NetApp
diff --git a/‎Solutions/Lookout/Package/3.0.1.zip‎
12.1 KB b/‎Solutions/Lookout/Package/3.0.1.zip‎
12.1 KB
diff --git a/‎Solutions/Lookout/Package/createUiDefinition.json‎
Lines changed: 143 additions & 10 deletions b/‎Solutions/Lookout/Package/createUiDefinition.json‎
Lines changed: 143 additions & 10 deletions
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Lookout/Workbooks/Images/Logo/lookout.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Lookout/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Lookout](https://lookout.com) solution provides the capability to ingest [Lookout events](https://enterprise.support.lookout.com/hc/articles/115002741773-Mobile-Risk-API-Guide#commoneventfields) into Microsoft Sentinel through the Mobile Risk API. It can get events which helps to examine potential security risks and more. Refer to [API documentation](https://enterprise.support.lookout.com/hc/articles/115002741773-Mobile-Risk-API-Guide) for more information .\n  \n  **Underlying Microsoft Technologies used:** \n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n  a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n   b. [Microsoft Sentinel Codeless Connector Platform](https://aka.ms/Sentinel-CCP_Platform)\n\n<p><span style='color:red; font-weight:bold;'>NOTE</span>: Microsoft recommends installation of \"LookoutStreaming_Definition\" (via Codeless Connector Framework). This connector is build on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, which replaces ingestion via the <a href='https://aka.ms/Sentinel-Logs_migration' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCF-based data connectors also support <a href='https://aka.ms/Sentinel-DCR_Overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment.</p>\n\n<p><span style='color:red; font-weight:bold;'>Important</span>: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data..</p>\n\n**Data Connectors:** 2, **Workbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Lookout/Workbooks/Images/Logo/lookout.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Lookout/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Lookout](https://lookout.com) solution provides the capability to ingest [Lookout events](https://enterprise.support.lookout.com/hc/articles/115002741773-Mobile-Risk-API-Guide#commoneventfields) into Microsoft Sentinel through the Mobile Risk API. It can get events which helps to examine potential security risks and more. Refer to [API documentation](https://enterprise.support.lookout.com/hc/articles/115002741773-Mobile-Risk-API-Guide) for more information .\n  \n  **Underlying Microsoft Technologies used:** \n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n  a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n   b. [Microsoft Sentinel Codeless Connector Platform](https://aka.ms/Sentinel-CCP_Platform)\n\n<p><span style='color:red; font-weight:bold;'>NOTE</span>: Microsoft recommends installation of \"LookoutStreaming_Definition\" (via Codeless Connector Framework). This connector is build on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, which replaces ingestion via the <a href='https://aka.ms/Sentinel-Logs_migration' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCF-based data connectors also support <a href='https://aka.ms/Sentinel-DCR_Overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment.</p>\n\n<p><span style='color:red; font-weight:bold;'>Important</span>: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data..</p>\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 5, **Analytic Rules:** 5, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -67,7 +67,7 @@
             "name": "dataconnectors2-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for Lookout. You can get Lookout data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview). You can get Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {
@@ -125,27 +125,55 @@
           {
             "name": "workbook2",
             "type": "Microsoft.Common.Section",
-            "label": "Lookout Executive Dashboard",
+            "label": "Lookout Enhanced Security Dashboard",
             "elements": [
               {
                 "name": "workbook2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Executive-level overview of mobile security posture"
+                  "text": "This workbook leverages the enhanced Lookout Mobile Risk API v2 data with comprehensive field extraction and advanced threat intelligence. It depends on the LookoutEvents parser deployed with the Azure Sentinel Solution."
                 }
               }
             ]
           },
           {
             "name": "workbook3",
             "type": "Microsoft.Common.Section",
-            "label": "Lookout Comprehensive Dashboard",
+            "label": "Lookout Security Investigation Dashboard",
             "elements": [
               {
                 "name": "workbook3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Detailed analysis and metrics for mobile threat detection"
+                  "text": "Real-time mobile threat investigation and incident response"
+                }
+              }
+            ]
+          },
+          {
+            "name": "workbook4",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout Executive Dashboard",
+            "elements": [
+              {
+                "name": "workbook4-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Real-time mobile threat detection and device security monitoring"
+                }
+              }
+            ]
+          },
+          {
+            "name": "workbook5",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout IOA Investigation Dashboard",
+            "elements": [
+              {
+                "name": "workbook5-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Comprehensive mobile threat intelligence, device investigation, and security posture monitoring"
                 }
               }
             ]
@@ -177,17 +205,122 @@
                 "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
               }
             }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout - New Threat events found.",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Created to detect new Threat events from the data which is recently synced by Lookout Solution."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic2",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout - High Severity Mobile Threats Detected (v2)",
+            "elements": [
+              {
+                "name": "analytic2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence and device context. This rule leverages the comprehensive v2 field set to provide detailed threat classification, risk assessment, and device compliance status for improved security monitoring."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic3",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout - Device Compliance and Security Status Changes (v2)",
+            "elements": [
+              {
+                "name": "analytic3-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Monitors device compliance status changes and security posture degradation using Lookout Mobile Risk API v2 enhanced device fields. Detects devices becoming non-compliant, security status changes, and potential device compromise indicators with detailed device context and MDM integration data."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic4",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout - Critical Smishing and Phishing Alerts (v2)",
+            "elements": [
+              {
+                "name": "analytic4-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic5",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout - Critical Audit and Policy Changes (v2)",
+            "elements": [
+              {
+                "name": "analytic5-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance."
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "huntingqueries",
+        "label": "Hunting Queries",
+        "bladeTitle": "Hunting Queries",
+        "elements": [
+          {
+            "name": "huntingqueries-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
+            }
+          },
+          {
+            "name": "huntingqueries-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/hunting"
+              }
+            }
+          },
+          {
+            "name": "huntingquery1",
+            "type": "Microsoft.Common.Section",
+            "label": "Lookout Advanced Threat Hunting - Multi-Vector Attacks",
+            "elements": [
+              {
+                "name": "huntingquery1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies devices experiencing multiple threat types within a short timeframe, indicating coordinated attacks This hunting query depends on LookoutAPI data connector (LookoutEvents Parser or Table)"
+                }
+              }
+            ]
           }
         ]
       }
     ],
     "outputs": {
       "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
       "location": "[location()]",
-      "workspace": "[basics('workspace')]",
-      "workbook1-name": "Lookout",
-      "workbook2-name": "LookoutEventsV2",
-      "workbook3-name": "LookoutSecurityInvestigationDashboard"
+      "workspace": "[basics('workspace')]"
     }
   }
 }