Merge pull request Azure#12816 from Azure/v-atulyadav/gsa

v-atulyadav · web-flow · commit f1617bfc4013 · 2025-09-16T17:57:56.000+05:30
Fix Rule logic for abnormal protocol
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
@@ -38,7 +38,7 @@ query: |
     | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
   AlertTimePortToProtocol
     | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn
-    | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol
+    | where LearningTimeProtocol != "" and AlertTimeProtocol != "" and LearningTimeProtocol != AlertTimeProtocol
     | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn
     | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn
 entityMappings:
@@ -50,5 +50,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: FqdnCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json b/Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json
@@ -19,7 +19,7 @@
    
   ],
   "BasePath": "C:\\git\\Azure-Sentinel\\Azure-Sentinel\\Solutions\\Global Secure Access",
-  "Version": "3.0.0",
+  "Version": "3.0.1",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "StaticDataConnectorIds": [
diff --git a/Solutions/Global Secure Access/Package/3.0.1.zip b/Solutions/Global Secure Access/Package/3.0.1.zip
diff --git a/Solutions/Global Secure Access/Package/mainTemplate.json b/Solutions/Global Secure Access/Package/mainTemplate.json
@@ -49,7 +49,7 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Global Secure Access",
-    "_solutionVersion": "3.0.0",
+    "_solutionVersion": "3.0.1",
     "solutionId": "azuresentinel.azure-sentinel-solution-globalsecureaccess",
     "_solutionId": "[variables('solutionId')]",
     "workbookVersion1": "1.0.1",
@@ -80,11 +80,11 @@
       "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.2')))]"
     },
     "analyticRuleObject3": {
-      "analyticRuleVersion3": "1.0.2",
+      "analyticRuleVersion3": "1.0.3",
       "_analyticRulecontentId3": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a",
       "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]",
       "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]",
-      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.2')))]"
+      "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.3')))]"
     },
     "analyticRuleObject4": {
       "analyticRuleVersion4": "1.0.2",
@@ -105,7 +105,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "GSAM365EnrichedEvents Workbook with template version 3.0.0",
+        "description": "GSAM365EnrichedEvents Workbook with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -189,7 +189,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "GSANetworkTraffic Workbook with template version 3.0.0",
+        "description": "GSANetworkTraffic Workbook with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion2')]",
@@ -273,7 +273,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "Identity - AfterHoursActivity_AnalyticalRules Analytics Rule with template version 3.0.0",
+        "description": "Identity - AfterHoursActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -301,10 +301,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "NetworkAccessTrafficLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -387,7 +387,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SWG - Abnormal Deny Rate_AnalyticalRules Analytics Rule with template version 3.0.0",
+        "description": "SWG - Abnormal Deny Rate_AnalyticalRules Analytics Rule with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -415,10 +415,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "NetworkAccessTrafficLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -499,7 +499,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SWG - Abnormal Port to Protocol_AnalyticalRules Analytics Rule with template version 3.0.0",
+        "description": "SWG - Abnormal Port to Protocol_AnalyticalRules Analytics Rule with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -516,7 +516,7 @@
                 "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.\nThis can indicate potential protocol misuse or configuration changes.\nConfigurable Parameters:\n- Learning period: The time range to establish the baseline. Default is set to 7 days.\n- Run time: The time range for current analysis. Default is set to 1 day.",
                 "displayName": "GSA - Detect Protocol Changes for Destination Ports",
                 "enabled": false,
-                "query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n  NetworkAccessTraffic\n  | where TimeGenerated between (StartLearningPeriod .. EndRunTime)\n  | where isnotempty(DestinationPort)\n  | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n  NetworkAccessTraffic\n  | where TimeGenerated between (EndRunTime .. now())\n  | where isnotempty(DestinationPort)\n  | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n  | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n  | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol\n  | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n  | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n",
+                "query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n  NetworkAccessTraffic\n  | where TimeGenerated between (StartLearningPeriod .. EndRunTime)\n  | where isnotempty(DestinationPort)\n  | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n  NetworkAccessTraffic\n  | where TimeGenerated between (EndRunTime .. now())\n  | where isnotempty(DestinationPort)\n  | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n  | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n  | where LearningTimeProtocol != \"\" and AlertTimeProtocol != \"\" and LearningTimeProtocol != AlertTimeProtocol\n  | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n  | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "P8D",
                 "severity": "Medium",
@@ -527,10 +527,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "NetworkAccessTrafficLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -611,7 +611,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SWG - Source IP Port Scan_AnalyticalRules Analytics Rule with template version 3.0.0",
+        "description": "SWG - Source IP Port Scan_AnalyticalRules Analytics Rule with template version 3.0.1",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -639,10 +639,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "AzureActiveDirectory",
                     "dataTypes": [
                       "NetworkAccessTrafficLogs"
-                    ]
+                    ],
+                    "connectorId": "AzureActiveDirectory"
                   }
                 ],
                 "tactics": [
@@ -720,7 +720,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.0",
+        "version": "3.0.1",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Global Secure Access",
diff --git a/Solutions/Global Secure Access/ReleaseNotes.md b/Solutions/Global Secure Access/ReleaseNotes.md
@@ -1,6 +1,7 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                                       |
 |-------------|--------------------------------|------------------------------------------------------------------------------------------|
-| 3.0.0       | 01-08-2025                     | Updates to the workbook to improve the clarity and consistency of titles for visualizations								                                  |
+| 3.0.1       | 16-09-2025                     | Made an update to the logic of the Abnormal Port-to-Protocol **Analytic Rule** |
+| 3.0.0       | 01-08-2025                     | Updates to the workbook to improve the clarity and consistency of titles for visualizations |
 
 
 
