Merge pull request Azure#12275 from niralishah-crest/ExtraHopSolution

v-atulyadav · web-flow · commit efef14dc3df2 · 2025-06-06T14:59:16.000+05:30
Updated parser and workbook for ExtraHop to fix minor issue
diff --git a/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml b/Solutions/ExtraHop/Analytic Rules/ExtraHopSentinelAlerts.yaml
@@ -30,11 +30,11 @@ alertDetailsOverride:
     alertSeverityColumnName: "Severity"
     alertDynamicProperties:
     - alertProperty: AlertLink
-      columnName: Url
+      value: Url
     - alertProperty: Techniques
-      columnName: TechniqueIds
+      value: TechniqueIds
     - alertProperty: ProductName
-      columnName: EventVendor
+      value: EventVendor
 entityMappings:
   - entityType: Host
     fieldMappings:
@@ -60,5 +60,5 @@ entityMappings:
     fieldMappings:
       - identifier: Name
         columnName: DestinationUsername
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/ExtraHop/Data/Solution_ExtraHop.json b/Solutions/ExtraHop/Data/Solution_ExtraHop.json
@@ -16,7 +16,7 @@
         "Data Connectors/ExtraHopDataConnector/ExtraHop_FunctionApp.json"
     ],
     "BasePath": "C:\\Azure-Sentinel\\Solutions\\ExtraHop",
-    "Version": "3.0.0",
+    "Version": "3.0.1",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true,
     "Is1PConnector": false
diff --git a/Solutions/ExtraHop/Package/3.0.1.zip b/Solutions/ExtraHop/Package/3.0.1.zip
diff --git a/Solutions/ExtraHop/Package/createUiDefinition.json b/Solutions/ExtraHop/Package/createUiDefinition.json
@@ -117,7 +117,7 @@
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This Workbook provides immediate insight into the data coming from ExtraHop."
+                  "text": "This workbook provides immediate insight into detection data ingested from ExtraHop."
                 }
               }
             ]
@@ -153,13 +153,13 @@
           {
             "name": "analytic1",
             "type": "Microsoft.Common.Section",
-            "label": "Create alerts based on recommended detections from ExtraHop",
+            "label": "Generate alerts based on ExtraHop detections recommended for triage",
             "elements": [
               {
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This Analytic rule will generate alerts in Microsoft Sentinel for Recommended detections from ExtraHop."
+                  "text": "This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage."
                 }
               }
             ]
diff --git a/Solutions/ExtraHop/Package/mainTemplate.json b/Solutions/ExtraHop/Package/mainTemplate.json
diff --git a/Solutions/ExtraHop/Parsers/ExtraHopDetections.yaml b/Solutions/ExtraHop/Parsers/ExtraHopDetections.yaml
@@ -1,8 +1,8 @@
 id: a4fddd3e-9993-4c86-b5e8-8e36d8ce1197
 Function:
   Title: Parser for ExtraHopDetections
-  Version: '1.0.0'
-  LastUpdated: '2024-12-10'
+  Version: '1.0.1'
+  LastUpdated: '2025-06-02'
 Category: Microsoft Sentinel Parser
 FunctionName: ExtraHopDetections
 FunctionAlias: ExtraHopDetections
@@ -18,7 +18,7 @@ FunctionQuery: |
             Time = column_ifexists('time_d', long(null))
         | extend ParsedMitreTechniques = parse_json(MitreTechniques)
         | mv-apply ParsedMitreTechniques on (summarize TechniqueIds = make_list(ParsedMitreTechniques.id), TechniqueNames = make_list(ParsedMitreTechniques.name))
-        | extend ParsedMitreTactics = split(mitre_tactics_string_s, ", ")
+        | extend ParsedMitreTactics = split(MitreTactics, ", ")
         | mv-apply tactic = ParsedMitreTactics on 
             (summarize TacticNames = make_list(replace_string(replace(@"TA\d{4}: ", "", tostring(tactic)), " ", "")),
             TacticIds=make_list(extract(@"(TA\d{4})", 1, tostring(tactic))))
@@ -37,6 +37,7 @@ FunctionQuery: |
             SourceIpAddress = column_ifexists('src_ipaddr_s', ''),
             SourceRole = column_ifexists('src_role_s', ''),
             SourceEndpoint = column_ifexists('src_endpoint_s', ''),
+            IsSourceExternal = column_ifexists('src_external_b', ''),
