diff --git a/.github/workflows/kql-validations.yaml b/.github/workflows/kql-validations.yaml
new file mode 100644
index 00000000000..2e515b8433d
--- /dev/null
+++ b/.github/workflows/kql-validations.yaml
@@ -0,0 +1,29 @@
+name: KQL Validations
+run-name: KQL Validations running on ${{ github.ref_name }}
+on:
+ pull_request:
+ branches:
+ - master
+ # Allows to run workflow manually from the Actions tab
+ workflow_dispatch:
+jobs:
+ KqlValidations:
+ runs-on: ubuntu-latest
+ env:
+ buildConfiguration: Release
+ dotnetSdkVersion: 6.0.x
+ PRNUM: ${{ github.event.pull_request.number }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: ${{ env.dotnetSdkVersion }}
+ - name: Run KQL Validation tests
+ run: dotnet test .script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj --configuration ${{ env.buildConfiguration }}
+ env:
+ GITHUBAPPID: ${{ secrets.APPLICATION_ID }}
+ GITHUBAPPINSTALLATIONID: ${{ secrets.APPLICATION_INSTALLATION_ID }}
+ GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+ SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
+
\ No newline at end of file
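Review bot: The job declares no `permissions:` block, so the GITHUB_TOKEN it receives inherits the repository default (which may be read/write) although the steps only check out the tree and run `dotnet test`; add `permissions:` / `  contents: read` at the workflow or job level. The two actions are pinned to mutable tags (`actions/checkout@v4`, `actions/setup-dotnet@v4`) rather than commit SHAs, which is the weaker supply-chain posture for a workflow that handles an App private key. Note that on the `pull_request` trigger a fork's PR receives no repository secrets, so `GITHUBAPPID`, `GITHUBAPPINSTALLATIONID` and `GITHUBAPPPRIVATEKEY` expand to empty strings on that path; the test project is presumably using `SYSTEM_PULLREQUEST_ISFORK` to skip the GitHub App calls there rather than failing on a missing key, which is worth confirming. Likewise `PRNUM` is empty on `workflow_dispatch` because there is no `github.event.pull_request`, so a manual run must not assume it is set. The file also lacks a trailing newline.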
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json
new file mode 100644
index 00000000000..8a08e349fce
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json
@@ -0,0 +1,113 @@
+{
+ "Name":"Rubrik_Events_Data_CL",
+ "Properties":[
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_objectId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_seriesId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_clusterId_g",
+ "Type": "string"
+ },
+ {
+ "Name": "summary_s",
+ "Type": "string"
+ },
+ {
+ "Name": "source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "severity_s",
+ "Type": "string"
+ },
+ {
+ "Name": "timestamp_s",
+ "Type": "datetime"
+ },
+ {
+ "Name": "class_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_objectId_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_objectName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_objectType_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_clusterName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_eventName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_auditUserName_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_auditUserId_s",
+ "Type": "string"
+ },
+ {
+ "Name": "custom_details_location_s",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+ }
\ No newline at end of file
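Review bot: `timestamp_s` is declared with `"Type": "datetime"` (L103–L104) although the `_s` suffix in Log Analytics custom-log tables conventionally denotes a string column, and the `custom_details_*_g` columns are declared `string` although `_g` conventionally denotes a GUID. If this schema is what the KQL validation tests resolve column types from, a query that applies datetime functions directly to `timestamp_s` would validate here but fail against a workspace where the column is really a string (or the reverse). If the table follows the suffix convention, change it to `"Name": "timestamp_s", "Type": "string"`; if the ingested type genuinely differs from the suffix, a comment in the test README explaining that would save the next maintainer from "correcting" it.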
diff --git a/.script/tests/asimParsersTest/ASimFilteringTest.py b/.script/tests/asimParsersTest/ASimFilteringTest.py
index 3845ee95596..dd98dcfc2a2 100644
--- a/.script/tests/asimParsersTest/ASimFilteringTest.py
+++ b/.script/tests/asimParsersTest/ASimFilteringTest.py
@@ -817,6 +817,20 @@ def send_query(self, query_str):
# For each schema supported by the test there is a mapping between each of the schema's parameter to the column that the parameter filters.
all_schemas_parameters = {
+ "AlertEvent" :
+ {
+ "ipaddr_has_any_prefix" : "DvcIpAddr",
+ "disabled" : "",
+ "endtime" : "EventEndTime",
+ "hostname_has_any" : "DvcHostname",
+ "username_has_any" : "Username",
+ "attacktactics_has_any" : "AttackTactics",
+ "attacktechniques_has_any" : "AttackTechniques",
+ "threatcategory_has_any" : "ThreatCategory",
+ "alertverdict_has_any" : "AlertVerdict",
+ "starttime" : "EventStartTime",
+ "eventseverity_has_any": "EventSeverity"
+ },
"AuditEvent" :
{
"actorusername_has_any" : "ActorUsername",
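Review bot: `ipaddr_has_any_prefix` is tied to the single column `DvcIpAddr` (L166), while an AlertEvent record can carry other address fields; if the AlertEvent parser's ipaddr filter also matches, for example, source or destination addresses, a test that inspects only `DvcIpAddr` for the prefix will either fail spuriously or pass vacuously. Please confirm against the AlertEvent parser's filtering implementation before relying on this mapping; if several columns are filtered, the one-column-per-parameter shape of this table cannot express it, which is beyond this hunk. The `all_schemas_parameters` dictionary continues past the end of the hunk.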
diff --git a/.script/tests/asimParsersTest/VerifyASimParserTemplate.py b/.script/tests/asimParsersTest/VerifyASimParserTemplate.py
index 7c9abb360b5..2b78f95f9a7 100644
--- a/.script/tests/asimParsersTest/VerifyASimParserTemplate.py
+++ b/.script/tests/asimParsersTest/VerifyASimParserTemplate.py
@@ -15,6 +15,7 @@
# Sentinel Repo URL
SentinelRepoUrl = f"https://github.com/Azure/Azure-Sentinel.git"
SCHEMA_INFO = [
+ {"SchemaName": "AlertEvent", "SchemaVersion": "0.1", "SchemaTitle":"ASIM Alert Event Schema", "SchemaLink": "https://aka.ms/ASimAlertEventDoc"},
{"SchemaName": "AuditEvent", "SchemaVersion": "0.1", "SchemaTitle":"ASIM Audit Event Schema", "SchemaLink": "https://aka.ms/ASimAuditEventDoc"},
{"SchemaName": "Authentication", "SchemaVersion": "0.1.3","SchemaTitle":"ASIM Authentication Schema","SchemaLink": "https://aka.ms/ASimAuthenticationDoc"},
{"SchemaName": "Dns", "SchemaVersion": "0.1.7", "SchemaTitle":"ASIM Dns Schema","SchemaLink": "https://aka.ms/ASimDnsDoc"},
diff --git a/Detections/MultipleDataSources/powershell_MangoSandstorm.yaml b/Detections/MultipleDataSources/powershell_MangoSandstorm.yaml
index 74de969b78a..363073a54bf 100644
--- a/Detections/MultipleDataSources/powershell_MangoSandstorm.yaml
+++ b/Detections/MultipleDataSources/powershell_MangoSandstorm.yaml
@@ -1,5 +1,5 @@
id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
-name: Identify Mango Sandstorm powershell commands
+name: Identify Mango Sandstorm powershell commands
description: |
'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
@@ -7,7 +7,7 @@ severity: High
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- - SecurityEvent
+ - SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
@@ -29,23 +29,22 @@ query: |
| where EventID == 4688
| where Process has_any ("powershell.exe","powershell_ise.exe","pwsh.exe") and CommandLine has_cs "-exec bypass -w 1 -enc"
| where CommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
- | extend DvcHostName = Computer, ProcessID = ProcessId
+ | extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account
),
(DeviceProcessEvents
- | where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc"
- | where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
- | extend DvcHostName = DeviceName, ProcessID = InitiatingProcessId
+ | where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc"
+ | where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
+ | extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), ActorUsername = strcat(AccountDomain, @"\", AccountName)
),
(imProcessCreate
| where Process has_any ("powershell.exe","powershell_ise.exe","pwsh.exe") and CommandLine has_cs "-exec bypass -w 1 -enc"
| where CommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
- | extend ProcessID = TargetProcessId
+ | extend ProcessId = tostring(TargetProcessId)
)
)
- | extend AccountName = tostring(split(ActorUsername, "\\")[0]), AccountNTDomain = tostring(split(ActorUsername, "\\")[1]), ProcessID = TargetProcessId
+ | extend AccountName = tostring(split(ActorUsername, "\\")[0]), AccountNTDomain = tostring(split(ActorUsername, "\\")[1])
| extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
-
entityMappings:
- entityType: Account
fieldMappings:
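Review bot: The account split on L236 assigns the two halves of `ActorUsername` the wrong way round: the SecurityEvent branch takes `Account` (L218) and the DeviceProcessEvents branch builds `strcat(AccountDomain, @"\", AccountName)` (L226), both `DOMAIN\user`, so `split(...)[0]` is the domain and `[1]` is the user, yet `[0]` is stored as `AccountName` and `[1]` as `AccountNTDomain`, which then feed the Name and NTDomain entity identifiers. Swap the indexes and keep the bare value when there is no backslash (an imProcessCreate UPN-style `ActorUsername` would otherwise yield an empty name): `| extend AccountNTDomain = iff(ActorUsername has "\\", tostring(split(ActorUsername, "\\")[0]), ""), AccountName = iff(ActorUsername has "\\", tostring(split(ActorUsername, "\\")[1]), ActorUsername)`. Two smaller points: the DeviceProcessEvents branch already carries native `AccountName`/`AccountDomain` columns, so the outer `extend AccountName` on L236 redefines an existing column for that branch and the resulting column is worth confirming; and `ProcessId = tostring(InitiatingProcessId)` on L226 maps the parent's PID although the filter matched the created process via `FileName`/`ProcessCommandLine`, so the Process entity likely wants that table's `ProcessId`, in line with `TargetProcessId` in the imProcessCreate branch.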
@@ -53,8 +52,8 @@ entityMappings:
columnName: ActorUsername
- identifier: Name
columnName: AccountName
- - identifier: UPNSuffix
- columnName: AccountUPNSuffix
+ - identifier: NTDomain
+ columnName: AccountNTDomain
- entityType: Host
fieldMappings:
- identifier: FullName
@@ -66,8 +65,8 @@ entityMappings:
- entityType: Process
fieldMappings:
- identifier: ProcessId
- columnName: ProcessID
-version: 1.0.4
+ columnName: ProcessId
+version: 1.0.5
kind: Scheduled
metadata:
source:
diff --git a/Sample Data/Custom/Rubrik_Events_Data_CL.csv b/Sample Data/Custom/Rubrik_Events_Data_CL.csv
new file mode 100644
index 00000000000..4f5db86db9f
--- /dev/null
+++ b/Sample Data/Custom/Rubrik_Events_Data_CL.csv
@@ -0,0 +1,10 @@
+TimeGenerated [UTC],custom_details_objectId_g,custom_details_seriesId_g,custom_details_id_g,custom_details_clusterId_g,summary_s,source_s,severity_s,timestamp_s,class_s,custom_details_type_s,custom_details_objectId_s,custom_details_objectName_s,custom_details_objectType_s,custom_details_status_s,custom_details_clusterName_s,custom_details_eventName_s,custom_details_auditUserName_s,custom_details_auditUserId_s,custom_details_location_s
+"11/8/2024, 5:30:42.136 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,6617cef8-c37c-41db-988e-d8372bbe90f3,00000000-0000-0000-0000-000000000000,Waiting for 1 snapshot(s) to be available for file recovery.,Rubrik Security Cloud,info,2024-11-08T05:30:40.64979627Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotsWaitForSnappableIndexTaskStarted,,,
+"11/8/2024, 5:30:50.314 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3f-f5ce-7900-8443-8a368f5baa2b,688bc4b0-f17d-4784-a96f-9a8cd387e43d,00000000-0000-0000-0000-000000000000,Successfully replicated snapshot taken at 08 Nov 24 5:00 AM UTC for the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription to the region westus of TM-Lab-EA Azure subscription.,Rubrik Security Cloud,info,2024-11-08T05:29:57.30752593Z,Replication,Event,,use-test,AzureNativeVm,Success,Polaris,CloudNativeReplicateSnapshotsReplicateTaskSucceeded,,,
+"11/8/2024, 5:25:31.234 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,9cb57a51-4064-4c45-a10b-4693f8b5aaa7,00000000-0000-0000-0000-000000000000,Started indexing of the snapshots of the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription.,Rubrik Security Cloud,info,2024-11-08T05:25:17.200115471Z,Index,Event,,use-test,AzureNativeVm,TaskSuccess,Polaris,CloudNativeIndexSnapshotsJobStarted,,,
+"11/8/2024, 5:17:19.245 AM",,3787cdc1-a7ba-41ed-9c6e-cc5d8d4a2a27,88ece1ed-1a95-43b9-ae38-302cf05c19d8,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-other-events.,Rubrik Security Cloud,info,2024-11-08T05:17:18.370059549Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
+"11/8/2024, 5:18:40.088 AM",,496f42ec-e684-4a04-b191-e6a3a122d49f,efb7669b-8891-4a76-a613-d104f661b856,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-AnomalyOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:18:39.20837609Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
+"11/8/2024, 5:16:28.396 AM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-08T05:16:14.067423864Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
+"11/7/2024, 1:25:23.986 PM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-07T13:25:01.215428023Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
+"11/8/2024, 5:29:22.352 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,e17bfee9-bed2-4691-b58d-0885322600c0,00000000-0000-0000-0000-000000000000,Started indexing of snapshot taken at 08 Nov 24 5:00 AM UTC.,Rubrik Security Cloud,info,2024-11-08T05:29:20.550468555Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotBegin,,,
+"11/8/2024, 5:21:33.309 AM",,28b3ccfd-6679-4f88-b416-5658d859dc6c,f690f13a-12f9-4b80-a268-48ba26a6e917,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-ThreathuntOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:21:31.535526647Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
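Review bot: The sample rows carry what appear to be live identifiers from the lab tenant that generated them — an `auth0|65b91cdc85d3150aa4a1b3d0` user id, the `xyz@gmail.com` address, the `TM-Lab-EA` subscription name and the `use-test`/`use-test_group` resource names — committed to a public repository. Sample data for a connector should be scrubbed to synthetic values (for example `auth0|000000000000000000000000`, `user@example.com`, `contoso-sub`) before merge, since the file is kept indefinitely and the ids are only needed to exercise column parsing, not for their actual values. If these are already synthetic, a note to that effect in the PR would settle it.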
diff --git a/Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json b/Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json
index 228bf8b5707..7a7995ce244 100644
--- a/Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json
+++ b/Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json
@@ -2,11 +2,7 @@
"Name": "Broadcom SymantecDLP",
"Author": "Microsoft - support@microsoft.com",
"Logo": "
",
- "Description": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/Connector_Syslog_SymantecDLP.json",
- "Data Connectors/template_SymantecDLPAMA.json"
- ],
+ "Description": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Parsers/SymantecDLP.yaml"
],
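Review bot: The rewritten description drops the space after the period in `CEF via AMA Connector.The existing connectors were deprecated`, and now that the solution ships no data connectors at all (the `"Data Connectors"` array is removed) its opening sentence still says "The ... connector allows you to easily connect your Symantec DLP with Microsoft Sentinel", which no longer describes what the package installs. Suggested wording: `...via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**; this solution now provides only the SymantecDLP parser and relies on the Common Event Format solution's CEF via AMA connector for ingestion.` The same sentence is duplicated into createUiDefinition.json and would need the same fix there.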
@@ -14,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Broadcom SymantecDLP",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
diff --git a/Solutions/Broadcom SymantecDLP/Package/3.0.3.zip b/Solutions/Broadcom SymantecDLP/Package/3.0.3.zip
new file mode 100644
index 00000000000..e7c7d8f1e99
Binary files /dev/null and b/Solutions/Broadcom SymantecDLP/Package/3.0.3.zip differ
diff --git a/Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json b/Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json
index 8da74faf16a..61581ce8992 100644
--- a/Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json
+++ b/Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Broadcom SymantecDLP. You can get Broadcom SymantecDLP CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
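Review bot: `"steps": [{}]` on L364 replaces the removed data-connector step with an array holding one empty object; createUiDefinition step entries are expected to carry at least `name`, `label` and `elements`, so an empty object is liable to fail UI-definition validation or render a blank wizard step. Unless the packaging tool emits this deliberately, `"steps": []` is the safe form when the solution has no custom steps. If the generator produced it, the fix belongs in the generator rather than in the checked-in package.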
diff --git a/Solutions/Broadcom SymantecDLP/Package/mainTemplate.json b/Solutions/Broadcom SymantecDLP/Package/mainTemplate.json
index 8596c79a884..0221344a0c7 100644
--- a/Solutions/Broadcom SymantecDLP/Package/mainTemplate.json
+++ b/Solutions/Broadcom SymantecDLP/Package/mainTemplate.json
@@ -33,27 +33,9 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Broadcom SymantecDLP",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-broadcomsymantecdlp",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "BroadcomSymantecDLP",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "BroadcomSymantecDLP",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "BroadcomSymantecDLPAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "BroadcomSymantecDLPAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','SymantecDLP')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'SymantecDLP')]",
@@ -64,688 +46,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Broadcom SymantecDLP data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Broadcom Symantec DLP via Legacy Agent",
- "publisher": "Broadcom",
- "descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s information, where it travels, and improves your security operation capabilities.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SymantecDLP",
- "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\""
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Triggered Activities",
- "query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
- },
- {
- "description": "Top 10 Filenames",
- "query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (SymantecDLP)",
- "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python –version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "2. Forward Symantec DLP logs to a Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python –version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Broadcom SymantecDLP",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Broadcom Symantec DLP via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Broadcom SymantecDLP",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Broadcom Symantec DLP via Legacy Agent",
- "publisher": "Broadcom",
- "descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s information, where it travels, and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SymantecDLP",
- "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\""
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (SymantecDLP)",
- "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog \n| where DeviceVendor == \"Symantec\" and DeviceProduct == \"DLP\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Triggered Activities",
- "query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
- },
- {
- "description": "Top 10 Filenames",
- "query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python –version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.",
- "title": "2. Forward Symantec DLP logs to a Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python –version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Broadcom SymantecDLP data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Broadcom Symantec DLP via AMA",
- "publisher": "Broadcom",
- "descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s information, where it travels, and improves your security operation capabilities.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SymantecDLP",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Triggered Activities",
- "query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
- },
- {
- "description": "Top 10 Filenames",
- "query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (SymantecDLP)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Symantec DLP logs to a Syslog agent",
- "description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Broadcom SymantecDLP",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Broadcom Symantec DLP via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Broadcom SymantecDLP",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Broadcom Symantec DLP via AMA",
- "publisher": "Broadcom",
- "descriptionMarkdown": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s information, where it travels, and improves your security operation capabilities.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "SymantecDLP",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (SymantecDLP)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Symantec'\n |where DeviceProduct =~ 'DLP'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Triggered Activities",
- "query": "SymantecDLP \n | summarize count() by Activity \n| top 10 by count_"
- },
- {
- "description": "Top 10 Filenames",
- "query": "SymantecDLP \n | summarize count() by FileName \n| top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SymantecDLP and load the function code or click [here](https://aka.ms/sentinel-symantecdlp-parser). The function usually takes 10-15 minutes to activate after solution installation/update.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
- },
- {
- "title": "Step B. Forward Symantec DLP logs to a Syslog agent",
- "description": "Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -755,7 +55,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SymantecDLP Data Parser with template version 3.0.2",
+ "description": "SymantecDLP Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -883,12 +183,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Broadcom SymantecDLP",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Broadcom Symantec Data Loss Prevention (DLP) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.
\n\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Broadcom Symantec Data Loss Prevention (DLP) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on Aug 31, 2024.
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -912,16 +212,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Broadcom SymantecDLP/ReleaseNotes.md b/Solutions/Broadcom SymantecDLP/ReleaseNotes.md
index 7e86ef7ef4d..9c0ef0bc6c0 100644
--- a/Solutions/Broadcom SymantecDLP/ReleaseNotes.md
+++ b/Solutions/Broadcom SymantecDLP/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.3 | 27-11-2024 | Removed Deprecated **Data Connectors** |
| 3.0.2 | 08-07-2024 | Deprecated **Data Connector** |
| 3.0.1 | 01-09-2023 | Addition of new Broadcom SymantecDLP AMA **Data Connector** |
| 3.0.0 | 27-07-2023 | Corrected the links in the solution. |
diff --git a/Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py b/Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py
index 2aac639f156..b526130e7aa 100644
--- a/Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py
+++ b/Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py
@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
import base64
import hashlib
import hmac
@@ -20,7 +20,7 @@
blob_name = "timestamp"
cs = os.environ.get('ConnectionString')
-
+
customer_id = os.environ.get('AzureSentinelWorkspaceId','')
shared_key = os.environ.get('AzureSentinelSharedKey')
verify = False
@@ -32,7 +32,7 @@
qsdk_token = None
headers = {
"Content-Type": "application/json",
- "Accept": "application/json",
+ "Accept": "application/json"
}
job_details_body = {
@@ -92,17 +92,14 @@
"paths": [{"path": "/**/*"}],
}
-@app.function_name(name="AzureFunctionCommvaultSecurityIQ")
-@app.schedule(schedule="0 */5 * * * *", arg_name="myTimer", run_on_startup=True,
- use_monitor=False)
-def myTimer(myTimer: func.TimerRequest) -> None:
- global qsdk_token,url
- if myTimer.past_due:
- logging.info('The timer is past due!')
+def main(mytimer: func.TimerRequest) -> None:
+ global qsdk_token, url
+ if mytimer.past_due:
+ logging.info('The timer is past due!')
logging.info('Executing Python timer trigger function.')
-
+
pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'
match = re.match(pattern, str(logAnalyticsUri))
if (not match):
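Review bot: The allow-list regex on the context line `pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$'` leaves the dot before the TLD group unescaped, so any character is accepted in that position; since this check is presumably what stops the workspace-key-signed upload from going to an arbitrary host, tighten it to `pattern = r'https:\/\/([\w\-]+)\.ods\.opinsights\.azure\.([a-zA-Z\.]+)$'`. Dropping the `@app.function_name`/`@app.schedule` decorators moves the timer binding, including the `run_on_startup` and `use_monitor` settings, into a `function.json` that is not part of this diff, and its binding name must be `mytimer` to match the new `main` signature; that file is not visible here. The body of `main` continues past the end of this hunk.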
@@ -116,25 +113,40 @@ def myTimer(myTimer: func.TimerRequest) -> None:
url = "https://" + uri + "/commandcenter/api"
secret_name = "access-token"
qsdk_token = client.get_secret(secret_name).value
- headers["authtoken"] = "QSDK "+qsdk_token
- ustring = "/events?level=10&showInfo=false&showMinor=false&showMajor=true&showCritical=false&showAnomalous=true"
+ headers["authtoken"] = "QSDK " + qsdk_token
+ ustring = "/events?level=10&showInfo=false&showMinor=false&showMajor=true&showCritical=true&showAnomalous=true"
f_url = url + ustring
- current_date = datetime.utcnow()
+ current_date = datetime.now(timezone.utc)
to_time = int(current_date.timestamp())
fromtime = read_blob(cs, container_name, blob_name)
if fromtime is None:
fromtime = int((current_date - timedelta(days=2)).timestamp())
-
- logging.info("Starts at: [{}]".format(datetime.now().strftime("%Y-%m-%d %H:%M:%S")))
+ logging.info("From Time : [{}] , since the time read from blob is None".format(fromtime))
+ else:
+ fromtime_dt = datetime.fromtimestamp(fromtime, tz=timezone.utc)
+ time_diff = current_date - fromtime_dt
+ if time_diff > timedelta(days=2):
+ updatedfromtime = int((current_date - timedelta(days=2)).timestamp())
+ logging.info("From Time : [{}] , since the time read from blob : [{}] is older than 2 days".format(updatedfromtime,fromtime))
+ fromtime = updatedfromtime
+ elif time_diff < timedelta(minutes = 5):
+ updatedfromtime = int((current_date - timedelta(minutes=5)).timestamp())
+ logging.info("From Time : [{}] , since the time read from blob : [{}] is less than 5 minutes".format(updatedfromtime,fromtime))
+ fromtime = updatedfromtime
+ max_fetch = 1000
+ headers["pagingInfo"] = f"0,{max_fetch}"
+ logging.info("Starts at: [{}]".format(datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")))
event_endpoint = f"{f_url}&fromTime={fromtime}&toTime={to_time}"
+ logging.info("Event endpoint : [{}]".format(event_endpoint))
response = requests.get(event_endpoint, headers=headers, verify=verify)
-
+ logging.info("Response Status Code : " + str(response.status_code))
if response.status_code == 200:
events = response.json()
logging.info("Events Data")
logging.info(events)
data = events.get("commservEvents")
- data = [event for event in data if event.get("eventCodeString") in "7:211|7:212|7:293|7:269|14:337|14:338|69:59|7:333|69:60|35:5575"]
+ data = [event for event in data if
+ event.get("eventCodeString") in "7:211|7:212|7:293|7:269|14:337|14:338|69:59|7:333|69:60|35:5575"]
post_data = []
if data:
for event in data:
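Review bot: The call `response = requests.get(event_endpoint, headers=headers, verify=verify)` inherits the module-level `verify = False`, so certificate verification is disabled on the request that carries the `QSDK` token in `headers["authtoken"]`, letting a network-position attacker read the token and return fabricated events; default `verify` to `True`, or to a CA bundle path read from app settings, rather than hard-coding `False`. The reformatted filter `event.get("eventCodeString") in "7:211|7:212|..."` is a substring test against a string, so partial codes such as `7:21` or `14:33` pass and a missing key raises `TypeError` from `None in str`; use a set, e.g. `ALLOWED_EVENT_CODES = {"7:211", "7:212", "7:293", ...}` and `if event.get("eventCodeString") in ALLOWED_EVENT_CODES`. Finally, `headers["pagingInfo"] = f"0,{max_fetch}"` caps a fetch at 1000 events with no follow-up page, while the next hunk still advances the blob watermark to `to_time+1`, so any events beyond the first 1000 in a window are silently dropped.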
@@ -147,7 +159,7 @@ def myTimer(myTimer: func.TimerRequest) -> None:
upload_timestamp_blob(cs, container_name, blob_name, to_time+1)
logging.info("Function App Executed")
else:
- print("No new events found.")
+ print("No new events found.")
else:
logging.error("Failed to get events with status code : "+str(response.status_code))
@@ -195,22 +207,22 @@ def get_backup_anomaly(anomaly_id: int) -> str:
def define_severity(anomaly_sub_type: str) -> str | None:
- """
- Function to get severity from anomaly sub type
-
- Args:
- anomaly_sub_type (str): The sub type of anomaly
-
- Returns:
- str | None: The severity of the anomaly or None if not found
"""
-
- severity = None
- if anomaly_sub_type in ("File Type", "Threat Analysis"):
- severity = Constants.severity_high
- elif anomaly_sub_type == "File Activity":
- severity = Constants.severity_info
- return severity
+Function to get severity from anomaly sub type
+
+Args:
+ anomaly_sub_type (str): The sub type of anomaly
+
+Returns:
+ str | None: The severity of the anomaly or None if not found
+"""
+
+ severity = None
+ if anomaly_sub_type in ("File Type", "Threat Analysis"):
+ severity = Constants.severity_high
+ elif anomaly_sub_type == "File Activity":
+ severity = Constants.severity_info
+ return severity
def if_zero_set_none(value: str | None | int) -> str | None | int:
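Review bot: The re-added docstring of `define_severity` is flush at column 0 — every line from `Function to get severity from anomaly sub type` through the closing `"""` — while the opening `"""` and the `severity = ...` lines that follow stay at function indentation. This still parses (the text is inside the string token), but it violates PEP 257 layout and is inconsistent with every other docstring visible in this file (`get_user_details`, `build_signature`, `read_blob`), and it reads like a formatter accident rather than an intended change. Re-indent those docstring lines by four spaces so they sit under the opening quotes; the logic below them is otherwise identical to the removed version.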
@@ -365,6 +377,7 @@ def get_job_details(job_id, url, headers):
logging.info(data)
return None
+
def get_user_details(client_name):
"""
Retrieves the user ID and user name associated with a given client name.
@@ -511,7 +524,7 @@ def build_signature(date, content_length, method, content_type, resource):
Returns:
str: The authorization signature
"""
-
+
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
@@ -584,7 +597,7 @@ def gen_chunks_to_object(data, chunksize=100):
Yields:
_type_: the chunk
- """
+ """
chunk = []
for index, line in enumerate(data):
if (index % chunksize == 0 and index > 0):
@@ -636,7 +649,7 @@ def read_blob(connection_string, container_name, blob_name):
Returns:
int | None: Timestamp or None if not found
"""
-
+
try:
blob_service_client = BlobServiceClient.from_connection_string(connection_string)
blob_client = blob_service_client.get_blob_client(container=container_name, blob=blob_name)
@@ -647,11 +660,11 @@ def read_blob(connection_string, container_name, blob_name):
timestamp = int(content)
logging.info(f"Timestamp read from blob {blob_name}: {timestamp}")
return timestamp
-
+
except ResourceNotFoundError:
logging.info(f"Blob '{blob_name}' does not exist.")
return None
-
+
except Exception as e:
logging.error(f"An error occurred: {str(e)}")
raise e
\ No newline at end of file
diff --git a/Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQDataConnector.zip b/Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQDataConnector.zip
index 40d6e93809b..4e249c30b1e 100644
Binary files a/Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQDataConnector.zip and b/Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQDataConnector.zip differ
diff --git a/Solutions/Commvault Security IQ/Data Connectors/azuredeploy_CommvaultSecurityIQ_FunctionApp.json b/Solutions/Commvault Security IQ/Data Connectors/azuredeploy_CommvaultSecurityIQ_FunctionApp.json
index 417372c700d..3de0d477dea 100644
--- a/Solutions/Commvault Security IQ/Data Connectors/azuredeploy_CommvaultSecurityIQ_FunctionApp.json
+++ b/Solutions/Commvault Security IQ/Data Connectors/azuredeploy_CommvaultSecurityIQ_FunctionApp.json
@@ -160,6 +160,7 @@
"AzureSentinelWorkspaceId": "[parameters('AzureSentinelWorkspaceId')]",
"AzureSentinelSharedKey": "[parameters('AzureSentinelSharedKey')]",
"ConnectionString": "[parameters('ConnectionString')]",
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(parameters('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(parameters('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"KeyVaultName": "[parameters('KeyVaultName')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CommvaultSecurityIQ-functionapp"
}
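Review bot: The new `AzureWebJobsStorage` setting embeds the storage account's primary key (`listKeys(...).keys[0].value`) as a plain app setting, so anyone with read access to the Function App configuration obtains full, non-expiring control of that storage account. Since the template already takes a `KeyVaultName`, consider either storing the connection string as a Key Vault secret and referencing it from the setting (`@Microsoft.KeyVault(SecretUri=...)`), or removing the key entirely with an identity-based connection: `"AzureWebJobsStorage__accountName": "[toLower(parameters('FunctionName'))]"` plus a system-assigned identity granted the blob/queue/table data roles the Functions host requires. If the storage account is created in this same template, the `listKeys` call also needs the site resource to `dependsOn` it, which is not visible in this hunk. The pinned `'2019-06-01'` API version is old but still accepted for `listKeys`.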
diff --git a/Solutions/Forcepoint CASB/Data/Solution_ForcepointCASB.json b/Solutions/Forcepoint CASB/Data/Solution_ForcepointCASB.json
index c6aae0c9190..159425d67f3 100644
--- a/Solutions/Forcepoint CASB/Data/Solution_ForcepointCASB.json
+++ b/Solutions/Forcepoint CASB/Data/Solution_ForcepointCASB.json
@@ -2,19 +2,15 @@
"Name": "Forcepoint CASB",
"Author": "Forcepoint",
"Logo": "
",
- "Description": "The [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
+ "Description": "The [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Workbooks": [
"Solutions/Forcepoint CASB/Workbooks/ForcepointCASB.json"
],
- "Data Connectors": [
- "Solutions/Forcepoint CASB/Data Connectors/Forcepoint CASB.json",
- "Solutions/Forcepoint CASB/Data Connectors/template_Forcepoint CASBAMA.json"
- ],
"dependentDomainSolutionIds": [
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\Github\\Azure-Sentinel",
- "Version": "3.0.1",
+ "Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Forcepoint CASB/Package/3.0.2.zip b/Solutions/Forcepoint CASB/Package/3.0.2.zip
new file mode 100644
index 00000000000..8aef8f58894
Binary files /dev/null and b/Solutions/Forcepoint CASB/Package/3.0.2.zip differ
diff --git a/Solutions/Forcepoint CASB/Package/createUiDefinition.json b/Solutions/Forcepoint CASB/Package/createUiDefinition.json
index fa4a849d12c..ed5940918a7 100644
--- a/Solutions/Forcepoint CASB/Package/createUiDefinition.json
+++ b/Solutions/Forcepoint CASB/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Forcepoint%20CASB/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Forcepoint CASB](https://www.forcepoint.com/product/casb-cloud-access-security-broker) (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel. \n\nFor more details about this solution refer to [integration documentation](https://forcepoint.github.io/docs/casb_and_azure_sentinel/). \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
}
],
"steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Forcepoint CASB. You can get Forcepoint CASB CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
{
"name": "workbooks",
"label": "Workbooks",
diff --git a/Solutions/Forcepoint CASB/Package/mainTemplate.json b/Solutions/Forcepoint CASB/Package/mainTemplate.json
index f412804f441..73998664819 100644
--- a/Solutions/Forcepoint CASB/Package/mainTemplate.json
+++ b/Solutions/Forcepoint CASB/Package/mainTemplate.json
@@ -39,7 +39,7 @@
},
"variables": {
"_solutionName": "Forcepoint CASB",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
"solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-forcepoint-casb",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -49,24 +49,6 @@
"_workbookContentId1": "[variables('workbookContentId1')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
- "uiConfigId1": "ForcepointCasb",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ForcepointCasb",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "ForcepointCasbAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "ForcepointCasbAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -79,7 +61,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ForcepointCASB Workbook with template version 3.0.1",
+ "description": "ForcepointCASB Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -140,6 +122,10 @@
{
"contentId": "ForcepointCasbAma",
"kind": "DataConnector"
+ },
+ {
+ "contentId": "CefAma",
+ "kind": "DataConnector"
}
]
}
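Review bot: The dependency criteria still list `ForcepointCasbAma` (the context entry directly above the added one) even though this same commit deletes the `ForcepointCasbAma` and `ForcepointCasb` data-connector content templates and their variables from the solution and drops the Data Connectors entries from the manifest; a workbook declaring a dependency on a content item the package no longer ships is dead metadata at best and may trip dependency resolution during solution validation or install. Replace the retained Forcepoint connector entries so the array holds only `{ "contentId": "CefAma", "kind": "DataConnector" }`. Whether a legacy `ForcepointCasb` entry also remains above this hunk is not visible here.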
@@ -160,729 +146,17 @@
"version": "[variables('workbookVersion1')]"
}
},
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Forcepoint CASB data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Forcepoint CASB via Legacy Agent",
- "publisher": "Forcepoint CASB",
- "descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ForcepointCASB",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Users With The Highest Number Of Logs",
- "query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
- },
- {
- "description": "Top 5 Users by Number of Failed Attempts ",
- "query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcepointCASB)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
- "title": "5. Forcepoint integration installation guide "
- }
- ],
- "metadata": {
- "id": "04f93db2-8f2a-4edc-bb78-9e1e7587faff",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Forcepoint",
- "link": "https://support.forcepoint.com",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CASB",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "tier": "Community",
- "name": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Forcepoint CASB via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CASB",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "tier": "Community",
- "name": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Forcepoint CASB via Legacy Agent",
- "publisher": "Forcepoint CASB",
- "descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ForcepointCASB",
- "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcepointCASB)",
- "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "\nCommonSecurityLog\n| where DeviceVendor == \"Forcepoint CASB\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Users With The Highest Number Of Logs",
- "query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
- },
- {
- "description": "Top 5 Users by Number of Failed Attempts ",
- "query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel. This machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version \n \n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
- "title": "5. Forcepoint integration installation guide "
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Forcepoint CASB data connector with template version 3.0.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Forcepoint CASB via AMA",
- "publisher": "Forcepoint CASB",
- "descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ForcepointCASB",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Users With The Highest Number Of Logs",
- "query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
- },
- {
- "description": "Top 5 Users by Number of Failed Attempts ",
- "query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcepointCASB)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
- "title": "3. Forcepoint integration installation guide "
- }
- ],
- "metadata": {
- "id": "04f93db2-8f2a-4edc-bb78-9e1e7587faff",
- "version": "1.0.0",
- "kind": "dataConnector",
- "source": {
- "kind": "community"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "name": "Forcepoint",
- "link": "https://support.forcepoint.com",
- "tier": "developer"
- }
- }
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CASB",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "tier": "Community",
- "name": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Forcepoint CASB via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Forcepoint CASB",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Forcepoint"
- },
- "support": {
- "tier": "Community",
- "name": "Community",
- "link": "https://github.com/Azure/Azure-Sentinel/issues"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Forcepoint CASB via AMA",
- "publisher": "Forcepoint CASB",
- "descriptionMarkdown": "The Forcepoint CASB (Cloud Access Security Broker) Connector allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "ForcepointCASB",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (ForcepointCASB)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Forcepoint CASB'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 5 Users With The Highest Number Of Logs",
- "query": "CommonSecurityLog \n| summarize Count = count() by DestinationUserName\n| top 5 by DestinationUserName\n| render barchart"
- },
- {
- "description": "Top 5 Users by Number of Failed Attempts ",
- "query": "CommonSecurityLog \n| extend outcome = coalesce(column_ifexists(\"EventOutcome\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 2)[0], \"=\", 1)[0]), \"\")\n| extend reason = coalesce(column_ifexists(\"Reason\", \"\"), tostring(split(split(AdditionalExtensions, \";\", 3)[0], \"=\", 1)[0]), \"\")\n| where outcome ==\"Failure\"\n| summarize Count= count() by DestinationUserName\n| render barchart"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "read": true,
- "write": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent",
- "description": "Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- },
- {
- "description": "To complete the installation of this Forcepoint product integration, follow the guide linked below.\n\n[Installation Guide >](https://frcpnt.com/casb-sentinel)",
- "title": "3. Forcepoint integration installation guide "
- }
- ],
- "id": "[variables('_uiConfigId2')]"
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.1",
+ "version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Forcepoint CASB",
"publisherDisplayName": "Community",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Forcepoint CASB (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.
\nFor more details about this solution refer to integration documentation.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Workbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Forcepoint CASB (Cloud Access Security Broker) Solution for Microsoft Sentinel allows you to automatically export CASB logs and events into Microsoft Sentinel in real-time. This enriches visibility into user activities across locations and cloud applications, enables further correlation with data from Azure workloads and other feeds, and improves monitoring capability with Workbooks inside Microsoft Sentinel.
\nFor more details about this solution refer to integration documentation.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.
\nWorkbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -909,16 +183,6 @@
"contentId": "[variables('_workbookContentId1')]",
"version": "[variables('workbookVersion1')]"
},
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-commoneventformat"
diff --git a/Solutions/Forcepoint CASB/ReleaseNotes.md b/Solutions/Forcepoint CASB/ReleaseNotes.md
index d7ae8f42f48..1a3460bc3ca 100644
--- a/Solutions/Forcepoint CASB/ReleaseNotes.md
+++ b/Solutions/Forcepoint CASB/ReleaseNotes.md
@@ -1,6 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.1 | 15-07-2024 | Deprecating data connectors |
-| 3.0.0 | 31-08-2023 | Addition of new Forcepoint CASB AMA **Data Connector** | |
-
-
+| 3.0.2 | 27-11-2024 | Removed Deprecated **Data Connectors** |
+| 3.0.1 | 15-07-2024 | Deprecating data connectors |
+| 3.0.0 | 31-08-2023 | Addition of new Forcepoint CASB AMA **Data Connector** |
diff --git a/Solutions/Illumio Core/Data/Solution_IllumioCore.json b/Solutions/Illumio Core/Data/Solution_IllumioCore.json
index 13965c08c61..e3a6cff62c3 100644
--- a/Solutions/Illumio Core/Data/Solution_IllumioCore.json
+++ b/Solutions/Illumio Core/Data/Solution_IllumioCore.json
@@ -2,11 +2,7 @@
"Name": "Illumio Core",
"Author": "Microsoft",
"Logo": "
",
- "Description": "The [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Solutions/Illumio Core/Data Connectors/Connector_IllumioCore_CEF.json",
- "Solutions/Illumio Core/Data Connectors/template_IllumioCoreAMA.json"
- ],
+ "Description": "The [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
"Parsers": [
"Solutions/Illumio Core/Parsers/IllumioCoreEvent.yaml"
],
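Review bot: The new `Description` still ends with "The existing connectors were deprecated on **Aug 31, 2024**", but the same hunk removes the solution's own `Data Connectors` array (`Connector_IllumioCore_CEF.json`, `template_IllumioCoreAMA.json`), so the sentence now points at connectors a reader of the package cannot find. Suggest naming what it refers to, e.g. `**NOTE:** The Illumio Core data connectors previously bundled with this solution were deprecated on **Aug 31, 2024** and have been removed; logs are collected through the CEF via AMA connector of the Common Event Format solution.` The same sentence is repeated in the basics description of createUiDefinition.json later in this diff and should be kept in sync.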
@@ -14,7 +10,7 @@
"azuresentinel.azure-sentinel-solution-commoneventformat"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
- "Version": "3.0.2",
+ "Version": "3.0.3",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Illumio Core/Package/3.0.3.zip b/Solutions/Illumio Core/Package/3.0.3.zip
new file mode 100644
index 00000000000..48304c36216
Binary files /dev/null and b/Solutions/Illumio Core/Package/3.0.3.zip differ
diff --git a/Solutions/Illumio Core/Package/createUiDefinition.json b/Solutions/Illumio Core/Package/createUiDefinition.json
index 7e0aed7be15..ccc7bd5b051 100644
--- a/Solutions/Illumio Core/Package/createUiDefinition.json
+++ b/Solutions/Illumio Core/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Core/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Illumio%20Core/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Illumio Core](https://www.illumio.com/products/) solution allows you to ingest Illumio Core logs into Microsoft Sentinel. \n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
"visible": true
}
],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Illumio Core. You can get Illumio Core CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- }
- ],
+ "steps": [{}],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
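Review bot: Collapsing the whole `steps` array to `[{}]` also drops the `dataconnectors-parser-text` block, yet the solution still ships its parser — the new basics description on this page still advertises `**Parsers:** 1` and Solution_IllumioCore.json keeps `Parsers/IllumioCoreEvent.yaml` — so the install wizard no longer tells the user that a Kusto-function parser is deployed and that the queries depend on it. Consider keeping one step (for example `"name": "parsers"`, `"label": "Parsers"`) whose only element is the removed parser TextBlock instead of an empty step object. An empty `{}` step carries no `name`, `label` or `elements`; if that is the form the generator emits for connector-less solutions it can stay, otherwise `"steps": []` appears to be the clearer way to state that there are no extra wizard pages — worth confirming against the createUiDefinition schema before merging.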
diff --git a/Solutions/Illumio Core/Package/mainTemplate.json b/Solutions/Illumio Core/Package/mainTemplate.json
index f03c72affde..87e6ed1635d 100644
--- a/Solutions/Illumio Core/Package/mainTemplate.json
+++ b/Solutions/Illumio Core/Package/mainTemplate.json
@@ -31,27 +31,9 @@
},
"variables": {
"_solutionName": "Illumio Core",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-illumiocore",
"_solutionId": "[variables('solutionId')]",
- "uiConfigId1": "IllumioCore",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "IllumioCore",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "uiConfigId2": "IllumioCoreAma",
- "_uiConfigId2": "[variables('uiConfigId2')]",
- "dataConnectorContentId2": "IllumioCoreAma",
- "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
- "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "_dataConnectorId2": "[variables('dataConnectorId2')]",
- "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
- "dataConnectorVersion2": "1.0.0",
- "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','IllumioCoreEvent')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'IllumioCoreEvent')]",
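Review bot: Deleting `dataConnectorContentId1/2`, `_dataConnectorId1/2` and the related `dataConnectorVersion*` / `_dataConnectorcontentProductId*` variables turns any surviving `variables('…')` reference to them into a template-validation error at deploy time, and this hunk only shows the `variables` block. The Forcepoint CASB section of this same diff removes matching `"kind": "DataConnector"` entries from the contentPackages `dependencies` list; the Illumio Core template presumably has the same entries further down and they must go in this commit as well, so a grep for `_dataConnectorContentId` and `_dataConnectorId` across mainTemplate.json is worth doing before merge. The enclosing `variables` object continues outside the hunk.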
@@ -62,668 +44,6 @@
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Illumio Core data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Illumio Core via Legacy Agent",
- "publisher": "Illumio",
- "descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "IllumioCore",
- "baseQuery": "IllumioCoreEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Event Types",
- "query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (IllumioCore)",
- "lastDataReceivedQuery": "IllumioCoreEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "IllumioCoreEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM)."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "2.1 Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\n2.2 Configure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.",
- "title": "2. Configure Ilumio Core to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Illumio Core",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Illumio Core via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Illumio Core",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Illumio Core via Legacy Agent",
- "publisher": "Illumio",
- "descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "IllumioCore",
- "baseQuery": "IllumioCoreEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (IllumioCore)",
- "lastDataReceivedQuery": "IllumioCoreEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "IllumioCoreEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Event Types",
- "query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM)."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "2.1 Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\n2.2 Configure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.",
- "title": "2. Configure Ilumio Core to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Illumio Core data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion2')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId2')]",
- "title": "[Deprecated] Illumio Core via AMA",
- "publisher": "Illumio",
- "descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "IllumioCore",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Event Types",
- "query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (IllumioCore)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM).",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Configure Ilumio Core to send logs using CEF",
- "description": "Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\nConfigure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Illumio Core",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Illumio Core via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
- "id": "[variables('_dataConnectorcontentProductId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId2')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Illumio Core",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft"
- },
- "support": {
- "name": "Microsoft",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "[Deprecated] Illumio Core via AMA",
- "publisher": "Illumio",
- "descriptionMarkdown": "The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "IllumioCore",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (IllumioCore)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'Illumio'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Event Types",
- "query": "IllumioCoreEvent\n | where isnotempty(EventType)\n | summarize count() by EventType\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ],
- "customs": [
- {
- "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
- },
- {
- "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM).",
- "instructions": [
- {
- "parameters": {
- "title": "1. Kindly follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
- "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine."
- },
- {
- "title": "Step B. Configure Ilumio Core to send logs using CEF",
- "description": "Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\nConfigure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration."
- },
- {
- "title": "Step C. Validate connection",
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "2. Secure your machine "
- }
- ],
- "id": "[variables('_uiConfigId2')]",
- "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."
- }
- }
- },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@@ -733,7 +53,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "IllumioCoreEvent Data Parser with template version 3.0.2",
+ "description": "IllumioCoreEvent Data Parser with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -859,12 +179,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Illumio Core",
"publisherDisplayName": "Microsoft Sentinel, Microsoft",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Illumio Core solution allows you to ingest Illumio Core logs into Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.
\nData Connectors: 2, Parsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Illumio Core solution allows you to ingest Illumio Core logs into Microsoft Sentinel.
\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.
\nNOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.
\nParsers: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
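Review bot: The rewritten descriptionHtml still states that "The CEF solution will be installed as part of this solution installation" and that "The existing connectors were deprecated on Aug 31, 2024", while the same commit deletes both DataConnector entries from `dependencies.criteria` (hunk `@@ -887,16 +207,6 @@`), so a reader installing 3.0.3 has no "existing connectors" in this package and the NOTE sentence now reads as if something shipped here was deprecated. Whether the install claim still holds depends on a Solution-kind dependency on the Common Event Format solution remaining in the criteria list, which runs past the visible lines of that hunk, so please confirm it is declared. I would reword the NOTE to `\nNOTE: Illumio Core logs are collected through the CEF via AMA connector of the Common Event Format solution; the legacy Illumio Core data connectors were deprecated on Aug 31, 2024 and are no longer shipped with this solution.` so the text describes the package as it is after this change.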
@@ -887,16 +207,6 @@
},
"dependencies": {
"criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
{
"kind": "Parser",
"contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Illumio Core/ReleaseNotes.md b/Solutions/Illumio Core/ReleaseNotes.md
index cff014f3840..bd026c66a8b 100644
--- a/Solutions/Illumio Core/ReleaseNotes.md
+++ b/Solutions/Illumio Core/ReleaseNotes.md
@@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------|
-| 3.0.2 | 15-07-2024 | Deprecating data connector |
+| 3.0.3 | 27-11-2024 | Removed Deprecated **Data Connectors** |
+| 3.0.2 | 15-07-2024 | Deprecating data connector |
| 3.0.1 | 12-09-2023 | Addition of new Illumio Core AMA **Data Connector** |
| 3.0.0 | 24-07-2023 | Corrected the links in the solution. |
diff --git a/Solutions/Microsoft Business Applications/Package/3.2.0.zip b/Solutions/Microsoft Business Applications/Package/3.2.0.zip
index 84fbdbfc395..3ba6e83c4cd 100644
Binary files a/Solutions/Microsoft Business Applications/Package/3.2.0.zip and b/Solutions/Microsoft Business Applications/Package/3.2.0.zip differ
diff --git a/Solutions/Microsoft Business Applications/Package/mainTemplate.json b/Solutions/Microsoft Business Applications/Package/mainTemplate.json
index 2d61fea23b4..7af3027f44a 100644
--- a/Solutions/Microsoft Business Applications/Package/mainTemplate.json
+++ b/Solutions/Microsoft Business Applications/Package/mainTemplate.json
@@ -12252,7 +12252,7 @@
"2. An Exchange Online shared mailbox for the SOC.",
"3. Email address for the workload owners to send alert notifications.",
"4. Email address to send escalation notifications if workload owners do not respond.",
- "5. Register a new provider at the [Actionable Email Developer Dashboard](https://aka.ms/publishoam) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)."
+ "5. Register a new provider at the [Actionable Email Developer Dashboard](https://learn.microsoft.com/outlook/actionable-messages/email-dev-dashboard) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)."
],
"postDeployment": [
"1. In Logic Apps designer view, edit the 'Post adaptive card and wait for a reponse' action.",
diff --git a/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json b/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json
index b96341f5420..676aedbe25c 100644
--- a/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json
+++ b/Solutions/Microsoft Business Applications/Playbooks/MSBizApps-Incident-From-Alert-Teams/azuredeploy.json
@@ -9,7 +9,7 @@
"2. An Exchange Online shared mailbox for the SOC.",
"3. Email address for the workload owners to send alert notifications.",
"4. Email address to send escalation notifications if workload owners do not respond.",
- "5. Register a new provider at the [Actionable Email Developer Dashboard](https://aka.ms/publishoam) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)."
+ "5. Register a new provider at the [Actionable Email Developer Dashboard](https://learn.microsoft.com/outlook/actionable-messages/email-dev-dashboard) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)."
],
"postDeployment": [
"1. In Logic Apps designer view, edit the 'Post adaptive card and wait for a reponse' action.",
diff --git a/Solutions/Microsoft Business Applications/ReleaseNotes.md b/Solutions/Microsoft Business Applications/ReleaseNotes.md
index 1e49ceef7bc..0c5d315a80c 100644
--- a/Solutions/Microsoft Business Applications/ReleaseNotes.md
+++ b/Solutions/Microsoft Business Applications/ReleaseNotes.md
@@ -1,4 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------------------------------|
+| 3.2.0 | 15-11-2024 | - Renamed solution from Power Platform to Microsoft Business Applications.
- Merge Dynamics 365 CE Apps and Dynamics 365 Finance & Operations into a unified solution.
- New analytics rules, playbooks and hunting queries.
- Replace Dynamics 365 Finance and Operations function app using Codeless Connector.
- Retire PPInventory function app.
|
| 3.1.3 | 12-07-2024 |- Removal of Power Apps, Power Platform Connectors, Power Platform DLP data connectors. Associated logs are now ingested via Power Platform Admin Activity data connector.
- Update of analytics rules to utilize PowerPlatfromAdminActivity table.
- Update data connectors DCR properties.
|
-| 3.2.0 | 15-11-2024 | - Renamed solution from Power Platform to Microsoft Business Applications.
- Merge Dynamics 365 CE Apps and Dynamics 365 Finance & Operations into a unified solution.
- New analytics rules, playbooks and hunting queries.
- Replace Dynamics 365 Finance and Operations function app using Codeless Connector.
- Retire PPInventory function app.
|
\ No newline at end of file
diff --git a/Solutions/Okta Single Sign-On/Package/3.1.0.zip b/Solutions/Okta Single Sign-On/Package/3.1.0.zip
index 6fa9ef11fa9..e8fd7d8785c 100644
Binary files a/Solutions/Okta Single Sign-On/Package/3.1.0.zip and b/Solutions/Okta Single Sign-On/Package/3.1.0.zip differ
diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json
index 554fd70032a..762419b53a1 100644
--- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json
+++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json
@@ -55,7 +55,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Okta Single Sign-On",
- "_solutionVersion": "3.0.11",
+ "_solutionVersion": "3.1.0",
"solutionId": "azuresentinel.azure-sentinel-solution-okta",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@@ -234,6 +234,8 @@
"parserVersion1": "1.0.2",
"parserContentId1": "OktaSSO-Parser"
},
+ "SessionId": "authenticationContext_externalSessionId_s",
+ "_SessionId": "[variables('SessionId')]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -246,7 +248,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -365,7 +367,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -475,7 +477,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -585,7 +587,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -712,7 +714,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -785,7 +787,7 @@
}
],
"customDetails": {
- "SessionId": "authenticationContext_externalSessionId_s",
+ "SessionId": "[variables('_SessionId')]",
"Location": "Location"
},
"alertDetailsOverride": {
@@ -845,7 +847,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -959,7 +961,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1030,7 +1032,7 @@
}
],
"customDetails": {
- "SessionId": "authenticationContext_externalSessionId_s"
+ "SessionId": "[variables('_SessionId')]"
}
}
},
@@ -1085,7 +1087,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1208,7 +1210,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.11",
+ "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1326,7 +1328,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta Single Sign-On data connector with template version 3.0.11",
+ "description": "Okta Single Sign-On data connector with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -2678,7 +2680,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2763,7 +2765,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2848,7 +2850,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2933,7 +2935,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -3018,7 +3020,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -3103,7 +3105,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -3188,7 +3190,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -3273,7 +3275,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -3358,7 +3360,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -3443,7 +3445,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.11",
+ "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -3528,7 +3530,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OktaCustomConnector Playbook with template version 3.0.11",
+ "description": "OktaCustomConnector Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -4823,7 +4825,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.11",
+ "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -5182,7 +5184,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta-PromptUser Playbook with template version 3.0.11",
+ "description": "Okta-PromptUser Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -5633,7 +5635,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Okta-ResponseFromTeams Playbook with template version 3.0.11",
+ "description": "Okta-ResponseFromTeams Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -6140,7 +6142,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OktaSingleSignOn Workbook with template version 3.0.11",
+ "description": "OktaSingleSignOn Workbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -6236,7 +6238,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "OktaSSO Data Parser with template version 3.0.11",
+ "description": "OktaSSO Data Parser with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -6364,7 +6366,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.11",
+ "version": "3.1.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Okta Single Sign-On",
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py
index 225c85297c9..26de6b4f7db 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikAnomalyOrchestrator/__init__.py
@@ -13,12 +13,12 @@ def orchestrator_function(context: df.DurableOrchestrationContext):
Returns:
str: result of Activity function
"""
- applogger.debug("{} AnomalyOrchestrator function called!".format(LOGS_STARTS_WITH))
+ applogger.info("{} AnomalyOrchestrator function called!".format(LOGS_STARTS_WITH))
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": ANOMALY_LOG_TYPE}
)
- applogger.debug(
+ applogger.info(
"{} AnomalyOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1
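Review bot: Raising these two messages from DEBUG to INFO puts them in the replay path of a Durable orchestrator: the code before `yield context.call_activity(...)` is re-executed from history every time the orchestration resumes, so the "function called!" line is now emitted once per replay (at least twice per event) rather than once, and the "completed!" line likewise depends on replay state. If the intent is one INFO record per webhook event, guard both calls with the replay flag, e.g. `if not context.is_replaying:` before each `applogger.info(...)`, and consider adding `context.instance_id` to the message so the two records can be correlated in traces. The same debug-to-info change appears in the RubrikRansomwareOrchestrator and RubrikThreathuntOrchestrator hunks and in the new RubrikEventsOrchestrator file, and the note applies there too. `orchestrator_function` begins outside this hunk.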
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/__init__.py
new file mode 100644
index 00000000000..07ac317f781
--- /dev/null
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/__init__.py
@@ -0,0 +1,28 @@
+"""This __init__ file will be called by Http Starter function to pass the Other Events data to activity function."""
+import azure.durable_functions as df
+from shared_code.consts import EVENTS_LOG_TYPE, LOGS_STARTS_WITH
+from shared_code.logger import applogger
+
+
+def orchestrator_function(context: df.DurableOrchestrationContext):
+ """Get General data from durable orchestration context and schedule an activity for execution.
+
+ Args:
+ context (df.DurableOrchestrationContext): Context of the durable orchestration execution.
+
+ Returns:
+ str: result of Activity function
+ """
+ applogger.info("{} RubrikEventOrchestrator function called!".format(LOGS_STARTS_WITH))
+ json_data = context.get_input()
+
+ result1 = yield context.call_activity(
+ "RubrikActivity", {"data": json_data, "log_type": EVENTS_LOG_TYPE}
+ )
+ applogger.info(
+ "{} RubrikEventOrchestrator function completed!".format(LOGS_STARTS_WITH)
+ )
+ return result1
+
+
+main = df.Orchestrator.create(orchestrator_function)
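Review bot: The log messages on the `applogger.info(...)` lines name `RubrikEventOrchestrator`, while the function folder is `RubrikEventsOrchestrator`, the module docstring speaks of "Other Events", and the sibling orchestrators log only `AnomalyOrchestrator`, `RansomwareOrchestrator` and `ThreatHuntOrchestrator` after `LOGS_STARTS_WITH`; anyone filtering traces by the established `<prefix> <Name>Orchestrator` pattern will need a special case for this one. I would use `"{} EventsOrchestrator function called!"` and `"{} EventsOrchestrator function completed!"` to match the others. The function docstring's first line, "Get General data from durable orchestration context", should also say "Get Other Events data ..." so it agrees with the module docstring and `EVENTS_LOG_TYPE`. The stray blank line between `json_data = context.get_input()` and the `yield` differs from the sibling files and can be dropped for consistency.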
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/function.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/function.json
new file mode 100644
index 00000000000..82fabb9a853
--- /dev/null
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikEventsOrchestrator/function.json
@@ -0,0 +1,10 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "context",
+ "type": "orchestrationTrigger",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py
index 18e3f5265d9..d6f9694c338 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikHttpStarter/__init__.py
@@ -23,9 +23,7 @@ def get_data_from_request_body(request):
json_data = json.dumps(data)
return json_data
except ValueError as value_error:
- applogger.error(
- "{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, value_error)
- )
+ applogger.error("{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, value_error))
raise RubrikException(value_error)
except Exception as err:
applogger.error("{}(method={}) {}".format(LOGS_STARTS_WITH, __method_name, err))
@@ -63,11 +61,7 @@ async def main(req: func.HttpRequest, starter: str) -> func.HttpResponse:
headers={"Content-Length": str(len(body))},
)
else:
- applogger.info(
- "{}(method={})No required data found.".format(
- LOGS_STARTS_WITH, __method_name
- )
- )
+ applogger.info("{}(method={})No required data found.".format(LOGS_STARTS_WITH, __method_name))
body = "No required data found."
return func.HttpResponse(
body=body,
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py
index 3dcd02232a5..95c502770b7 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikRansomwareOrchestrator/__init__.py
@@ -13,14 +13,14 @@ def orchestrator_function(context: df.DurableOrchestrationContext):
Returns:
str: result of Activity function
"""
- applogger.debug(
+ applogger.info(
"{} RansomwareOrchestrator function called!".format(LOGS_STARTS_WITH)
)
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": RANSOMWARE_LOG_TYPE}
)
- applogger.debug(
+ applogger.info(
"{} RansomwareOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py
index b8f31d04aec..df9387c8c25 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikThreathuntOrchestrator/__init__.py
@@ -13,14 +13,14 @@ def orchestrator_function(context: df.DurableOrchestrationContext):
Returns:
str: result of Activity function
"""
- applogger.debug(
+ applogger.info(
"{} ThreatHuntOrchestrator function called!".format(LOGS_STARTS_WITH)
)
json_data = context.get_input()
result1 = yield context.call_activity(
"RubrikActivity", {"data": json_data, "log_type": THREATHUNT_LOG_TYPE}
)
- applogger.debug(
+ applogger.info(
"{} ThreatHuntOrchestrator function completed!".format(LOGS_STARTS_WITH)
)
return result1
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip
index b709ab446e3..4743ed0c7b8 100644
Binary files a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip and b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents.zip differ
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json
index c79b8167326..834727ab189 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json
@@ -18,6 +18,11 @@
"metricName": "Total ThreatHunt Event data received",
"legend": "Rubrik_ThreatHunt_Data_CL",
"baseQuery": "Rubrik_ThreatHunt_Data_CL"
+ },
+ {
+ "metricName": "Total Other Events data received",
+ "legend": "Rubrik_Events_Data_CL",
+ "baseQuery": "Rubrik_Events_Data_CL"
}
],
"sampleQueries": [
@@ -32,6 +37,10 @@
{
"description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.",
"query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Rubrik Other Events - Other Events for all severity types.",
+ "query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
@@ -46,6 +55,10 @@
{
"name": "Rubrik_ThreatHunt_Data_CL",
"lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Rubrik_Events_Data_CL",
+ "lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
@@ -66,6 +79,12 @@
"value": [
"Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
+ },
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
}
],
"availability": {
@@ -137,7 +156,7 @@
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
- "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
@@ -149,7 +168,7 @@
},
{
"title": "",
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
+ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
},
{
"title": "",
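Review bot: The manual-deployment step on the new description line tells operators to create application settings named `AnomaliesTableName`, `RansomwareAnalysisTableName`, `ThreatHuntsTableName` and `EventsTableName`, but the function reads `Anomalies_table_name`, `RansomwareAnalysis_table_name`, `ThreatHunts_table_name` and `Events_table_name` — see `"Events_table_name": "[parameters('EventsTableName')]"` in the ARM template hunk and the `os.environ.get(...)` calls in shared_code/consts.py in this same change. An operator following the text would set values the code never reads, and because consts.py now carries defaults the mismatch is silent: data goes to the default tables, not the configured ones. The camelCase names are the ARM parameter names and belong only in the Option 1 (ARM) description; the Option 2 list should keep the `..._table_name` application-setting names, with exact casing, as the text itself notes the settings are case-sensitive.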
@@ -161,11 +180,11 @@
},
{
"title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel.",
- "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url."
+ "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. Select the following severity levels: Critical, Warning, Informational \n 6. Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url."
},
{
"title": "",
- "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n"
+ "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n"
}
]
-}
+}
\ No newline at end of file
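Review bot: The rewritten webhook instructions drop every reference to how the webhook authenticates to the Function App — the previous text had the operator supply the function access key in an `x-functions-key` header and warned that rotating the key requires updating the webhook, whereas the new text only says to enter the "URL part" of the copied function URL. I cannot see the function's `authLevel` from this diff, so this may be purely a documentation gap, but as written an operator does not learn whether the `code` query parameter must stay in the URL, whether the Rubrik "Microsoft Sentinel" provider supplies the key on its own, or that key rotation breaks the webhook. One sentence stating where the function key goes, plus the rotation caveat, should be restored in the new description.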
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
index 1c96a7af47b..d4d44e415b7 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/azuredeploy_Connector_RubrikWebhookEvents_AzureFunction.json
@@ -24,25 +24,33 @@
},
"AnomaliesTableName": {
"type": "string",
- "defaultValue": "Rubrik_Anomaly_Data_CL",
+ "defaultValue": "Rubrik_Anomaly_Data",
"metadata": {
"description": "Enter name of the table used to store Rubrik Anamaly logs. Default is 'Rubrik_Anomaly_Data_CL'"
}
},
"RansomwareAnalysisTableName": {
"type": "string",
- "defaultValue": "Rubrik_Ransomware_Data_CL",
- "metadata": {
+ "defaultValue": "Rubrik_Ransomware_Data",
+ "metadata": {
"description": "Enter name of the table used to store Rubrik Ransomware logs. Default is 'Rubrik_Ransomware_Data_CL'"
}
},
"ThreatHuntsTableName": {
"type": "string",
- "defaultValue": "Rubrik_ThreatHunt_Data_CL",
- "metadata": {
+ "defaultValue": "Rubrik_ThreatHunt_Data",
+ "metadata": {
"description": "Enter name of the table used to store Rubrik ThreatHunt logs. Default is 'Rubrik_ThreatHunt_Data_CL'"
}
},
+ "EventsTableName": {
+ "type": "string",
+ "defaultValue": "Rubrik_Events_Data",
+ "metadata": {
+ "description": "Enter the table name for types other than Anomaly, Ransomware, and Threat Hunt"
+ }
+ },
+
"LogLevel": {
"type": "string",
"metadata": {
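Review bot: The three `metadata.description` strings still say `Default is 'Rubrik_Anomaly_Data_CL'` (and the Ransomware/ThreatHunt equivalents) while the `defaultValue` lines just above each have changed to `Rubrik_Anomaly_Data`, `Rubrik_Ransomware_Data` and `Rubrik_ThreatHunt_Data`; update the descriptions to the new defaults, and give the new `EventsTableName` description its default `Rubrik_Events_Data` in the same form. Since the data-connector queries elsewhere in this change target `Rubrik_Events_Data_CL`, it would also help each description to say that the `_CL` suffix is added by Log Analytics and must not be typed — confirm that is the intended behaviour before wording it. The stray blank line after the `EventsTableName` block is harmless JSON but inconsistent with the other parameters.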
@@ -117,7 +125,6 @@
"keySource": "Microsoft.Storage"
},
"minimumTlsVersion": "TLS1_2"
-
}
},
{
@@ -217,7 +224,7 @@
"alwaysOn": true,
"reserved": true,
"siteConfig": {
- "linuxFxVersion": "python|3.9"
+ "linuxFxVersion": "python|3.11"
}
},
"resources": [
@@ -231,6 +238,7 @@
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~4",
"FUNCTIONS_WORKER_RUNTIME": "python",
+ "AzureWebJobsDisableHomepage": "True",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
@@ -240,6 +248,7 @@
"RansomwareAnalysis_table_name": "[parameters('RansomwareAnalysisTableName')]",
"ThreatHunts_table_name": "[parameters('ThreatHuntsTableName')]",
"Anomalies_table_name": "[parameters('AnomaliesTableName')]",
+ "Events_table_name": "[parameters('EventsTableName')]",
"LogLevel": "[parameters('LogLevel')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-RubrikWebhookEvents-functionapp"
}
@@ -283,4 +292,4 @@
}
}
]
-}
+}
\ No newline at end of file
diff --git a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py
index c3bf5967b4a..7ba95d1b91e 100644
--- a/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py
+++ b/Solutions/RubrikSecurityCloud/Data Connectors/RubrikWebhookEvents/shared_code/consts.py
@@ -6,6 +6,7 @@
LOG_LEVEL = os.environ.get("LogLevel", "")
WORKSPACE_ID = os.environ.get("WorkspaceID")
WORKSPACE_KEY = os.environ.get("WorkspaceKey")
-ANOMALY_LOG_TYPE = os.environ.get("Anomalies_table_name")
-RANSOMWARE_LOG_TYPE = os.environ.get("RansomwareAnalysis_table_name")
-THREATHUNT_LOG_TYPE = os.environ.get("ThreatHunts_table_name")
+ANOMALY_LOG_TYPE = os.environ.get("Anomalies_table_name", "Rubrik_Anomaly_Data")
+RANSOMWARE_LOG_TYPE = os.environ.get("RansomwareAnalysis_table_name", "Rubrik_Ransomware_Data")
+THREATHUNT_LOG_TYPE = os.environ.get("ThreatHunts_table_name", "Rubrik_ThreatHunt_Data")
+EVENTS_LOG_TYPE = os.environ.get("Events_table_name", "Rubrik_Events_Data")
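Review bot: Adding defaults to the four `os.environ.get` calls makes a missing or mistyped application setting undetectable: previously the value would have been `None`, which presumably failed loudly when used as a log type, whereas now records are written to the hard-coded table and the operator's configured name is silently ignored. The deployment text elsewhere in this change lists the settings under different names (`AnomaliesTableName` versus `Anomalies_table_name`), so this case is likely to occur in practice. At minimum document the contract with a comment above the block, e.g. `# Table names fall back to the ARM template defaults when the app setting is absent; a misspelled setting name is not an error.`, and consider logging the effective table names at startup so a misconfiguration is visible in the function logs.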
diff --git a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json
index dbc33554635..349db6b0b7c 100644
--- a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json
+++ b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json
@@ -16,13 +16,14 @@
"Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json",
"Playbooks/RubrikUserIntelligenceAnalysis/azuredeploy.json",
"Playbooks/RubrikRetrieveUserIntelligenceInformation/azuredeploy.json",
- "Playbooks/RubrikAnomalyGenerateDownloadableLink/azuredeploy.json"
+ "Playbooks/RubrikAnomalyGenerateDownloadableLink/azuredeploy.json",
+ "Playbooks/RubrikWorkloadAnalysis/azuredeploy.json"
],
"Data Connectors": [
"Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json"
],
"BasePath": "C:\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud",
- "Version": "3.2.1",
+ "Version": "3.3.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/RubrikSecurityCloud/Package/3.3.0.zip b/Solutions/RubrikSecurityCloud/Package/3.3.0.zip
new file mode 100644
index 00000000000..d489320b41e
Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Package/3.3.0.zip differ
diff --git a/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json b/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json
index 74b90ec80d9..2a8055f478f 100644
--- a/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json
+++ b/Solutions/RubrikSecurityCloud/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/RubrikSecurityCloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Rubrik Security Cloud](https://www.rubrik.com/) solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\n**Data Connectors:** 1, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 13\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json
index 43459c8a6e0..198e9753d96 100644
--- a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json
+++ b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json
@@ -33,7 +33,7 @@
"email": "ben.meadowcroft@rubrik.com",
"_email": "[variables('email')]",
"_solutionName": "RubrikSecurityCloud",
- "_solutionVersion": "3.2.1",
+ "_solutionVersion": "3.3.0",
"solutionId": "rubrik_inc.rubrik_sentinel",
"_solutionId": "[variables('solutionId')]",
"RubrikCustomConnector": "RubrikCustomConnector",
@@ -44,48 +44,40 @@
"playbookContentId1": "RubrikCustomConnector",
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-lc-',uniquestring(variables('_playbookContentId1'))))]",
- "playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
- "_playbookcontentProductId1": "[variables('playbookcontentProductId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','lc','-', uniqueString(concat(variables('_solutionId'),'-','LogicAppsCustomConnector','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
"RubrikAnomalyAnalysis": "RubrikAnomalyAnalysis",
"_RubrikAnomalyAnalysis": "[variables('RubrikAnomalyAnalysis')]",
"playbookVersion2": "1.0",
"playbookContentId2": "RubrikAnomalyAnalysis",
"_playbookContentId2": "[variables('playbookContentId2')]",
"playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]",
- "_playbookId2": "[variables('playbookId2')]",
"playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]",
- "playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
- "_playbookcontentProductId2": "[variables('playbookcontentProductId2')]",
+ "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]",
"RubrikAnomalyIncidentResponse": "RubrikAnomalyIncidentResponse",
"_RubrikAnomalyIncidentResponse": "[variables('RubrikAnomalyIncidentResponse')]",
"playbookVersion3": "1.0",
"playbookContentId3": "RubrikAnomalyIncidentResponse",
"_playbookContentId3": "[variables('playbookContentId3')]",
"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
- "_playbookId3": "[variables('playbookId3')]",
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
- "playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
- "_playbookcontentProductId3": "[variables('playbookcontentProductId3')]",
+ "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
"RubrikDataObjectDiscovery": "RubrikDataObjectDiscovery",
"_RubrikDataObjectDiscovery": "[variables('RubrikDataObjectDiscovery')]",
"playbookVersion4": "1.0",
"playbookContentId4": "RubrikDataObjectDiscovery",
"_playbookContentId4": "[variables('playbookContentId4')]",
"playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]",
- "_playbookId4": "[variables('playbookId4')]",
"playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]",
- "playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
- "_playbookcontentProductId4": "[variables('playbookcontentProductId4')]",
+ "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]",
"RubrikFilesetRansomwareDiscovery": "RubrikFilesetRansomwareDiscovery",
"_RubrikFilesetRansomwareDiscovery": "[variables('RubrikFilesetRansomwareDiscovery')]",
"playbookVersion5": "1.0",
"playbookContentId5": "RubrikFilesetRansomwareDiscovery",
"_playbookContentId5": "[variables('playbookContentId5')]",
"playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
- "_playbookId5": "[variables('playbookId5')]",
"playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]",
- "playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
- "_playbookcontentProductId5": "[variables('playbookcontentProductId5')]",
+ "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
"RubrikIOCScan": "RubrikIOCScan",
"_RubrikIOCScan": "[variables('RubrikIOCScan')]",
"TemplateEmptyObject": "[json('{}')]",
@@ -93,80 +85,72 @@
"playbookContentId6": "RubrikIOCScan",
"_playbookContentId6": "[variables('playbookContentId6')]",
"playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
- "_playbookId6": "[variables('playbookId6')]",
"playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]",
- "playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
- "_playbookcontentProductId6": "[variables('playbookcontentProductId6')]",
+ "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]",
"RubrikPollAsyncResult": "RubrikPollAsyncResult",
"_RubrikPollAsyncResult": "[variables('RubrikPollAsyncResult')]",
"playbookVersion7": "1.0",
"playbookContentId7": "RubrikPollAsyncResult",
"_playbookContentId7": "[variables('playbookContentId7')]",
"playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]",
- "_playbookId7": "[variables('playbookId7')]",
"playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]",
- "playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
- "_playbookcontentProductId7": "[variables('playbookcontentProductId7')]",
+ "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]",
"RubrikRansomwareDiscoveryAndFileRecovery": "RubrikRansomwareDiscoveryAndFileRecovery",
"_RubrikRansomwareDiscoveryAndFileRecovery": "[variables('RubrikRansomwareDiscoveryAndFileRecovery')]",
"playbookVersion8": "1.0",
"playbookContentId8": "RubrikRansomwareDiscoveryAndFileRecovery",
"_playbookContentId8": "[variables('playbookContentId8')]",
"playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]",
- "_playbookId8": "[variables('playbookId8')]",
"playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]",
- "playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
- "_playbookcontentProductId8": "[variables('playbookcontentProductId8')]",
+ "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]",
"RubrikRansomwareDiscoveryAndVMRecovery": "RubrikRansomwareDiscoveryAndVMRecovery",
"_RubrikRansomwareDiscoveryAndVMRecovery": "[variables('RubrikRansomwareDiscoveryAndVMRecovery')]",
"playbookVersion9": "1.0",
"playbookContentId9": "RubrikRansomwareDiscoveryAndVMRecovery",
"_playbookContentId9": "[variables('playbookContentId9')]",
"playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]",
- "_playbookId9": "[variables('playbookId9')]",
"playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]",
- "playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
- "_playbookcontentProductId9": "[variables('playbookcontentProductId9')]",
+ "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]",
"RubrikFileObjectContextAnalysis": "RubrikFileObjectContextAnalysis",
"_RubrikFileObjectContextAnalysis": "[variables('RubrikFileObjectContextAnalysis')]",
"playbookVersion10": "1.0",
"playbookContentId10": "RubrikFileObjectContextAnalysis",
"_playbookContentId10": "[variables('playbookContentId10')]",
"playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]",
- "_playbookId10": "[variables('playbookId10')]",
"playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]",
- "playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]",
- "_playbookcontentProductId10": "[variables('playbookcontentProductId10')]",
+ "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]",
"RubrikUserIntelligenceAnalysis": "RubrikUserIntelligenceAnalysis",
"_RubrikUserIntelligenceAnalysis": "[variables('RubrikUserIntelligenceAnalysis')]",
"playbookVersion11": "1.0",
"playbookContentId11": "RubrikUserIntelligenceAnalysis",
"_playbookContentId11": "[variables('playbookContentId11')]",
"playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]",
- "_playbookId11": "[variables('playbookId11')]",
"playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]",
- "playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]",
- "_playbookcontentProductId11": "[variables('playbookcontentProductId11')]",
+ "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]",
"RubrikRetrieveUserIntelligenceInformation": "RubrikRetrieveUserIntelligenceInformation",
"_RubrikRetrieveUserIntelligenceInformation": "[variables('RubrikRetrieveUserIntelligenceInformation')]",
"playbookVersion12": "1.0",
"playbookContentId12": "RubrikRetrieveUserIntelligenceInformation",
"_playbookContentId12": "[variables('playbookContentId12')]",
"playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]",
- "_playbookId12": "[variables('playbookId12')]",
"playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]",
- "playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]",
- "_playbookcontentProductId12": "[variables('playbookcontentProductId12')]",
+ "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]",
"RubrikAnomalyGenerateDownloadableLink": "RubrikAnomalyGenerateDownloadableLink",
"_RubrikAnomalyGenerateDownloadableLink": "[variables('RubrikAnomalyGenerateDownloadableLink')]",
"playbookVersion13": "1.0",
"playbookContentId13": "RubrikAnomalyGenerateDownloadableLink",
"_playbookContentId13": "[variables('playbookContentId13')]",
"playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]",
- "_playbookId13": "[variables('playbookId13')]",
"playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]",
- "playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]",
- "_playbookcontentProductId13": "[variables('playbookcontentProductId13')]",
+ "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]",
+ "RubrikWorkloadAnalysis": "RubrikWorkloadAnalysis",
+ "_RubrikWorkloadAnalysis": "[variables('RubrikWorkloadAnalysis')]",
+ "playbookVersion14": "1.0",
+ "playbookContentId14": "RubrikWorkloadAnalysis",
+ "_playbookContentId14": "[variables('playbookContentId14')]",
+ "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]",
+ "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]",
+ "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]",
"uiConfigId1": "RubrikSecurityCloudAzureFunctions",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "RubrikSecurityCloudAzureFunctions",
@@ -175,10 +159,8 @@
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
- "dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "_dataConnectorcontentProductId1": "[variables('dataConnectorcontentProductId1')]",
- "solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
- "_solutioncontentProductId": "[variables('solutioncontentProductId')]"
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
@@ -190,7 +172,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikCustomConnector Playbook with template version 3.2.1",
+ "description": "RubrikCustomConnector Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -356,7 +338,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikAnomalyAnalysis Playbook with template version 3.2.1",
+ "description": "RubrikAnomalyAnalysis Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@@ -382,7 +364,7 @@
"DownloadableLinkGeneratePlaybookName": {
"type": "string",
"metadata": {
- "description": "Playbook name that you have given while deployment of playbook RubrikAnomalyGenerateDownloadableLink(e.g.RubrikAnomalyGenerateDownloadableLink)"
+ "description": "Playbook name that you have given while deployment of playbook RubrikGenerateDownloadableLink(e.g.RubrikGenerateDownloadableLink)"
}
}
},
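Review bot: The updated parameter description now points users at a playbook named `RubrikGenerateDownloadableLink`, but the playbook this solution deploys under `playbookContentId13` is still `RubrikAnomalyGenerateDownloadableLink`, and the content-template description for that playbook elsewhere in this diff keeps the old name too, so the example value a user is told to enter will not match the deployed resource. Unless renaming that playbook is part of this release, the description should remain `"description": "Playbook name that you have given while deployment of playbook RubrikAnomalyGenerateDownloadableLink (e.g. RubrikAnomalyGenerateDownloadableLink)"`; if the rename is intended, the playbook's content id and template description need the same change in the same commit. The enclosing `parameters` object starts and continues outside this hunk.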
@@ -3317,9 +3299,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId2')]",
+ "parentId": "[variables('playbookId2')]",
"contentId": "[variables('_playbookContentId2')]",
"kind": "Playbook",
"version": "[variables('playbookVersion2')]",
@@ -3413,7 +3395,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.2.1",
+ "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@@ -4018,9 +4000,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId3')]",
+ "parentId": "[variables('playbookId3')]",
"contentId": "[variables('_playbookContentId3')]",
"kind": "Playbook",
"version": "[variables('playbookVersion3')]",
@@ -4067,10 +4049,10 @@
"5. Click Save",
"6. Repeat steps for other connections",
"**b. Configurations in Microsoft Sentinel**",
- "1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident. An incident should have the *ClusterId* - custom entity that contains clusterId of an event generated in rubrik, *ObjectId* - custom entity that contains objectId of an event generated in rubrik, *ObjectType* - custom entity that contains objectType of an event generated in rubrik, *ObjectName* -custom entity that contains objectName of an event generated in rubrik . It can be obtained from the corresponding field in Rubrik Anomaly Event logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.",
+ "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident. An incident should have the *ClusterId* - custom entity that contains clusterId of an event generated in rubrik, *ObjectId* - custom entity that contains objectId of an event generated in rubrik, *ObjectType* - custom entity that contains objectType of an event generated in rubrik, *ObjectName* -custom entity that contains objectName of an event generated in rubrik . It can be obtained from the corresponding field in Rubrik Anomaly Event logs. Check the [documentation](https://docs.microsoft.com/azure/sentinel/surface-custom-details-in-alerts) to learn more about adding custom entities to incidents.",
"2. Configure the automation rules to trigger the playbook."
],
- "lastUpdateTime": "2024-02-21T10:23:09.173Z",
+ "lastUpdateTime": "2022-01-20T00:00:00Z",
"entities": [
"account",
"url"
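Review bot: `lastUpdateTime` moves backwards from `2024-02-21T10:23:09.173Z` to `2022-01-20T00:00:00Z` while the same release bumps this playbook's template to 3.3.0; the hunk at `@@ -16692,7 +16674,7 @@` makes the identical change. Tooling that compares this field against an installed package to decide whether content is newer would presumably treat the 3.3.0 content as stale, so this looks like the playbook's own metadata was regenerated from a stale source rather than an intended edit, and the 2024 value (or the actual date of this change) should be restored. The same hunk also changes `Microsoft Sentinel` to `Microsoft sentinel` in the instruction text, a casing regression of the product name that should be reverted to `"1. In Microsoft Sentinel, analytical rules should be configured to trigger an incident. …"`. The enclosing metadata object starts and continues outside this hunk.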
@@ -4111,7 +4093,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikDataObjectDiscovery Playbook with template version 3.2.1",
+ "description": "RubrikDataObjectDiscovery Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@@ -6626,9 +6608,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId4')]",
+ "parentId": "[variables('playbookId4')]",
"contentId": "[variables('_playbookContentId4')]",
"kind": "Playbook",
"version": "[variables('playbookVersion4')]",
@@ -6722,7 +6704,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.2.1",
+ "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@@ -7282,9 +7264,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId5')]",
+ "parentId": "[variables('playbookId5')]",
"contentId": "[variables('_playbookContentId5')]",
"kind": "Playbook",
"version": "[variables('playbookVersion5')]",
@@ -7368,7 +7350,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikIOCScan Playbook with template version 3.2.1",
+ "description": "RubrikIOCScan Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@@ -9725,9 +9707,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId6')]",
+ "parentId": "[variables('playbookId6')]",
"contentId": "[variables('_playbookContentId6')]",
"kind": "Playbook",
"version": "[variables('playbookVersion6')]",
@@ -9821,7 +9803,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikPollAsyncResult Playbook with template version 3.2.1",
+ "description": "RubrikPollAsyncResult Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion7')]",
@@ -10590,9 +10572,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId7')]",
+ "parentId": "[variables('playbookId7')]",
"contentId": "[variables('_playbookContentId7')]",
"kind": "Playbook",
"version": "[variables('playbookVersion7')]",
@@ -10685,7 +10667,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.2.1",
+ "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion8')]",
@@ -12514,9 +12496,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId8')]",
+ "parentId": "[variables('playbookId8')]",
"contentId": "[variables('_playbookContentId8')]",
"kind": "Playbook",
"version": "[variables('playbookVersion8')]",
@@ -12613,7 +12595,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.2.1",
+ "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion9')]",
@@ -16635,9 +16617,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId9')]",
+ "parentId": "[variables('playbookId9')]",
"contentId": "[variables('_playbookContentId9')]",
"kind": "Playbook",
"version": "[variables('playbookVersion9')]",
@@ -16692,7 +16674,7 @@
"5. Click Save",
"6. Repeat steps for other connections"
],
- "lastUpdateTime": "2024-02-21T10:23:09.173Z",
+ "lastUpdateTime": "2022-01-20T00:00:00Z",
"entities": [
"account",
"url"
@@ -16734,7 +16716,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.2.1",
+ "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion10')]",
@@ -19891,9 +19873,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId10')]",
+ "parentId": "[variables('playbookId10')]",
"contentId": "[variables('_playbookContentId10')]",
"kind": "Playbook",
"version": "[variables('playbookVersion10')]",
@@ -19949,6 +19931,7 @@
"4. In principal section, search by copied object ID. Click next.",
"5. Click review + create."
],
+ "lastUpdateTime": "2024-04-22T00:14:08.736Z",
"entities": [
"account",
"url"
@@ -19959,7 +19942,6 @@
"Security",
"Rubrik"
],
- "lastUpdateTime": "2024-04-22T00:14:08.736Z",
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
@@ -19991,7 +19973,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.2.1",
+ "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion11')]",
@@ -21836,9 +21818,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId11'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId11')]",
+ "parentId": "[variables('playbookId11')]",
"contentId": "[variables('_playbookContentId11')]",
"kind": "Playbook",
"version": "[variables('playbookVersion11')]",
@@ -21957,7 +21939,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.2.1",
+ "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion12')]",
@@ -23568,9 +23550,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId12'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId12')]",
+ "parentId": "[variables('playbookId12')]",
"contentId": "[variables('_playbookContentId12')]",
"kind": "Playbook",
"version": "[variables('playbookVersion12')]",
@@ -23657,7 +23639,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.2.1",
+ "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion13')]",
@@ -24912,9 +24894,9 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('_playbookId13'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]",
"properties": {
- "parentId": "[variables('_playbookId13')]",
+ "parentId": "[variables('playbookId13')]",
"contentId": "[variables('_playbookContentId13')]",
"kind": "Playbook",
"version": "[variables('playbookVersion13')]",
@@ -25003,173 +24985,2101 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "name": "[variables('playbookTemplateSpecName14')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "RubrikSecurityCloud data connector with template version 3.2.1",
+ "description": "RubrikWorkloadAnalysis Playbook with template version 3.3.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
+ "contentVersion": "[variables('playbookVersion14')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "RubrikWorkloadAnalysis",
+ "minLength": 1,
+ "type": "string",
+ "metadata": {
+ "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure"
+ }
+ },
+ "Keyvault Name": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter name of keyvault where service account credentials are stored(Example: RubrikSentinelKeyVault)"
+ }
+ },
+ "Tenant Id": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter Tenant ID of your Microsoft EntraID where keyvault is available"
+ }
+ },
+ "Rubrik Base URL": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "https://rubrik-tme.my.rubrik.com",
+ "metadata": {
+ "description": "Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com)"
+ }
+ },
+ "IncreaseSeverityLevel": {
+ "defaultValue": 1,
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "Int",
+ "metadata": {
+ "description": "Enter a value to increase the severity level of the incident.(Example: for value 1 incident severity will change from Low to Medium)"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]",
+ "_connection-3": "[[variables('connection-3')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
"properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "Rubrik Security Cloud data connector (using Azure Functions)",
- "publisher": "Rubrik, Inc",
- "descriptionMarkdown": "The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assess the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents.",
- "graphQueries": [
- {
- "metricName": "Total Anomaly Event data received",
- "legend": "Rubrik_Anomaly_Data_CL",
- "baseQuery": "Rubrik_Anomaly_Data_CL"
- },
- {
- "metricName": "Total Ransomware Event data received",
- "legend": "Rubrik_Ransomware_Data_CL",
- "baseQuery": "Rubrik_Ransomware_Data_CL"
- },
- {
- "metricName": "Total ThreatHunt Event data received",
- "legend": "Rubrik_ThreatHunt_Data_CL",
- "baseQuery": "Rubrik_ThreatHunt_Data_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Rubrik Anomaly Events - Anomaly Events for all severity types.",
- "query": "Rubrik_Anomaly_Data_CL\n | sort by TimeGenerated desc"
- },
- {
- "description": "Rubrik Ransomware Analysis Events - Ransomware Analysis Events for all severity types.",
- "query": "Rubrik_Ransomware_Data_CL\n | sort by TimeGenerated desc"
- },
- {
- "description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.",
- "query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc"
- }
- ],
- "dataTypes": [
- {
- "name": "Rubrik_Anomaly_Data_CL",
- "lastDataReceivedQuery": "Rubrik_Anomaly_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
},
- {
- "name": "Rubrik_Ransomware_Data_CL",
- "lastDataReceivedQuery": "Rubrik_Ransomware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "Increase_Severity_Level": {
+ "defaultValue": "[[parameters('IncreaseSeverityLevel')]",
+ "type": "Int"
},
- {
- "name": "Rubrik_ThreatHunt_Data_CL",
- "lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "Rubrik_Base_URL": {
+ "defaultValue": "[[trim(parameters('Rubrik Base URL'))]",
+ "type": "String"
}
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "Rubrik_Anomaly_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- },
- {
- "type": "IsConnectedQuery",
- "value": [
- "Rubrik_Ransomware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- },
- {
- "type": "IsConnectedQuery",
- "value": [
- "Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
}
- ],
- "availability": {
- "status": 1,
- "isPreview": false
},
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions on the workspace are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
+ "actions": {
+ "Check_For_Status_Code_Of_Generating_Access_Token": {
+ "actions": {
+ "Set_Access_Token": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Access_Token",
+ "value": "@{body('Get_Access_Token')?['access_token']}"
+ }
}
},
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
+ "runAfter": {
+ "Get_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Terminate_Due_To_Authentication_Failure": {
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "@{outputs('Get_Access_Token')['statusCode']}",
+ "message": "@{body('Get_Access_Token')?['message']}"
+ },
+ "runStatus": "Failed"
+ }
+ }
}
- }
- ],
- "customs": [
- {
- "name": "Microsoft.Web/sites permissions",
- "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This connector uses Azure Functions to connect to the Rubrik webhook which push its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
- },
- {
- "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@outputs('Get_Access_Token')['statusCode']",
+ 200
+ ]
+ }
+ ]
+ },
+ "type": "If"
},
- {
- "description": "**STEP 1 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Rubrik Microsoft Sentinel data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available..",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Workspace ID"
- },
- "type": "CopyableLabel"
- },
- {
- "parameters": {
- "fillWith": [
- "PrimaryKey"
- ],
- "label": "Primary Key"
- },
- "type": "CopyableLabel"
+ "Condition_To_Verify_Empty_List_Of_IP_-_Host": {
+ "actions": {
+ "Terminate_Due_Empty_IP_-_Host_List": {
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "404",
+ "message": "IP or Host are not Mapped with Incident"
+ },
+ "runStatus": "Failed"
+ }
}
- ]
- },
- {
- "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
- "title": "Option 1 - Azure Resource Manager (ARM) Template"
+ },
+ "runAfter": {
+ "For_Hosts_In_Entity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@length(variables('IP_Host_List'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
},
- {
- "description": "Use the following step-by-step instructions to deploy the Rubrik Microsoft Sentinel data connector manually with Azure Functions (Deployment via Visual Studio Code).",
- "title": "Option 2 - Manual Deployment of Azure Functions"
+ "Condition_To_Verify_Length_Of_Failed_IP_-_Host_List": {
+ "actions": {
+ "Condition_To_Check_All_Failure": {
+ "else": {
+ "actions": {
+ "Update_Incident_(2)": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "@variables('Incident_Severity')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@length(variables('Failed_IP_Host_List'))",
+ "@length(variables('IP_Host_List'))"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit_(2)": {
+ "actions": {
+ "Add_Failed_IP_-_Host_List_Into_Incident_Comment": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@body('Update_Incident_(2)')?['id']",
+ "message": "Failed IP/Host List: @{replace(replace(replace(replace(string(variables('Failed_IP_Host_List')), '\"', ''), '[', ''), ']', ''), ',', ', ')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Condition_To_Check_All_Failure": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@variables('Comment_Count')",
+ 100
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_Each_IP_Or_Host": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Update_Incident": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "@variables('Incident_Severity')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('Failed_IP_Host_List'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_Each_Alert_Details": {
+ "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
+ "actions": {
+ "Condition_To_Verify_Custom_Details_Is_Not_Empty": {
+ "actions": {
+ "Condition_To_Verify_Host_Is_Mapped_In_Custom_Details": {
+ "actions": {
+ "Condition_To_Verify_List_Of_Hosts": {
+ "actions": {
+ "For_Each_Host_In_Custom_Details": {
+ "foreach": "@json(body('Parse_Custom_Details')?['Host'][0])",
+ "actions": {
+ "Append_Host_Into_List": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_Host_In_Custom_Details')"
+ }
+ }
+ },
+ "type": "Foreach"
+ }
+ },
+ "else": {
+ "actions": {
+ "Append_Host_Into_List_(2)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@body('Parse_Custom_Details')?['Host'][0]"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@body('Parse_Custom_Details')?['Host'][0]",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Set_IP_List_Size_(2)": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(body('Parse_Custom_Details')?['Host'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": {
+ "actions": {
+ "Condition_To_Verify_List_Of_IPs_(2)": {
+ "actions": {
+ "For_Each_IP_In_Custom_Details": {
+ "foreach": "@json(body('Parse_Custom_Details')?['IP'][0])",
+ "actions": {
+ "Condition_To_Verify_IP_Already_Not_Exist_In_List": {
+ "actions": {
+ "Append_IP_Into_List_(3)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_IP_In_Custom_Details')"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Each_IP_In_Custom_Details'))",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "type": "Foreach"
+ }
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_IP_Already_Not_Exist_In_List_(2)": {
+ "actions": {
+ "Append_IP_Into_List_(4)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@body('Parse_Custom_Details')?['IP'][0]"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), body('Parse_Custom_Details')?['IP'][0])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@body('Parse_Custom_Details')?['IP'][0]",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_Custom_Details": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(body('Parse_Custom_Details')?['IP'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_Custom_Details": {
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details']",
+ "schema": {
+ "properties": {
+ "Host": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "IP": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "Set_IP_List_Size_(2)": {
+ "runAfter": {
+ "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": "@length(variables('IP_Host_List'))"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Set_IP_List_Size": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_Each_IP_Or_Host": {
+ "foreach": "@variables('IP_Host_List')",
+ "actions": {
+ "Check_For_HTTP_Request_Status_Code": {
+ "actions": {
+ "Condition_To_Check_IP_-_Host_Invalid_Or_Data_Not_Found": {
+ "actions": {
+ "Append_IP_Address_Or_Host_Name_Into_Failed_List_(2)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Failed_IP_Host_List",
+ "value": "@items('For_Each_IP_Or_Host')"
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_Response": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Incident_Severity_Is_High": {
+ "runAfter": {
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Check_Incident_Updated_By_Increase_Level": {
+ "actions": {
+ "Condition_To_Check_Response_And_Update_Incident_Severity": {
+ "actions": {
+ "Condition_To_Verify_Increase_Level_Is_1": {
+ "actions": {
+ "Switch_Case_For_Update_Incident_Severity": {
+ "cases": {
+ "Case_When_Severity_Is_Informational": {
+ "case": "Informational",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Low": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Low": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Low"
+ }
+ }
+ }
+ },
+ "Case_When_Severity_Is_Low": {
+ "case": "Low",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(2)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Medium": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Medium": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Medium"
+ }
+ }
+ }
+ },
+ "Case_When_Severity_Is_Medium": {
+ "case": "Medium",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(3)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_High": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_High": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "High"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@variables('Severity_For_Increase_Level')",
+ "type": "Switch"
+ }
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Increase_Level_Is_2_And_Incident_Severity_Is_Informational": {
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(4)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Medium_(2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Medium_(2)": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Medium"
+ }
+ }
+ },
+ "else": {
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(5)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_High_(2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_High_(2)": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "High"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Increase_Severity_Level')",
+ 2
+ ]
+ },
+ {
+ "equals": [
+ "@variables('Severity_For_Increase_Level')",
+ "Informational"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Increase_Severity_Level')",
+ 1
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(\r\nif(equals(body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious'], 'Matches Found'), true, false),\r\nif(equals(body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious'], 'Matches Found'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Incident_Severity_Updated')",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Check_Risk_Level": {
+ "actions": {
+ "Set_Severity_For_Risk_Level": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_RiskLevel",
+ "value": "@{variables('Severity_Mapping')?[toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel'])]}"
+ }
+ }
+ },
+ "runAfter": {
+ "Condition_To_Check_Incident_Updated_By_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(string(variables('Severity_Mapping')), toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel']))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_High_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_High": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "High"
+ }
+ }
+ },
+ "runAfter": {
+ "Switch_Case_For_Anomaly_Severity": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Medium_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_Medium": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "Medium"
+ }
+ }
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Low_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_Low": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "Low"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'Low'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Low'), true, false), if(equals(variables('Anomaly_Severity'), 'Low'), true, false), if(equals(variables('Incident_Severity'), 'Low'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'Medium'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Medium'), true, false), if(equals(variables('Anomaly_Severity'), 'Medium'), true, false), if(equals(variables('Incident_Severity'), 'Medium'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'High'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'High'), true, false), if(equals(variables('Anomaly_Severity'), 'High'), true, false), if(equals(variables('Incident_Severity'), 'High'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Switch_Case_For_Anomaly_Severity": {
+ "runAfter": {
+ "Condition_To_Check_Risk_Level": [
+ "Succeeded"
+ ]
+ },
+ "cases": {
+ "Case_When_Anomaly_Severity_Is_Critical": {
+ "case": "critical",
+ "actions": {
+ "Set_Anomaly_Severity_To_High": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "High"
+ }
+ }
+ }
+ },
+ "Case_When_Anomaly_Severity_Is_Informational": {
+ "case": "informational",
+ "actions": {
+ "Set_Anomaly_Severity_To_Informational": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "Informational"
+ }
+ }
+ }
+ },
+ "Case_When_Anomaly_Severity_Is_Warning": {
+ "case": "warning",
+ "actions": {
+ "Set_Anomaly_Severity_To_Medium": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "Medium"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@toLower(body('Parse_Response')?['anomalyInfo']?['severity'])",
+ "type": "Switch"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Incident_Severity')",
+ "High"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": {
+ "actions": {
+ "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": {
+ "actions": {
+ "Add_Detail_Response_Of_IP_To_Incident_Comment": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "@{variables('Detailed_Response')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "else": {
+ "actions": {
+ "Add_Comment_For_30000_Characters_Limit": {
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Length of response is exceeded to 30,000 characters for @{items('For_Each_IP_Or_Host')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@length(variables('Detailed_Response'))",
+ 30000
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Increment_Comment_Count": {
+ "runAfter": {
+ "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": [
+ "Succeeded"
+ ]
+ },
+ "type": "IncrementVariable",
+ "inputs": {
+ "name": "Comment_Count",
+ "value": 1
+ }
+ }
+ },
+ "runAfter": {
+ "Set_Detailed_Response": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@variables('Comment_Count')",
+ 100
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Set_Detailed_Response": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Detailed_Response",
+ "value": "\nGeneral Information for the given @{body('Parse_Response')?['sensitiveInfo']?['riskLevel']} risk : @{items('For_Each_IP_Or_Host')}
\n\n \n FID | \n @{body('Parse_Response')?['generalInfo']?['fid']} | \n
\n \n Name | \n @{body('Parse_Response')?['generalInfo']?['name']} | \n
\n \n Object Type | \n @{body('Parse_Response')?['generalInfo']?['objectType']} | \n
\n \n Protection Status | \n @{body('Parse_Response')?['generalInfo']?['protectionStatus']} | \n
\n \n Last Snapshot | \n @{body('Parse_Response')?['generalInfo']?['lastSnapshot']} | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['generalInfo']?['redirectLink']} | \n
\n
\n\n\nSensitive Information
\n\n \n Risk Level | \n @{body('Parse_Response')?['sensitiveInfo']?['riskLevel']} | \n
\n \n Sensitive Files | \n \n mediumCount: @{body('Parse_Response')?['sensitiveInfo']?['sensitiveFiles']?['mediumCount']} \n | \n
\n \n Sensitive Hits | \n @{body('Parse_Response')?['sensitiveInfo']?['sensitiveHits']} | \n
\n \n Open Access Files | \n @{body('Parse_Response')?['sensitiveInfo']?['openAccessFiles']} | \n
\n \n Stale Files | \n @{body('Parse_Response')?['sensitiveInfo']?['staleFiles']} | \n
\n \n Policy Names | \n @{replace(replace(replace(replace(string(body('Parse_Response')?['sensitiveInfo']?['policyNames']), '\"', ''), '[', ''), ']', ''), ',', ', ')} | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['sensitiveInfo']?['redirectLink']} | \n
\n
\n\n\nAnomaly Information
\n\n \n Severity | \n @{body('Parse_Response')?['anomalyInfo']?['severity']} | \n
\n \n Detection Time | \n @{body('Parse_Response')?['anomalyInfo']?['detectionTime']} | \n
\n \n Created File Count | \n @{body('Parse_Response')?['anomalyInfo']?['createdFileCount']} | \n
\n \n Deleted File Count | \n @{body('Parse_Response')?['anomalyInfo']?['deletedFileCount']} | \n
\n \n Modified File Count | \n @{body('Parse_Response')?['anomalyInfo']?['modifiedFileCount']} | \n
\n \n Suspicious File Count | \n @{body('Parse_Response')?['anomalyInfo']?['suspiciousFileCount']} | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['anomalyInfo']?['redirectLink']} | \n
\n
\n\n\nThreat Hunt Information
\n\n \n Latest Threat Hunt | \n \n huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntId']} \n huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntStartTime']} \n isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['isMalicious']} \n | \n
\n \n Latest Malicious Threat Hunt | \n \n huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntId']} \n huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntStartTime']} \n isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious']} \n | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['threatHuntInfo']?['redirectLink']} | \n
\n
\n\n\nThreat Monitoring Information
\n\n \n Latest Threat Monitoring | \n \n snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['snapshotFid']} \n monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['monitoringScanTime']} \n isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['isMalicious']} \n | \n
\n \n Latest Malicious Threat Monitoring | \n \n snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['snapshotFid']} \n monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['monitoringScanTime']} \n isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious']} \n | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['threatMonitoringInfo']?['redirectLink']} | \n
\n
"
+ }
+ }
+ }
+ },
+ "expression": {
+ "or": [
+ {
+ "equals": [
+ "@contains(body('Parse_Response')?['generalInfo']?['fid'], 'No Objects Found')",
+ "@true"
+ ]
+ },
+ {
+ "equals": [
+ "@contains(body('Parse_Response')?['generalInfo']?['name'], 'No Objects Found')",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_Response": {
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_Information')",
+ "schema": {
+ "properties": {
+ "anomalyInfo": {
+ "properties": {
+ "createdFileCount": {
+ "type": "string"
+ },
+ "deletedFileCount": {
+ "type": "string"
+ },
+ "detectionTime": {
+ "type": "string"
+ },
+ "modifiedFileCount": {
+ "type": "string"
+ },
+ "redirectLink": {
+ "type": "string"
+ },
+ "severity": {
+ "type": "string"
+ },
+ "suspiciousFileCount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "generalInfo": {
+ "properties": {
+ "fid": {
+ "type": "string"
+ },
+ "lastSnapshot": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "objectType": {
+ "type": "string"
+ },
+ "protectionStatus": {
+ "type": "string"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sensitiveInfo": {
+ "properties": {
+ "openAccessFiles": {
+ "type": "integer"
+ },
+ "policyNames": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "redirectLink": {
+ "type": "string"
+ },
+ "riskLevel": {
+ "type": "string"
+ },
+ "sensitiveFiles": {
+ "properties": {
+ "mediumCount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sensitiveHits": {
+ "type": "integer"
+ },
+ "staleFiles": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "threatHuntInfo": {
+ "properties": {
+ "latestMaliciousThreatHunt": {
+ "properties": {
+ "huntId": {
+ "type": "string"
+ },
+ "huntStartTime": {
+ "type": "string"
+ },
+ "isMalicious": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "latestThreatHunt": {
+ "properties": {
+ "huntId": {
+ "type": "string"
+ },
+ "huntStartTime": {
+ "type": "string"
+ },
+ "isMalicious": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "threatMonitoringInfo": {
+ "properties": {
+ "latestMaliciousThreatMonitoring": {
+ "properties": {
+ "isMalicious": {
+ "type": "string"
+ },
+ "monitoringScanTime": {
+ "type": "string"
+ },
+ "snapshotFid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "latestThreatMonitoring": {
+ "properties": {
+ "isMalicious": {
+ "type": "string"
+ },
+ "monitoringScanTime": {
+ "type": "string"
+ },
+ "snapshotFid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Get_Information": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_IP_Address_Or_Host_Name_Into_Failed_List": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Failed_IP_Host_List",
+ "value": "@items('For_Each_IP_Or_Host')"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@outputs('Get_Information')['statusCode']",
+ 200
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Set_Search_Type": {
+ "actions": {
+ "Set_Search_Type_To_name": {
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Search_Type",
+ "value": "name"
+ }
+ }
+ },
+ "else": {
+ "actions": {
+ "Decrement_IP_List_Size_By_1": {
+ "type": "DecrementVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": 1
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('IP_List_Size')",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Get_Information": {
+ "runAfter": {
+ "Condition_To_Set_Search_Type": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Bearer @{variables('Access_Token')}"
+ },
+ "method": "GET",
+ "queries": {
+ "search_string": "@{items('For_Each_IP_Or_Host')}",
+ "search_type": "@variables('Search_Type')"
+ },
+ "uri": "@{variables('Base_URL')}/api/thirdparty/workload_summary"
+ }
+ }
+ },
+ "runAfter": {
+ "Check_For_Status_Code_Of_Generating_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_Hosts_In_Entity_Mapping": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Condition_To_Verify_Host": {
+ "actions": {
+ "Condition_To_Verify_List_Of_Hosts_(2)": {
+ "actions": {
+ "For_Each_Host_In_Entity_Mapping": {
+ "foreach": "@json(items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])",
+ "actions": {
+ "Condition_To_Verify_Host_Already_Not_Exist_In_List": {
+ "actions": {
+ "Append_Host_Into_List_(3)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_Host_In_Entity_Mapping')"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Each_Host_In_Entity_Mapping'))",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "type": "Foreach"
+ }
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Host_Already_Not_Exist_In_List_(2)": {
+ "actions": {
+ "Append_Host_Into_List_(4)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_Hosts_In_Entity_Mapping')?['kind']",
+ "Host"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_Each_Alert_Details": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_IPs_In_Entity_Mapping": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Condition_To_Verify_IP": {
+ "actions": {
+ "Condition_To_Verify_List_Of_IPs": {
+ "actions": {
+ "For_Each_IP_In_Entity_Mapping": {
+ "foreach": "@json(items('For_IPs_In_Entity_Mapping')?['properties']?['address'])",
+ "actions": {
+ "Append_IP_Into_List": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_IP_In_Entity_Mapping')"
+ }
+ }
+ },
+ "type": "Foreach"
+ }
+ },
+ "else": {
+ "actions": {
+ "Append_IP_Into_List_(2)": {
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_IPs_In_Entity_Mapping')?['kind']",
+ "Ip"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Initialize_Severity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_Access_Token": {
+ "runAfter": {
+ "Condition_To_Verify_Empty_List_Of_IP_-_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "body": {
+ "client_id": "@body('Get_Rubrik_Client_ID')?['value']",
+ "client_secret": "@body('Get_Rubrik_Client_Secret')?['value']"
+ },
+ "method": "POST",
+ "uri": "@{variables('Base_URL')}/api/client_token"
+ }
+ },
+ "Get_Rubrik_Client_ID": {
+ "runAfter": {
+ "Initialize_Count_Of_Comments_In_Incident": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Id')}/value"
+ }
+ },
+ "Get_Rubrik_Client_Secret": {
+ "runAfter": {
+ "Get_Rubrik_Client_ID": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Secret')}/value"
+ }
+ },
+ "Initialize_AccessToken": {
+ "runAfter": {
+ "Initialize_Incident_Severity_Updated": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Access_Token",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_Anomaly_Severity": {
+ "runAfter": {
+ "Initialize_Severity_For_Risk_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Anomaly_Severity",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Base_URL": {
+ "runAfter": {
+ "Initialize_Search_Type": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Base_URL",
+ "type": "string",
+ "value": "@parameters('Rubrik_Base_URL')"
+ }
+ ]
+ }
+ },
+ "Initialize_Count_Of_Comments_In_Incident": {
+ "runAfter": {
+ "Initialize_Base_URL": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Comment_Count",
+ "type": "integer",
+ "value": "@length(triggerBody()?['object']?['properties']?['Comments'])"
+ }
+ ]
+ }
+ },
+ "Initialize_Detailed_Response": {
+ "runAfter": {
+ "Initialize_AccessToken": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Detailed_Response",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_Failed_IP_Address_And_Host_Name_List": {
+ "runAfter": {
+ "Initialize_IP_Address_And_Host_Name_List": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Failed_IP_Host_List",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_IP_Address_And_Host_Name_List": {
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IP_Host_List",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_IP_List_Size": {
+ "runAfter": {
+ "Initialize_Failed_IP_Address_And_Host_Name_List": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IP_List_Size",
+ "type": "integer",
+ "value": 0
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity": {
+ "runAfter": {
+ "Get_Rubrik_Client_Secret": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Incident_Severity",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity_Increase_Level": {
+ "runAfter": {
+ "Initialize_Anomaly_Severity": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Increase_Severity_Level",
+ "type": "integer",
+ "value": "@parameters('Increase_Severity_Level')"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity_Updated": {
+ "runAfter": {
+ "Initialize_Incident_Severity_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Incident_Severity_Updated",
+ "type": "boolean",
+ "value": "@false"
+ }
+ ]
+ }
+ },
+ "Initialize_Search_Type": {
+ "runAfter": {
+ "Initialize_IP_List_Size": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Search_Type",
+ "type": "string",
+ "value": "ipv4"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_For_Increase_Level": {
+ "runAfter": {
+ "Initialize_Incident_Severity": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_For_Increase_Level",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_For_Risk_Level": {
+ "runAfter": {
+ "Initialize_Severity_For_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_For_RiskLevel",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_Mapping": {
+ "runAfter": {
+ "Initialize_Detailed_Response": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_Mapping",
+ "type": "object",
+ "value": {
+ "high": "High",
+ "low": "Low",
+ "medium": "Medium"
+ }
+ }
+ ]
+ }
+ },
+ "Set_IP_List_Size": {
+ "runAfter": {
+ "For_IPs_In_Entity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": "@length(variables('IP_Host_List'))"
+ }
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "keyvault": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[[variables('KeyvaultConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[[variables('workspace-location-inline')]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "RubrikWorkloadAnalysis",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('MicrosoftSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('KeyvaultConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[[variables('KeyvaultConnectionName')]",
+ "api": {
+ "id": "[[variables('_connection-3')]"
+ },
+ "parameterValues": {
+ "token:TenantId": "[[trim(parameters('Tenant Id'))]",
+ "token:grantType": "code",
+ "vaultName": "[[trim(parameters('Keyvault Name'))]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]",
+ "properties": {
+ "parentId": "[variables('playbookId14')]",
+ "contentId": "[variables('_playbookContentId14')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion14')]",
+ "source": {
+ "kind": "Solution",
+ "name": "RubrikSecurityCloud",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Ben Meadowcroft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Rubrik",
+ "email": "support@rubrik.com",
+ "tier": "Partner",
+ "link": "https://support.rubrik.com"
+ }
+ }
+ }
+ ],
+ "metadata": {
+ "title": "RubrikWorkloadAnalysis",
+ "description": "This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.",
+ "prerequisites": [
+ "1. User must have a valid Rubrik Client Id and Client Secret.",
+ "2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId",
+ "a. Create a Key Vault with a unique name",
+ "b. Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik-Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively",
+ "NOTE: Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to 'Vault access policy'"
+ ],
+ "postDeployment": [
+ "**a. Authorize connections**",
+ "Once deployment is complete, authorize each connection.",
+ "1. Go to your logic app -> API connections -> Select keyvault connection resource",
+ "2. Go to General -> edit API connection",
+ "3. Click the keyvault connection resource",
+ "4. Click edit API connection",
+ "5. Click Authorize",
+ "6. Sign in",
+ "7. Click Save",
+ "8. Repeat steps for other connections",
+ "**b. Assign Role to add comment in incident**",
+ "After authorizing each connection, assign role to this playbook.",
+ "1. Go to Log Analytics Workspace → → Access Control → Add",
+ "2. Add role assignment",
+ "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role",
+ "4. Members: select managed identity for assigned access to and add your logic app as member",
+ "5. Click on review+assign",
+ "**c. Add Access policy in Keyvault**",
+ "Add access policy for the playbook's managed identity and authorized user to read, and write secrets of key vault.",
+ "1. Go to logic app → → identity → System assigned Managed identity and copy Object (principal) ID.",
+ "2. Go to keyvaults → → Access policies → create.",
+ "3. Select all keys & secrets permissions. Click next.",
+ "4. In the principal section, search by copied object ID. Click next.",
+ "5. Click review + create.",
+ "**d. Configurations in Microsoft Sentinel**",
+ "1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.",
+ "a. Analytic Rule must contain at least one of the below fields mapped in Entity Mapping or Custom Details to successfully fetch data.",
+ "IP",
+ "Host",
+ "2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.",
+ "a. Go to Microsoft Sentinel -> -> Automation",
+ "b. Click on Create -> Automation rule",
+ "c. Provide name for your rule",
+ "d. In Analytic rule name condition, select analytic rule which you have created.",
+ "e. In Actions dropdown select Run playbook",
+ "f. In second dropdown select your deployed playbook",
+ "g. Click on Apply",
+ "h. Save the Automation rule.",
+ "NOTE: If you want to manually run the playbook on a particular incident follow the below steps:",
+ "a. Go to Microsoft Sentinel -> -> Incidents",
+ "b. Select an incident.",
+ "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.",
+ "d. click on the Run button beside this playbook."
+ ],
+ "lastUpdateTime": "2024-11-08T18:00:00Z",
+ "entities": [
+ "ip",
+ "Host"
+ ],
+ "tags": [
+ "ip",
+ "Host",
+ "Rubrik"
+ ],
+ "releaseNotes": {
+ "version": "1.0",
+ "title": "[variables('blanks')]",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_playbookContentId14')]",
+ "contentKind": "Playbook",
+ "displayName": "RubrikWorkloadAnalysis",
+ "contentProductId": "[variables('_playbookcontentProductId14')]",
+ "id": "[variables('_playbookcontentProductId14')]",
+ "version": "[variables('playbookVersion14')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "RubrikSecurityCloud data connector with template version 3.3.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Rubrik Security Cloud data connector (using Azure Functions)",
+ "publisher": "Rubrik, Inc",
+ "descriptionMarkdown": "The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assess the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents.",
+ "graphQueries": [
+ {
+ "metricName": "Total Anomaly Event data received",
+ "legend": "Rubrik_Anomaly_Data_CL",
+ "baseQuery": "Rubrik_Anomaly_Data_CL"
+ },
+ {
+ "metricName": "Total Ransomware Event data received",
+ "legend": "Rubrik_Ransomware_Data_CL",
+ "baseQuery": "Rubrik_Ransomware_Data_CL"
+ },
+ {
+ "metricName": "Total ThreatHunt Event data received",
+ "legend": "Rubrik_ThreatHunt_Data_CL",
+ "baseQuery": "Rubrik_ThreatHunt_Data_CL"
+ },
+ {
+ "metricName": "Total Other Events data received",
+ "legend": "Rubrik_Events_Data_CL",
+ "baseQuery": "Rubrik_Events_Data_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Rubrik Anomaly Events - Anomaly Events for all severity types.",
+ "query": "Rubrik_Anomaly_Data_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Rubrik Ransomware Analysis Events - Ransomware Analysis Events for all severity types.",
+ "query": "Rubrik_Ransomware_Data_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.",
+ "query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Rubrik Other Events - Other Events for all severity types.",
+ "query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Rubrik_Anomaly_Data_CL",
+ "lastDataReceivedQuery": "Rubrik_Anomaly_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Rubrik_Ransomware_Data_CL",
+ "lastDataReceivedQuery": "Rubrik_Ransomware_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Rubrik_ThreatHunt_Data_CL",
+ "lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Rubrik_Events_Data_CL",
+ "lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Rubrik_Anomaly_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ },
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Rubrik_Ransomware_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ },
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ },
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to the Rubrik webhook which push its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": "**STEP 1 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Rubrik Microsoft Sentinel data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available..",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
+ "title": "Option 1 - Azure Resource Manager (ARM) Template"
+ },
+ {
+ "description": "Use the following step-by-step instructions to deploy the Rubrik Microsoft Sentinel data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-RubrikWebhookEvents-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. RubrikXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
+ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
},
{
"description": "**Post Deployment steps**\n\n"
@@ -25179,11 +27089,11 @@
"title": "1) Get the Function app endpoint"
},
{
- "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url.",
+ "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. Select the following severity levels: Critical, Warning, Informational \n 6. Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url.",
"title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel."
},
{
- "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n"
+ "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n"
}
]
}
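Review bot: The rewritten webhook step no longer says how the webhook authenticates to the Function endpoint: the old steps 3–5 (custom authentication, `x-functions-key` header, function access key taken from the `code` parameter) were dropped, yet step 3 still tells the reader to enter only "the URL part" of the copied function URL, which would strip the `code=` parameter and leave the call unauthenticated or rejected. If the "Microsoft Sentinel" provider in Rubrik expects the full URL, step 3 should say so explicitly, e.g. `3. Enter the complete copied Function-url (including the code= query parameter, which carries the function access key) as the webhook URL endpoint and replace **{functionname}** with **"RubrikAnomalyOrchestrator"**`; if it still needs a header, the `x-functions-key` step should be restored rather than removed. The removed note that rotating the function access key requires updating the webhook configuration is an operational caveat worth keeping either way. This text is duplicated in the dataConnectors resource later in the file and should be kept in sync.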
@@ -25286,6 +27196,11 @@
"metricName": "Total ThreatHunt Event data received",
"legend": "Rubrik_ThreatHunt_Data_CL",
"baseQuery": "Rubrik_ThreatHunt_Data_CL"
+ },
+ {
+ "metricName": "Total Other Events data received",
+ "legend": "Rubrik_Events_Data_CL",
+ "baseQuery": "Rubrik_Events_Data_CL"
}
],
"dataTypes": [
@@ -25300,6 +27215,10 @@
{
"name": "Rubrik_ThreatHunt_Data_CL",
"lastDataReceivedQuery": "Rubrik_ThreatHunt_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Rubrik_Events_Data_CL",
+ "lastDataReceivedQuery": "Rubrik_Events_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
@@ -25320,6 +27239,12 @@
"value": [
"Rubrik_ThreatHunt_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
+ },
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Rubrik_Events_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
}
],
"sampleQueries": [
@@ -25334,6 +27259,10 @@
{
"description": "Rubrik ThreatHunt Events - Threat Hunt Events for all severity types.",
"query": "Rubrik_ThreatHunt_Data_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Rubrik Other Events - Other Events for all severity types.",
+ "query": "Rubrik_Events_Data_CL\n | sort by TimeGenerated desc"
}
],
"availability": {
@@ -25401,7 +27330,7 @@
]
},
{
- "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomalies_table_name \n\t\tRansomwareAnalysis_table_name \n\t\tThreatHunts_table_name\n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
+ "description": "Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
@@ -25412,7 +27341,7 @@
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-RubrikWebhookEvents-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. RubrikXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
- "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomalies_table_name\n\t\tRansomwareAnalysis_table_name\n\t\tThreatHunts_table_name\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
+ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**."
},
{
"description": "**Post Deployment steps**\n\n"
@@ -25422,11 +27351,11 @@
"title": "1) Get the Function app endpoint"
},
{
- "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information related to Ransomware Anomalies \n 1. Select the Generic as the webhook Provider(This will use CEF formatted event information)\n 2. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 3. Select the Advanced or Custom Authentication option \n 4. Enter x-functions-key as the HTTP header \n 5. Enter the Function access key(value of code parameter from copied function-url) as the HTTP value(Note: if you change this function access key in Microsoft Sentinel in the future you will need to update this webhook configuration) \n 6. Select the EventType as Anomaly \n 7. Select the following severity levels: Critical, Warning, Informational \n 8. Repeat the same steps to add webhooks for Ransomware Investigation Analysis and Threat Hunt. \n\n NOTE: while adding webhooks for Ransomware Investigation Analysis and Threat Hunt, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"** and **\"RubrikThreatHuntOrchestrator\"** respectively in copied function-url.",
+ "description": "Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\"RubrikAnomalyOrchestrator\"**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. Select the following severity levels: Critical, Warning, Informational \n 6. Choose multiple log types, if desired, when running **\"RubrikEventsOrchestrator\"** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\"RubrikRansomwareOrchestrator\"**, **\"RubrikThreatHuntOrchestrator\"** and **\"RubrikEventsOrchestrator\"** respectively in copied function-url.",
"title": "2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel."
},
{
- "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Ransomware Investigation Analysis, Threat Hunt events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\".*\n\n"
+ "description": "*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \"Rubrik_Anomaly_Data_CL\", \"Rubrik_Ransomware_Data_CL\", \"Rubrik_ThreatHunt_Data_CL\", and \"Rubrik_Events_Data_CL\".*\n\n"
}
],
"id": "[variables('_uiConfigId1')]"
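Review bot: The new webhook instruction text here is the same as in the contentTemplates copy and has the same gap: the explicit `x-functions-key` / function access key steps were removed, but step 3 still says to enter only "the URL part" of the function URL, so nothing tells the reader where the function key goes. Either state that the full URL including the `code=` query parameter must be pasted, or keep the custom-authentication header step; the lost note that a rotated function key must be re-entered in the webhook is also worth restoring. Whichever wording is chosen, keep both copies of this description identical so the portal and template show the same steps.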
@@ -25438,12 +27367,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.2.1",
+ "version": "3.3.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "RubrikSecurityCloud",
"publisherDisplayName": "Rubrik",
- "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nAzure Monitor HTTP Data Collector API
\n \nAzure Functions
\n \n
\nData Connectors: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 12
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Rubrik Security Cloud solution enables security operations teams to integrate insights from Rubrik’s Data Observability services into Microsoft Sentinel.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nAzure Monitor HTTP Data Collector API
\n \nAzure Functions
\n \n
\nData Connectors: 1, Custom Azure Logic Apps Connectors: 1, Playbooks: 13
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@@ -25533,6 +27462,11 @@
"contentId": "[variables('_RubrikAnomalyGenerateDownloadableLink')]",
"version": "[variables('playbookVersion13')]"
},
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RubrikWorkloadAnalysis')]",
+ "version": "[variables('playbookVersion14')]"
+ },
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
@@ -25541,7 +27475,7 @@
]
},
"firstPublishDate": "2022-07-19",
- "lastPublishDate": "2024-03-17",
+ "lastPublishDate": "2024-11-19",
"providers": [
"Rubrik"
],
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/Images/RubrikWorkloadAnalysis.png b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/Images/RubrikWorkloadAnalysis.png
new file mode 100644
index 00000000000..b8d5b616e27
Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/Images/RubrikWorkloadAnalysis.png differ
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/README.md b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/README.md
new file mode 100644
index 00000000000..1df37cf45e6
--- /dev/null
+++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/README.md
@@ -0,0 +1,66 @@
+# RubrikWorkloadAnalysis
+## Summary
+This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.
+### Prerequisites
+1. User must have a valid Rubrik Client ID and Client Secret.
+2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId
+ * Create a Key Vault with a unique name
+ * Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik--Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively
+ **NOTE:** Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to **'Vault access policy'**
+### Deployment instructions
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+* Playbook Name: Enter the playbook name here.
+* Keyvault Name: Enter name of keyvault where service account credentials are stored(e.g. RubrikSentinelKeyVault).
+* Tenant ID: Enter Tenant ID of your Microsoft EntraID where keyvault is available.
+* Rubrik Base URL: Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com).
+* Increase Severity Level: Enter a value to increase the severity level of the incident.(Example: for value 1 incident severity will change from Low to Medium)
+
+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRubrikSecurityCloud%2FPlaybooks%2FRubrikWorkloadAnalysis%2Fazuredeploy.json) [](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRubrikSecurityCloud%2FPlaybooks%2FRubrikWorkloadAnalysis%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+#### a. Authorize connections
+Once deployment is complete, authorize each connection like keyvault, azureloganalytics.
+1. Go to your logic app -> API connections -> Select keyvault connection resource
+2. Go to General -> edit API connection
+3. Click the keyvault connection resource
+4. Click edit API connection
+5. Click Authorize
+6. Sign in
+7. Click Save
+8. Repeat steps for other connections
+#### b. Assign Role to add a comment in the incident
+After authorizing each connection, assign a role to this playbook.
+1. Go to Log Analytics Workspace → → Access Control → Add
+2. Add role assignment
+3. Assignment type: Job function roles
+4. Role: Microsoft Sentinel Contributor
+5. Members: select managed identity for "assigned access to" and add your logic app as a member.
+6. Click on review+assign
+#### c. Add Access policy in Keyvault
+Add access policy for the playbook's managed identity to read, and write secrets of key vault.
+1. Go to the logic app → → identity → System assigned Managed identity and copy Object (principal) ID.
+2. Go to keyvaults → → Access policies → create.
+3. Select all keys & secrets permissions. Click next.
+4. In the principal section, search by copied object ID. Click next.
+5. Click review + create.
+#### d. Configurations in Microsoft Sentinel
+1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.
+ * Analytic Rule must contain at least one of the below fields mapped in Custom Details to successfully run this playbook.
+ * IP
+ * Host
+2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.
+ * Go to Microsoft Sentinel -> -> Automation
+ * Click on **Create** -> **Automation rule**
+ * Provide a name for your rule
+ * In the Analytic rule name condition, select the analytic rule that you have created.
+ * In Actions dropdown select **Run playbook**
+ * In the second dropdown select your deployed playbook
+ * Click on **Apply**
+ * Save the Automation rule.
+**NOTE:** If you want to manually run the playbook on a particular incident follow the below steps:
+
+- Go to Microsoft Sentinel -> -> Incidents
+- Select an incident.
+- In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.
+- click on the Run button beside this playbook.
\ No newline at end of file
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/azuredeploy.json b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/azuredeploy.json
new file mode 100644
index 00000000000..3abb0c2338f
--- /dev/null
+++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikWorkloadAnalysis/azuredeploy.json
@@ -0,0 +1,1923 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "RubrikWorkloadAnalysis",
+ "description": "This playbook retrieves sensitive IP and Host data to enrich the incident details, and adjusts the incident's severity level based on the gathered information.",
+ "prerequisites": [
+ "1. User must have a valid Rubrik Client Id and Client Secret.",
+ "2. Store Service account credentials in Key Vault and obtain keyvault name and tenantId",
+ "a. Create a Key Vault with a unique name",
+ "b. Go to KeyVault -> secrets, click on Generate/import and create 'Rubrik-Client-Id' & 'Rubrik-Client-Secret' for storing client_id and client_secret respectively",
+ "NOTE: Make sure the Permission model in the Access Configuration of Keyvault is selected to the Vault access policy. If not then change it to 'Vault access policy'"
+ ],
+ "postDeployment": [
+ "**a. Authorize connections**",
+ "Once deployment is complete, authorize each connection.",
+ "1. Go to your logic app -> API connections -> Select keyvault connection resource",
+ "2. Go to General -> edit API connection",
+ "3. Click the keyvault connection resource",
+ "4. Click edit API connection",
+ "5. Click Authorize",
+ "6. Sign in",
+ "7. Click Save",
+ "8. Repeat steps for other connections",
+ "**b. Assign Role to add comment in incident**",
+ "After authorizing each connection, assign role to this playbook.",
+ "1. Go to Log Analytics Workspace → → Access Control → Add",
+ "2. Add role assignment",
+ "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role",
+ "4. Members: select managed identity for assigned access to and add your logic app as member",
+ "5. Click on review+assign",
+ "**c. Add Access policy in Keyvault**",
+ "Add access policy for the playbook's managed identity and authorized user to read, and write secrets of key vault.",
+ "1. Go to logic app → → identity → System assigned Managed identity and copy Object (principal) ID.",
+ "2. Go to keyvaults → → Access policies → create.",
+ "3. Select all keys & secrets permissions. Click next.",
+ "4. In the principal section, search by copied object ID. Click next.",
+ "5. Click review + create.",
+ "**d. Configurations in Microsoft Sentinel**",
+ "1. In Microsoft Sentinel, Configure the analytic rules to trigger an incident.",
+ "a. Analytic Rule must contain at least one of the below fields mapped in Entity Mapping or Custom Details to successfully fetch data.",
+ "IP",
+ "Host",
+ "2. In Microsoft Sentinel, Configure the automation rules to trigger the playbook.",
+ "a. Go to Microsoft Sentinel -> -> Automation",
+ "b. Click on Create -> Automation rule",
+ "c. Provide name for your rule",
+ "d. In Analytic rule name condition, select analytic rule which you have created.",
+ "e. In Actions dropdown select Run playbook",
+ "f. In second dropdown select your deployed playbook",
+ "g. Click on Apply",
+ "h. Save the Automation rule.",
+ "NOTE: If you want to manually run the playbook on a particular incident follow the below steps:",
+ "a. Go to Microsoft Sentinel -> -> Incidents",
+ "b. Select an incident.",
+ "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.",
+ "d. click on the Run button beside this playbook."
+ ],
+ "lastUpdateTime": "2024-11-08T18:00:00.000Z",
+ "entities": [
+ "ip",
+ "Host"
+ ],
+ "tags": [
+ "ip",
+ "Host",
+ "Rubrik"
+ ],
+ "support": {
+ "tier": "Community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Rubrik"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "RubrikWorkloadAnalysis",
+ "minLength": 1,
+ "type": "string",
+ "metadata": {
+ "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure"
+ }
+ },
+ "Keyvault Name": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter name of keyvault where service account credentials are stored(Example: RubrikSentinelKeyVault)"
+ }
+ },
+ "Tenant Id": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter Tenant ID of your Microsoft EntraID where keyvault is available"
+ }
+ },
+ "Rubrik Base URL": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "https://rubrik-tme.my.rubrik.com",
+ "metadata": {
+ "description": "Enter Base URL of the RubrikApi instance (Example: https://rubrik-tme.my.rubrik.com)"
+ }
+ },
+ "IncreaseSeverityLevel": {
+ "defaultValue": 1,
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "Int",
+ "metadata": {
+ "description": "Enter a value to increase the severity level of the incident.(Example: for value 1 incident severity will change from Low to Medium)"
+ }
+ }
+ },
+ "variables": {
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+ "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {
+ },
+ "type": "Object"
+ },
+ "Increase_Severity_Level": {
+ "defaultValue": "[parameters('IncreaseSeverityLevel')]",
+ "type": "Int"
+ },
+ "Rubrik_Base_URL": {
+ "defaultValue": "[trim(parameters('Rubrik Base URL'))]",
+ "type": "String"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ }
+ }
+ },
+ "actions": {
+ "Check_For_Status_Code_Of_Generating_Access_Token": {
+ "actions": {
+ "Set_Access_Token": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Access_Token",
+ "value": "@{body('Get_Access_Token')?['access_token']}"
+ }
+ }
+ },
+ "runAfter": {
+ "Get_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Terminate_Due_To_Authentication_Failure": {
+ "runAfter": {},
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "@{outputs('Get_Access_Token')['statusCode']}",
+ "message": "@{body('Get_Access_Token')?['message']}"
+ },
+ "runStatus": "Failed"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@outputs('Get_Access_Token')['statusCode']",
+ 200
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_Empty_List_Of_IP_-_Host": {
+ "actions": {
+ "Terminate_Due_Empty_IP_-_Host_List": {
+ "runAfter": {},
+ "type": "Terminate",
+ "inputs": {
+ "runError": {
+ "code": "404",
+ "message": "IP or Host are not Mapped with Incident"
+ },
+ "runStatus": "Failed"
+ }
+ }
+ },
+ "runAfter": {
+ "For_Hosts_In_Entity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@length(variables('IP_Host_List'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_Length_Of_Failed_IP_-_Host_List": {
+ "actions": {
+ "Condition_To_Check_All_Failure": {
+ "actions": {},
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Update_Incident_(2)": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "@variables('Incident_Severity')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@length(variables('Failed_IP_Host_List'))",
+ "@length(variables('IP_Host_List'))"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit_(2)": {
+ "actions": {
+ "Add_Failed_IP_-_Host_List_Into_Incident_Comment": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@body('Update_Incident_(2)')?['id']",
+ "message": "Failed IP/Host List: @{replace(replace(replace(replace(string(variables('Failed_IP_Host_List')), '\"', ''), '[', ''), ']', ''), ',', ', ')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {
+ "Condition_To_Check_All_Failure": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@variables('Comment_Count')",
+ 100
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_Each_IP_Or_Host": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Update_Incident": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "severity": "@variables('Incident_Severity')"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "put",
+ "path": "/Incidents"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "greater": [
+ "@length(variables('Failed_IP_Host_List'))",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "For_Each_Alert_Details": {
+ "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
+ "actions": {
+ "Condition_To_Verify_Custom_Details_Is_Not_Empty": {
+ "actions": {
+ "Condition_To_Verify_Host_Is_Mapped_In_Custom_Details": {
+ "actions": {
+ "Condition_To_Verify_List_Of_Hosts": {
+ "actions": {
+ "For_Each_Host_In_Custom_Details": {
+ "foreach": "@json(body('Parse_Custom_Details')?['Host'][0])",
+ "actions": {
+ "Append_Host_Into_List": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_Host_In_Custom_Details')"
+ }
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Append_Host_Into_List_(2)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@body('Parse_Custom_Details')?['Host'][0]"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@body('Parse_Custom_Details')?['Host'][0]",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Set_IP_List_Size_(2)": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(body('Parse_Custom_Details')?['Host'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": {
+ "actions": {
+ "Condition_To_Verify_List_Of_IPs_(2)": {
+ "actions": {
+ "For_Each_IP_In_Custom_Details": {
+ "foreach": "@json(body('Parse_Custom_Details')?['IP'][0])",
+ "actions": {
+ "Condition_To_Verify_IP_Already_Not_Exist_In_List": {
+ "actions": {
+ "Append_IP_Into_List_(3)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_IP_In_Custom_Details')"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Each_IP_In_Custom_Details'))",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_IP_Already_Not_Exist_In_List_(2)": {
+ "actions": {
+ "Append_IP_Into_List_(4)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@body('Parse_Custom_Details')?['IP'][0]"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), body('Parse_Custom_Details')?['IP'][0])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@body('Parse_Custom_Details')?['IP'][0]",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Parse_Custom_Details": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(body('Parse_Custom_Details')?['IP'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_Custom_Details": {
+ "runAfter": {},
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details']",
+ "schema": {
+ "properties": {
+ "Host": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "IP": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ }
+ },
+ "Set_IP_List_Size_(2)": {
+ "runAfter": {
+ "Condition_To_Verify_IP_Is_Mapped_In_Custom_Details": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": "@length(variables('IP_Host_List'))"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@empty(items('For_Each_Alert_Details')?['properties']?['additionalData']?['Custom Details'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Set_IP_List_Size": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_Each_IP_Or_Host": {
+ "foreach": "@variables('IP_Host_List')",
+ "actions": {
+ "Check_For_HTTP_Request_Status_Code": {
+ "actions": {
+ "Condition_To_Check_IP_-_Host_Invalid_Or_Data_Not_Found": {
+ "actions": {
+ "Append_IP_Address_Or_Host_Name_Into_Failed_List_(2)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Failed_IP_Host_List",
+ "value": "@items('For_Each_IP_Or_Host')"
+ }
+ }
+ },
+ "runAfter": {
+ "Parse_Response": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Incident_Severity_Is_High": {
+ "actions": {},
+ "runAfter": {
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Check_Incident_Updated_By_Increase_Level": {
+ "actions": {
+ "Condition_To_Check_Response_And_Update_Incident_Severity": {
+ "actions": {
+ "Condition_To_Verify_Increase_Level_Is_1": {
+ "actions": {
+ "Switch_Case_For_Update_Incident_Severity": {
+ "runAfter": {},
+ "cases": {
+ "Case_When_Severity_Is_Informational": {
+ "case": "Informational",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Low": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Low": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Low"
+ }
+ }
+ }
+ },
+ "Case_When_Severity_Is_Low": {
+ "case": "Low",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(2)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Medium": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Medium": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Medium"
+ }
+ }
+ }
+ },
+ "Case_When_Severity_Is_Medium": {
+ "case": "Medium",
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(3)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_High": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_High": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "High"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@variables('Severity_For_Increase_Level')",
+ "type": "Switch"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Increase_Level_Is_2_And_Incident_Severity_Is_Informational": {
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(4)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_Medium_(2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_Medium_(2)": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "Medium"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Set_Incident_Severity_Updated_To_True_(5)": {
+ "runAfter": {
+ "Set_Severity_For_Increase_Level_To_High_(2)": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity_Updated",
+ "value": "@true"
+ }
+ },
+ "Set_Severity_For_Increase_Level_To_High_(2)": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_Increase_Level",
+ "value": "High"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Increase_Severity_Level')",
+ 2
+ ]
+ },
+ {
+ "equals": [
+ "@variables('Severity_For_Increase_Level')",
+ "Informational"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Increase_Severity_Level')",
+ 1
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(\r\nif(equals(body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious'], 'Matches Found'), true, false),\r\nif(equals(body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious'], 'Matches Found'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Incident_Severity_Updated')",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Check_Risk_Level": {
+ "actions": {
+ "Set_Severity_For_Risk_Level": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Severity_For_RiskLevel",
+ "value": "@{variables('Severity_Mapping')?[toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel'])]}"
+ }
+ }
+ },
+ "runAfter": {
+ "Condition_To_Check_Incident_Updated_By_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(string(variables('Severity_Mapping')), toLower(body('Parse_Response')?['sensitiveInfo']?['riskLevel']))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_High_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_High": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "High"
+ }
+ }
+ },
+ "runAfter": {
+ "Switch_Case_For_Anomaly_Severity": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Medium_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_Medium": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "Medium"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Low_Severity": {
+ "actions": {
+ "Set_Incident_Severity_To_Low": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Incident_Severity",
+ "value": "Low"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'Low'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Low'), true, false), if(equals(variables('Anomaly_Severity'), 'Low'), true, false), if(equals(variables('Incident_Severity'), 'Low'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'Medium'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'Medium'), true, false), if(equals(variables('Anomaly_Severity'), 'Medium'), true, false), if(equals(variables('Incident_Severity'), 'Medium'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@or(if(equals(variables('Severity_For_Increase_Level'), 'High'), true, false), if(equals(variables('Severity_For_RiskLevel'), 'High'), true, false), if(equals(variables('Anomaly_Severity'), 'High'), true, false), if(equals(variables('Incident_Severity'), 'High'), true, false))",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Switch_Case_For_Anomaly_Severity": {
+ "runAfter": {
+ "Condition_To_Check_Risk_Level": [
+ "Succeeded"
+ ]
+ },
+ "cases": {
+ "Case_When_Anomaly_Severity_Is_Critical": {
+ "case": "critical",
+ "actions": {
+ "Set_Anomaly_Severity_To_High": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "High"
+ }
+ }
+ }
+ },
+ "Case_When_Anomaly_Severity_Is_Informational": {
+ "case": "informational",
+ "actions": {
+ "Set_Anomaly_Severity_To_Informational": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "Informational"
+ }
+ }
+ }
+ },
+ "Case_When_Anomaly_Severity_Is_Warning": {
+ "case": "warning",
+ "actions": {
+ "Set_Anomaly_Severity_To_Medium": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Anomaly_Severity",
+ "value": "Medium"
+ }
+ }
+ }
+ }
+ },
+ "expression": "@toLower(body('Parse_Response')?['anomalyInfo']?['severity'])",
+ "type": "Switch"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('Incident_Severity')",
+ "High"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": {
+ "actions": {
+ "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": {
+ "actions": {
+ "Add_Detail_Response_Of_IP_To_Incident_Comment": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "@{variables('Detailed_Response')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Add_Comment_For_30000_Characters_Limit": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "incidentArmId": "@triggerBody()?['object']?['id']",
+ "message": "Length of response is exceeded to 30,000 characters for @{items('For_Each_IP_Or_Host')}
"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/Incidents/Comment"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@length(variables('Detailed_Response'))",
+ 30000
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Increment_Comment_Count": {
+ "runAfter": {
+ "Condition_To_Verify_Length_Of_Detail_Response_To_30000_Characters_Limit": [
+ "Succeeded"
+ ]
+ },
+ "type": "IncrementVariable",
+ "inputs": {
+ "name": "Comment_Count",
+ "value": 1
+ }
+ }
+ },
+ "runAfter": {
+ "Set_Detailed_Response": [
+ "Succeeded"
+ ]
+ },
+ "expression": {
+ "and": [
+ {
+ "less": [
+ "@variables('Comment_Count')",
+ 100
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Set_Detailed_Response": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Detailed_Response",
+ "value": "\nGeneral Information for the given @{body('Parse_Response')?['sensitiveInfo']?['riskLevel']} risk : @{items('For_Each_IP_Or_Host')}
\n\n \n FID | \n @{body('Parse_Response')?['generalInfo']?['fid']} | \n
\n \n Name | \n @{body('Parse_Response')?['generalInfo']?['name']} | \n
\n \n Object Type | \n @{body('Parse_Response')?['generalInfo']?['objectType']} | \n
\n \n Protection Status | \n @{body('Parse_Response')?['generalInfo']?['protectionStatus']} | \n
\n \n Last Snapshot | \n @{body('Parse_Response')?['generalInfo']?['lastSnapshot']} | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['generalInfo']?['redirectLink']} | \n
\n
\n\n\nSensitive Information
\n\n \n Risk Level | \n @{body('Parse_Response')?['sensitiveInfo']?['riskLevel']} | \n
\n \n Sensitive Files | \n \n mediumCount: @{body('Parse_Response')?['sensitiveInfo']?['sensitiveFiles']?['mediumCount']} \n | \n
\n \n Sensitive Hits | \n @{body('Parse_Response')?['sensitiveInfo']?['sensitiveHits']} | \n
\n \n Open Access Files | \n @{body('Parse_Response')?['sensitiveInfo']?['openAccessFiles']} | \n
\n \n Stale Files | \n @{body('Parse_Response')?['sensitiveInfo']?['staleFiles']} | \n
\n \n Policy Names | \n @{replace(replace(replace(replace(string(body('Parse_Response')?['sensitiveInfo']?['policyNames']), '\"', ''), '[', ''), ']', ''), ',', ', ')} | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['sensitiveInfo']?['redirectLink']} | \n
\n
\n\n\nAnomaly Information
\n\n \n Severity | \n @{body('Parse_Response')?['anomalyInfo']?['severity']} | \n
\n \n Detection Time | \n @{body('Parse_Response')?['anomalyInfo']?['detectionTime']} | \n
\n \n Created File Count | \n @{body('Parse_Response')?['anomalyInfo']?['createdFileCount']} | \n
\n \n Deleted File Count | \n @{body('Parse_Response')?['anomalyInfo']?['deletedFileCount']} | \n
\n \n Modified File Count | \n @{body('Parse_Response')?['anomalyInfo']?['modifiedFileCount']} | \n
\n \n Suspicious File Count | \n @{body('Parse_Response')?['anomalyInfo']?['suspiciousFileCount']} | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['anomalyInfo']?['redirectLink']} | \n
\n
\n\n\nThreat Hunt Information
\n\n \n Latest Threat Hunt | \n \n huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntId']} \n huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['huntStartTime']} \n isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestThreatHunt']?['isMalicious']} \n | \n
\n \n Latest Malicious Threat Hunt | \n \n huntId: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntId']} \n huntStartTime: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['huntStartTime']} \n isMalicious: @{body('Parse_Response')?['threatHuntInfo']?['latestMaliciousThreatHunt']?['isMalicious']} \n | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['threatHuntInfo']?['redirectLink']} | \n
\n
\n\n\nThreat Monitoring Information
\n\n \n Latest Threat Monitoring | \n \n snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['snapshotFid']} \n monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['monitoringScanTime']} \n isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestThreatMonitoring']?['isMalicious']} \n | \n
\n \n Latest Malicious Threat Monitoring | \n \n snapshotFid: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['snapshotFid']} \n monitoringScanTime: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['monitoringScanTime']} \n isMalicious: @{body('Parse_Response')?['threatMonitoringInfo']?['latestMaliciousThreatMonitoring']?['isMalicious']} \n | \n
\n \n Redirect Link | \n @{body('Parse_Response')?['threatMonitoringInfo']?['redirectLink']} | \n
\n
"
+ }
+ }
+ }
+ },
+ "expression": {
+ "or": [
+ {
+ "equals": [
+ "@contains(body('Parse_Response')?['generalInfo']?['fid'], 'No Objects Found')",
+ "@true"
+ ]
+ },
+ {
+ "equals": [
+ "@contains(body('Parse_Response')?['generalInfo']?['name'], 'No Objects Found')",
+ "@true"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Parse_Response": {
+ "runAfter": {},
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_Information')",
+ "schema": {
+ "properties": {
+ "anomalyInfo": {
+ "properties": {
+ "createdFileCount": {
+ "type": "string"
+ },
+ "deletedFileCount": {
+ "type": "string"
+ },
+ "detectionTime": {
+ "type": "string"
+ },
+ "modifiedFileCount": {
+ "type": "string"
+ },
+ "redirectLink": {
+ "type": "string"
+ },
+ "severity": {
+ "type": "string"
+ },
+ "suspiciousFileCount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "generalInfo": {
+ "properties": {
+ "fid": {
+ "type": "string"
+ },
+ "lastSnapshot": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "objectType": {
+ "type": "string"
+ },
+ "protectionStatus": {
+ "type": "string"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sensitiveInfo": {
+ "properties": {
+ "openAccessFiles": {
+ "type": "integer"
+ },
+ "policyNames": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "redirectLink": {
+ "type": "string"
+ },
+ "riskLevel": {
+ "type": "string"
+ },
+ "sensitiveFiles": {
+ "properties": {
+ "mediumCount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sensitiveHits": {
+ "type": "integer"
+ },
+ "staleFiles": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "threatHuntInfo": {
+ "properties": {
+ "latestMaliciousThreatHunt": {
+ "properties": {
+ "huntId": {
+ "type": "string"
+ },
+ "huntStartTime": {
+ "type": "string"
+ },
+ "isMalicious": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "latestThreatHunt": {
+ "properties": {
+ "huntId": {
+ "type": "string"
+ },
+ "huntStartTime": {
+ "type": "string"
+ },
+ "isMalicious": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "threatMonitoringInfo": {
+ "properties": {
+ "latestMaliciousThreatMonitoring": {
+ "properties": {
+ "isMalicious": {
+ "type": "string"
+ },
+ "monitoringScanTime": {
+ "type": "string"
+ },
+ "snapshotFid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "latestThreatMonitoring": {
+ "properties": {
+ "isMalicious": {
+ "type": "string"
+ },
+ "monitoringScanTime": {
+ "type": "string"
+ },
+ "snapshotFid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "redirectLink": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "runAfter": {
+ "Get_Information": [
+ "Succeeded"
+ ]
+ },
+ "else": {
+ "actions": {
+ "Append_IP_Address_Or_Host_Name_Into_Failed_List": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "Failed_IP_Host_List",
+ "value": "@items('For_Each_IP_Or_Host')"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@outputs('Get_Information')['statusCode']",
+ 200
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Condition_To_Set_Search_Type": {
+ "actions": {
+ "Set_Search_Type_To_name": {
+ "runAfter": {},
+ "type": "SetVariable",
+ "inputs": {
+ "name": "Search_Type",
+ "value": "name"
+ }
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Decrement_IP_List_Size_By_1": {
+ "runAfter": {},
+ "type": "DecrementVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": 1
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@variables('IP_List_Size')",
+ 0
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ },
+ "Get_Information": {
+ "runAfter": {
+ "Condition_To_Set_Search_Type": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "headers": {
+ "Authorization": "Bearer @{variables('Access_Token')}"
+ },
+ "method": "GET",
+ "queries": {
+ "search_string": "@{items('For_Each_IP_Or_Host')}",
+ "search_type": "@variables('Search_Type')"
+ },
+ "uri": "@{variables('Base_URL')}/api/thirdparty/workload_summary"
+ }
+ }
+ },
+ "runAfter": {
+ "Check_For_Status_Code_Of_Generating_Access_Token": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach",
+ "runtimeConfiguration": {
+ "concurrency": {
+ "repetitions": 1
+ }
+ }
+ },
+ "For_Hosts_In_Entity_Mapping": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Condition_To_Verify_Host": {
+ "actions": {
+ "Condition_To_Verify_List_Of_Hosts_(2)": {
+ "actions": {
+ "For_Each_Host_In_Entity_Mapping": {
+ "foreach": "@json(items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])",
+ "actions": {
+ "Condition_To_Verify_Host_Already_Not_Exist_In_List": {
+ "actions": {
+ "Append_Host_Into_List_(3)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_Host_In_Entity_Mapping')"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Each_Host_In_Entity_Mapping'))",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Condition_To_Verify_Host_Already_Not_Exist_In_List_(2)": {
+ "actions": {
+ "Append_Host_Into_List_(4)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@contains(variables('IP_Host_List'), items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName'])",
+ "@false"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_Hosts_In_Entity_Mapping')?['properties']?['hostName']",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_Hosts_In_Entity_Mapping')?['kind']",
+ "Host"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "For_Each_Alert_Details": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "For_IPs_In_Entity_Mapping": {
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "actions": {
+ "Condition_To_Verify_IP": {
+ "actions": {
+ "Condition_To_Verify_List_Of_IPs": {
+ "actions": {
+ "For_Each_IP_In_Entity_Mapping": {
+ "foreach": "@json(items('For_IPs_In_Entity_Mapping')?['properties']?['address'])",
+ "actions": {
+ "Append_IP_Into_List": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_Each_IP_In_Entity_Mapping')"
+ }
+ }
+ },
+ "runAfter": {},
+ "type": "Foreach"
+ }
+ },
+ "runAfter": {},
+ "else": {
+ "actions": {
+ "Append_IP_Into_List_(2)": {
+ "runAfter": {},
+ "type": "AppendToArrayVariable",
+ "inputs": {
+ "name": "IP_Host_List",
+ "value": "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']"
+ }
+ }
+ }
+ },
+ "expression": {
+ "and": [
+ {
+ "contains": [
+ "@items('For_IPs_In_Entity_Mapping')?['properties']?['address']",
+ "]"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@items('For_IPs_In_Entity_Mapping')?['kind']",
+ "Ip"
+ ]
+ }
+ ]
+ },
+ "type": "If"
+ }
+ },
+ "runAfter": {
+ "Initialize_Severity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Get_Access_Token": {
+ "runAfter": {
+ "Condition_To_Verify_Empty_List_Of_IP_-_Host": [
+ "Succeeded"
+ ]
+ },
+ "type": "Http",
+ "inputs": {
+ "body": {
+ "client_id": "@body('Get_Rubrik_Client_ID')?['value']",
+ "client_secret": "@body('Get_Rubrik_Client_Secret')?['value']"
+ },
+ "method": "POST",
+ "uri": "@{variables('Base_URL')}/api/client_token"
+ }
+ },
+ "Get_Rubrik_Client_ID": {
+ "runAfter": {
+ "Initialize_Count_Of_Comments_In_Incident": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Id')}/value"
+ }
+ },
+ "Get_Rubrik_Client_Secret": {
+ "runAfter": {
+ "Get_Rubrik_Client_ID": [
+ "Succeeded"
+ ]
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('Rubrik-Client-Secret')}/value"
+ }
+ },
+ "Initialize_AccessToken": {
+ "runAfter": {
+ "Initialize_Incident_Severity_Updated": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Access_Token",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_Anomaly_Severity": {
+ "runAfter": {
+ "Initialize_Severity_For_Risk_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Anomaly_Severity",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Base_URL": {
+ "runAfter": {
+ "Initialize_Search_Type": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Base_URL",
+ "type": "string",
+ "value": "@parameters('Rubrik_Base_URL')"
+ }
+ ]
+ }
+ },
+ "Initialize_Count_Of_Comments_In_Incident": {
+ "runAfter": {
+ "Initialize_Base_URL": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Comment_Count",
+ "type": "integer",
+ "value": "@length(triggerBody()?['object']?['properties']?['Comments'])"
+ }
+ ]
+ }
+ },
+ "Initialize_Detailed_Response": {
+ "runAfter": {
+ "Initialize_AccessToken": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Detailed_Response",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "Initialize_Failed_IP_Address_And_Host_Name_List": {
+ "runAfter": {
+ "Initialize_IP_Address_And_Host_Name_List": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Failed_IP_Host_List",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_IP_Address_And_Host_Name_List": {
+ "runAfter": {},
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IP_Host_List",
+ "type": "array"
+ }
+ ]
+ }
+ },
+ "Initialize_IP_List_Size": {
+ "runAfter": {
+ "Initialize_Failed_IP_Address_And_Host_Name_List": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "IP_List_Size",
+ "type": "integer",
+ "value": 0
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity": {
+ "runAfter": {
+ "Get_Rubrik_Client_Secret": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Incident_Severity",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity_Increase_Level": {
+ "runAfter": {
+ "Initialize_Anomaly_Severity": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Increase_Severity_Level",
+ "type": "integer",
+ "value": "@parameters('Increase_Severity_Level')"
+ }
+ ]
+ }
+ },
+ "Initialize_Incident_Severity_Updated": {
+ "runAfter": {
+ "Initialize_Incident_Severity_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Incident_Severity_Updated",
+ "type": "boolean",
+ "value": "@false"
+ }
+ ]
+ }
+ },
+ "Initialize_Search_Type": {
+ "runAfter": {
+ "Initialize_IP_List_Size": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Search_Type",
+ "type": "string",
+ "value": "ipv4"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_For_Increase_Level": {
+ "runAfter": {
+ "Initialize_Incident_Severity": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_For_Increase_Level",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_For_Risk_Level": {
+ "runAfter": {
+ "Initialize_Severity_For_Increase_Level": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_For_RiskLevel",
+ "type": "string",
+ "value": "@triggerBody()?['object']?['properties']?['severity']"
+ }
+ ]
+ }
+ },
+ "Initialize_Severity_Mapping": {
+ "runAfter": {
+ "Initialize_Detailed_Response": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "Severity_Mapping",
+ "type": "object",
+ "value": {
+ "high": "High",
+ "low": "Low",
+ "medium": "Medium"
+ }
+ }
+ ]
+ }
+ },
+ "Set_IP_List_Size": {
+ "runAfter": {
+ "For_IPs_In_Entity_Mapping": [
+ "Succeeded"
+ ]
+ },
+ "type": "SetVariable",
+ "inputs": {
+ "name": "IP_List_Size",
+ "value": "@length(variables('IP_Host_List'))"
+ }
+ }
+ },
+ "outputs": {
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "keyvault": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
+ "connectionName": "[variables('KeyvaultConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "tags": {
+ "hidden-SentinelTemplateName": "RubrikWorkloadAnalysis",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {
+ },
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('KeyvaultConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('KeyvaultConnectionName')]",
+ "customParameterValues": {
+ },
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]"
+ },
+ "parameterValues": {
+ "token:TenantId": "[trim(parameters('Tenant Id'))]",
+ "token:grantType": "code",
+ "vaultName": "[trim(parameters('Keyvault Name'))]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/RubrikSecurityCloud/ReleaseNotes.md b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
index 6dc9ee7d3e2..25ea79e3dd3 100644
--- a/Solutions/RubrikSecurityCloud/ReleaseNotes.md
+++ b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
+| 3.3.0 | 19-11-2024 | Added one new Playbook(RubrikWorkloadAnalysis) and updated the RubrikWebhookEvents Data Connector to add a new Orchestrator for Rubrik Events.
| 3.2.1 | 11-11-2024 | Fixed the issue of Custom Connector id parameter in RubrikRansomwareDiscoveryAndVmRecovery playbook. |
| 3.2.0 | 24-02-2024 | Added 3 new Playbooks(RubrikFileObjectContextAnalysis, RubrikUserIntelligenceAnalysis, RubrikRetrieveUserIntelligenceInformation) for FileObject and User, fixed clusterLocation issue of Collect_IOC_Scan_Data adaptive card in RubrikRansomwareDiscoveryAndVmRecovery playbook and updated python packages to fix vulnerability CVE-2023-50782 of cryptography module. Enhanced Anomaly Analysis playbook and added RubrikAnomalyGenerateDownloadableLink playbook. |
| 3.1.0 | 20-10-2023 | Updated the **DataConnector** code by implementing Durable Function App. |
diff --git a/Solutions/RubrikSecurityCloud/SolutionMetadata.json b/Solutions/RubrikSecurityCloud/SolutionMetadata.json
index 55e43e2cdfa..276b41e2b97 100644
--- a/Solutions/RubrikSecurityCloud/SolutionMetadata.json
+++ b/Solutions/RubrikSecurityCloud/SolutionMetadata.json
@@ -2,7 +2,7 @@
"publisherId": "rubrik_inc",
"offerId": "rubrik_sentinel",
"firstPublishDate": "2022-07-19",
- "lastPublishDate": "2024-03-17",
+ "lastPublishDate": "2024-11-19",
"providers": [
"Rubrik"
],
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 4c04cbd03c8..cf1c0706f79 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1040,8 +1040,7 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "ForcepointCasb",
- "ForcepointCasbAma"
+ "CefAma"
],
"previewImagesFileNames": [
"ForcepointCASBWhite.png",
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 903118b9495..2cb8aec8e43 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -1357,8 +1357,6 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "ForcepointCasb",
- "ForcepointCasbAma",
"CefAma"
],
"previewImagesFileNames": [