Merge branch 'master' into pr/11467

Hunting Queries/BehaviorAnalytics/Anomalous AAD Account Manipulation.yaml

@@ -1,4 +1,4 @@
 id: 078a6526-e94e-4cf1-a08e-83bc0186479f
 name: Anomalous Entra ID Account Manipulation
 description: |
-  'As part of content migration, this file is moved to new location. You can find here https://githubusercontent.com/Azure/Azure-Sentinel/blob/master/Solutions/UEBA%20Essentials/Hunting%20Queries/Anomalous%20AAD%20Account%20Manipulation.yaml'
+  'As part of content migration, this file is moved to new location. You can find here https://raw.githubusercontent.com/Azure/Azure-Sentinel/refs/heads/master/Solutions/UEBA%20Essentials/Hunting%20Queries/Anomalous%20AAD%20Account%20Manipulation.yaml'

Solutions/DNS Essentials/Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml

@@ -35,7 +35,7 @@ query: |
     | mv-expand ResourceIds  
     | extend ResourceId = tostring(ResourceIds)  
     | extend Dvc = strcat(split(Dvc, ".")[0])
-    | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName
+    | summarize Start=min(TimeGenerated), End=max(TimeGenerated) by SrcIP, Dvc, ResourceId, DnsQuery, DomainName, SrcIPs = tostring(SrcIPs), IPCountthreshold = threshold, TotalIPs
     | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
     | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
 entityMappings: 
@@ -70,5 +70,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: "[Static threshold] Multiple errors for the same DNS query has been detected - '{{DnsQuery}}'"
   alertDescriptionFormat: "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'"
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled

Solutions/DNS Essentials/Data/Solution_DNS.json

@@ -33,7 +33,7 @@
     "Hunting Queries/UnexpectedTopLevelDomains.yaml"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DNS Essentials",
-  "Version": "3.0.2",
+  "Version": "3.0.3",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false

Solutions/DNS Essentials/ReleaseNotes.md

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                 |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.3       | 28-11-2024                     | Update **Analytic Rule** MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml to fix bug |
 | 3.0.2       | 29-07-2024                     | Update **Hunting Queries** to fix TTP						        |
 | 3.0.1       | 31-01-2023                     | Updated the solution to fix **Analytic Rules** deployment issue        |
 | 3.0.2		  | 12-03-2024					   | Added new **Analytic rule** and repackaged solution					|

Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml

@@ -7,12 +7,6 @@ description: |
 severity: Medium
 status: Experimental
 requiredDataConnectors:
-  - connectorId: CEF
-    dataTypes:
-      - CommonSecurityLog
-  - connectorId: SonicWallFirewall
-    dataTypes:
-      - CommonSecurityLog
   - connectorId: CefAma
     dataTypes:
       - CommonSecurityLog
@@ -62,5 +56,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SrcIpAddr
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/SonicWall Firewall/Data/Solution_SonicWall Firewall.json

@@ -2,11 +2,7 @@
   "Name": "SonicWall Firewall",
   "Author": "SonicWall",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sonicwall_logo.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
-  "Data Connectors": [
-    "Data Connectors/SonicwallFirewall.JSON",
-    "Data Connectors/template_SonicwallFirewallAMA.JSON"
-  ],
+  "Description": "The [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
   "Workbooks": [
 	"Workbooks/SonicWallFirewall.json"
   ],
@@ -22,7 +18,7 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SonicWall Firewall",
-  "Version": "3.1.1",
+  "Version": "3.1.2",
   "TemplateSpec": true,
   "Is1PConnector": false
 }

Solutions/SonicWall Firewall/Hunting Queries/OutboundSSHConnections.yaml

@@ -3,9 +3,6 @@ name: Outbound SSH/SCP Connections
 description: |
   'This query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser.'
 requiredDataConnectors:
-  - connectorId: CEF
-    dataTypes:
-      - CommonSecurityLog
   - connectorId: SonicWallFirewall
     dataTypes:
       - CommonSecurityLog

Solutions/SonicWall Firewall/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sonicwall_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SonicWall%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sonicwall_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SonicWall%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for SonicWall Firewall. You can get SonicWall Firewall CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",
@@ -204,7 +180,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser. This hunting query depends on CEF SonicWallFirewall CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)"
+                  "text": "This query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser. This hunting query depends on SonicWallFirewall CefAma data connector (CommonSecurityLog CommonSecurityLog Parser or Table)"
                 }
               }
             ]