diff --git a/Solutions/Cyfirma Attack Surface/ReleaseNotes.md b/Solutions/Cyfirma Attack Surface/ReleaseNotes.md
index 6aabc8007b9..46a55cd7a50 100644
--- a/Solutions/Cyfirma Attack Surface/ReleaseNotes.md
+++ b/Solutions/Cyfirma Attack Surface/ReleaseNotes.md
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.1 | 17-06-2025 | Minor changes to **CCF Data Connector**. |
 | 3.0.0 | 14-04-2025 | Initial Solution Release. |
\ No newline at end of file
diff --git a/Solutions/Cyfirma Brand Intelligence/ReleaseNotes.md b/Solutions/Cyfirma Brand Intelligence/ReleaseNotes.md
index 6aabc8007b9..46a55cd7a50 100644
--- a/Solutions/Cyfirma Brand Intelligence/ReleaseNotes.md
+++ b/Solutions/Cyfirma Brand Intelligence/ReleaseNotes.md
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.1 | 17-06-2025 | Minor changes to **CCF Data Connector**. |
 | 3.0.0 | 14-04-2025 | Initial Solution Release. |
\ No newline at end of file
diff --git a/Solutions/Cyfirma Compromised Accounts/ReleaseNotes.md b/Solutions/Cyfirma Compromised Accounts/ReleaseNotes.md
index e69de29bb2d..104185f6046 100644
--- a/Solutions/Cyfirma Compromised Accounts/ReleaseNotes.md
+++ b/Solutions/Cyfirma Compromised Accounts/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.0 | 17-06-2025 | Initial Solution Release. |
\ No newline at end of file
diff --git a/Solutions/Cyfirma Cyber Intelligence/ReleaseNotes.md b/Solutions/Cyfirma Cyber Intelligence/ReleaseNotes.md
index e69de29bb2d..104185f6046 100644
--- a/Solutions/Cyfirma Cyber Intelligence/ReleaseNotes.md
+++ b/Solutions/Cyfirma Cyber Intelligence/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.0 | 17-06-2025 | Initial Solution Release. |
\ No newline at end of file
diff --git a/Solutions/Cyfirma Digital Risk/ReleaseNotes.md b/Solutions/Cyfirma Digital Risk/ReleaseNotes.md
index 6aabc8007b9..46a55cd7a50 100644
--- a/Solutions/Cyfirma Digital Risk/ReleaseNotes.md
+++ b/Solutions/Cyfirma Digital Risk/ReleaseNotes.md
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.1 | 17-06-2025 | Minor changes to **CCF Data Connector**. |
 | 3.0.0 | 14-04-2025 | Initial Solution Release. |
\ No newline at end of file
diff --git a/Solutions/Cyfirma Vulnerabilities Intel/ReleaseNotes.md b/Solutions/Cyfirma Vulnerabilities Intel/ReleaseNotes.md
index e69de29bb2d..104185f6046 100644
--- a/Solutions/Cyfirma Vulnerabilities Intel/ReleaseNotes.md
+++ b/Solutions/Cyfirma Vulnerabilities Intel/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------------------------------|
+| 3.0.0 | 17-06-2025 | Initial Solution Release. |
\ No newline at end of file
diff --git a/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_DCR.json b/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_DCR.json
index ff4d35916e6..afb913f8ed7 100644
--- a/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_DCR.json
+++ b/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_DCR.json
@@ -5,49 +5,6 @@
 "type": "Microsoft.Insights/dataCollectionRules",
 "location": "{{location}}",
 "properties": {
- "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
- "streamDeclarations": {
- "Custom-GCPCLOUDIDS": {
- "columns": [
- {
- "name": "insertId",
- "type": "string"
- },
- {
- "name": "logName",
- "type": "string"
- },
- {
- "name": "protoPayload",
- "type": "dynamic"
- },
- {
- "name": "resource",
- "type": "dynamic"
- },
- {
- "name": "severity",
- "type": "string"
- },
- {
- "name": "timestamp",
- "type": "datetime"
- },
- {
- "name": "jsonPayload",
- "type": "dynamic"
- },
- {
- "name": "receiveTimestamp",
- "type": "datetime"
- },
- {
- "name": "operation",
- "type": "string"
- }
- ]
- }
- },
 "destinations": {
 "logAnalytics": [
 {
@@ -59,13 +16,12 @@ "dataFlows": [ { "streams": [ - "Custom-GCPCLOUDIDS" + "Microsoft-GCPIDS" ], "destinations": [ "clv2ws1" ], - "transformKql": "source | extend JsonPayloadDynamic = parse_json(jsonPayload) | extend OperationDynamic = parse_json(operation) | extend ProtoPayloadDynamic = parse_json(protoPayload) | extend ResourceDynamic = parse_json(resource) | extend InsertId = insertId, LogName = logName, Severity = severity, Timestamp = timestamp, ReceiveTimestamp = receiveTimestamp, PayloadType = tostring(ProtoPayloadDynamic['@type']), AuthenticationInfoPrincipalEmail = tostring(ProtoPayloadDynamic['authenticationInfo']['principalEmail']), AuthorizationInfo = tostring(ProtoPayloadDynamic['authorizationInfo']), MethodName = tostring(ProtoPayloadDynamic['methodName']), NumResponseItems = tostring(ProtoPayloadDynamic['numResponseItems']), RequestType = tostring(ProtoPayloadDynamic['request']['@type']), RequestName = tostring(ProtoPayloadDynamic['request']['name']), RequestParent = tostring(ProtoPayloadDynamic['request']['parent']), RequestEndpointName = tostring(ProtoPayloadDynamic['request']['endpoint']['name']), RequestEndpointNetwork = tostring(ProtoPayloadDynamic['request']['endpoint']['network']), RequestEndpointSeverity = tostring(ProtoPayloadDynamic['request']['endpoint']['severity']), RequestEndpointTrafficLogs = tostring(ProtoPayloadDynamic['request']['endpoint']['traffic_logs']), RequestEndpointId = tostring(ProtoPayloadDynamic['request']['endpoint_id']), RequestEndpointThreatExceptions = tostring(ProtoPayloadDynamic['request']['endpoint']['threat_exceptions']), RequestUpdateMaskPaths = tostring(ProtoPayloadDynamic['request']['update_mask']['paths']), RequestMetadataCallerIP = tostring(ProtoPayloadDynamic['requestMetadata']['callerIp']), RequestMetadataDestinationAttributes = tostring(ProtoPayloadDynamic['requestMetadata']['destinationAttributes']), RequestMetadataRequestAttributesTime = 
todatetime(ProtoPayloadDynamic['requestMetadata']['requestAttributes']['time']), RequestMetadataRequestAttributesAuth = tostring(ProtoPayloadDynamic['requestMetadata']['requestAttributes']['auth']), RequestMetadataRequestAttributesReason = tostring(ProtoPayloadDynamic['requestMetadata']['requestAttributes']['reason']), ResourceLocationCurrentLocations = tostring(ProtoPayloadDynamic['resourceLocation']['currentLocations']), ResponseType = tostring(ProtoPayloadDynamic['response']['@type']), ResponseName = tostring(ProtoPayloadDynamic['response']['name']), ResponseNetwork = tostring(ProtoPayloadDynamic['response']['network']), ResponseSeverity = tostring(ProtoPayloadDynamic['response']['severity']), ResponseState = tostring(ProtoPayloadDynamic['response']['state']), ResponseThreatExceptions = tostring(ProtoPayloadDynamic['response']['threatExceptions']), ResponseTrafficLogs = tobool(ProtoPayloadDynamic['response']['trafficLogs']), ResourceName = tostring(ProtoPayloadDynamic['resourceName']), ServiceName = tostring(ProtoPayloadDynamic['serviceName']), Status = tostring(ProtoPayloadDynamic['status']), ResourceLabelsMethod = tostring(ResourceDynamic['labels']['method']), ResourceLabelsProjectId = tostring(ResourceDynamic['labels']['project_id']), ResourceLabelsService = tostring(ResourceDynamic['labels']['service']), ResourceLabelsId = tostring(ResourceDynamic['labels']['id']), ResourceLabelsLocation = tostring(ResourceDynamic['labels']['location']), ResourceLabelsResourceContainer = tostring(ResourceDynamic['labels']['resource_container']), ResourceType = tostring(ResourceDynamic['type']), OperationId = tostring(OperationDynamic['id']), OperationFirst = tobool(OperationDynamic['first']), OperationLast = tobool(OperationDynamic['last']), OperationProducer = tostring(OperationDynamic['producer']), Application = tostring(JsonPayloadDynamic['application']), DestinationIPAddress = tostring(JsonPayloadDynamic['destination_ip_address']), DestinationPort = 
tostring(JsonPayloadDynamic['destination_port']), ElapsedTime = tostring(JsonPayloadDynamic['elapsed_time']), Network = tostring(JsonPayloadDynamic['network']), RepeatCount = tostring(JsonPayloadDynamic['repeat_count']), SessionId = tostring(JsonPayloadDynamic['session_id']), SourcePort = tostring(JsonPayloadDynamic['source_port']), StartTime = todatetime(JsonPayloadDynamic['start_time']), TotalBytes = tostring(JsonPayloadDynamic['total_bytes']), TotalPackets = tostring(JsonPayloadDynamic['total_packets']), AlertSeverity = tostring(JsonPayloadDynamic['alert_severity']), AlertTime = todatetime(JsonPayloadDynamic['alert_time']), Category = tostring(JsonPayloadDynamic['category']), CVEs = tostring(JsonPayloadDynamic['cves']), Details = tostring(JsonPayloadDynamic['details']), Direction = tostring(JsonPayloadDynamic['direction']), JsonPayloadName = tostring(JsonPayloadDynamic['name']), ThreatId = tostring(JsonPayloadDynamic['threat_id']), JsonPayloadType = tostring(JsonPayloadDynamic['type']), URIOrFilename = tostring(JsonPayloadDynamic['uri_or_filename']), IPProtocol = tostring(JsonPayloadDynamic['ip_protocol']), SourceIPAddress = tostring(JsonPayloadDynamic['source_ip_address']), TimeGenerated = now() | project-away protoPayload, resource, operation, jsonPayload", - "outputStream": "Microsoft-GCPIDS" + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}" } ] } diff --git a/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_PollingConfig.json b/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_PollingConfig.json index 342546b32d8..7c14eb0b0a8 100644 --- a/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_PollingConfig.json +++ b/Solutions/GoogleCloudPlatformIDS/Data Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_PollingConfig.json 
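Review bot: The `dataCollectionEndpointId` this hunk adds sits inside the dataFlows element, while the @@ -5,49 hunk above removed it from the rule's `properties`, and in the hunks shown nothing puts it back at that level; in the DCR schema as I know it, `dataCollectionEndpointId` is a `properties`-level field and a dataFlow entry carries `streams`, `destinations`, `transformKql` and `outputStream`, so the endpoint binding appears to be lost and the extra key is at best ignored. Keep `"dataCollectionEndpointId": "{{dataCollectionEndpointId}}",` at the `properties` level where the first hunk dropped it and remove the line from the dataFlow, so `"destinations": [ "clv2ws1" ]` closes the element. The same misplaced entry is added by the mainTemplate.json @@ -280 hunk, which at least re-adds the `properties`-level value via `variables('dataCollectionEndpointId')`. Dropping `transformKql` with the move to the standard `Microsoft-GCPIDS` input stream also drops the `TimeGenerated = now()` assignment and the `project-away` of the raw payload columns; I cannot see from here whether the standard stream supplies those, so it is worth confirming before the package is rebuilt.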
@@ -9,7 +9,7 @@
 "connectorDefinitionName": "GCPCLOUDIDSLogsCCPDefinition",
 "dataType": "GCPIDS",
 "dcrConfig": {
- "streamName": "Custom-GCPCLOUDIDS",
+ "streamName": "SENTINEL_GCP_IDS_LOGS",
 "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
 "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
 },
diff --git a/Solutions/GoogleCloudPlatformIDS/Package/3.0.0.zip b/Solutions/GoogleCloudPlatformIDS/Package/3.0.0.zip
index 5bc555b8d6a..0654f1e4ae7 100644
Binary files a/Solutions/GoogleCloudPlatformIDS/Package/3.0.0.zip and b/Solutions/GoogleCloudPlatformIDS/Package/3.0.0.zip differ
diff --git a/Solutions/GoogleCloudPlatformIDS/Package/mainTemplate.json b/Solutions/GoogleCloudPlatformIDS/Package/mainTemplate.json
index 62a00e001ab..119ec5e22c6 100644
--- a/Solutions/GoogleCloudPlatformIDS/Package/mainTemplate.json
+++ b/Solutions/GoogleCloudPlatformIDS/Package/mainTemplate.json
@@ -56,7 +56,7 @@
 "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
 "_dataConnectorContentIdConnections1": "GCPCLOUDIDSLogsCCPDefinitionConnections",
 "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
- "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
 "blanks": "[replace('b', 'b', '')]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
@@ -226,49 +226,6 @@
 "location": "[parameters('workspace-location')]",
 "kind": "[variables('blanks')]",
 "properties": {
- "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]",
- "streamDeclarations": {
- "Custom-GCPCLOUDIDS": {
- "columns": [
- {
- "name": "insertId",
- "type": "string"
- },
- {
- "name": "logName",
- "type": "string"
- },
- {
- "name": "protoPayload",
- "type": "dynamic"
- },
- {
- "name": "resource",
- "type": "dynamic"
- },
- {
- "name": "severity",
- "type": "string"
- },
- {
- "name": "timestamp",
- "type": "datetime"
- },
- {
- "name": "jsonPayload",
- "type": "dynamic"
- },
- {
- "name": "receiveTimestamp",
- "type": "datetime"
- },
- {
- "name": "operation",
- "type": "string"
- }
- ]
- }
- },
 "destinations": {
 "logAnalytics": [
 {
@@ -280,15 +237,15 @@ "dataFlows": [ { "streams": [ - "Custom-GCPCLOUDIDS" + "Microsoft-GCPIDS" ], "destinations": [ "clv2ws1" ], - "transformKql": "source | extend JsonPayloadDynamic = parse_json(jsonPayload) | extend OperationDynamic = parse_json(operation) | extend ProtoPayloadDynamic = parse_json(protoPayload) | extend ResourceDynamic = parse_json(resource) | extend InsertId = insertId, LogName = logName, Severity = severity, Timestamp = timestamp, ReceiveTimestamp = receiveTimestamp, PayloadType = tostring(ProtoPayloadDynamic['@type']), AuthenticationInfoPrincipalEmail = tostring(ProtoPayloadDynamic['authenticationInfo']['principalEmail']), AuthorizationInfo = tostring(ProtoPayloadDynamic['authorizationInfo']), MethodName = tostring(ProtoPayloadDynamic['methodName']), NumResponseItems = tostring(ProtoPayloadDynamic['numResponseItems']), RequestType = tostring(ProtoPayloadDynamic['request']['@type']), RequestName = tostring(ProtoPayloadDynamic['request']['name']), RequestParent = tostring(ProtoPayloadDynamic['request']['parent']), RequestEndpointName = tostring(ProtoPayloadDynamic['request']['endpoint']['name']), RequestEndpointNetwork = tostring(ProtoPayloadDynamic['request']['endpoint']['network']), RequestEndpointSeverity = tostring(ProtoPayloadDynamic['request']['endpoint']['severity']), RequestEndpointTrafficLogs = tostring(ProtoPayloadDynamic['request']['endpoint']['traffic_logs']), RequestEndpointId = tostring(ProtoPayloadDynamic['request']['endpoint_id']), RequestEndpointThreatExceptions = tostring(ProtoPayloadDynamic['request']['endpoint']['threat_exceptions']), RequestUpdateMaskPaths = tostring(ProtoPayloadDynamic['request']['update_mask']['paths']), RequestMetadataCallerIP = tostring(ProtoPayloadDynamic['requestMetadata']['callerIp']), RequestMetadataDestinationAttributes = tostring(ProtoPayloadDynamic['requestMetadata']['destinationAttributes']), RequestMetadataRequestAttributesTime = 
todatetime(ProtoPayloadDynamic['requestMetadata']['requestAttributes']['time']), RequestMetadataRequestAttributesAuth = tostring(ProtoPayloadDynamic['requestMetadata']['requestAttributes']['auth']), RequestMetadataRequestAttributesReason = tostring(ProtoPayloadDynamic['requestMetadata']['requestAttributes']['reason']), ResourceLocationCurrentLocations = tostring(ProtoPayloadDynamic['resourceLocation']['currentLocations']), ResponseType = tostring(ProtoPayloadDynamic['response']['@type']), ResponseName = tostring(ProtoPayloadDynamic['response']['name']), ResponseNetwork = tostring(ProtoPayloadDynamic['response']['network']), ResponseSeverity = tostring(ProtoPayloadDynamic['response']['severity']), ResponseState = tostring(ProtoPayloadDynamic['response']['state']), ResponseThreatExceptions = tostring(ProtoPayloadDynamic['response']['threatExceptions']), ResponseTrafficLogs = tobool(ProtoPayloadDynamic['response']['trafficLogs']), ResourceName = tostring(ProtoPayloadDynamic['resourceName']), ServiceName = tostring(ProtoPayloadDynamic['serviceName']), Status = tostring(ProtoPayloadDynamic['status']), ResourceLabelsMethod = tostring(ResourceDynamic['labels']['method']), ResourceLabelsProjectId = tostring(ResourceDynamic['labels']['project_id']), ResourceLabelsService = tostring(ResourceDynamic['labels']['service']), ResourceLabelsId = tostring(ResourceDynamic['labels']['id']), ResourceLabelsLocation = tostring(ResourceDynamic['labels']['location']), ResourceLabelsResourceContainer = tostring(ResourceDynamic['labels']['resource_container']), ResourceType = tostring(ResourceDynamic['type']), OperationId = tostring(OperationDynamic['id']), OperationFirst = tobool(OperationDynamic['first']), OperationLast = tobool(OperationDynamic['last']), OperationProducer = tostring(OperationDynamic['producer']), Application = tostring(JsonPayloadDynamic['application']), DestinationIPAddress = tostring(JsonPayloadDynamic['destination_ip_address']), DestinationPort = 
tostring(JsonPayloadDynamic['destination_port']), ElapsedTime = tostring(JsonPayloadDynamic['elapsed_time']), Network = tostring(JsonPayloadDynamic['network']), RepeatCount = tostring(JsonPayloadDynamic['repeat_count']), SessionId = tostring(JsonPayloadDynamic['session_id']), SourcePort = tostring(JsonPayloadDynamic['source_port']), StartTime = todatetime(JsonPayloadDynamic['start_time']), TotalBytes = tostring(JsonPayloadDynamic['total_bytes']), TotalPackets = tostring(JsonPayloadDynamic['total_packets']), AlertSeverity = tostring(JsonPayloadDynamic['alert_severity']), AlertTime = todatetime(JsonPayloadDynamic['alert_time']), Category = tostring(JsonPayloadDynamic['category']), CVEs = tostring(JsonPayloadDynamic['cves']), Details = tostring(JsonPayloadDynamic['details']), Direction = tostring(JsonPayloadDynamic['direction']), JsonPayloadName = tostring(JsonPayloadDynamic['name']), ThreatId = tostring(JsonPayloadDynamic['threat_id']), JsonPayloadType = tostring(JsonPayloadDynamic['type']), URIOrFilename = tostring(JsonPayloadDynamic['uri_or_filename']), IPProtocol = tostring(JsonPayloadDynamic['ip_protocol']), SourceIPAddress = tostring(JsonPayloadDynamic['source_ip_address']), TimeGenerated = now() | project-away protoPayload, resource, operation, jsonPayload", - "outputStream": "Microsoft-GCPIDS" + "dataCollectionEndpointId": "{{dataCollectionEndpointId}}" } - ] + ], + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]" } } ] @@ -548,7 +505,7 @@ "connectorDefinitionName": "GCPCLOUDIDSLogsCCPDefinition", "dataType": "GCPIDS", "dcrConfig": { - "streamName": "Custom-GCPCLOUDIDS", + "streamName": "SENTINEL_GCP_IDS_LOGS", "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" }, 
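Review bot: The line added inside the dataFlow carries the literal mustache token `{{dataCollectionEndpointId}}`, which ARM does not expand; since this file is the deployable package, that string would be submitted as-is, next to the correct `"dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]"` the hunk also adds at the `properties` level. Whether the resource provider rejects the unrecognized dataFlow key or silently ignores it I cannot tell from here, but either way the line should go, leaving `"destinations": [ "clv2ws1" ]` as the last member of the dataFlow; as mainTemplate.json appears to be generated from the solution's GCPCloudIDSLog_DCR.json, the fix belongs in that source file with the package regenerated. Separately, Package/3.0.0.zip is rewritten under the same file name; if `_solutionVersion` was not bumped elsewhere in this change, the two builds are indistinguishable to consumers.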
diff --git a/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 b/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
index 81451b0300b..4078c126cf9 100644
--- a/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
+++ b/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
@@ -60,6 +60,7 @@ $standardStreamMapping += @{ Key = 'TENANTMICROSOFTWINDOWSDEFENDERATP_ADVANCEDHU
 $standardStreamMapping += @{ Key = 'TENANTMICROSOFTWINDOWSDEFENDERATP_ADVANCEDHUNTINGEMAILEVENTS'; Value = 'Microsoft-EmailEvents'}
 $standardStreamMapping += @{ Key = 'TENANTMICROSOFTWINDOWSDEFENDERATP_ADVANCEDHUNTINGEMAILPOSTDELIVERYEVENTS'; Value = 'Microsoft-EmailPostDeliveryEvents'}
 $standardStreamMapping += @{ Key = 'TENANTMICROSOFTWINDOWSDEFENDERATP_ADVANCEDHUNTINGEMAILURLINFO'; Value = 'Microsoft-EmailUrlInfo'}
+$standardStreamMapping += @{ Key = 'SENTINEL_GCP_IDS_LOGS'; Value = 'Microsoft-GCPIDS'}
 $standardStreamMapping += @{ Key = 'SENTINEL_GCP_AUDIT_LOGS'; Value = 'Microsoft-GCPAuditLogs'}
 $standardStreamMapping += @{ Key = 'SENTINEL_GCP_FIREWALL_LOGS'; Value = 'Microsoft-GCPFirewallLogs'}
 $standardStreamMapping += @{ Key = 'SENTINEL_GCP_IAM_LOGS'; Value = 'Microsoft-GCPIAM'}
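Review bot: The new `SENTINEL_GCP_IDS_LOGS` entry is inserted ahead of the existing SENTINEL_GCP_* mappings, which the visible context keeps in alphabetical order (AUDIT, FIREWALL, IAM); placing `$standardStreamMapping += @{ Key = 'SENTINEL_GCP_IDS_LOGS'; Value = 'Microsoft-GCPIDS'}` after the `SENTINEL_GCP_IAM_LOGS` line keeps the group sorted and easier to scan for duplicate keys. The key matches the `streamName` set in GCPCloudIDSLog_PollingConfig.json and mainTemplate.json in this same change, and the value matches the `Microsoft-GCPIDS` stream the DCR now lists, so the three stay consistent.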