Commit
Solution packaged
v-prasadboke committed Nov 28, 2024
1 parent 9d5572d commit 7848bf5
Showing 3 changed files with 36 additions and 36 deletions.
Binary file modified Solutions/Threat Intelligence/Package/3.0.8.zip
Binary file not shown.
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.\n\n**Data Connectors:** 5, **Workbooks:** 1, **Analytic Rules:** 52, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
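Review bot: the rewritten description now says the connectors import "supported STIX objects", but the very next sentence still reads "Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.", so a reader cannot tell whether non-indicator STIX objects are ingested and, if so, which types; either name the supported object types or link to the list. While here, drop the possessive apostrophes ("IPs, URLs, file hashes") and add the missing space in `svg\"width=\"75px\"` so the `width` attribute is separated from the `src` value. The same paragraph is repeated in the descriptionHtml of mainTemplate.json in the hunk at line 9678 and the two copies must stay identical.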
@@ -516,7 +516,7 @@
"id": "[variables('_uiConfigId1')]",
"title": "Threat intelligence - TAXII",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
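Review bot: "send the supported STIX object types from TAXII servers" leaves the supported types unnamed, and the sentence that follows still lists only indicator-style values (IP addresses, domains, URLs, file hashes), so the text reads as if the connector still ingests indicators only; state which STIX object types the TAXII connector accepts or point at the documented list. The same descriptionMarkdown is repeated in the GenericUI copy of this connector in the hunk at line 622; both copies must be kept identical.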
@@ -622,7 +622,7 @@
"connectorUiConfig": {
"title": "Threat intelligence - TAXII",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"descriptionMarkdown": "Microsoft Sentinel integrates with TAXII 2.0 and 2.1 data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send the supported STIX object types from TAXII servers to Microsoft Sentinel. Threat indicators can include IP addresses, domains, URLs, and file hashes. For more information, see the [Microsoft Sentinel documentation >](https://go.microsoft.com/fwlink/p/?linkid=2224105&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
{
"metricName": "Total data received",
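Review bot: second copy of the TAXII descriptionMarkdown changed in the hunk at line 516, with identical wording, so nothing further on the text itself; duplicated strings like this are where the two connector definitions usually drift, and a single template variable referenced from both places would remove that risk.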
@@ -832,7 +832,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId3')]",
"title": "Threat Intelligence Upload Indicators API (Preview)",
"title": "Threat Intelligence Upload API (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
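Review bot: the title drops "Indicators" but the descriptionMarkdown directly beneath it is untouched and still says only "Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses"; if the rename reflects that the connector now accepts STIX objects beyond indicators, the description should say so, and if it does not, the rename is misleading. The title also keeps "(Preview)" while the endpoint in step 2 of the instructions uses api-version=2024-02-01 with no preview suffix; confirm both against the documented API version.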
@@ -894,8 +894,8 @@
"title": "1. Get Microsoft Entra ID Access Token"
},
{
"description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.",
"title": "2. Send indicators to Sentinel"
"description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of STIX objects.",
"title": "2. Send STIX objects to Sentinel"
}
]
}
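Review bot: replacing the endpoint path (threatintelligenceindicators:upload becomes threatintelligence-stix-objects:upload) and the api-version (2022-07-01 becomes 2024-02-01) in user-facing instructions is a breaking change for anyone who automated the old call, yet the text says nothing about whether the old endpoint keeps working, when it is retired, or what the request body now looks like beyond "a JSON object containing an array of STIX objects" (no property names are given). Spell out the required body fields or add a minimal request example, state the migration path from the old endpoint, and check that the https://learn.microsoft.com/azure/sentinel/upload-indicators-api link, still named after the indicators API, actually documents the new STIX objects endpoint.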
@@ -936,7 +936,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId3')]",
"contentKind": "DataConnector",
"displayName": "Threat Intelligence Upload Indicators API (Preview)",
"displayName": "Threat Intelligence Upload API (Preview)",
"contentProductId": "[variables('_dataConnectorcontentProductId3')]",
"id": "[variables('_dataConnectorcontentProductId3')]",
"version": "[variables('dataConnectorVersion3')]"
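Review bot: the displayName rename matches the connectorUiConfig title, but nothing in this hunk bumps dataConnectorVersion3, and the package is rebuilt in place as Solutions/Threat Intelligence/Package/3.0.8.zip under the unchanged 3.0.8 name. User-visible connector text and the API instructions changed, so confirm the connector and solution versions are bumped elsewhere in the file and that ReleaseNotes.md records the endpoint change; otherwise installed workspaces have no signal that the content changed and consumers cannot tell the two 3.0.8 packages apart.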
@@ -980,7 +980,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Threat Intelligence Upload Indicators API (Preview)",
"title": "Threat Intelligence Upload API (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Sentinel offers a data plane API to bring in threat intelligence from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MineMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, file hashes and email addresses. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269830&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"graphQueries": [
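Review bot: third occurrence of the renamed title; the comment on the hunk at line 832 applies here as well, since the descriptionMarkdown beneath this title is also unchanged and still describes indicators only.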
@@ -1042,8 +1042,8 @@
"title": "1. Get Microsoft Entra ID Access Token"
},
{
"description": "You can send indicators by calling our Upload Indicators API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligenceindicators:upload?api-version=2022-07-01 \n\n>WorkspaceID: the workspace that the indicators are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of indicators in STIX format.",
"title": "2. Send indicators to Sentinel"
"description": "You can send the supported STIX object types by calling our Upload API. For more information about the API, click [here](https://learn.microsoft.com/azure/sentinel/upload-indicators-api). \n\n>HTTP method: POST \n\n>Endpoint: https://api.ti.sentinel.azure.com/workspaces/[WorkspaceID]/threatintelligence-stix-objects:upload?api-version=2024-02-01 \n\n>WorkspaceID: the workspace that the STIX objects are uploaded to. \n\n\n>Header Value 1: \"Authorization\" = \"Bearer [Microsoft Entra ID Access Token from step 1]\" \n\n\n> Header Value 2: \"Content-Type\" = \"application/json\" \n \n>Body: The body is a JSON object containing an array of STIX objects.",
"title": "2. Send STIX objects to Sentinel"
}
],
"id": "[variables('_uiConfigId3')]"
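Review bot: duplicate of the step-2 instruction change in the hunk at line 894 with identical text; the points raised there (undocumented body fields, no migration note for the old endpoint, doc link still named after the indicators API) apply here too, and both copies must be updated together.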
@@ -2785,12 +2785,12 @@
],
"customDetails": {
"IoCExpirationTime": "ExpirationDateTime",
"EventTime": "Event_TimeGenerated",
"IoCDescription": "Description",
"ActivityGroupNames": "ActivityGroupNames",
"ThreatType": "ThreatType",
"IndicatorId": "IndicatorId",
"IoCConfidenceScore": "ConfidenceScore",
"IndicatorId": "IndicatorId"
"IoCDescription": "Description",
"ThreatType": "ThreatType",
"EventTime": "Event_TimeGenerated"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
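Review bot: this hunk only reorders the keys of the customDetails object; the same seven mappings (IoCExpirationTime, EventTime, IoCDescription, ActivityGroupNames, ThreatType, IndicatorId, IoCConfidenceScore) are present before and after, and JSON object key order carries no meaning, so it is packaging-tool churn that buries the real changes in this commit. Having the packaging tool emit keys in a stable order (source order or alphabetical) would stop this. One thing to verify: as rendered here the added line `"IndicatorId": "IndicatorId"` has no trailing comma although further keys follow it, so confirm the packaged mainTemplate.json still parses.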
@@ -6309,12 +6309,12 @@
],
"customDetails": {
"IoCExpirationTime": "ExpirationDateTime",
"EventTime": "imNWS_TimeGenerated",
"IoCDescription": "Description",
"ActivityGroupNames": "ActivityGroupNames",
"ThreatType": "ThreatType",
"IndicatorId": "IndicatorId",
"IoCConfidenceScore": "ConfidenceScore",
"IndicatorId": "IndicatorId"
"IoCDescription": "Description",
"ThreatType": "ThreatType",
"EventTime": "imNWS_TimeGenerated"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.",
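Review bot: key-order-only churn in customDetails, as in the hunk at line 2785; no mapping is added or removed. The `"IndicatorId": "IndicatorId"` line is again rendered without a trailing comma before further keys, so the same parse check applies.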
@@ -8398,16 +8398,16 @@
],
"customDetails": {
"LatestIndicatorTime": "LatestIndicatorTime",
"SourceIPAddress": "SrcIpAddr",
"DnsQuery": "DnsQuery",
"ExpirationDateTime": "ExpirationDateTime",
"Description": "Description",
"DnsQuery": "DnsQuery",
"SourceIPAddress": "SrcIpAddr",
"ConfidenceScore": "ConfidenceScore",
"ActivityGroupNames": "ActivityGroupNames",
"ThreatType": "ThreatType",
"IndicatorId": "IndicatorId",
"QueryType": "DnsQueryType",
"DNSRequestTime": "DNS_TimeGenerated",
"ConfidenceScore": "ConfidenceScore",
"IndicatorId": "IndicatorId"
"ThreatType": "ThreatType",
"DNSRequestTime": "DNS_TimeGenerated"
}
}
},
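Review bot: reorder-only churn again; all eleven customDetails mappings (LatestIndicatorTime, SourceIPAddress, DnsQuery, ExpirationDateTime, Description, ConfidenceScore, ActivityGroupNames, ThreatType, IndicatorId, QueryType, DNSRequestTime) survive with the same values, and the `"IndicatorId": "IndicatorId"` line is once more shown without a trailing comma before `"ThreatType"`.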
@@ -8593,15 +8593,15 @@
],
"customDetails": {
"LatestIndicatorTime": "LatestIndicatorTime",
"SourceIPAddress": "SrcIpAddr",
"DnsQuery": "DnsQuery",
"ExpirationDateTime": "ExpirationDateTime",
"Description": "Description",
"DnsQuery": "DnsQuery",
"SourceIPAddress": "SrcIpAddr",
"ConfidenceScore": "ConfidenceScore",
"ActivityGroupNames": "ActivityGroupNames",
"IndicatorId": "IndicatorId",
"ThreatType": "ThreatType",
"DNSRequestTime": "imDns_mintime",
"ConfidenceScore": "ConfidenceScore",
"IndicatorId": "IndicatorId"
"DNSRequestTime": "imDns_mintime"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.",
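Review bot: same reorder-only churn; the ten customDetails mappings are unchanged in value. Nothing to act on in this hunk beyond the stable-ordering fix for the packaging tool suggested at line 2785.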
@@ -8815,15 +8815,15 @@
}
],
"customDetails": {
"EventStartTime": "imNWS_mintime",
"IoCExpirationTime": "ExpirationDateTime",
"IoCIPDirection": "IoCDirection",
"IoCDescription": "Description",
"IoCExpirationTime": "ExpirationDateTime",
"IndicatorId": "IndicatorId",
"ActivityGroupNames": "ActivityGroupNames",
"ThreatType": "ThreatType",
"IoCConfidenceScore": "ConfidenceScore",
"EventStartTime": "imNWS_mintime",
"EventEndTime": "imNWS_maxtime",
"IndicatorId": "IndicatorId"
"IoCDescription": "Description",
"ThreatType": "ThreatType",
"IoCConfidenceScore": "ConfidenceScore"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.",
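Review bot: the context line below this reorder-only hunk carries a typo that surfaces in every incident this rule raises: "Consult the threat intelligence blead for more information" should read "blade". It predates this commit, but since the packaged template is being regenerated anyway, fix it in the source analytic rule so the next packaging run picks it up. The nine customDetails mappings themselves are unchanged in value.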
@@ -9678,7 +9678,7 @@
"contentSchemaVersion": "3.0.0",
"displayName": "Threat Intelligence",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The Threat Intelligence solution contains data connectors for import of threat indicators into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.</p>\n<p><strong>Data Connectors:</strong> 5, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 52, <strong>Hunting Queries:</strong> 5</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Threat%20Intelligence/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The Threat Intelligence solution contains data connectors for import of supported STIX objects into Microsoft Sentinel, analytic rules for matching TI data with event data, workbook, and hunting queries. Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc.</p>\n<p><strong>Data Connectors:</strong> 5, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 52, <strong>Hunting Queries:</strong> 5</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
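Review bot: this descriptionHtml must mirror the createUiDefinition description changed in the first hunk of this commit, and it does; the same wording problem carries over, since "import of supported STIX objects" is immediately followed by "Threat indicators can be malicious IP's, URL's, filehashes, domains, email addresses etc." without saying which STIX object types are supported. Fix the wording once in the solution source so both generated copies pick it up, rather than editing the packaged JSON by hand.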