             SourceDeviceObjectId = column_ifexists('src_device_oid_d', int(null)),
             SourceDeviceName = column_ifexists('src_device_name_s', ''),
             SourceDeviceIpAddress = column_ifexists('src_device_ipaddrs_s', ''),
@@ -48,6 +49,7 @@ FunctionQuery: |
             DestinationIpAddress = column_ifexists('dst_ipaddr_s', ''),
             DestinationRole = column_ifexists('dst_role_s', ''),
             DestinationEndpoint = column_ifexists('dst_endpoint_s', ''),
+            IsDestinationExternal = column_ifexists('dst_external_b', ''),
             DestinationDeviceObjectId = column_ifexists('dst_device_oid_d', int(null)),
             DestinationDeviceName = column_ifexists('dst_device_name_s', ''),
             DestinationDeviceIpAddress = column_ifexists('dst_device_ipaddrs_s', ''),
@@ -64,6 +66,7 @@ FunctionQuery: |
             IsUserCreated = column_ifexists('is_user_created_b', ''),
             ModificationTime = column_ifexists('mod_time_d', long(null)),
             Status = column_ifexists('status_s', ''),
+            Resolution = column_ifexists('resolution_s', ''),
             TicketId = column_ifexists('ticket_id_d', ''),
             Assignee = column_ifexists('assignee_s', ''),
             Categories = column_ifexists('categories_array_s', ''),
@@ -87,6 +90,7 @@ FunctionQuery: |
                 SourceIpAddress,
                 SourceRole,
                 SourceEndpoint,
+                IsSourceExternal,
                 SourceDeviceObjectId,
                 SourceDeviceName,
                 SourceDeviceIpAddress,
@@ -98,6 +102,7 @@ FunctionQuery: |
                 DestinationIpAddress,
                 DestinationRole,
                 DestinationEndpoint,
+                IsDestinationExternal,
                 DestinationDeviceObjectId,
                 DestinationDeviceName,
                 DestinationDeviceIpAddress,
@@ -117,6 +122,7 @@ FunctionQuery: |
                 IsUserCreated,
                 ModificationTime,
                 Status,
+                Resolution,
                 TicketId,
                 Assignee,
                 Categories,
diff --git a/Solutions/ExtraHop/ReleaseNotes.md b/Solutions/ExtraHop/ReleaseNotes.md
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
 |-------------|--------------------------------|---------------------------------------------|
-| 3.0.0       | 19-03-2024                     | Initial Solution Release.                    |
+| 3.0.1       | 04-06-2025                     | Updated **Parser** and **Workbook** to fix issue.    |
+| 3.0.0       | 19-03-2025                     | Initial Solution Release.                    |
diff --git a/Solutions/ExtraHop/SolutionMetadata.json b/Solutions/ExtraHop/SolutionMetadata.json
@@ -2,7 +2,7 @@
     "publisherId": "extrahop",
     "offerId": "extrahop_sentinel",
     "firstPublishDate": "2025-02-11",
-    "lastPublishDate": "2025-02-11",
+    "lastPublishDate": "2025-06-04",
     "providers": [
         "ExtraHop"
     ],
@@ -17,4 +17,4 @@
         "tier": "Partner",
         "link": "https://www.extrahop.com/customer-support"
     }
-}
+}
diff --git a/Solutions/ExtraHop/Workbooks/ExtraHopDetectionsOverview.json b/Solutions/ExtraHop/Workbooks/ExtraHopDetectionsOverview.json
@@ -940,25 +940,25 @@
                   "version": "KqlParameterItem/1.0",
                   "name": "AlertSeverity",
                   "type": 2,
-                  "isRequired": true,
                   "multiSelect": true,
                   "quote": "'",
                   "delimiter": ",",
                   "query": "SecurityAlert\r\n| summarize Count = count() by AlertSeverity\r\n| order by Count desc, AlertSeverity asc\r\n| project Value = AlertSeverity, Label = strcat(AlertSeverity, ' - ', Count)",
-                  "value": [
-                    "value::all"
-                  ],
                   "typeSettings": {
                     "additionalResourceOptions": [
                       "value::all"
