From 8f5efb52c67cb832c3bb9d80602a44c5cbca954f Mon Sep 17 00:00:00 2001
From: XiFneg
Date: Thu, 21 Nov 2024 05:40:05 +0000
Subject: [PATCH] Update configuration and templates for SINEC Security Guard solution
---
.../data_connector_GenericUI.json | 168 +--
.../Data/Solution_Sinec Security Guard.json | 32 +-
.../Package/createUiDefinition.json | 254 ++---
.../Package/mainTemplate.json | 1016 ++++++++--------
4 files changed, 724 insertions(+), 746 deletions(-)
diff --git a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json
index a69c1634a90..f666f8f753f 100644
--- a/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json
+++ b/Solutions/SINEC Security Guard/Data Connectors/data_connector_GenericUI.json
@@ -1,84 +1,84 @@
-{
- "id": "SSG",
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueriesTableName": "SINECSecurityGuard_CL",
- "logo": "SSG.svg",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"]
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "availability": {
- "isPreview": true,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ]
-}
+{
+ "id": "SSG",
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueriesTableName": "SINECSecurityGuard_CL",
+ "logo": "SSG.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": ["SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "isPreview": true,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+}
diff --git a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
index 3232152f990..c0cb969768f 100644
--- a/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
+++ b/Solutions/SINEC Security Guard/Data/Solution_Sinec Security Guard.json
@@ -1,17 +1,17 @@
-{
- "Name": "SINEC Security Guard",
- "Author": "Siemens AG",
- "Logo": "",
- "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel",
- "Analytic Rules": [
- "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
- ],
- "Data Connectors": [
- "Data Connectors/data_connector_GenericUI.json"
- ],
- "Metadata": "SolutionMetadata.json",
- "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
- "Version": "3.0.3",
- "TemplateSpec": true,
- "Is1PConnector": false
+{
+ "Name": "SINEC Security Guard",
+ "Author": "Siemens AG",
+ "Logo": "",
+ "Description": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "Analytic Rules": [
+ "Analytic Rules/SSG_Azure_Sentinel_analytic_rule.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/data_connector_GenericUI.json"
+ ],
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "D:\\Sentinel_GIT\\Azure-Sentinel\\Solutions\\SINEC Security Guard",
+ "Version": "3.0.3",
+ "TemplateSpec": true,
+ "Is1PConnector": false
 }
\ No newline at end of file
diff --git a/Solutions/SINEC Security Guard/Package/createUiDefinition.json b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
index 1a03e23deb2..603c462ee46 100644
--- a/Solutions/SINEC Security Guard/Package/createUiDefinition.json
+++ b/Solutions/SINEC Security Guard/Package/createUiDefinition.json
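Review bot: All 17 lines of this file are replaced although only the `Description` link actually changes (`(SINEC Security Guard)[…]` becomes `[SINEC Security Guard](…)`), and the same whole-file churn appears in data_connector_GenericUI.json, createUiDefinition.json and mainTemplate.json, which suggests a line-ending or indentation normalisation folded into the content edit; that hides the real change from reviewers and from blame. Committing the whitespace normalisation as a separate change (or pinning `*.json text eol=lf` in .gitattributes) would reduce the content diff here to the one `Description` line. The new side also still ends without a trailing newline (`\ No newline at end of file`), and `BasePath` remains a developer-local Windows path (`D:\\Sentinel_GIT\\…`); if the packaging tooling accepts a repository-relative path, that would make the file portable across contributors.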
@@ -1,127 +1,127 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
- "handler": "Microsoft.Azure.CreateUIDef",
- "version": "0.1.2-preview",
- "parameters": {
- "config": {
- "isWizard": false,
- "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
- "subscription": {
- "resourceProviders": [
- "Microsoft.OperationsManagement/solutions",
- "Microsoft.OperationalInsights/workspaces/providers/alertRules",
- "Microsoft.Insights/workbooks",
- "Microsoft.Logic/workflows"
- ]
- },
- "location": {
- "metadata": {
- "hidden": "Hiding location, we get it from the log analytics workspace"
- },
- "visible": false
- },
- "resourceGroup": {
- "allowExisting": true
- }
- }
- },
- "basics": [
- {
- "name": "getLAWorkspace",
- "type": "Microsoft.Solutions.ArmApiControl",
- "toolTip": "This filters by workspaces that exist in the Resource Group selected",
- "condition": "[greater(length(resourceGroup().name),0)]",
- "request": {
- "method": "GET",
- "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
- }
- },
- {
- "name": "workspace",
- "type": "Microsoft.Common.DropDown",
- "label": "Workspace",
- "placeholder": "Select a workspace",
- "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
- "constraints": {
- "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
- "required": true
- },
- "visible": true
- }
- ],
- "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for SINEC Security Guard. You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
- {
- "name": "analytics",
- "label": "Analytics",
- "subLabel": {
- "preValidation": "Configure the analytics",
- "postValidation": "Done"
- },
- "bladeTitle": "Analytics",
- "elements": [
- {
- "name": "analytics-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
- }
- },
- {
- "name": "analytics-link",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more",
- "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
- }
- }
- },
- {
- "name": "analytic1",
- "type": "Microsoft.Common.Section",
- "label": "SSG_Security_Incidents",
- "elements": [
- {
- "name": "analytic1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies."
- }
- }
- ]
- }
- ]
- }
- ],
- "outputs": {
- "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
- "location": "[location()]",
- "workspace": "[basics('workspace')]"
- }
- }
-}
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Sinec%20Security%20Guard/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for SINEC Security Guard. You can get SINEC Security Guard custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "SSG_Security_Incidents",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies."
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
diff --git a/Solutions/SINEC Security Guard/Package/mainTemplate.json b/Solutions/SINEC Security Guard/Package/mainTemplate.json
index 4377777a228..d701f103edc 100644
--- a/Solutions/SINEC Security Guard/Package/mainTemplate.json
+++ b/Solutions/SINEC Security Guard/Package/mainTemplate.json
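Review bot: The Release Notes link inside the basics `description` string changes its path segment from `Solutions/SINEC%20Security%20Guard/ReleaseNotes.md` to `Solutions/Sinec%20Security%20Guard/ReleaseNotes.md`, yet every file header in this patch keeps the solution under `Solutions/SINEC Security Guard/`; GitHub repository paths are case-sensitive, so the new link will only resolve if that directory is renamed, which this commit does not do. Unless a rename is planned, the original casing should be restored in that one URL: `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SINEC%20Security%20Guard/ReleaseNotes.md`. The markdown fix later in the same string, `[SINEC Security Guard](https://siemens.com/sinec-security-guard)`, is correct and now matches the `Description` in the Solution data file.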
@@ -1,519 +1,497 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "metadata": {
- "author": "Siemens AG",
- "comments": "Solution template for SINEC Security Guard"
- },
- "parameters": {
- "location": {
- "type": "string",
- "minLength": 1,
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
- }
- },
- "workspace-location": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
- }
- },
- "workspace": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
- }
- }
- },
- "variables": {
- "_solutionName": "SINEC Security Guard",
- "_solutionVersion": "3.0.0",
- "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg",
- "_solutionId": "[variables('solutionId')]",
- "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.0",
- "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]"
- },
- "uiConfigId1": "SSG",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "SSG",
- "_dataConnectorContentId1":
"[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "apiVersion": "2023-02-01-preview",
- "kind": "NRT",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network. By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.",
- "displayName": "SSG_Security_Incidents",
- "enabled": false,
- "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n",
- "severity": "HIGH",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "status": "Available",
- "requiredDataConnectors": [],
- "tactics": [
- "Impact"
- ],
- "techniques": [
- "T1486"
- ],
- "entityMappings": [
- {
- "fieldMappings": [
- {
- "columnName": "source_ip",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
- },
- {
- "fieldMappings": [
- {
- "columnName": "destination_ip",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
- }
- ],
- "eventGroupingSettings": {
- "aggregationKind": "AlertPerResult"
- },
- "customDetails": {
- "Source_IP": "source_ip"
- },
- "alertDetailsOverride": {
- "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} ",
- "alertDynamicProperties": [],
- "alertDisplayNameFormat": "{{signature_name}} "
- },
- "incidentConfiguration": {
- "groupingConfiguration": {
- "groupByCustomDetails": [
- "Source_IP"
- ],
- "groupByEntities": [
- "IP"
- ],
- "lookbackDuration": "5m",
- "matchingMethod": "AnyAlert",
- "reopenClosedIncident": false,
- "enabled": true
- },
- "createIncident": true
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
-
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
- "properties": {
- "description": "SINEC Security Guard Analytics Rule 1",
- "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "contentKind": "AnalyticsRule",
- "displayName": "SSG_Security_Incidents",
- "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
- "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "SINEC Security Guard data connector with template version 3.0.0",
-
"mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueriesTableName": "SINECSecurityGuard_CL",
- "logo": "SSG.svg",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
- ]
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "availability": {
- "isPreview": false,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope":
"Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "SINEC Security Guard",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- "properties": {
- "parentId":
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- }
- }
- },
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "title": "SINEC Security Guard",
- "publisher": "Siemens AG",
- "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
- "graphQueries": [
- {
- "metricName": "Total events received",
- "legend": "SINECSecurityGuard_CL",
- "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "dataTypes": [
- {
- "name": "SINECSecurityGuard_CL",
- "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
- {
- "description": "List of Attacks",
- "query":
"SINECSecurityGuard_CL\n | summarize count()"
- }
- ],
- "availability": {
- "isPreview": false,
- "status": 1
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
- "instructions": [
- {
- "parameters": {
- "title": "1. Please follow the steps to configure the data connector",
- "instructionSteps": [
- {
- "title": "Set up the SINEC Security Guard Sensor",
- "description": "Detailed step for setting up the sensor."
- },
- {
- "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
- "description": "Instructions on configuring the data connector."
- }
- ]
- },
- "type": "InstructionStepsGroup"
- }
- ]
- }
- ],
- "id": "[variables('_uiConfigId1')]"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
- "apiVersion": "2023-04-01-preview",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "version": "3.0.0",
- "kind": "Solution",
- "contentSchemaVersion": "3.0.0",
- "displayName": "SINEC Security Guard",
- "publisherDisplayName": "Siemens AG",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the (SINEC Security Guard)[https://siemens.com/sinec-security-guard] into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
- "contentKind": "Solution",
- "contentProductId": "[variables('_solutioncontentProductId')]",
- "id": "[variables('_solutioncontentProductId')]",
- "icon": "",
- "contentId": "[variables('_solutionId')]",
- "parentId": "[variables('_solutionId')]",
- "source": {
- "kind": "Solution",
- "name": "SINEC Security Guard",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Siemens AG"
- },
- "support": {
- "name": "Siemens AG",
- "email": "ssgsupport.cybersecurity@siemens.com",
- "tier": "Partner",
- "link": "https://siemens.com/sinec-security-guard"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- ]
- },
- "firstPublishDate": "2024-07-15",
- "providers": [
- "Siemens AG"
- ],
- "categories": {
- "domains": [
- "Security - Network"
- ],
- "verticals": [
- "Manufacturing"
- ]
- }
- },
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
- }
- ],
- "outputs": {}
-}
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Siemens AG",
+ "comments": "Solution template for SINEC Security Guard"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.
We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "SINEC Security Guard",
+ "_solutionVersion": "3.0.3",
+ "solutionId": "siemensplmsoftware.azure-sentinel-solution-ssg",
+ "_solutionId": "[variables('solutionId')]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "d41fa731-45a2-4b23-bb1d-29896fbc5298",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd41fa731-45a2-4b23-bb1d-29896fbc5298')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d41fa731-45a2-4b23-bb1d-29896fbc5298')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d41fa731-45a2-4b23-bb1d-29896fbc5298','-', '1.0.0')))]"
+ },
+ "uiConfigId1": "SSG",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "SSG",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1":
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SSG_Azure_Sentinel_analytic_rule_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "NRT",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The security analytic rule is designed to scrutinize network activity involving private IP addresses within an organization's internal network.
By filtering log entries to include only those where either the source or the destination IP is private, the rule focuses on internal communications that could indicate unauthorized access, internal threats, or other security anomalies.",
+ "displayName": "SSG_Security_Incidents",
+ "enabled": false,
+ "query": "SINECSecurityGuard_CL\n| where ipv4_is_private(source_ip) or ipv4_is_private(destination_ip)\n| project source_ip, destination_ip, signature_id, signature_name\n",
+ "severity": "HIGH",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "status": "Available",
+ "requiredDataConnectors": [],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1486"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "source_ip",
+ "identifier": "Address"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "columnName": "destination_ip",
+ "identifier": "Address"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "Source_IP": "source_ip"
+ },
+ "alertDetailsOverride": {
+ "alertDynamicProperties": [],
+ "alertDisplayNameFormat": "{{signature_name}} ",
+ "alertDescriptionFormat": "Alert {{signature_name}} generated from {{source_ip}} to {{destination_ip}} "
+ },
+ "incidentConfiguration": {
+ "groupingConfiguration": {
+ "enabled": true,
+ "reopenClosedIncident": false,
+ "matchingMethod": "AnyAlert",
+ "groupByEntities": [
+ "IP"
+ ],
+ "lookbackDuration": "5m",
+ "groupByCustomDetails": [
+ "Source_IP"
+ ]
+ },
+ "createIncident": true
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "properties": {
+ "description": "SINEC Security Guard Analytics Rule 1",
+ "parentId":
"[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "SSG_Security_Incidents",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SINEC Security Guard data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name":
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueriesTableName": "SINECSecurityGuard_CL",
+ "logo": "SSG.svg",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "SINECSecurityGuard_CL",
+ "baseQuery": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "List of Attacks",
+ "query": "SINECSecurityGuard_CL\n | summarize count()"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SINECSecurityGuard_CL",
+ "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "isPreview": false,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor
events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Please follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Set up the SINEC Security Guard Sensor",
+ "description": "Detailed step for setting up the sensor."
+ },
+ {
+ "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface",
+ "description": "Instructions on configuring the data connector."
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "SINEC Security Guard",
+ "contentProductId":
"[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "SINEC Security Guard",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Siemens AG"
+ },
+ "support": {
+ "name": "Siemens AG",
+ "email": "ssgsupport.cybersecurity@siemens.com",
+ "tier": "Partner",
+ "link": "https://siemens.com/sinec-security-guard"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "SINEC Security Guard",
+ "publisher": "Siemens AG",
+ "descriptionMarkdown": "The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend":
"SINECSecurityGuard_CL", + "baseQuery": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "dataTypes": [ + { + "name": "SINECSecurityGuard_CL", + "lastDataReceivedQuery": "SINECSecurityGuard_CL\n | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": "SINECSecurityGuard_CL\n | summarize lastLogGenerated = max(TimeGenerated) | project IsConnected = lastLogGenerated > ago(30d)" + } + ], + "sampleQueries": [ + { + "description": "List of Attacks", + "query": "SINECSecurityGuard_CL\n | summarize count()" + } + ], + "availability": { + "isPreview": false, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace.", + "instructions": [ + { + "parameters": { + "title": "1. Please follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Set up the SINEC Security Guard Sensor", + "description": "Detailed step for setting up the sensor." + }, + { + "title": "Create the Data Connector and configure it in the SINEC Security Guard web interface", + "description": "Instructions on configuring the data connector." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "SINEC Security Guard", + "publisherDisplayName": "Siemens AG", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel

\n

Data Connectors: 1, Analytic Rules: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "SINEC Security Guard", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Siemens AG" + }, + "support": { + "name": "Siemens AG", + "email": "ssgsupport.cybersecurity@siemens.com", + "tier": "Partner", + "link": "https://siemens.com/sinec-security-guard" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2024-07-15", + "providers": [ + "Siemens AG" + ], + "categories": { + "domains": [ + "Security - Network" + ], + "verticals": [ + "Manufacturing" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +}