parent']['process_id']), FileParentDisposition = tostring(File['parent']['disposition']), FileParentFileName = tostring(File['parent']['file_name']), FileParentIdentitySha256 = tostring(File['parent']['identity']['sha256']), FileParentIdentitySha1 = tostring(File['parent']['identity']['sha1']), FileParentIdentityMd5 = tostring(File['parent']['identity']['md5']), FileAttackDetailsApplication = tostring(File['attack_details']['application']), FileAttackDetailsAttackedModule = tostring(File['attack_details']['attacked_module']), FileAttackDetailsBaseAddress = tostring(File['attack_details']['base_address']), FileAttackDetailsSuspiciousFiles = 
tostring(File['attack_details']['suspicious_files']), FileAttackDetailsIndicators = tostring(File['attack_details']['indicators']), FileArchivedFileDisposition = tostring(File['archived_file']['disposition']), FileArchivedFileIdentitySha256 = tostring(File['archived_file']['identity']['sha256']), ScanDescription = tostring(Scan['description']), ScanClean = tobool(Scan['clean']), ScanScannedFiles = todouble(Scan['scanned_files']), ScanScannedProcesses = todouble(Scan['scanned_processes']), ScanScannedPaths = todouble(Scan['scanned_paths']), ScanMaliciousDetections = todouble(Scan['malicious_detections']), BpDataPackageManagerPendingVersion = todouble(BpData['package_manager_pending_version']), BpDataPackageManagerSerialNumber = todouble(BpData['package_manager_serial_number']), BpDataSts = todouble(BpData['sts']), BpDataPackageName = tostring(BpData['package_name']), BpDataPackageManagerCurrentVersion = todouble(BpData['package_manager_current_version']), BpDataNormalizedSeverityId = todouble(BpData['normalized']['severity_id']), BpDataAudit = tobool(BpData['audit']), BpDataDetection = tostring(BpData['detection']), BpDataEndTs = todouble(BpData['end_ts']), BpDataEngine = tostring(BpData['engine']), BpDataId = tostring(BpData['id']), BpDataName = tostring(BpData['name']), BpDataRemediated = tobool(BpData['remediated']), BpDataSeverity = tostring(BpData['severity']), BpDataSilent = tobool(BpData['silent']), BpDataStartTs = todouble(BpData['start_ts']), BpDataTactics = tostring(BpData['tactics']), BpDataTechniques = tostring(BpData['techniques']), BpDataType = tostring(BpData['type']), BpDataObservablesFile = tostring(BpData['observables']['file']), BpDataDetailsActions = tostring(BpData['details']['actions']), BpDataDetailsEngEpoch = todouble(BpData['details']['eng_epoch']), BpDataDetailsEngVer = tostring(BpData['details']['eng_ver']), BpDataDetailsSchema = tostring(BpData['details']['schema']), BpDataDetailsSchemaEpoch = todouble(BpData['details']['schema_epoch']), 
BpDataDetailsSigId = todouble(BpData['details']['sig_id']), BpDataDetailsSigRev = todouble(BpData['details']['sig_rev']), BpDataDetailsSigSetVersion = todouble(BpData['details']['sig_set_version']), BpDataDetailsMatchedActivityEvents = tostring(BpData['details']['matched_activity']['events']), BpDataDetailsMatchedActivityLimited = tobool(BpData['details']['matched_activity']['limited']), BpDataDetailsMatchedActivityMatched = todouble(BpData['details']['matched_activity']['matched']), BpDataDeviceAgentList = tostring(BpData['device']['agent_list']), BpDataDeviceHostname = tostring(BpData['device']['hostname']), BpDataDeviceNetworkInterfaces = tostring(BpData['device']['network_interfaces']), BpDataDeviceOsMachineUuid = tostring(BpData['device']['os_machine_uuid']), BpDataDeviceTypeId = todouble(BpData['device']['type_id']), BpDataDeviceHwInfoBiosManufacturer = tostring(BpData['device']['hw_info']['bios_manufacturer']), BpDataDeviceHwInfoBiosVer = tostring(BpData['device']['hw_info']['bios_ver']), BpDataDeviceHwInfoCpuBits = todouble(BpData['device']['hw_info']['cpu_bits']), BpDataDeviceHwInfoCpuType = tostring(BpData['device']['hw_info']['cpu_type']), BpDataDeviceHwInfoSerialNumber = tostring(BpData['device']['hw_info']['serial_number']), BpDataDeviceHwInfoUuid = tostring(BpData['device']['hw_info']['uuid']), BpDataDeviceHwInfoVendorName = tostring(BpData['device']['hw_info']['vendor_name']), BpDataDeviceOsBuild = tostring(BpData['device']['os']['build']), BpDataDeviceOsEdition = tostring(BpData['device']['os']['edition']), BpDataDeviceOsName = tostring(BpData['device']['os']['name']), BpDataDeviceOsTypeId = todouble(BpData['device']['os']['type_id']), BpDataDeviceOsVersion = tostring(BpData['device']['os']['version']), BpDataNormalizedName = tostring(BpData['normalized']['name']), BpDataNormalizedObservablesAll = tostring(BpData['normalized']['observables']['all']), BpDataNormalizedObservablesFileName = tostring(BpData['normalized']['observables']['file']['name']), 
BpDataNormalizedObservablesFilePath = tostring(BpData['normalized']['observables']['file']['path']), BpDataErrorCode = todouble(BpData['error_code']), BpDataDemo = tobool(BpData['demo']), BpDataPackageUri = tostring(BpData['package_uri']), BpDataErrorSource = tostring(BpData['source']), BpDataEcx = tostring(BpData['ecx']), PolicySerialNumber = todouble(Policy['serial_number']), ProductUpdateCurrentVersion = tostring(ProductUpdate['current_version']), ProductUpdateUpdateVersion = tostring(ProductUpdate['update_version']), IsolationDuration = todouble(Isolation['duration']), IsolationUser = tostring(Isolation['user']), ForensicSnapshotUrl = tostring(ForensicSnapshot['url']), DeviceControlDataPackageManagerSerialNumber = tostring(DeviceControl['data']['package_manager_serial_number']), DeviceControlDataPackageName = tostring(DeviceControl['data']['package_name']), DeviceControlDataSts = todouble(DeviceControl['data']['sts']), DeviceControlDataNormalizedSeverityId = todouble(DeviceControl['data']['normalized']['severity_id']), DeviceControlDataDemo = tobool(DeviceControl['data']['demo']), DeviceControlDataType = tostring(DeviceControl['data']['type']), DeviceControlDataEngine = tostring(DeviceControl['data']['engine']), DeviceControlDataAudit = tobool(DeviceControl['data']['audit']), DeviceControlDataDetection = tostring(DeviceControl['data']['detection']), DeviceControlDataId = tostring(DeviceControl['data']['id']), DeviceControlDataSilent = tobool(DeviceControl['data']['silent']), DeviceControlDataDetailsEngVersion = tostring(DeviceControl['data']['details']['eng_version']), DeviceControlDataDetailsRulesetVersion = tostring(DeviceControl['data']['details']['ruleset_version']), DeviceControlDataDetailsPhase = tostring(DeviceControl['data']['details']['phase']), DeviceControlDataDetailsRulesetId = tostring(DeviceControl['data']['details']['ruleset_id']), DeviceControlDataDetailsAccess = tostring(DeviceControl['data']['details']['access']), 
DeviceControlDataDetailsRulesetRev = todouble(DeviceControl['data']['details']['ruleset_rev']), DeviceControlDataDetailsDeviceDataHardwareId = tostring(DeviceControl['data']['details']['device_data']['hardware_id']), DeviceControlDataDetailsDeviceDataVendorId = tostring(DeviceControl['data']['details']['device_data']['vendor_id']), DeviceControlDataDetailsDeviceDataInstanceId = tostring(DeviceControl['data']['details']['device_data']['instance_id']), DeviceControlDataDetailsDeviceDataDeviceSubClass = todouble(DeviceControl['data']['details']['device_data']['device_subClass']), DeviceControlDataDetailsDeviceDataSetupClassId = tostring(DeviceControl['data']['details']['device_data']['setup_class_id']), DeviceControlDataDetailsDeviceDataProductName = tostring(DeviceControl['data']['details']['device_data']['product_name']), DeviceControlDataDetailsDeviceDataDeviceClass = todouble(DeviceControl['data']['details']['device_data']['device_class']), DeviceControlDataDetailsDeviceDataSetupClassName = tostring(DeviceControl['data']['details']['device_data']['setup_class_name']), DeviceControlDataDetailsDeviceDataDeviceProtocol = todouble(DeviceControl['data']['details']['device_data']['device_protocol']), DeviceControlDataDetailsDeviceDataUsbSpec = tostring(DeviceControl['data']['details']['device_data']['usb_spec']), DeviceControlDataDetailsDeviceDataSerialNumberId = tostring(DeviceControl['data']['details']['device_data']['serial_number_id']), DeviceControlDataDetailsDeviceDataProductId = tostring(DeviceControl['data']['details']['device_data']['product_id']), DeviceControlDataDetailsDeviceDataVendorName = tostring(DeviceControl['data']['details']['device_data']['vendor_name']), DeviceControlDataDetailsMatchedRulePriority = todouble(DeviceControl['data']['details']['matched_rule']['priority']), DeviceControlDataDetailsMatchedRuleId = tostring(DeviceControl['data']['details']['matched_rule']['rule_id']), DeviceControlDataDetailsMatchedRuleDisplayName = 
tostring(DeviceControl['data']['details']['matched_rule']['display_name']), DeviceControlInstanceId = tostring(DeviceControl['instance_id']), DeviceControlDeviceId = tostring(DeviceControl['device_id']), DeviceControlVendorName = tostring(DeviceControl['vendor_name']), DeviceControlVendorId = tostring(DeviceControl['vendor_id']), DeviceControlProductName = tostring(DeviceControl['product_name']), DeviceControlProductId = tostring(DeviceControl['product_id']), DeviceControlSerialNumberId = tostring(DeviceControl['serial_number_id']), DeviceControlAccess = tostring(DeviceControl['access']), DeviceControlRuleId = tostring(DeviceControl['rule_id']), DeviceControlConfigurationId = tostring(DeviceControl['configuration_id']), DeviceControlConfigurationRevision = todouble(DeviceControl['configuration_revision']), EndpointIocScanClean = tobool(EndpointIocScan['clean']), EndpointIocScanDescription = tostring(EndpointIocScan['description']), EndpointIocScanScannedObjects = todouble(EndpointIocScan['scanned_objects']), EndpointIocScanMatchedObjects = todouble(EndpointIocScan['matched_objects']), EndpointIocScanMaliciousDetections = todouble(EndpointIocScan['malicious_detections']), OrbitalVersion = tostring(Orbital['version']), OrbitalOldVersion = tostring(Orbital['old_version']), CommandLineArguments = tostring(CommandLine['arguments']), CloudIocDescription = tostring(CloudIoc['description']), CloudIocShortDescription = tostring(CloudIoc['short_description']), ThreatHuntingIncidentReportGuid = tostring(ThreatHunting['report_guid']), ThreatHuntingIncidentHuntGuid = tostring(ThreatHunting['hunt_guid']), ThreatHuntingIncidentTitle = tostring(ThreatHunting['title']), ThreatHuntingIncidentSummary = tostring(ThreatHunting['summary']), ThreatHuntingIncidentRemediation = tostring(ThreatHunting['remediation']), ThreatHuntingIncidentStartTime = todouble(ThreatHunting['start_time']), ThreatHuntingIncidentEndTime = todouble(ThreatHunting['end_time']), ThreatHuntingTactics = 
tostring(ThreatHunting['tactics']), ThreatHuntingTechniques = tostring(ThreatHunting['techniques']), ThreatHuntingSeverity = tostring(ThreatHunting['severity']), NetworkInfoDirtyUrl = tostring(NetworkInfo['dirty_url']), NetworkInfoRemoteIp = tostring(NetworkInfo['remote_ip']), NetworkInfoRemotePort = todouble(NetworkInfo['remote_port']), NetworkInfoLocalIp = tostring(NetworkInfo['local_ip']), NetworkInfoLocalPort = todouble(NetworkInfo['local_port']), NetworkInfoNfmDirection = tostring(NetworkInfo['nfm']['direction']), NetworkInfoNfmProtocol = tostring(NetworkInfo['nfm']['protocol']), NetworkInfoParentProcessId = todouble(NetworkInfo['parent']['process_id']), NetworkInfoParentDisposition = tostring(NetworkInfo['parent']['disposition']), NetworkInfoParentFileName = tostring(NetworkInfo['parent']['file_name']), NetworkInfoParentIdentitySha256 = tostring(NetworkInfo['parent']['identity']['sha256']), NetworkInfoParentIdentitySha1 = tostring(NetworkInfo['parent']['identity']['sha1']), NetworkInfoParentIdentityMd5 = tostring(NetworkInfo['parent']['identity']['md5']) | project-away error, computer, file, scan, bp_data, policy, product_update, isolation, forensic_snapshot, device_control, endpoint_ioc_scan, orbital, command_line, cloud_ioc, threat_hunting, network_info", + "outputStream": "Custom-CiscoSecureEndpointEventsV2_CL" + } + ] + } + }, + { + "name": "CiscoSecureEndpointAuditLogsV2_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "CiscoSecureEndpointAuditLogsV2_CL", + "columns": [ + { + "name": "Event", + "type": "string" + }, + { + "name": "AuditLogType", + "type": "string" + }, + { + "name": "AuditLogId", + "type": "string" + }, + { + "name": "AuditLogUser", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "CreatedAt", + "type": "datetime" + }, + { + "name": 
"Item", + "type": "string" + }, + { + "name": "Message", + "type": "string" + }, + { + "name": "OldAttributes", + "type": "string" + }, + { + "name": "NewAttributes", + "type": "string" + } + ] + } + } + }, + { + "name": "CiscoSecureEndpointEventsV2_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "CiscoSecureEndpointEventsV2_CL", + "columns": [ + { + "name": "Id", + "type": "real" + }, + { + "name": "Timestamp", + "type": "real" + }, + { + "name": "TimestampNanoseconds", + "type": "real" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Date", + "type": "datetime" + }, + { + "name": "EventType", + "type": "string" + }, + { + "name": "EventTypeId", + "type": "real" + }, + { + "name": "Detection", + "type": "string" + }, + { + "name": "DetectionId", + "type": "string" + }, + { + "name": "ConnectorGuid", + "type": "string" + }, + { + "name": "GroupGuids", + "type": "string" + }, + { + "name": "Severity", + "type": "string" + }, + { + "name": "Tactics", + "type": "string" + }, + { + "name": "Techniques", + "type": "string" + }, + { + "name": "Hostname", + "type": "string" + }, + { + "name": "Vulnerabilities", + "type": "string" + }, + { + "name": "StartTimestamp", + "type": "real" + }, + { + "name": "StartDate", + "type": "datetime" + }, + { + "name": "ErrorErrorCode", + "type": "real" + }, + { + "name": "ErrorDescription", + "type": "string" + }, + { + "name": "ComputerConnectorGuid", + "type": "string" + }, + { + "name": "ComputerHostname", + "type": "string" + }, + { + "name": "ComputerExternalIp", + "type": "string" + }, + { + "name": "ComputerUser", + "type": "string" + }, + { + "name": "ComputerActive", + "type": "boolean" + }, + { + "name": "ComputerNetworkAddresses", + "type": "string" + }, + { + "name": "ComputerLinksComputer", + "type": "string" + }, + { + "name": 
"ComputerLinksTrajectory", + "type": "string" + }, + { + "name": "ComputerLinksGroup", + "type": "string" + }, + { + "name": "FileDisposition", + "type": "string" + }, + { + "name": "FileFileName", + "type": "string" + }, + { + "name": "FileFilePath", + "type": "string" + }, + { + "name": "FileIdentitySha256", + "type": "string" + }, + { + "name": "FileIdentitySha1", + "type": "string" + }, + { + "name": "FileIdentityMd5", + "type": "string" + }, + { + "name": "FileParentProcessId", + "type": "real" + }, + { + "name": "FileParentDisposition", + "type": "string" + }, + { + "name": "FileParentFileName", + "type": "string" + }, + { + "name": "FileParentIdentitySha256", + "type": "string" + }, + { + "name": "FileParentIdentitySha1", + "type": "string" + }, + { + "name": "FileParentIdentityMd5", + "type": "string" + }, + { + "name": "FileAttackDetailsApplication", + "type": "string" + }, + { + "name": "FileAttackDetailsAttackedModule", + "type": "string" + }, + { + "name": "FileAttackDetailsBaseAddress", + "type": "string" + }, + { + "name": "FileAttackDetailsSuspiciousFiles", + "type": "string" + }, + { + "name": "FileAttackDetailsIndicators", + "type": "string" + }, + { + "name": "FileArchivedFileDisposition", + "type": "string" + }, + { + "name": "FileArchivedFileIdentitySha256", + "type": "string" + }, + { + "name": "ScanDescription", + "type": "string" + }, + { + "name": "ScanClean", + "type": "boolean" + }, + { + "name": "ScanScannedFiles", + "type": "real" + }, + { + "name": "ScanScannedProcesses", + "type": "real" + }, + { + "name": "ScanScannedPaths", + "type": "real" + }, + { + "name": "ScanMaliciousDetections", + "type": "real" + }, + { + "name": "BpDataPackageManagerPendingVersion", + "type": "real" + }, + { + "name": "BpDataPackageManagerSerialNumber", + "type": "real" + }, + { + "name": "BpDataSts", + "type": "real" + }, + { + "name": "BpDataPackageName", + "type": "string" + }, + { + "name": "BpDataPackageManagerCurrentVersion", + "type": "real" + }, + { 
+ "name": "BpDataNormalizedSeverityId", + "type": "real" + }, + { + "name": "BpDataAudit", + "type": "boolean" + }, + { + "name": "BpDataDetection", + "type": "string" + }, + { + "name": "BpDataEndTs", + "type": "real" + }, + { + "name": "BpDataEngine", + "type": "string" + }, + { + "name": "BpDataId", + "type": "string" + }, + { + "name": "BpDataName", + "type": "string" + }, + { + "name": "BpDataRemediated", + "type": "boolean" + }, + { + "name": "BpDataSeverity", + "type": "string" + }, + { + "name": "BpDataSilent", + "type": "boolean" + }, + { + "name": "BpDataStartTs", + "type": "real" + }, + { + "name": "BpDataTactics", + "type": "string" + }, + { + "name": "BpDataTechniques", + "type": "string" + }, + { + "name": "BpDataType", + "type": "string" + }, + { + "name": "BpDataObservablesFile", + "type": "string" + }, + { + "name": "BpDataDetailsActions", + "type": "string" + }, + { + "name": "BpDataDetailsEngEpoch", + "type": "real" + }, + { + "name": "BpDataDetailsEngVer", + "type": "string" + }, + { + "name": "BpDataDetailsSchema", + "type": "string" + }, + { + "name": "BpDataDetailsSchemaEpoch", + "type": "real" + }, + { + "name": "BpDataDetailsSigId", + "type": "real" + }, + { + "name": "BpDataDetailsSigRev", + "type": "real" + }, + { + "name": "BpDataDetailsSigSetVersion", + "type": "real" + }, + { + "name": "BpDataDetailsMatchedActivityEvents", + "type": "string" + }, + { + "name": "BpDataDetailsMatchedActivityLimited", + "type": "boolean" + }, + { + "name": "BpDataDetailsMatchedActivityMatched", + "type": "real" + }, + { + "name": "BpDataDeviceAgentList", + "type": "string" + }, + { + "name": "BpDataDeviceHostname", + "type": "string" + }, + { + "name": "BpDataDeviceNetworkInterfaces", + "type": "string" + }, + { + "name": "BpDataDeviceOsMachineUuid", + "type": "string" + }, + { + "name": "BpDataDeviceTypeId", + "type": "real" + }, + { + "name": "BpDataDeviceHwInfoBiosManufacturer", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoBiosVer", + 
"type": "string" + }, + { + "name": "BpDataDeviceHwInfoCpuBits", + "type": "real" + }, + { + "name": "BpDataDeviceHwInfoCpuType", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoSerialNumber", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoUuid", + "type": "string" + }, + { + "name": "BpDataDeviceHwInfoVendorName", + "type": "string" + }, + { + "name": "BpDataDeviceOsBuild", + "type": "string" + }, + { + "name": "BpDataDeviceOsEdition", + "type": "string" + }, + { + "name": "BpDataDeviceOsName", + "type": "string" + }, + { + "name": "BpDataDeviceOsTypeId", + "type": "real" + }, + { + "name": "BpDataDeviceOsVersion", + "type": "string" + }, + { + "name": "BpDataNormalizedName", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesAll", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesFileName", + "type": "string" + }, + { + "name": "BpDataNormalizedObservablesFilePath", + "type": "string" + }, + { + "name": "BpDataErrorCode", + "type": "real" + }, + { + "name": "BpDataDemo", + "type": "boolean" + }, + { + "name": "BpDataPackageUri", + "type": "string" + }, + { + "name": "BpDataErrorSource", + "type": "string" + }, + { + "name": "BpDataEcx", + "type": "string" + }, + { + "name": "PolicySerialNumber", + "type": "real" + }, + { + "name": "ProductUpdateCurrentVersion", + "type": "string" + }, + { + "name": "ProductUpdateUpdateVersion", + "type": "string" + }, + { + "name": "IsolationDuration", + "type": "real" + }, + { + "name": "IsolationUser", + "type": "string" + }, + { + "name": "ForensicSnapshotUrl", + "type": "string" + }, + { + "name": "DeviceControlDataPackageManagerSerialNumber", + "type": "string" + }, + { + "name": "DeviceControlDataPackageName", + "type": "string" + }, + { + "name": "DeviceControlDataSts", + "type": "real" + }, + { + "name": "DeviceControlDataNormalizedSeverityId", + "type": "real" + }, + { + "name": "DeviceControlDataDemo", + "type": "boolean" + }, + { + "name": "DeviceControlDataType", + 
"type": "string" + }, + { + "name": "DeviceControlDataEngine", + "type": "string" + }, + { + "name": "DeviceControlDataAudit", + "type": "boolean" + }, + { + "name": "DeviceControlDataDetection", + "type": "string" + }, + { + "name": "DeviceControlDataId", + "type": "string" + }, + { + "name": "DeviceControlDataSilent", + "type": "boolean" + }, + { + "name": "DeviceControlDataDetailsEngVersion", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetVersion", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsPhase", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsAccess", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsRulesetRev", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataHardwareId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataVendorId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataInstanceId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceSubClass", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSetupClassId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataProductName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceClass", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSetupClassName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataDeviceProtocol", + "type": "real" + }, + { + "name": "DeviceControlDataDetailsDeviceDataUsbSpec", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataSerialNumberId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataProductId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsDeviceDataVendorName", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsMatchedRulePriority", + "type": "real" 
+ }, + { + "name": "DeviceControlDataDetailsMatchedRuleId", + "type": "string" + }, + { + "name": "DeviceControlDataDetailsMatchedRuleDisplayName", + "type": "string" + }, + { + "name": "DeviceControlInstanceId", + "type": "string" + }, + { + "name": "DeviceControlDeviceId", + "type": "string" + }, + { + "name": "DeviceControlVendorName", + "type": "string" + }, + { + "name": "DeviceControlVendorId", + "type": "string" + }, + { + "name": "DeviceControlProductName", + "type": "string" + }, + { + "name": "DeviceControlProductId", + "type": "string" + }, + { + "name": "DeviceControlSerialNumberId", + "type": "string" + }, + { + "name": "DeviceControlAccess", + "type": "string" + }, + { + "name": "DeviceControlRuleId", + "type": "string" + }, + { + "name": "DeviceControlConfigurationId", + "type": "string" + }, + { + "name": "DeviceControlConfigurationRevision", + "type": "real" + }, + { + "name": "EndpointIocScanClean", + "type": "boolean" + }, + { + "name": "EndpointIocScanDescription", + "type": "string" + }, + { + "name": "EndpointIocScanScannedObjects", + "type": "real" + }, + { + "name": "EndpointIocScanMatchedObjects", + "type": "real" + }, + { + "name": "EndpointIocScanMaliciousDetections", + "type": "real" + }, + { + "name": "OrbitalVersion", + "type": "string" + }, + { + "name": "OrbitalOldVersion", + "type": "string" + }, + { + "name": "CommandLineArguments", + "type": "string" + }, + { + "name": "CloudIocDescription", + "type": "string" + }, + { + "name": "CloudIocShortDescription", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentReportGuid", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentHuntGuid", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentTitle", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentSummary", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentRemediation", + "type": "string" + }, + { + "name": "ThreatHuntingIncidentStartTime", + "type": "real" + }, + { + "name": 
"ThreatHuntingIncidentEndTime",
+ "type": "real"
+ },
+ {
+ "name": "ThreatHuntingTactics",
+ "type": "string"
+ },
+ {
+ "name": "ThreatHuntingTechniques",
+ "type": "string"
+ },
+ {
+ "name": "ThreatHuntingSeverity",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoDirtyUrl",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoRemoteIp",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoRemotePort",
+ "type": "real"
+ },
+ {
+ "name": "NetworkInfoLocalIp",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoLocalPort",
+ "type": "real"
+ },
+ {
+ "name": "NetworkInfoNfmDirection",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoNfmProtocol",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoParentProcessId",
+ "type": "real"
+ },
+ {
+ "name": "NetworkInfoParentDisposition",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoParentFileName",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoParentIdentitySha256",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoParentIdentitySha1",
+ "type": "string"
+ },
+ {
+ "name": "NetworkInfoParentIdentityMd5",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "CiscoSecureEndpointLogsCCPDefinition",
+ "title": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total audit logs received",
+ "legend": "Cisco Secure Endpoint Audit logs",
+ "baseQuery": "CiscoSecureEndpointAuditLogsV2_CL"
+ },
+ {
+ "metricName": "Total events received",
+ "legend": "Cisco Secure Endpoint Events",
+ "baseQuery": "CiscoSecureEndpointEventsV2_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get a Sample of Cisco Secure Endpoint Audit Logs",
+ "query": "CiscoSecureEndpointAuditLogsV2_CL\n | take 10"
+ },
+ {
+ "description": "Get a Sample of Cisco Secure Endpoint Events",
+ "query": "CiscoSecureEndpointEventsV2_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CiscoSecureEndpointAuditLogsV2_CL",
+ "lastDataReceivedQuery": "CiscoSecureEndpointAuditLogsV2_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "CiscoSecureEndpointEventsV2_CL",
+ "lastDataReceivedQuery": "CiscoSecureEndpointEventsV2_CL\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Cisco Secure Endpoint API Credentials/Regions",
+ "description": "To create API Credentials and to understand the regions, follow the document link provided here. [Click here](https://github.com/v-gudivya/Cisco-Secure-Endpoint/blob/main/README.md)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "To ingest data from Cisco Secure Endpoint to Microsoft Sentinel, you have to click on Add Account button below, then you get a pop up to fill the details like Email, Organization, Client ID, API Key and Region, provide the required information and click on Connect. You can see the connected organizations/emails in the below grid.\n>",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Organization",
+ "columnValue": "properties.addOnAttributes.Organization"
+ },
+ {
+ "columnName": "Email",
+ "columnValue": "properties.addOnAttributes.Email"
+ },
+ {
+ "columnName": "Endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ },
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "isPrimary": true,
+ "label": "Add Account",
+ "title": "Add Account",
+ "subtitle": "Add Account",
+ "contextPaneType": "DataConnectorsContextPane",
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Email",
+ "placeholder": "Enter your Cisco Email",
+ "type": "text",
+ "name": "email",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Organization",
+ "placeholder": "Enter the name of your Organization",
+ "type": "text",
+ "name": "organization",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Client ID",
+ "placeholder": "Enter your Client ID",
+ "type": "text",
+ "name": "username",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint API Key",
+ "placeholder": "Enter your API Key",
+ "type": "password",
+ "name": "apiKey",
+ "required": true
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Cisco Secure Endpoint Region",
+ "placeholder": "Enter the region you want to connect",
+ "type": "text",
+ "name": "region",
+ "required": true,
+ "description": "For example, if your region is https://api.apjc.amp.cisco.com then enter only apjc.amp in the above field. Follow the link provided in the Cisco Secure Endpoint API Credentials/Regions section for better understanding of the regions."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "title": "Connect Cisco Secure Endpoint to Microsoft Sentinel"
 }
 ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
 },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]",
- "contentKind": "HuntingQuery",
- "displayName": "Cisco SE - Suspicious powershel downloads",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]",
- "version": "1.0.0"
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEUncommonApplicationBehavior_HuntingQueries Hunting Query with template version 3.0.0",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+ "contentKind": "ResourcesDataConnector",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Cisco_Secure_Endpoint_Hunting_Query_9",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Cisco SE - Uncommon application behavior",
- "category": "Hunting Queries",
- "query": "CiscoSecureEndpoint\n| where TimeGenerated > ago(24h)\n| where ThreatName has 'launched a shell'\n| order by TimeGenerated desc\n| extend HostCustomEntity = DstHostname\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for uncommon application behavior events."
- },
- {
- "name": "tactics",
- "value": "Execution"
- },
- {
- "name": "techniques",
- "value": "T1204.002"
- }
- ]
- }
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "email": {
+ "defaultValue": "email",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "organization": {
+ "defaultValue": "organization",
+ "type": "securestring",
+ "minLength": 1
 },
+ "username": {
+ "defaultValue": "username",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "apiKey": {
+ "defaultValue": "apiKey",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "region": {
+ "defaultValue": "region",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
+ },
+ "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "properties": {
- "description": "Cisco Secure Endpoint Hunting Query 9",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]",
- "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject9').huntingQueryVersion9]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
 "source": {
- "kind": "Solution",
- "name": "Cisco Secure Endpoint",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
 },
 "author": {
 "name": "Microsoft",
@@ -1166,89 +2892,101 @@
 "link": "https://support.microsoft.com"
 }
 }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]",
- "contentKind": "HuntingQuery",
- "displayName": "Cisco SE - Uncommon application behavior",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]",
- "version": "1.0.0"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "CiscoSEVulnerableApplications_HuntingQueries Hunting Query with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
- "parameters": {},
- "variables": {},
- "resources": [
+ },
 {
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Cisco_Secure_Endpoint_Hunting_Query_10",
+ "name": "[[concat(parameters('innerWorkspace'), '/Microsoft.SecurityInsights', '/CiscoSecureEndpointCCPAuditLogsPoller', parameters('organization'), parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
 "properties": {
- "eTag": "*",
- "displayName": "Cisco SE - Vulnerable applications",
- "category": "Hunting Queries",
- "query": "CiscoSecureEndpoint\n| where TimeGenerated > ago(24h)\n| where EventMessage =~ 'Vulnerable Application Detected'\n| summarize by DstHostname\n| extend HostCustomEntity = DstHostname\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for vulnerable applications on hosts."
- },
- {
- "name": "tactics",
- "value": "Execution"
+ "connectorDefinitionName": "CiscoSecureEndpointLogsCCPDefinition",
+ "dataType": "CiscoSecureEndpointAuditLogsV2_CL",
+ "addOnAttributes": {
+ "Organization": "[[parameters('organization')]",
+ "Email": "[[parameters('email')]"
+ },
+ "dcrConfig": {
+ "streamName": "Custom-CiscoSecureEndpointAuditLogs",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password": "[[parameters('apiKey')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://api.',parameters('region'),'.cisco.com/v1/audit_logs')]",
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 10,
+ "retryCount": 3,
+ "headers": {
+ "Accept": "application/json"
 },
- {
- "name": "techniques",
- "value": "T1204.002"
+ "queryParameters": {
+ "start_time": "{_QueryWindowStartTime}",
+ "end_time": "{_QueryWindowEndTime}"
 }
- ]
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.metadata.links.next"
+ }
 }
 },
 {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]",
+ "name": "[[concat(parameters('innerWorkspace'), '/Microsoft.SecurityInsights', '/CiscoSecureEndpointCCPEventsPoller', parameters('organization'), parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
 "properties": {
- "description": "Cisco Secure Endpoint Hunting Query 10",
- "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]",
- "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryObject10').huntingQueryVersion10]",
- "source": {
- "kind": "Solution",
- "name": "Cisco Secure Endpoint",
- "sourceId": "[variables('_solutionId')]"
+ "connectorDefinitionName": "CiscoSecureEndpointLogsCCPDefinition",
+ "dataType": "CiscoSecureEndpointEventsV2_CL",
+ "addOnAttributes": {
+ "Organization": "[[parameters('organization')]",
+ "Email": "[[parameters('email')]"
 },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
+ "dcrConfig": {
+ "streamName": "Custom-CiscoSecureEndpointEvents",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
 },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
+ "auth": {
+ "type": "Basic",
+ "userName": "[[parameters('username')]",
+ "password": "[[parameters('apiKey')]"
+ },
+ "request": {
+ "apiEndpoint": "[[concat('https://api.',parameters('region'),'.cisco.com/v1/events')]",
+ "httpMethod": "GET",
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryWindowInMin": 10,
+ "retryCount": 3,
+ "headers": {
+ "Accept": "application/json"
+ },
+ "queryParameters": {
+ "start_date": "{_QueryWindowStartTime}"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.metadata.links.next"
 }
 }
 }
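Review bot: Both pollers' `apiEndpoint` expressions in this hunk (`[[concat('https://api.',parameters('region'),'.cisco.com/v1/audit_logs')]` and the `/v1/events` counterpart) splice the free-text `region` parameter into the host name, and the `auth` block directly above each sends the Basic `username`/`apiKey` pair to whatever host that yields, so a mistyped or pasted value containing a `/` changes which host receives the API key. The `region` parameter is declared in the earlier hunk of this file with only `minLength: 1`; constraining it there with `allowedValues` listing the supported region labels (`apjc.amp` is the only example the connector's own description gives, the rest must come from Cisco's region documentation, e.g. `"allowedValues": ["apjc.amp", "<other-region-label>"]`) keeps the credential bound to `*.cisco.com` and turns a paste error into a deployment-time validation failure. A smaller consistency point: the events poller's `queryParameters` carry only `start_date` while the audit-log poller bounds its window with both `start_time` and `end_time`, so successive 10-minute event polls overlap unless the API or the poller de-duplicates; if the events API accepts an end bound, mirroring the audit-log shape would make the two pollers behave alike, which is worth confirming against the API reference the connector description links to.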
@@ -1257,44 +2995,40 @@ "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", - "contentKind": "HuntingQuery", - "displayName": "Cisco SE - Vulnerable applications", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", - "version": "1.0.0" + "version": "[variables('dataConnectorCCPVersion')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[variables('dataConnectorTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Cisco Secure Endpoint data connector with template version 3.0.0", + "description": "Cisco Secure Endpoint data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('dataConnectorVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "GenericUI", "properties": { "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Cisco Secure Endpoint (AMP) (using Azure Functions)", + "id": "[variables('_uiConfigId2')]", + "title": "[DEPRECATED] Cisco Secure Endpoint (AMP) (using Azure Functions)", "publisher": "Cisco", - "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.", + "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

", "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSecureEndpoint**](https://aka.ms/sentinel-ciscosecureendpoint-parser) which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { @@ -1418,12 +3152,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "Cisco Secure Endpoint", 
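Review bot: The deprecation notice added to `descriptionMarkdown` in this hunk tells users to "consider moving to the CCF data connector available in the solution" without naming it, although the replacement is identified elsewhere in this template as `CiscoSecureEndpointLogsCCPDefinition` and the solution's `descriptionHtml` warns that running the legacy and CCF connectors together duplicates ingestion. Name the replacement and carry that warning into the connector text, e.g. `NOTE: This data connector has been deprecated. Use the CiscoSecureEndpointLogsCCPDefinition (Codeless Connector Framework) connector instead; running both ingests duplicate data, so disable this connector's Function App once the CCF connector is confirmed working.` The same text is repeated in the `@@ -1487,16 +3221,16 @@` hunk. Separately, this hunk moves the legacy connector's `id`, `contentId` and version from the `*1` variables to `*2` variables; if the underlying values changed rather than being renumbered, workspaces that already have the legacy connector installed may see it as a new, separate connector, which is worth confirming against the variables block outside this hunk.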
@@ -1448,27 +3182,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", + "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "Cisco Secure Endpoint (AMP) (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" + "displayName": "[DEPRECATED] Cisco Secure Endpoint (AMP) (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ - "[variables('_dataConnectorId1')]" + "[variables('_dataConnectorId2')]" ], "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + 
"version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "Cisco Secure Endpoint", @@ -1487,16 +3221,16 @@ } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Cisco Secure Endpoint (AMP) (using Azure Functions)", + "title": "[DEPRECATED] Cisco Secure Endpoint (AMP) (using Azure Functions)", "publisher": "Cisco", - "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.", + "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

", "graphQueries": [ { "metricName": "Cisco Secure Endpoint logs", @@ -1613,7 +3347,7 @@ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCISCO_SE_API_API_HOST\n\t\tCISCO_SE_API_CLIENT_ID\n\t\tCISCO_SE_API_KEY\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**." } ], - "id": "[variables('_uiConfigId1')]", + "id": "[variables('_uiConfigId2')]", "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSecureEndpoint**](https://aka.ms/sentinel-ciscosecureendpoint-parser) which is deployed with the Microsoft Sentinel Solution." } } @@ -1627,7 +3361,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoEndpointHighAlert_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoEndpointHighAlert_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -1655,10 +3389,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint_CL" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -1674,31 +3408,31 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "columnName": "NetworkAddresses_ip", - "identifier": "Address" + "identifier": "Address", + "columnName": "NetworkAddresses_ip" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "columnName": "computer_hostname_s", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "computer_hostname_s" } - ], - "entityType": "Host" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "columnName": "computer_links_trajectory_s", - "identifier": "Url" + "identifier": "Url", + "columnName": "computer_links_trajectory_s" } - ], - "entityType": "URL" + ] } ] } @@ -1754,7 +3488,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEC2Connection_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEC2Connection_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1782,10 +3516,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ 
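Review bot: The `requiredDataConnectors` entries reordered in this hunk (and in the matching hunks through `@@ -2775,10 +4509,10 @@`) still list only `"connectorId": "CiscoSecureEndpoint"` with the legacy `CiscoSecureEndpoint_CL` / `CiscoSecureEndpoint` data types, even though this change ships a second `RestApiPoller` connector whose `dataType` is `CiscoSecureEndpointEventsV2_CL` and marks the legacy one `[DEPRECATED]`. A user who installs only the CCF connector is therefore likely to see every analytics rule report its required connector as not connected. If the rule queries go through the `CiscoSecureEndpoint` parser and work on the V2 tables, add a second entry such as `{ "connectorId": "<CCF connector id>", "dataTypes": [ "CiscoSecureEndpointEventsV2_CL" ] }`; if they query `CiscoSecureEndpoint_CL` directly, the rules need the same migration as the parser. The key reordering inside `entityMappings` is cosmetic and raises nothing.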
@@ -1796,22 +3530,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } @@ -1867,7 +3601,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEDropperActivity_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEDropperActivity_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1895,10 +3629,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -1912,22 +3646,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } 
@@ -1983,7 +3717,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEGenIoC_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEGenIoC_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2011,10 +3745,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -2028,22 +3762,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } @@ -2099,7 +3833,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEMalwareExecution_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEMalwareExecution_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2127,10 +3861,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -2144,22 +3878,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } @@ -2215,7 +3949,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEMalwareOutbreak_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEMalwareOutbreak_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2243,10 +3977,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -2258,13 +3992,13 @@ ], "entityMappings": [ { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } 
@@ -2320,7 +4054,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEMultipleMalwareOnHost_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEMultipleMalwareOnHost_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2348,10 +4082,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -2363,13 +4097,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } @@ -2425,7 +4159,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEPolicyUpdateFailure_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEPolicyUpdateFailure_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2453,10 +4187,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ 
@@ -2467,13 +4201,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } @@ -2529,7 +4263,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSERansomwareActivityOnHost copy_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSERansomwareActivityOnHost copy_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2557,10 +4291,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -2571,22 +4305,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } 
@@ -2642,7 +4376,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEUnexpectedBinary_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEUnexpectedBinary_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2670,10 +4404,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ @@ -2685,13 +4419,13 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] } ] } @@ -2747,7 +4481,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEWebshell_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CiscoSEWebshell_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -2775,10 +4509,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CiscoSecureEndpoint", "dataTypes": [ "CiscoSecureEndpoint" - ] + ], + "connectorId": "CiscoSecureEndpoint" } ], "tactics": [ 
@@ -2789,22 +4523,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "columnName": "HostCustomEntity", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "Malware", "fieldMappings": [ { - "columnName": "MalwareCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "MalwareCustomEntity" } - ], - "entityType": "Malware" + ] } ] } @@ -2856,12 +4590,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Cisco Secure Endpoint", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint audit logs and events into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Log Ingestion API in Azure Monitor

    \n
  2. \n
  3. Microsoft Sentinel Codeless Connector Framework

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of \"CiscoSecureEndpointLogsCCPDefinition\" (via Codeless Connector Framework). This connector is build on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, which replaces ingestion via the deprecated HTTP Data Collector API. CCF-based data connectors also support Data Collection Rules (DCRs) offering transformations and enrichment.

\n

Important: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data..

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2948,8 +4682,13 @@ }, { "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" }, { "kind": "AnalyticsRule", diff --git a/Solutions/Cisco Secure Endpoint/Package/testParameters.json b/Solutions/Cisco Secure Endpoint/Package/testParameters.json index c9391a6a315..c42729f7d87 100644 --- a/Solutions/Cisco Secure Endpoint/Package/testParameters.json +++ b/Solutions/Cisco Secure Endpoint/Package/testParameters.json @@ -28,5 +28,19 @@ "metadata": { "description": "Name for the workbook" } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } } } diff --git a/Solutions/Cisco Secure Endpoint/Parsers/CiscoSecureEndpoint.yaml b/Solutions/Cisco Secure Endpoint/Parsers/CiscoSecureEndpoint.yaml index e236f34cb2d..1650f51ecb4 100644 --- a/Solutions/Cisco Secure Endpoint/Parsers/CiscoSecureEndpoint.yaml +++ b/Solutions/Cisco Secure Endpoint/Parsers/CiscoSecureEndpoint.yaml 
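Review bot: The new `descriptionHtml` text in the `@@ -2856,12 +4590,12 @@` hunk has two wording defects that will ship to the Content Hub page: `This connector is build on the Codeless Connector Framework` should read `is built on`, and `to avoid duplication of data..` ends with a doubled period. Since the dependency list in the same text now names only the Log Ingestion API and the Codeless Connector Framework while `Data Connectors: 2` counts the legacy Function App connector too, consider adding one sentence stating that the legacy connector remains in the package as `[DEPRECATED]` so the count is explained to readers.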
@@ -7,52 +7,149 @@ Category: Microsoft Sentinel Parser FunctionName: CiscoSecureEndpoint FunctionAlias: CiscoSecureEndpoint FunctionQuery: | + let CiscoSecureEndpoint_View = view () { CiscoSecureEndpoint_CL | extend EventVendor = 'Cisco', EventProduct = 'Cisco Secure Endpoint' - | project-rename - EventSubType = audit_log_type_s, - SrcUserName = audit_log_user_s, - DstMacAddr = computer_network_addresses_s, - DstHostname = computer_hostname_s, - DstUsername = computer_user_s, - DstIpAddr = computer_external_ip_s, - ConnectorGuid = connector_guid_g, - GroupGuid = group_guids_s, - DvcId = id_d, - EventOriginalId = event_type_id_d, - ThreatName = detection_s, - ThreatId = detection_id_s, - ThreatSeverity = severity_s, - DstDvcHostname = new_attributes_name_s, - DvcHostname = new_attributes_hostname_s, - DvcIpAddr = new_attributes_ip_external_s, - DstDvcOsId = new_attributes_operating_system_id_d, - EventProductVersion = new_attributes_product_version_id_d, - SrcDvcId = computer_connector_guid_g, - ComputerLinksComputer = computer_links_computer_s, - ComputerLinksTrajectory = computer_links_trajectory_s, - ComputerLinksGroup = computer_links_group_s, - IndicatorThreatType = file_disposition_s, - SrcFileName = file_file_name_s, - SrcFilePath = file_file_path_s, - SrcFileMD5 = file_identity_md5_g, - SrcFileSHA1 = file_identity_sha1_s, - SrcFileSHA256 = file_identity_sha256_s, - ParentProcessId = file_parent_process_id_d, - ParentProcessMD5 = file_parent_identity_md5_g, - ParentProcessSHA1 = file_parent_identity_sha1_s, - ParentProcessSHA256 = file_parent_identity_sha256_s, - ParentProcessName = file_parent_file_name_s, - ParentProcessFileDescription = file_parent_disposition_s | extend - EventEndTime=iff(isnotempty(created_at_t), created_at_t, date_t), + EventSubType = column_ifexists('audit_log_type_s', ''), + SrcUserName = column_ifexists('audit_log_user_s', ''), + DstMacAddr = column_ifexists('computer_network_addresses_s', ''), + DstHostname = 
column_ifexists('computer_hostname_s', ''), + DstUsername = column_ifexists('computer_user_s', ''), + DstIpAddr = column_ifexists('computer_external_ip_s', ''), + ConnectorGuid = column_ifexists('connector_guid_g', ''), + GroupGuid = column_ifexists('group_guids_s', ''), + DvcId = column_ifexists('id_d', ''), + EventOriginalId = column_ifexists('event_type_id_d', ''), + ThreatName = column_ifexists('detection_s', ''), + ThreatId = column_ifexists('detection_id_s', ''), + ThreatSeverity = column_ifexists('severity_s', ''), + DstDvcHostname = column_ifexists('new_attributes_name_s', ''), + DvcHostname = column_ifexists('new_attributes_hostname_s', ''), + DvcIpAddr = column_ifexists('new_attributes_ip_external_s', ''), + DstDvcOsId = column_ifexists('new_attributes_operating_system_id_d', ''), + EventProductVersion = column_ifexists('new_attributes_product_version_id_d', ''), + SrcDvcId = column_ifexists('computer_connector_guid_g', ''), + ComputerLinksComputer = column_ifexists('computer_links_computer_s', ''), + ComputerLinksTrajectory = column_ifexists('computer_links_trajectory_s', ''), + ComputerLinksGroup = column_ifexists('computer_links_group_s', ''), + IndicatorThreatType = column_ifexists('file_disposition_s', ''), + SrcFileName = column_ifexists('file_file_name_s', ''), + SrcFilePath = column_ifexists('file_file_path_s', ''), + SrcFileMD5 = column_ifexists('file_identity_md5_g', ''), + SrcFileSHA1 = column_ifexists('file_identity_sha1_s', ''), + SrcFileSHA256 = column_ifexists('file_identity_sha256_s', ''), + ParentProcessId = column_ifexists('file_parent_process_id_d', ''), + ParentProcessMD5 = column_ifexists('file_parent_identity_md5_g', ''), + ParentProcessSHA1 = column_ifexists('file_parent_identity_sha1_s', ''), + ParentProcessSHA256 = column_ifexists('file_parent_identity_sha256_s', ''), + ParentProcessName = column_ifexists('file_parent_file_name_s', ''), + ParentProcessFileDescription = column_ifexists('file_parent_disposition_s', '') + | extend + 
EventEndTime=iff(isnotempty(created_at_t), todatetime(created_at_t), todatetime(date_t)), EventMessage=iff(isnotempty(event_s), event_s, event_type_s), Hostname = DstHostname, User = DstUsername - | project-away - created_at_t, - date_t, - event_s, - event_type_s \ No newline at end of file + }; + let CiscoSecureEndpointAudit_View = view () { + CiscoSecureEndpointAuditLogsV2_CL + | extend + EventVendor = 'Cisco', + EventProduct = 'Cisco Secure Endpoint' + | extend + EventSubType = column_ifexists('AuditLogType', ''), + SrcUserName = column_ifexists('AuditLogUser', ''), + DstDvcHostname = column_ifexists('NewAttributes.name', ''), + DvcHostname = column_ifexists('NewAttributes.hostname', ''), + DvcIpAddr = column_ifexists('NewAttributes.ip_external', ''), + DstDvcOsId = column_ifexists('NewAttributes.operating_system_id', ''), + EventProductVersion = column_ifexists('NewAttributes.product_version_id', ''), + EventEndTime = todatetime(column_ifexists('CreatedAt', '')), + EventMessage = column_ifexists('Event', '') + }; + let CiscoSecureEndpointEvent_View = view () { + CiscoSecureEndpointEventsV2_CL + | extend + EventVendor = 'Cisco', + EventProduct = 'Cisco Secure Endpoint' + | extend + DstMacAddr = column_ifexists('ComputerNetworkAddresses', ''), + DstHostname = column_ifexists('ComputerHostname', ''), + DstUsername = column_ifexists('ComputerUser', ''), + DstIpAddr = column_ifexists('ComputerExternalIp', ''), + ConnectorGuid = column_ifexists('ConnectorGuid', ''), + GroupGuid = column_ifexists('GroupGuids', ''), + DvcId = column_ifexists('Id', ''), + ThreatName = column_ifexists('Detection', ''), + ThreatId = column_ifexists('DetectionId', ''), + ThreatSeverity = column_ifexists('Severity', ''), + EventOriginalId = column_ifexists('EventTypeId', ''), + SrcDvcId = column_ifexists('ComputerConnectorGuid', ''), + ComputerLinksComputer = column_ifexists('ComputerLinksComputer', ''), + ComputerLinksTrajectory = column_ifexists('ComputerLinksTrajectory', ''), + 
ComputerLinksGroup = column_ifexists('ComputerLinksGroup', ''), + IndicatorThreatType = column_ifexists('FileDisposition', ''), + SrcFileName = column_ifexists('FileFileName', ''), + SrcFilePath = column_ifexists('FileFilePath', ''), + SrcFileMD5 = column_ifexists('FileIdentityMd5', ''), + SrcFileSHA1 = column_ifexists('FileIdentitySha1', ''), + SrcFileSHA256 = column_ifexists('FileIdentitySha256', ''), + ParentProcessId = column_ifexists('FileParentProcessId', ''), + ParentProcessMD5 = column_ifexists('FileParentIdentityMd5', ''), + ParentProcessSHA1 = column_ifexists('FileParentIdentitySha1', ''), + ParentProcessSHA256 = column_ifexists('FileParentIdentitySha256', ''), + ParentProcessName = column_ifexists('FileParentFileName', ''), + ParentProcessFileDescription = column_ifexists('FileParentDisposition', ''), + EventEndTime = todatetime(column_ifexists('Date', '')), + EventMessage = column_ifexists('EventType', '') + | extend + Hostname = DstHostname, + User = DstUsername + }; + union isfuzzy=true + (CiscoSecureEndpoint_View), + (CiscoSecureEndpointAudit_View), + (CiscoSecureEndpointEvent_View) + | project + EventVendor, + EventProduct, + EventSubType, + SrcUserName, + DstMacAddr, + DstHostname, + DstUsername, + DstIpAddr, + ConnectorGuid, + GroupGuid, + DvcId, + EventOriginalId, + ThreatName, + ThreatId, + ThreatSeverity, + DstDvcHostname, + DvcHostname, + DvcIpAddr, + DstDvcOsId, + EventProductVersion, + SrcDvcId, + ComputerLinksComputer, + ComputerLinksTrajectory, + ComputerLinksGroup, + IndicatorThreatType, + SrcFileName, + SrcFilePath, + SrcFileMD5, + SrcFileSHA1, + SrcFileSHA256, + ParentProcessId, + ParentProcessMD5, + ParentProcessSHA1, + ParentProcessSHA256, + ParentProcessName, + ParentProcessFileDescription, + EventEndTime, + EventMessage, + Hostname, + User \ No newline at end of file diff --git a/Solutions/Cisco Secure Endpoint/ReleaseNotes.md b/Solutions/Cisco Secure Endpoint/ReleaseNotes.md index 7c77a4562f1..f664544787f 100644 
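Review bot: The trailing `| project` of the rewritten function no longer emits `TimeGenerated` — the old query only projected away `created_at_t`, `date_t`, `event_s` and `event_type_s`, so the timestamp and every unmapped raw column survived, whereas the new whitelist silently drops them and any rule, hunting query or workbook that filters or bins on `TimeGenerated` through `CiscoSecureEndpoint` will stop working; `TimeGenerated,` needs to be added to the list. In `CiscoSecureEndpointAudit_View`, `column_ifexists('NewAttributes.name', '')` and its four siblings look for a column literally named `NewAttributes.name`; if `NewAttributes` is ingested as one JSON-bearing column, which the dotted names suggest, those five fields will always evaluate to the default `''` and should read the object via `todynamic(NewAttributes).name` instead. The three views also give the same output column different types per branch (e.g. `DstDvcOsId` is the real `_d` column in the legacy view but the string default `''` in the audit view); as far as I recall Kusto's `union` then splits such a column into type-suffixed ones like `DstDvcOsId_real`/`DstDvcOsId_string`, so each mapping should be cast to one agreed type. A sketch of the audit view and the project tail follows.

```kusto
let CiscoSecureEndpointAudit_View = view () {
    CiscoSecureEndpointAuditLogsV2_CL
    // … unchanged: EventVendor / EventProduct extend …
    | extend NewAttributesObj = todynamic(column_ifexists('NewAttributes', ''))
    | extend
        EventSubType = tostring(column_ifexists('AuditLogType', '')),
        SrcUserName = tostring(column_ifexists('AuditLogUser', '')),
        DstDvcHostname = tostring(NewAttributesObj.name),
        DvcHostname = tostring(NewAttributesObj.hostname),
        DvcIpAddr = tostring(NewAttributesObj.ip_external),
        DstDvcOsId = toreal(NewAttributesObj.operating_system_id),
        EventProductVersion = toreal(NewAttributesObj.product_version_id),
        EventEndTime = todatetime(column_ifexists('CreatedAt', '')),
        EventMessage = tostring(column_ifexists('Event', ''))
};
// … unchanged: CiscoSecureEndpointEvent_View and the union …
| project
    TimeGenerated,
    EventVendor,
    // … unchanged: remaining projected columns …
    User
```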
--- a/Solutions/Cisco Secure Endpoint/ReleaseNotes.md +++ b/Solutions/Cisco Secure Endpoint/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory** | |-------------|-------------------------------|-----------------------------------------------| -| 3.0.0 | 28-08-2024 | Updated the python runtime version to 3.11 | - +| 3.0.1 | 23-06-2025 | Adding a new **CCF Data Connector** - *Cisco Secure Endpoint* and updates the **Parser** to handle the newly introduced table. | +| 3.0.0 | 28-08-2024 | Updated the python runtime version to 3.11. |