-                    ]
+                    ],
+                    "selectAllValue": "*",
+                    "showDefault": false
                   },
                   "timeContext": {
                     "durationMs": 0
                   },
                   "timeContextFromParameter": "TimeRange",
+                  "defaultValue": "value::all",
                   "queryType": 0,
-                  "resourceType": "microsoft.operationalinsights/workspaces"
+                  "resourceType": "microsoft.operationalinsights/workspaces",
+                  "label": "Alert Severity"
                 },
                 {
                   "id": "9636b674-c842-4c91-b7a8-68c297b21754",
@@ -973,6 +973,7 @@
                     "additionalResourceOptions": [
                       "value::all"
                     ],
+                    "selectAllValue": "*",
                     "showDefault": false
                   },
                   "timeContext": {
@@ -981,7 +982,8 @@
                   "timeContextFromParameter": "TimeRange",
                   "defaultValue": "value::all",
                   "queryType": 0,
-                  "resourceType": "microsoft.operationalinsights/workspaces"
+                  "resourceType": "microsoft.operationalinsights/workspaces",
+                  "label": "MITRE Technique"
                 },
                 {
                   "id": "d6ab142d-62c9-4c21-befc-b9107d5d8187",
@@ -996,6 +998,7 @@
                     "additionalResourceOptions": [
                       "value::all"
                     ],
+                    "selectAllValue": "*",
                     "showDefault": false
                   },
                   "timeContext": {
@@ -1004,7 +1007,8 @@
                   "timeContextFromParameter": "TimeRange",
                   "defaultValue": "value::all",
                   "queryType": 0,
-                  "resourceType": "microsoft.operationalinsights/workspaces"
+                  "resourceType": "microsoft.operationalinsights/workspaces",
+                  "label": "MITRE Tactic"
                 }
               ],
               "style": "pills",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
@@ -8867,7 +8867,7 @@
 	{
 		"workbookKey": "ExtraHopDetectionsOverview",
 		"logoFileName": "ExtraHop.svg",
-		"description": "This Workbook provides immediate insight into the data coming from ExtraHop.",
+		"description": "This workbook provides immediate insight into detection data ingested from ExtraHop.",
 		"dataTypesDependencies": [
 		  "ExtraHop_Detections_CL"
 		   ],
@@ -8881,7 +8881,7 @@
 		  "ExtraHopDetectionsOverviewWhite2.png"
 		   ],
 		"version": "1.0.0",
-		"title": "ExtraHop Detections Ovevriew",
+		"title": "ExtraHop Detections Overview",
 		"templateRelativePath": "ExtraHopDetectionsOverview.json",
 		"provider": "ExtraHop"
 	},

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@`
`117`	`117`	`"name": "workbook1-text",`
`118`	`118`	`"type": "Microsoft.Common.TextBlock",`
`119`	`119`	`"options": {`
`120`		`- "text": "This Workbook provides immediate insight into the data coming from ExtraHop."`
	`120`	`+ "text": "This workbook provides immediate insight into detection data ingested from ExtraHop."`
`121`	`121`	`}`
`122`	`122`	`}`
`123`	`123`	`]`
`@@ -153,13 +153,13 @@`
`153`	`153`	`{`
`154`	`154`	`"name": "analytic1",`
`155`	`155`	`"type": "Microsoft.Common.Section",`
`156`		`- "label": "Create alerts based on recommended detections from ExtraHop",`
	`156`	`+ "label": "Generate alerts based on ExtraHop detections recommended for triage",`
`157`	`157`	`"elements": [`
`158`	`158`	`{`
`159`	`159`	`"name": "analytic1-text",`
`160`	`160`	`"type": "Microsoft.Common.TextBlock",`
`161`	`161`	`"options": {`
`162`		`- "text": "This Analytic rule will generate alerts in Microsoft Sentinel for Recommended detections from ExtraHop."`
	`162`	`+ "text": "This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage."`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`	`]`