Merge pull request Azure#11830 from Azure/v-prasadboke-forescout

duplicating PR Azure#11788

Author: v-prasadboke

.script/tests/KqlvalidationsTests/CustomTables/ForescoutComplianceStatus_CL.json

@@ -0,0 +1,37 @@
+{
+    "Name": "ForescoutComplianceStatus_CL",
+    "Properties": [
+        {
+            "Name": "TimeGenerated",
+            "Type": "datetime"
+          },
+          {
+            "name": "TimeGenerated",
+            "type": "datetime"
+          },
+          {
+            "name": "UploadTime",
+            "type": "datetime"
+          },
+          {
+            "name": "Ipv4Addr",
+            "type": "string"
+          },
+          {
+            "name": "Ipv6Addr",
+            "type": "dynamic"
+          },
+          {
+            "name": "MacAddr",
+            "type": "string"
+          },
+          {
+            "name": "EmIpAddr",
+            "type": "string"
+          },
+          {
+            "name": "HostProperties",
+            "type": "dynamic"
+          }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/ForescoutHostProperties_CL.json

@@ -3,27 +3,51 @@
   "Properties": [
     {
       "Name": "HostProperties_DnsniffEvent_s",
-      "Type": "String"
+      "Type": "string"
     },
     {
       "Name": "HostProperties_Ipv4Addr_s",
-      "Type": "String"
+      "Type": "string"
     },
     {
       "Name": "HostProperties_Ipv6Addr_s",
-      "Type": "String"
+      "Type": "string"
     },
     {
       "Name": "HostProperties_IpAddr_s",
-      "Type": "String"
+      "Type": "string"
     },
     {
       "Name": "HostProperties_EmIpAddr_s",
-      "Type": "String"
+      "Type": "string"
     },
     {
       "Name": "TimeGenerated",
       "Type": "datetime"
-    }
+    },
+    {
+      "name": "UploadTime",
+      "type": "datetime"
+    },
+    {
+      "name": "Ipv4Addr",
+      "type": "string"
+    },
+    {
+      "name": "Ipv6Addr",
+      "type": "dynamic"
+    },
+    {
+      "name": "MacAddr",
+      "type": "string"
+    },
+    {
+      "name": "EmIpAddr",
+      "type": "string"
+    },
+    {
+      "name": "HostProperties",
+      "type": "dynamic"
+      }
   ]
 }

.script/tests/KqlvalidationsTests/CustomTables/ForescoutPolicyStatus_CL.json

@@ -0,0 +1,33 @@
+{
+    "Name": "ForescoutPolicyStatus_CL",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+        {
+            "name": "UploadTime",
+            "type": "datetime"
+        },
+        {
+            "name": "Ipv4Addr",
+            "type": "string"
+        },
+        {
+            "name": "Ipv6Addr",
+            "type": "dynamic"
+        },
+        {
+            "name": "MacAddr",
+            "type": "string"
+        },
+        {
+            "name": "EmIpAddr",
+            "type": "string"
+        },
+        {
+            "name": "HostProperties",
+            "type": "dynamic"
+        }
+    ]
+}

Solutions/ForescoutHostPropertyMonitor/Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml

@@ -11,13 +11,15 @@ tactics: []
 relevantTechniques: []
 query:
   ForescoutHostProperties_CL
-  | where HostProperties_DnsniffEvent_s matches regex "DNS Query Type:.A;DNS Query/Response:.Query"
-  | extend ipaddress = iif(isnotempty(HostProperties_Ipv4Addr_s), HostProperties_Ipv4Addr_s, (iif(isnotempty(HostProperties_Ipv6Addr_s), HostProperties_Ipv6Addr_s, HostProperties_IpAddr_s)))
-  | summarize NumEvents_d =count() by ipaddress, HostProperties_DnsniffEvent_s, HostProperties_EmIpAddr_s
+  | extend  d = parse_json(HostProperties)
+  | where d.DnsniffEvent matches regex "DNS Query Type:.A;DNS Query/Response:.Query"
+  | extend ipaddress = iif(isnotempty(Ipv4Addr), Ipv4Addr, (iif(isnotempty(Ipv6Addr), Ipv6Addr, "")))
+  | where isnotempty(ipaddress) and isnotempty(EmIpAddr)
+  | summarize NumEvents_d =count() by ipaddress, EmIpAddr
   | where NumEvents_d > 2
-  | where isnotempty(ipaddress) and isnotempty(HostProperties_EmIpAddr_s)
   | sort by NumEvents_d asc
-  | project NumEvents_d, ipaddress, HostProperties_EmIpAddr_s
+  | project NumEvents_d, ipaddress, EmIpAddr
+
 entityMappings:
   - entityType: IP
     fieldMappings:
@@ -30,5 +32,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: Dnsniff-Address-Check
   alertDescriptionFormat: Dnsniff-Address-Check alert
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/ForescoutHostPropertyMonitor/Data Connectors/ForescoutHostPropertyMonitor.json

@@ -2,7 +2,7 @@
     "id": "ForescoutHostPropertyMonitor",
     "title": "Forescout Host Property Monitor",
     "publisher": "Forescout",
-    "descriptionMarkdown": "The Forescout Host Property Monitor connector allows you to connect host properties from Forescout platform with Microsoft Sentinel, to view, create custom incidents, and improve investigation. This gives you more insight into your organization network and improves your security operation capabilities.",
+    "descriptionMarkdown": "The Forescout Host Property Monitor connector allows you to connect host/policy/compliance properties from Forescout platform with Microsoft Sentinel, to view, create custom incidents, and improve investigation. This gives you more insight into your organization network and improves your security operation capabilities.",
     "graphQueries": [
         {
             "metricName": "Total data received",
@@ -14,19 +14,37 @@
         {
             "description" : "Get 5 latest host property entries",
             "query": "ForescoutHostProperties_CL | take 5"
+        },
+        {
+            "description" : "Get 5 latest host policy entries",
+            "query": "ForescoutPolicyStatus_CL | take 5"
+        },
+        {
+            "description" : "Get 5 latest host compliance entries",
+            "query": "ForescoutComplianceStatus_CL | take 5"
         }
     ],
     "dataTypes": [
         {
             "name": "ForescoutHostProperties_CL",
             "lastDataReceivedQuery": "ForescoutHostProperties_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        },
+        {
+            "name": "ForescoutPolicyStatus_CL",
+            "lastDataReceivedQuery": "ForescoutPolicyStatus_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        },
+        {
+            "name": "ForescoutComplianceStatus_CL",
+            "lastDataReceivedQuery": "ForescoutComplianceStatus_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
         }
     ],
     "connectivityCriterias": [
         {
             "type": "IsConnectedQuery",
             "value": [
-                "ForescoutHostProperties_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+                "ForescoutHostProperties_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)",
+                "ForescoutPolicyStatus_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)",
+                "ForescoutComplianceStatus_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
             ]
         }
     ],
@@ -67,7 +85,7 @@
     "instructionSteps": [
         {
             "title": "",
-            "description": "Instructions on how to configure Forescout Microsoft Sentinel plugin are provided at Forescout Documentation Portal (https://docs.forescout.com/bundle/sentinel-1-0-h)",
+            "description": "Instructions on how to configure Forescout Microsoft Sentinel plugin are provided at Forescout Documentation Portal (https://docs.forescout.com/bundle/microsoft-sentinel-module-v2-0-0-h)",
             "instructions": [
                 {
                     "parameters": {
@@ -92,7 +110,7 @@
     ],
     "metadata": {
         "id": "1430b3a9-a48c-40d5-bb81-029f6c63c2ad",
-        "version": "1.0.0",
+        "version": "3.0.0",
         "kind": "dataConnector",
         "source": {
             "kind": "community"

Solutions/ForescoutHostPropertyMonitor/Data/Solution_ForescoutHostProp.json

@@ -1,6 +1,7 @@
 {
   "Name": "ForescoutHostPropertyMonitor",
   "Author": "Julian Wang - [email protected]",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/forescout-logo.svg\" width=\"75px\" height=\"75px\">",
   "Description": "Forescout Host Property Monitor offers host property analysis, incident generation and action dispatching for hosts managed by Forescout Continuum platform.",
   "Analytic Rules": [
     "Analytic Rules/ForeScout-DNSSniffEventMonitor.yaml"
@@ -11,9 +12,12 @@
   "Data Connectors": [
     "Data Connectors/ForescoutHostPropertyMonitor.json"
   ],
+  "Workbooks": [
+    "Workbooks/ForescoutHostPropertyMonitorWorkbook.json"
+  ],
 
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ForescoutHostPropertyMonitor",
-  "Version": "2.0.1",
+  "Version": "3.0.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false

Solutions/ForescoutHostPropertyMonitor/Package/3.0.0.zip

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nForescout Host Property Monitor offers host property analysis, incident generation and action dispatching for hosts managed by Forescout Continuum platform.\n\n**Data Connectors:** 1, **Analytic Rules:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/forescout-logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ForescoutHostPropertyMonitor/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nForescout Host Property Monitor offers host property analysis, incident generation and action dispatching for hosts managed by Forescout Continuum platform.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -64,7 +64,7 @@
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {
@@ -75,6 +75,48 @@
           }
         ]
       },
+      {
+        "name": "workbooks",
+        "label": "Workbooks",
+        "subLabel": {
+          "preValidation": "Configure the workbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Workbooks",
+        "elements": [
+          {
+            "name": "workbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+            }
+          },
+          {
+            "name": "workbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+              }
+            }
+          },
+          {
+            "name": "workbook1",
+            "type": "Microsoft.Common.Section",
+            "label": "Forescout Host Property Monitor Workbook",
+            "elements": [
+              {
+                "name": "workbook1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Gain insights into host properties in Forescout platform"
+                }
+              }
+            ]
+          }
+        ]
+      },
       {
         "name": "analytics",
         "label": "Analytics",
@@ -152,5 +194,4 @@
       "workspace": "[basics('workspace')]"
     }
   }
-  
 }