diff --git a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml index d8f500846a8..d920baaefc4 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyAssetDown.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml index 9316392b866..a4bc4368c46 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -30,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml index bc7705b768f..33ba1bb2606 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 14d triggerOperator: gt 
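Review bot: The new `CefAma` entry under `requiredDataConnectors` in ClarotyAssetDown.yaml sits beside the retained `ClarotyAma` entry, and nothing says whether the rule needs both connectors or either one. This matters because the same commit retitles `ClarotyAma` as deprecated. A one-line YAML comment above the new entry would settle it, for example `# CefAma supersedes the deprecated ClarotyAma connector; either one supplies the data behind ClarotyEvent`. That wording needs confirming against the rule query and the ClarotyEvent parser, which are outside this hunk. The same applies to the identical hunks in the other analytic rules and in the hunting queries of this commit.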
@@ -43,5 +46,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: SrcIpAddr -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml index 69c4293a38d..096e773f9b2 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -34,5 +37,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml index e820f3bb253..0ffb499ffd0 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -36,5 +39,5 @@ entityMappings: fieldMappings: - identifier: DistinguishedName columnName: SGCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml index cfdcc288ee3..db6d372edaf 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml 
@@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml index d4b6636dfdc..0d572c165bd 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml index a5c9cab642f..f4c64bb1412 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml index ec54e0d2aca..6da2925c08b 100755 
--- a/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml index 983fcb6ec2f..c4eecaf4002 100755 --- a/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml +++ b/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -29,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json b/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json index 850433f432c..cfb37406b77 100644 --- a/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json +++ b/Solutions/Claroty/Data Connectors/template_ClarotyAMA.json 
@@ -1,6 +1,6 @@ { "id": "ClarotyAma", - "title": "[Recommended] Claroty via AMA", + "title": "[Deprecated] Claroty via AMA", "publisher": "Claroty", "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", diff --git a/Solutions/Claroty/Data/Solution_Claroty.json b/Solutions/Claroty/Data/Solution_Claroty.json index 5c4edc5b005..48057d71190 100644 --- a/Solutions/Claroty/Data/Solution_Claroty.json +++ b/Solutions/Claroty/Data/Solution_Claroty.json 
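Review bot: The title now reads `[Deprecated] Claroty via AMA`, but the `descriptionMarkdown` and `additionalRequirementBanner` lines visible in this hunk are unchanged and do not name a replacement. Someone opening this connector sees a deprecation label with no pointer to the CEF via AMA connector that the solution description in this commit recommends. Consider appending a sentence to `descriptionMarkdown` such as `This connector is deprecated; use the CEF via AMA connector from the Common Event Format solution instead.` The rest of the template is outside the hunk, so it may already carry such guidance further down.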
@@ -2,7 +2,7 @@ "Name": "Claroty", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by Aug 31, 2024.", "Workbooks": [ "Workbooks/ClarotyOverview.json" ], @@ -36,11 +36,13 @@ "Analytic Rules/ClarotySuspiciousActivity.yaml", "Analytic Rules/ClarotySuspiciousFileTransfer.yaml", "Analytic Rules/ClarotyTreat.yaml" - ], + "dependentDomainSolutionIds": [ + "azuresentinel.azure-sentinel-solution-commoneventformat" + ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty", - "Version": "3.0.1", + "Version": "3.0.2", "TemplateSpec": true, "Is1PConnector": false } diff --git a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml index 46d6a2c13a8..4e77850826a 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml index fabacda0da9..e4aa657600c 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml index f62556d4420..cc40bd5c9e8 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml 
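Review bot: The new `Description` drops the earlier caveat that running MMA and AMA on the same machine can cause log duplication and extra ingestion cost. It also replaces the specific statement about the legacy Log Analytics agent with `The existing connectors are about to be deprecated`, which no longer says which connectors are meant. Duplicate ingestion would presumably also inflate counts in threshold-style rules such as the failed-login ones, so the caveat is worth keeping for anyone migrating. I would keep the sentence carrying the `ama-migrate` link and name the connectors explicitly, e.g. `The Claroty via AMA and Claroty via Legacy Agent connectors are about to be deprecated by Aug 31, 2024.` The same wording is introduced in the `description` field of `createUiDefinition.json` in this commit.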
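Review bot: As shown in the `@@ -36,11 +36,13 @@` hunk, the `],` that closes the array ending in `"Analytic Rules/ClarotyTreat.yaml"` is removed, and the added lines start directly with `"dependentDomainSolutionIds": [`. Read literally, that puts the new key inside the still-open array, which is not valid JSON. The hunk header counts (11 old, 13 new) do not match the lines visible here, so a re-added `],` may simply be missing from this rendering. Either way, please confirm the new side reads `],` followed by `"dependentDomainSolutionIds": [` and that the file parses, since the packaging step depends on it.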
@@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml index 629cbfbdb07..a5d205d83ec 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml index 87f0c37005f..6d0f6815d75 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml index 7ff4129e235..6b38fca0703 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml index d57bc40237a..2fd4377e5e9 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml 
@@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml index 7264df96b45..86ec7e0652a 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml index 7c0d17659e4..456ff9b7138 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml index 8a3968bdecb..a0636b80323 100755 --- a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml +++ b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: ClarotyAma dataTypes: - ClarotyEvent + - connectorId: CefAma + dataTypes: + - CommonSecurityLog tactics: - InitialAccess relevantTechniques: diff --git a/Solutions/Claroty/Package/3.0.2.zip b/Solutions/Claroty/Package/3.0.2.zip new file mode 100644 index 00000000000..d4eee7cacd8 Binary files /dev/null and b/Solutions/Claroty/Package/3.0.2.zip differ 
diff --git a/Solutions/Claroty/Package/createUiDefinition.json b/Solutions/Claroty/Package/createUiDefinition.json index ee180bf4dbc..e680d7d0720 100644 --- a/Solutions/Claroty/Package/createUiDefinition.json +++ b/Solutions/Claroty/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of  [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Claroty. You can get Claroty CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ClarotyEvent Kusto Function alias." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." } }, { @@ -80,7 +80,6 @@ } } } - ] }, { @@ -96,7 +95,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The workbook installed with the Claroty help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { 
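Review bot: The rewritten `dataconnectors-parser-text` in the `@@ -60,14 +60,14 @@` hunk no longer mentions the `ClarotyEvent` Kusto function alias. That was the one concrete detail telling an analyst how to query the parsed data, and the analytic rules in this commit still list `ClarotyEvent` as their data type. The generic normalization paragraph can stay, but I would append the previous sentence, `The transformed logs can be accessed using the ClarotyEvent Kusto Function alias.` The new wording looks like tool-generated boilerplate, so the change may need to be made in whatever produces this file rather than by hand.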
@@ -324,7 +323,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for baseline deviation events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for baseline deviation events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -338,7 +337,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for conflicting assets. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for conflicting assets. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -352,7 +351,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for critical severity events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for critical severity events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -366,7 +365,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for PLC login security alerts. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] 
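Review bot: The new `huntingquery1-text` reads `depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)`, which runs the connector ids together and repeats `ClarotyEvent`. A user reading this in the install wizard cannot tell which connector or table the query actually needs. Something like `This hunting query depends on the ClarotyAma or CefAma data connector (ClarotyEvent parser, CommonSecurityLog table)` would read correctly, assuming either connector is sufficient. The same string is introduced in `huntingquery2-text` through `huntingquery10-text` in the following hunks. It appears to be concatenated from each query's `requiredDataConnectors` list, so the fix probably belongs in the generator.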
@@ -380,7 +379,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for login failure events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for login failure events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -394,7 +393,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for sources of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for sources of network scans. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -408,7 +407,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for targets of network scans. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for targets of network scans. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -422,7 +421,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for unapproved access events. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for unapproved access events. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] 
@@ -436,7 +435,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for alerts with unresolved status. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] @@ -450,7 +449,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty data connector (ClarotyEvent Parser or Table)" + "text": "Query searches for operations with Write and Execute accesses. This hunting query depends on Claroty ClarotyAma CefAma data connector (ClarotyEvent ClarotyEvent CommonSecurityLog Parser or Table)" } } ] diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json index b766e9683f6..e5ff003865c 100644 --- a/Solutions/Claroty/Package/mainTemplate.json +++ b/Solutions/Claroty/Package/mainTemplate.json 
@@ -38,12 +38,76 @@ } }, "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-claroty", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Claroty", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", + "solutionId": "azuresentinel.azure-sentinel-solution-claroty", + "_solutionId": "[variables('solutionId')]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "ClarotyWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','Claroty Data Parser')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ClarotyEvent-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "ClarotyEvent-Parser" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "6b24f3aa-01db-4d26-9d60-538dd9a56391", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6b24f3aa-01db-4d26-9d60-538dd9a56391')))]" + }, + 
"huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "8038c683-f4dc-481e-94c6-f906d880b0ec", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8038c683-f4dc-481e-94c6-f906d880b0ec')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "a81f3a44-049c-409d-8b98-b78aa256dacf", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a81f3a44-049c-409d-8b98-b78aa256dacf')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "15569b45-4c34-4693-bf99-841e76b5da65", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('15569b45-4c34-4693-bf99-841e76b5da65')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "917364b7-2925-4c5d-a27c-64137a3b75b5", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('917364b7-2925-4c5d-a27c-64137a3b75b5')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "6c43a50e-2e59-48d9-848b-825f50927bbf", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6c43a50e-2e59-48d9-848b-825f50927bbf')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.0", + "_huntingQuerycontentId7": "8e70ddf9-32c3-4acd-9cb9-59570344335e", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8e70ddf9-32c3-4acd-9cb9-59570344335e')))]" + }, + 
"huntingQueryObject8": { + "huntingQueryVersion8": "1.0.0", + "_huntingQuerycontentId8": "de0fca32-85f3-45df-872e-41e980e5d8d3", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('de0fca32-85f3-45df-872e-41e980e5d8d3')))]" + }, + "huntingQueryObject9": { + "huntingQueryVersion9": "1.0.0", + "_huntingQuerycontentId9": "fad6cb81-9a05-4acb-9c5b-a7c62af28034", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fad6cb81-9a05-4acb-9c5b-a7c62af28034')))]" + }, + "huntingQueryObject10": { + "huntingQueryVersion10": "1.0.0", + "_huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb", + "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3882ffbf-6228-4e1f-ab8f-8d79a26da0fb')))]" + }, "uiConfigId1": "Claroty", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "Claroty", 
@@ -62,297 +126,122 @@ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", "dataConnectorVersion2": "1.0.0", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", - "parserName1": "Claroty Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "ClarotyEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", - "workbookVersion1": "1.0.0", - "workbookContentId1": "ClarotyWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', 
uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "analyticRuleVersion1": "1.0.1", - "analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.1", - "analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.1", - "analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.1", - "analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.1", - "analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.1", - "analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5", - "_analyticRulecontentId6": 
"[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "analyticRuleVersion7": "1.0.1", - "analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]", - "analyticRuleVersion8": "1.0.1", - "analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]", - "analyticRuleVersion9": "1.0.1", - "analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]", - "analyticRuleVersion10": "1.0.1", - "analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "6b24f3aa-01db-4d26-9d60-538dd9a56391", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "8038c683-f4dc-481e-94c6-f906d880b0ec", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "a81f3a44-049c-409d-8b98-b78aa256dacf", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "15569b45-4c34-4693-bf99-841e76b5da65", - "_huntingQuerycontentId4": 
"[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "917364b7-2925-4c5d-a27c-64137a3b75b5", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", - "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", - "huntingQueryVersion6": "1.0.0", - "huntingQuerycontentId6": "6c43a50e-2e59-48d9-848b-825f50927bbf", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", - "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", - "huntingQueryVersion7": "1.0.0", - "huntingQuerycontentId7": "8e70ddf9-32c3-4acd-9cb9-59570344335e", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]", - "_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]", - "huntingQueryVersion8": "1.0.0", - "huntingQuerycontentId8": "de0fca32-85f3-45df-872e-41e980e5d8d3", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]", - "_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]", - "huntingQueryVersion9": "1.0.0", - "huntingQuerycontentId9": "fad6cb81-9a05-4acb-9c5b-a7c62af28034", - "_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]", - "huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]", - "huntingQueryTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]", - "_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]", - "huntingQueryVersion10": "1.0.0", - "huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb", - "_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]", - "huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]", - "_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.2", + "_analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fd6e3416-0421-4166-adb9-186e555a7008')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fd6e3416-0421-4166-adb9-186e555a7008')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fd6e3416-0421-4166-adb9-186e555a7008','-', '1.0.2')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.2", + "_analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a", + "analyticRuleId2": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9a8b4321-e2be-449b-8227-a78227441b2a')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9a8b4321-e2be-449b-8227-a78227441b2a')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9a8b4321-e2be-449b-8227-a78227441b2a','-', '1.0.2')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.2", + "_analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e7dbcbc3-b18f-4635-b27c-718195c369f1')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e7dbcbc3-b18f-4635-b27c-718195c369f1')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7dbcbc3-b18f-4635-b27c-718195c369f1','-', '1.0.2')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.2", + "_analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4b5bb3fc-c690-4f54-9a74-016213d699b4')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4b5bb3fc-c690-4f54-9a74-016213d699b4')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b5bb3fc-c690-4f54-9a74-016213d699b4','-', '1.0.2')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.2", + "_analyticRulecontentId5": 
"1c2310ef-19bf-4caf-b2b0-a4c983932fa5", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1c2310ef-19bf-4caf-b2b0-a4c983932fa5')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1c2310ef-19bf-4caf-b2b0-a4c983932fa5')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c2310ef-19bf-4caf-b2b0-a4c983932fa5','-', '1.0.2')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.2", + "_analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6c29b611-ce69-4016-bf99-eca639fee1f5')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6c29b611-ce69-4016-bf99-eca639fee1f5')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6c29b611-ce69-4016-bf99-eca639fee1f5','-', '1.0.2')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.2", + "_analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3b22ac47-e02c-4599-a37a-57f965de17be')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3b22ac47-e02c-4599-a37a-57f965de17be')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3b22ac47-e02c-4599-a37a-57f965de17be','-', '1.0.2')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.2", 
+ "_analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '99ad9f3c-304c-44c5-a61f-3a17f8b58218')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('99ad9f3c-304c-44c5-a61f-3a17f8b58218')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','99ad9f3c-304c-44c5-a61f-3a17f8b58218','-', '1.0.2')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.2", + "_analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5cf35bad-677f-4c23-8927-1611e7ff6f28')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5cf35bad-677f-4c23-8927-1611e7ff6f28')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5cf35bad-677f-4c23-8927-1611e7ff6f28','-', '1.0.2')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.2", + "_analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '731e5ac4-7fe1-4b06-9941-532f2e008bb3')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('731e5ac4-7fe1-4b06-9941-532f2e008bb3')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','731e5ac4-7fe1-4b06-9941-532f2e008bb3','-', '1.0.2')))]" + }, 
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Claroty data connector with template version 3.0.1", + "description": "ClarotyOverview Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Sets the time name for analysis" + }, "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Claroty via Legacy Agent", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat 
Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "ClarotyEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "title": "2. Configure Claroty to send logs using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ] - } + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **ClarotyEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-claroty-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(EventType)\\r\\n| summarize count() by EventType\\r\\n| join kind = inner (ClarotyEvent\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n| project-away EventType1, TimeGenerated\",\"size\":3,\"title\":\"Event 
types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize dcount(DstIpAddr)\",\"size\":3,\"title\":\"Total Devices\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| summarize dcount(AlertUrl)\",\"size\":3,\"title\":\"Total Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| where ResolvedAs =~ 'Unresolved'\\r\\n| project-rename AlertTime=EventEndTime\\r\\n| join (ClarotyEvent\\r\\n | where EventOriginalType =~ 'Alert'\\r\\n | where ResolvedAs =~ 'Resolved'\\r\\n | project-rename ResolvedTime=EventEndTime) on AlertUrl\\r\\n| where datetime_diff('day',ResolvedTime,AlertTime) > 0 or datetime_diff('hour',ResolvedTime,AlertTime) > 0 or datetime_diff('minute',ResolvedTime,AlertTime) > 0 or datetime_diff('second',ResolvedTime,AlertTime) > 0\\r\\n| summarize dcount(AlertUrl)\\r\\n\",\"size\":3,\"title\":\"Resolved Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize count() by DstIpAddr\\r\\n| top 10 by count_ \",\"size\":3,\"title\":\"Top 
Targets\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(CategoryAccess)\\r\\n| where CategoryAccess !in ('None', 'Read')\\r\\n| project Destination=DstIpAddr, Source=SrcIpAddr, CategoryAccess\\r\\n\",\"size\":3,\"title\":\"Write and Execute Operations\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, EventType, Target=DstIpAddr, Status=strcat(iff(ResolvedAs =~ 'Resolved', '✅ - Resolved', '❌ - Unresolved')), AlertUrl\",\"size\":0,\"title\":\"Latest Alerts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventType has 'Login'\\r\\n| extend User = extract(@\\\"User\\\\s(\\\\S+)\\\\s\\\", 1, tostring(EventMessage))\\r\\n| sort by TimeGenerated desc \\r\\n| project TimeGenerated, User\",\"size\":0,\"title\":\"Latest logins to 
SRA\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}}],\"fromTemplateId\":\"sentinel-ClarotyWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "description": "@{workbookKey=ClarotyWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Claroty; templateRelativePath=ClarotyOverview.json; subtitle=; provider=Claroty}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -367,6 +256,23 @@
 "email": "support@microsoft.com",
 "tier": "Microsoft",
 "link": "https://support.microsoft.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "Claroty",
+ "kind": "DataConnector"
+ },
+ {
+ "contentId": "ClarotyAma",
+ "kind": "DataConnector"
+ }
+ ]
 }
 }
 }
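Review bot: The added `dependencies` block joins its criteria with `"operator": "AND"` and names both `Claroty` and `ClarotyAma` as required data connectors, which looks inconsistent with the rest of this commit. The analytic rules changed here add `CefAma` to `requiredDataConnectors`, and the next hunk removes, at least at that position, the "[Deprecated] Claroty via Legacy Agent" connector resources. If `Claroty` is the content id of that legacy connector (its value is not visible in this hunk), the metadata would declare a dependency the package may no longer ship, and operators reading it would get the wrong picture of which connector feeds this content. It is worth confirming whether that criterion should be dropped or replaced, for example with `"contentId": "CefAma"`, so the declared dependencies match the rules. The enclosing metadata resource starts outside this hunk, so which content item it describes is inferred from the preceding lines.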
@@ -377,317 +283,369 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Claroty via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", "dependsOn": [ - "[variables('_dataConnectorId1')]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - 
"author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Claroty via Legacy Agent", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "ClarotyEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ + "description": "ClarotyEvent Data Parser with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "IsConnectedQuery", - "value": [ - "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": 
"[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ClarotyEvent", + "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , 
EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Claroty Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Claroty", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } } - ] - }, - "instructionSteps": [ + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Claroty Data Parser", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', 
'1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ClarotyEvent", + "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| 
extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', 
parameters('workspace'), 'Claroty Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
+ "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty - Baseline deviation", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for baseline deviation events." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" + } + ] + } }, { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "Claroty Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", - "title": "2. Configure Claroty to send logs using CEF" - }, + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Baseline deviation", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Claroty - Conflict assets", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'New Conflict Asset' or EventType has 'New Conflict Asset'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for conflicting assets." }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" + } + ] + } }, { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "Claroty Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
- } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Conflict assets", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Claroty data connector with template version 3.0.1", + "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_3", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Recommended] Claroty via AMA", - "publisher": "Claroty", - "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = 
max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false + "eTag": "*", + "displayName": "Claroty - Critical Events", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity == '5'\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for critical severity events." }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] + { + "name": "tactics", + "value": "InitialAccess" }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - - }, - { - "title": "Step B. Configure Claroty to send logs using CEF", - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. 
In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." - - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ] - } + { + "name": "techniques", + "value": "T1190" + } + ] } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", + "description": "Claroty Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -712,198 +670,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Recommended] Claroty via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Recommended] Claroty via AMA", - "publisher": "Claroty", - 
"descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Claroty", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Claroty)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - - }, - { - "title": "Step B. Configure Claroty to send logs using CEF", - "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." - - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
- } + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Critical Events", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyEvent Data Parser with template version 3.0.1", + "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "type": "Microsoft.OperationalInsights/savedSearches", "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "Claroty_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Claroty Data Parser", - "category": "Microsoft Sentinel Parser", - 
"functionAlias": "ClarotyEvent", - "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , 
DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", - "functionParameters": "", + "displayName": "Claroty - PLC logins", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where EventType has 'Login'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", "version": 2, "tags": [ { "name": "description", - "value": "" + "value": "Query searches for PLC login security alerts." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" } ] } 
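Review bot: The added "Claroty - PLC logins" saved search ends with `| project TimeGenerated, DstIpAddr`, so each result carries only the destination address and drops who logged in and from where. The ClarotyEvent parser text on the removed side of this hunk renames `SourceIP` to `SrcIpAddr` and `DestinationUserName` to `DstUserName`. Assuming the parser still produces those columns, `| project TimeGenerated, SrcIpAddr, DstIpAddr, DstUserName` would let a hunter triage a PLC login without re-querying. This file looks like a packaged template, so if it is generated the change belongs in the hunting-query source rather than here. The enclosing contentTemplates resource continues past the end of the hunk.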
@@ -911,18 +724,16 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserName1')]" - ], + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", + "description": "Claroty Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { - "name": "Claroty", "kind": "Solution", + "name": "Claroty", "sourceId": "[variables('_solutionId')]" }, "author": { 
@@ -944,108 +755,67 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", - "contentKind": "Parser", - "displayName": "Claroty Data Parser", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Claroty Data Parser", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ClarotyEvent", - "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| 
parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": 
"[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", - "dependsOn": [ - "[variables('_parserId1')]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", - "kind": "Parser", - "version": "[variables('parserVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - PLC logins", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyOverviewWorkbook 
Workbook with template version 3.0.1", + "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_5", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Sets the time name for analysis" - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **ClarotyEvent** to work as expected. 
[Follow steps to get this Kusto Function](https://aka.ms/sentinel-claroty-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(EventType)\\r\\n| summarize count() by EventType\\r\\n| join kind = inner (ClarotyEvent\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n| project-away EventType1, TimeGenerated\",\"size\":3,\"title\":\"Event 
types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize dcount(DstIpAddr)\",\"size\":3,\"title\":\"Total Devices\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| summarize dcount(AlertUrl)\",\"size\":3,\"title\":\"Total Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| where ResolvedAs =~ 'Unresolved'\\r\\n| project-rename AlertTime=EventEndTime\\r\\n| join (ClarotyEvent\\r\\n | where EventOriginalType =~ 'Alert'\\r\\n | where ResolvedAs =~ 'Resolved'\\r\\n | project-rename ResolvedTime=EventEndTime) on AlertUrl\\r\\n| where datetime_diff('day',ResolvedTime,AlertTime) > 0 or datetime_diff('hour',ResolvedTime,AlertTime) > 0 or datetime_diff('minute',ResolvedTime,AlertTime) > 0 or datetime_diff('second',ResolvedTime,AlertTime) > 0\\r\\n| summarize dcount(AlertUrl)\\r\\n\",\"size\":3,\"title\":\"Resolved Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize count() by DstIpAddr\\r\\n| top 10 by count_ \",\"size\":3,\"title\":\"Top 
Targets\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(CategoryAccess)\\r\\n| where CategoryAccess !in ('None', 'Read')\\r\\n| project Destination=DstIpAddr, Source=SrcIpAddr, CategoryAccess\\r\\n\",\"size\":3,\"title\":\"Write and Execute Operations\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, EventType, Target=DstIpAddr, Status=strcat(iff(ResolvedAs =~ 'Resolved', '✅ - Resolved', '❌ - Unresolved')), AlertUrl\",\"size\":0,\"title\":\"Latest Alerts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventType has 'Login'\\r\\n| extend User = extract(@\\\"User\\\\s(\\\\S+)\\\\s\\\", 1, tostring(EventMessage))\\r\\n| sort by TimeGenerated desc \\r\\n| project TimeGenerated, User\",\"size\":0,\"title\":\"Latest logins to 
SRA\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}}],\"fromTemplateId\":\"sentinel-ClarotyWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "properties": { + "eTag": "*", + "displayName": "Claroty - User failed logins", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername\n| extend AccountCustomEntity = SrcUsername\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Query searches for login failure events." 
+ }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1190" + } + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { - "description": "@{workbookKey=ClarotyWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Claroty; templateRelativePath=ClarotyOverview.json; subtitle=; provider=Claroty}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "description": "Claroty Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Claroty", @@ -1060,23 +830,6 @@ "email": "support@microsoft.com", "tier": "Microsoft", "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "CommonSecurityLog", - "kind": "DataType" - }, - { - "contentId": "Claroty", - "kind": "DataConnector" - }, - { - "contentId": "ClarotyAma", - "kind": "DataConnector" - } - ] } } } 
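Review bot: The `tactics` / `techniques` tags on the new "Claroty - User failed logins" saved search are `InitialAccess` / `T1190` (Exploit Public-Facing Application), which does not describe repeated login failures; `CredentialAccess` / `T1110` would let hunters find it when filtering by technique. The same pair is attached to "Claroty - Network scan sources" and "Claroty - Network scan targets" in the following hunks, where `Discovery` / `T1046` fits better, and to the unapproved-access and unresolved-alerts queries further down. That makes it read like a copied default rather than a per-query mapping. This template looks generated, so the change probably belongs in the hunting-query definitions it is built from.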
@@ -1087,78 +840,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - User failed logins", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": 
"[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { - "description": "Triggers asset is down.", - "displayName": "Claroty - Asset Down", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Asset Down' or EventType has 'Asset Down'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Network scan sources", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "name": "description", + "value": "Query searches for sources of network scans." }, { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1529" - ], - "entityMappings": [ + "name": "tactics", + "value": "InitialAccess" + }, { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" + "name": "techniques", + "value": "T1190" } ] } 
@@ -1166,13 +894,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "description": "Claroty Hunting Query 6", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1197,78 +925,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Asset Down", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Network scan sources", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": 
"[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects when critical deviation from baseline occurs.", - "displayName": "Claroty - Critical baseline deviation", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| where EventSeverity == '5'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Network scan targets", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "name": "description", + "value": "Query searches for targets of network scans." 
}, { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1529" - ], - "entityMappings": [ + "name": "tactics", + "value": "InitialAccess" + }, { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" + "name": "techniques", + "value": "T1190" } ] } @@ -1276,13 +979,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "description": "Claroty Hunting Query 7", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1307,79 +1010,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Critical baseline deviation", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Network scan targets", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + 
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects user login to uncommon location.", - "displayName": "Claroty - Login to uncommon location", - "enabled": false, - "query": "let usr_sites = ClarotyEvent\n| where TimeGenerated > ago(14d)\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| summarize all_loc = makeset(tostring(Site)) by SrcUsername\n| extend k = 1;\nClarotyEvent\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| extend k = 1\n| join kind=innerunique (usr_sites) on k\n| where all_loc !contains Site\n| extend SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Unapproved access", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity =~ 'Unapproved'\n| where isnotempty(CategoryAccess)\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "name": "description", + "value": "Query searches for 
unapproved access events." }, { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "tactics", + "value": "InitialAccess" + }, { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "SrcIpAddr" - } - ], - "entityType": "IP" + "name": "techniques", + "value": "T1190" } ] } @@ -1387,13 +1064,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "description": "Claroty Hunting Query 8", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "Claroty", 
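Review bot: `| where EventSeverity =~ 'Unapproved'` in the "Claroty - Unapproved access" query filters a severity column on what looks like an approval-state string. The parser in this same template renames `LogSeverity` to `EventSeverity`, and the baseline-deviation rule shown in this diff compares that column with `'5'`, so this filter may never match and the hunt would return nothing without any error. It is worth confirming against sample events which column carries the approval state and pointing the `where` at it. If `EventSeverity` can in fact hold that value, a sentence in the query's `description` tag saying so would spare the next reader the same question. The template looks generated, so the edit likely belongs in the source query file.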
@@ -1418,79 +1095,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Login to uncommon location", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Unapproved access", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('huntingQueryObject9').huntingQueryTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + 
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_9", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple failed logins by same user.", - "displayName": "Claroty - Multiple failed logins by user", - "enabled": false, - "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Unresolved alerts", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where ResolvedAs =~ 'Unresolved'\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "name": "description", + "value": "Query searches for alerts with unresolved status." 
}, { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "tactics", + "value": "InitialAccess" + }, { - "fieldMappings": [ - { - "identifier": "Name", - "columnName": "AccountCustomEntity" - } - ], - "entityType": "Account" + "name": "techniques", + "value": "T1190" } ] } @@ -1498,13 +1149,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "description": "Claroty Hunting Query 9", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject9')._huntingQuerycontentId9)]", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1529,79 +1180,53 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId4')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Multiple failed logins by user", - "contentProductId": "[variables('_analyticRulecontentProductId4')]", - "id": "[variables('_analyticRulecontentProductId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Unresolved alerts", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName5')]", + "name": "[variables('huntingQueryObject10').huntingQueryTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Claroty_Hunting_Query_10", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects multiple failed logins to same destinations.", - "displayName": "Claroty - Multiple failed logins to same destinations", - "enabled": false, - "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ + "eTag": "*", + "displayName": "Claroty - Write and Execute operations", + "category": "Hunting Queries", + "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(CategoryAccess)\n| where CategoryAccess != 'Read'\n| extend IPCustomEntity = DstIpAddr\n", + "version": 2, + "tags": [ { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "name": "description", + "value": "Query searches for operations with Write and Execute accesses." 
}, { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ + "name": "tactics", + "value": "InitialAccess" + }, { - "fieldMappings": [ - { - "identifier": "DistinguishedName", - "columnName": "SGCustomEntity" - } - ], - "entityType": "SecurityGroup" + "name": "techniques", + "value": "T1190" } ] } @@ -1609,13 +1234,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "description": "Claroty Hunting Query 10", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject10')._huntingQuerycontentId10)]", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]", "source": { "kind": "Solution", "name": "Claroty", 
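Review bot: The added `Claroty - Write and Execute operations` query filters with the case-sensitive `CategoryAccess != 'Read'`, while the other hunting queries added in this diff compare with `=~`. A row whose value is cased differently (for example `read`) would be returned as a write/execute hit; whether the parser normalises the casing is not visible here. I would use `| where CategoryAccess !~ 'Read'`. The query also returns every value other than `Read`, not only Write and Execute, so the `description` tag should either say that or the filter should name the wanted values explicitly.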
@@ -1640,93 +1265,166 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId5')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Multiple failed logins to same destinations", - "contentProductId": "[variables('_analyticRulecontentProductId5')]", - "id": "[variables('_analyticRulecontentProductId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "contentKind": "HuntingQuery", + "displayName": "Claroty - Write and Execute operations", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", + "version": "1.0.0" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "Claroty data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": 
"[variables('dataConnectorVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "description": "Triggers when a new asset has been added into the environment.", - "displayName": "Claroty - New Asset", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'New Asset' or EventType has 'New Asset'\n| extend IPCustomEntity = SrcIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "[Deprecated] Claroty via Legacy Agent", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": 
"ClarotyEvent" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false }, - { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ - { - "fieldMappings": [ + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, { - "identifier": "Address", - "columnName": "IPCustomEntity" + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } - ], - "entityType": "IP" - } - ] + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
+ }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "title": "2. 
Configure Claroty to send logs using CEF" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. 
Secure your machine " + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", "source": { "kind": "Solution", "name": "Claroty", 
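Review bot: Step 1.2's `CopyableLabel` command runs an unpinned, unverified script as root: it fetches `cef_installer.py` from the moving `master` branch and executes it with `sudo`, and `fillWith` places the workspace `PrimaryKey` on the command line, where it can end up in shell history and process listings. The step 3 command fetches `cef_troubleshoot.py` the same way. I would pin both URLs to a reviewed ref, e.g. `https://raw.githubusercontent.com/Azure/Azure-Sentinel/<pinned-commit>/DataConnectors/CEF/cef_installer.py` (placeholder ref), and add to the step description `> 3. Review the downloaded script before running it and remove the command, which contains the workspace key, from shell history afterwards.` Two text defects sit in the same hunk: `python -version` is not a valid option (use `python --version`), and `permissionsDisplayText` says "read and write permissions are required." while `requiredPermissions` also sets `"delete": true`. The same strings are repeated in the hunk that follows, so the fix likely belongs in the connector definition both copies come from.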
@@ -1751,92 +1449,315 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId6')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - New Asset", - "contentProductId": "[variables('_analyticRulecontentProductId6')]", - "id": "[variables('_analyticRulecontentProductId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] Claroty via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Deprecated] Claroty via Legacy Agent", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "ClarotyEvent" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. 
Linux Syslog agent configuration" + }, + { + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.", + "title": "2. Configure Claroty to send logs using CEF" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
+ } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('dataConnectorTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "Claroty data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('dataConnectorVersion2')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "description": "Detects policy violations.", - "displayName": "Claroty - Policy violation", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - 
"requiredDataConnectors": [ - { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Deprecated] Claroty via AMA", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false }, - { - "dataTypes": [ - 
"ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "Discovery" - ], - "techniques": [ - "T1018" - ], - "entityMappings": [ - { - "fieldMappings": [ + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, { - "identifier": "Address", - "columnName": "IPCustomEntity" + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } ], - "entityType": "IP" - } - ] + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. 
Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, + { + "title": "Step B. Configure Claroty to send logs using CEF", + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ] + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "description": "Claroty Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -1861,151 +1782,190 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId7')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Policy violation", - "contentProductId": "[variables('_analyticRulecontentProductId7')]", - "id": "[variables('_analyticRulecontentProductId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] Claroty via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + "[variables('_dataConnectorId2')]" ], + "location": "[parameters('workspace-location')]", "properties": { - "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", - "parameters": {}, - "variables": {}, - "resources": [ + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Claroty", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Deprecated] Claroty via AMA", + "publisher": "Claroty", + "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.", + "graphQueries": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects suspicious behavior that is generally indicative of malware.", - "displayName": "Claroty - Suspicious activity", - "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "queryFrequency": "PT1H", - 
"queryPeriod": "PT1H", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "Claroty" - }, - { - "dataTypes": [ - "ClarotyEvent" - ], - "connectorId": "ClarotyAma" - } - ], - "tactics": [ - "Discovery" - ], - "techniques": [ - "T1018" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "IPCustomEntity" - } - ], - "entityType": "IP" - } - ] + "metricName": "Total data received", + "legend": "Claroty", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Claroty)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Top 10 Destinations", + "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + 
"requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } } - }, + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", - "properties": { - "description": "Claroty Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "description": ">**NOTE:** This data connector 
depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + }, + { + "title": "Step B. Configure Claroty to send logs using CEF", + "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**." + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" } - } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId8')]", - "contentKind": "AnalyticsRule", - "displayName": "Claroty - Suspicious activity", - "contentProductId": "[variables('_analyticRulecontentProductId8')]", - "id": "[variables('_analyticRulecontentProductId8')]", - "version": "[variables('analyticRuleVersion8')]" + ], + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution." 
+ } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects suspicious file transfer activity.", - "displayName": "Claroty - Suspicious file transfer", + "description": "Triggers asset is down.", + "displayName": "Claroty - Asset Down", "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "query": "ClarotyEvent\n| where EventOriginalType has 'Asset Down' or EventType has 'Asset Down'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", "queryFrequency": "PT1H", 
"queryPeriod": "PT1H", "severity": "High", @@ -2016,33 +1976,39 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] }, { + "connectorId": "ClarotyAma", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "ClarotyAma" + ] + }, + { + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] } ], "tactics": [ - "Discovery" + "Impact" ], "techniques": [ - "T1018" + "T1529" ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -2050,13 +2016,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { - "description": "Claroty Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "description": "Claroty Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2081,41 +2047,41 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId9')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", - "displayName": "Claroty - Suspicious file transfer", - "contentProductId": "[variables('_analyticRulecontentProductId9')]", - "id": "[variables('_analyticRulecontentProductId9')]", - "version": "[variables('analyticRuleVersion9')]" + "displayName": "Claroty - Asset Down", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName10')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId10')]", - "apiVersion": 
"2022-04-01-preview", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detects Collection of known malware commands and control servers.", - "displayName": "Claroty - Treat detected", + "description": "Detects when critical deviation from baseline occurs.", + "displayName": "Claroty - Critical baseline deviation", "enabled": false, - "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "query": "ClarotyEvent\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| where EventSeverity == '5'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "High", @@ -2126,33 +2092,39 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Claroty", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "Claroty" + ] }, { + "connectorId": "ClarotyAma", "dataTypes": [ "ClarotyEvent" - ], - "connectorId": "ClarotyAma" + ] + }, + { + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] } ], "tactics": [ - "Discovery" + "Impact" ], "techniques": [ - "T1018" + "T1529" ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -2160,13 +2132,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { - "description": "Claroty Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "description": "Claroty Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2191,223 +2163,85 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId10')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", - "displayName": "Claroty - Treat detected", - "contentProductId": "[variables('_analyticRulecontentProductId10')]", - "id": "[variables('_analyticRulecontentProductId10')]", - "version": "[variables('analyticRuleVersion10')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Claroty - Baseline deviation", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for baseline deviation events." 
- }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1190" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", - "properties": { - "description": "Claroty Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId1')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Baseline deviation", - "contentProductId": "[variables('_huntingQuerycontentProductId1')]", - "id": "[variables('_huntingQuerycontentProductId1')]", - "version": "[variables('huntingQueryVersion1')]" + "displayName": "Claroty - Critical baseline deviation", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName2')]", + 
"name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_2", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Conflict assets", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'New Conflict Asset' or EventType has 'New Conflict Asset'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for conflicting assets." 
- }, + "description": "Detects user login to uncommon location.", + "displayName": "Claroty - Login to uncommon location", + "enabled": false, + "query": "let usr_sites = ClarotyEvent\n| where TimeGenerated > ago(14d)\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| summarize all_loc = makeset(tostring(Site)) by SrcUsername\n| extend k = 1;\nClarotyEvent\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| extend k = 1\n| join kind=innerunique (usr_sites) on k\n| where all_loc !contains Site\n| extend SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", - "properties": { - "description": "Claroty Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", - "source": { - "kind": "Solution", - "name": "Claroty", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft 
Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId2')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Conflict assets", - "contentProductId": "[variables('_huntingQuerycontentProductId2')]", - "id": "[variables('_huntingQuerycontentProductId2')]", - "version": "[variables('huntingQueryVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Claroty - Critical Events", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity == '5'\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "Query searches for critical severity events." 
+ "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" - }, + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ { - "name": "techniques", - "value": "T1190" + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "SrcIpAddr", + "identifier": "Address" + } + ] } ] } @@ -2415,13 +2249,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { - "description": "Claroty Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "description": "Claroty Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2446,53 +2280,85 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId3')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Critical Events", - "contentProductId": "[variables('_huntingQuerycontentProductId3')]", - "id": "[variables('_huntingQuerycontentProductId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Login to uncommon location", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Claroty_Hunting_Query_4", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - PLC logins", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where EventType has 'Login'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects multiple failed logins by same user.", + "displayName": "Claroty - Multiple failed logins by user", + "enabled": false, + "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for PLC login security alerts." + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountCustomEntity", + "identifier": "Name" + } + ] } ] } 
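Review bot: In the new `Claroty - Multiple failed logins by user` query, a failure event whose `EventMessage` does not match `User\s(.*?)\sfailed` yields an empty `SrcUsername`, and all such events are then counted in one bucket and mapped to an Account entity with an empty name. Adding `| where isnotempty(SrcUsername)` right after the `extract` line keeps unparsed messages from raising a nameless High-severity alert. The rule is also tagged `InitialAccess` with `T1190`/`T1133`, while a burst of failed logins is more usually tracked as `CredentialAccess` / `T1110`; the same tagging appears in the `Multiple failed logins to same destinations` hunk. This template looks generated, so both changes presumably belong in the rule's YAML source.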
@@ -2500,13 +2366,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "description": "Claroty Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "description": "Claroty Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2531,53 +2397,85 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId4')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - PLC logins", - "contentProductId": "[variables('_huntingQuerycontentProductId4')]", - "id": "[variables('_huntingQuerycontentProductId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Multiple failed logins by user", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName5')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Claroty_Hunting_Query_5", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - User failed logins", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername\n| extend AccountCustomEntity = SrcUsername\n", - "version": 2, - "tags": [ + "description": "Detects multiple failed logins to same destinations.", + "displayName": "Claroty - Multiple failed logins to same destinations", + "enabled": false, + "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for login failure events." 
+ "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "SecurityGroup", + "fieldMappings": [ + { + "columnName": "SGCustomEntity", + "identifier": "DistinguishedName" + } + ] } ] } @@ -2585,13 +2483,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "description": "Claroty Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "description": "Claroty Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Claroty", 
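Review bot: The entity mapping in `Claroty - Multiple failed logins to same destinations` puts the site name into a `SecurityGroup` entity's `DistinguishedName`, so incidents will show a security group that does not correspond to any directory object, and entity correlation on it will mislead. Unless a better-fitting entity type exists, surfacing `Site` through `customDetails` is safer than this mapping. The query also extracts `SrcUsername` and then discards it in `summarize count() by Site, bin(TimeGenerated, 5m)`; `summarize count(), Users = make_set(SrcUsername) by Site, bin(TimeGenerated, 5m)` would show whether one account or many are failing against the site. The template appears to be generated, so the change presumably goes in the rule's YAML source.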
@@ -2616,53 +2514,85 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId5')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - User failed logins", - "contentProductId": "[variables('_huntingQuerycontentProductId5')]", - "id": "[variables('_huntingQuerycontentProductId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Multiple failed logins to same destinations", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName6')]", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Claroty_Hunting_Query_6", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Network scan sources", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n", - "version": 2, - "tags": [ + "description": "Triggers when a new asset has been added into the environment.", + "displayName": "Claroty - New Asset", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'New Asset' or EventType has 'New Asset'\n| extend IPCustomEntity = SrcIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for sources of network scans." + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] } ] } 
@@ -2670,13 +2600,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "description": "Claroty Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "description": "Claroty Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2701,53 +2631,84 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Network scan sources", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - New Asset", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName7')]", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Claroty_Hunting_Query_7", 
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Network scan targets", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects policy violations.", + "displayName": "Claroty - Policy violation", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for targets of network scans." + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1018" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] } ] } 
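Review bot: `| project TimeGenerated, DstIpAddr` in the `Claroty - Policy violation` query strips every other column before the alert is raised, so the incident carries only a timestamp and a destination address and the analyst has to re-query to learn the source host and what was violated. Keeping the context, e.g. `| project TimeGenerated, SrcIpAddr, DstIpAddr, EventType, EventMessage`, avoids that; the same projection is in the `Suspicious activity` and `Suspicious file transfer` hunks further down. All three rules are tagged `Discovery` / `T1018`, which does not obviously fit a policy violation, malware-like behaviour or a file transfer and is worth confirming. The template appears to be generated, so the fix presumably belongs in the YAML rule definitions.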
@@ -2755,13 +2716,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { - "description": "Claroty Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "description": "Claroty Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2786,53 +2747,84 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId7')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Network scan targets", - "contentProductId": "[variables('_huntingQuerycontentProductId7')]", - "id": "[variables('_huntingQuerycontentProductId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Policy violation", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName8')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Claroty_Hunting_Query_8", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Unapproved access", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity =~ 'Unapproved'\n| where isnotempty(CategoryAccess)\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects suspicious behavior that is generally indicative of malware.", + "displayName": "Claroty - Suspicious activity", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for unapproved access events." + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1018" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] } ] } 
@@ -2840,13 +2832,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "description": "Claroty Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "description": "Claroty Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2871,53 +2863,84 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId8')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Unapproved access", - "contentProductId": "[variables('_huntingQuerycontentProductId8')]", - "id": "[variables('_huntingQuerycontentProductId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Suspicious activity", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName9')]", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Claroty_Hunting_Query_9", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Unresolved alerts", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where ResolvedAs =~ 'Unresolved'\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects suspicious file transfer activity.", + "displayName": "Claroty - Suspicious file transfer", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for alerts with unresolved status." + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1018" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] } ] } 
@@ -2925,13 +2948,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { - "description": "Claroty Hunting Query 9", - "parentId": "[variables('huntingQueryId9')]", - "contentId": "[variables('_huntingQuerycontentId9')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion9')]", + "description": "Claroty Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Claroty", 
@@ -2956,53 +2979,84 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId9')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Unresolved alerts", - "contentProductId": "[variables('_huntingQuerycontentProductId9')]", - "id": "[variables('_huntingQuerycontentProductId9')]", - "version": "[variables('huntingQueryVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Suspicious file transfer", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryTemplateSpecName10')]", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": 
"Claroty_Hunting_Query_10", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "eTag": "*", - "displayName": "Claroty - Write and Execute operations", - "category": "Hunting Queries", - "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(CategoryAccess)\n| where CategoryAccess != 'Read'\n| extend IPCustomEntity = DstIpAddr\n", - "version": 2, - "tags": [ + "description": "Detects Collection of known malware commands and control servers.", + "displayName": "Claroty - Treat detected", + "enabled": false, + "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ { - "name": "description", - "value": "Query searches for operations with Write and Execute accesses." + "connectorId": "Claroty", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "tactics", - "value": "InitialAccess" + "connectorId": "ClarotyAma", + "dataTypes": [ + "ClarotyEvent" + ] }, { - "name": "techniques", - "value": "T1190" + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1018" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPCustomEntity", + "identifier": "Address" + } + ] } ] } 
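Review bot: The query on the "Claroty - Treat detected" rule filters with `EventOriginalType has 'Treat' or EventType has 'Treat'`, and 'Treat' is not a substring of 'Threat', so if the parser emits the event type as 'Threat' this High-severity rule never returns a row. The display name and the description ("Detects Collection of known malware commands and control servers.") do not settle which spelling is meant; checking the distinct `EventOriginalType` values in real `ClarotyEvent` data would. If the value is 'Threat', the filter becomes `| where EventOriginalType has 'Threat' or EventType has 'Threat'`, and the description could read `Detects communication with known malware command and control servers.` If this template is generated from the rule's YAML, the change belongs there.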
@@ -3010,13 +3064,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { - "description": "Claroty Hunting Query 10", - "parentId": "[variables('huntingQueryId10')]", - "contentId": "[variables('_huntingQuerycontentId10')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion10')]", + "description": "Claroty Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Claroty", @@ -3041,12 +3095,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId10')]", - "contentKind": "HuntingQuery", - "displayName": "Claroty - Write and Execute operations", - "contentProductId": "[variables('_huntingQuerycontentProductId10')]", - "id": "[variables('_huntingQuerycontentProductId10')]", - "version": "[variables('huntingQueryVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Claroty - Treat detected", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { 
@@ -3054,12 +3108,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Claroty", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n
    \n
  1. Claroty via AMA - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Claroty via Legacy Agent - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Claroty solution for Microsoft Sentinel enables ingestion of  Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", 
@@ -3082,127 +3136,130 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" }, { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" }, { - "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": 
"[variables('analyticRuleVersion3')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", + "version": "[variables('huntingQueryObject9').huntingQueryVersion9]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", + "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "kind": "DataConnector", + "contentId": 
"[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "kind": "AnalyticsRule", + "contentId": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat" } ] }, diff --git a/Solutions/Claroty/Package/testParameters.json b/Solutions/Claroty/Package/testParameters.json new file mode 100644 index 00000000000..c39c501b091 --- /dev/null +++ b/Solutions/Claroty/Package/testParameters.json 
@@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Claroty", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/Claroty/ReleaseNotes.md b/Solutions/Claroty/ReleaseNotes.md index 6c976c5c573..13166bae4d9 100644 --- a/Solutions/Claroty/ReleaseNotes.md +++ b/Solutions/Claroty/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|------------------------------------------------| +| 3.0.2 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 11-09-2023 | Addition of new Claroty AMA **Data Connector** | | 3.0.0 | 27-07-2023 | Corrected the links in the solution. | diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml index 2b16f38b9de..9dc6caffe95 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml 
@@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: CrowdStrikeFalconEndpointProtectionAma dataTypes: - CommonSecurityLog + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -52,5 +55,5 @@ entityMappings: columnName: FileHashAlgo - identifier: Value columnName: FileHashCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml index a75c88e6fd2..6a9d25bea3c 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml @@ -11,6 +11,9 @@ requiredDataConnectors: - connectorId: CrowdStrikeFalconEndpointProtectionAma dataTypes: - CommonSecurityLog + - connectorId: CefAma + dataTypes: + - CommonSecurityLog queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -44,5 +47,5 @@ entityMappings: columnName: FileHashAlgo - identifier: Value columnName: FileHashCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json index 0d11504b0c5..022416621a6 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json 
@@ -1,6 +1,6 @@
 {
 "id": "CrowdStrikeFalconEndpointProtectionAma",
- "title": "[Recommended] CrowdStrike Falcon Endpoint Protection via AMA",
+ "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA",
 "publisher": "CrowdStrike",
 "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.",
 "additionalRequirementBanner":"These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
index 95b8a2fbace..b5094eeb4e3 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
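Review bot: The title of the CrowdStrikeFalconEndpointProtectionAma connector changes to `[Deprecated]`, but the `descriptionMarkdown` two lines below is left as it was and names neither a reason nor a replacement. An operator who reaches this connector page directly has no pointer to where collection should move, which is how a log source quietly stops being ingested after a deprecation date. The solution description in this commit already names the replacement, so one sentence appended to `descriptionMarkdown` would close the gap, for example `This connector is deprecated; collect these logs with the CEF via AMA connector from the Common Event Format solution.` The connector object continues past the end of the hunk.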
@@ -2,7 +2,7 @@ "Name": "CrowdStrike Falcon Endpoint Protection", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\r\n1. **CrowdStrike Falcon Endpoint Protection via AMA** - This data connector helps in ingesting CrowdStrike Falcon Endpoint Protection logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CrowdStrike Falcon Endpoint Protection via Legacy Agent** - This data connector helps in ingesting CrowdStrike Falcon Endpoint Protection logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CrowdStrike Falcon Endpoint Protection via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. 
\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", "Data Connectors": [ "Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json", "Data Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json", @@ -27,8 +27,11 @@ "Playbooks/CrowdStrike_Enrichment_GetDeviceInformation/azuredeploy.json", "Playbooks/CrowdStrike_ContainHost/azuredeploy.json" ], + "dependentDomainSolutionIds": [ + "azuresentinel.azure-sentinel-solution-commoneventformat" + ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection", - "Version": "4.0.0", + "Version": "3.0.8", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.8.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.8.zip new file mode 100644 index 00000000000..85dd6e8fb51 Binary files /dev/null and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.8.zip differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json index 4a853c6ae60..6b8a7c9ff7b 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json 
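Review bot: `"Version"` moves backwards in the second hunk of Solution_CrowdStrike.json, from `4.0.0` to `3.0.8`. The package added in this commit is `3.0.8.zip` and `_solutionVersion` in mainTemplate.json goes from `3.0.7` to `3.0.8`, so `4.0.0` was probably a stale value, but that should be confirmed: if a 4.0.0 package ever reached a workspace, a lower version would presumably not be offered as an update and those workspaces would keep the rules without the `CefAma` connector entry. A line in the CrowdStrike ReleaseNotes.md recording the 3.0.8 change would also help; this part of the diff shows one for Claroty but none for CrowdStrike.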
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\r\n1. **CrowdStrike Falcon Endpoint Protection via AMA** - This data connector helps in ingesting CrowdStrike Falcon Endpoint Protection logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **CrowdStrike Falcon Endpoint Protection via Legacy Agent** - This data connector helps in ingesting CrowdStrike Falcon Endpoint Protection logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of CrowdStrike Falcon Endpoint Protection via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 5, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 5, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json index 13b2065808b..6dbaba8a153 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "CrowdStrike Falcon Endpoint Protection", - "_solutionVersion": "3.0.7", + "_solutionVersion": "3.0.8", "solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "CrowdstrikeReplicator", 
@@ -118,18 +118,18 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "4465ebde-b381-45f7-ad08-7d818070a11c", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4465ebde-b381-45f7-ad08-7d818070a11c')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4465ebde-b381-45f7-ad08-7d818070a11c')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4465ebde-b381-45f7-ad08-7d818070a11c','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4465ebde-b381-45f7-ad08-7d818070a11c','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", + "analyticRuleVersion2": "1.0.3", "_analyticRulecontentId2": "f7d298b2-726c-42a5-bbac-0d7f9950f527", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f7d298b2-726c-42a5-bbac-0d7f9950f527')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f7d298b2-726c-42a5-bbac-0d7f9950f527')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7d298b2-726c-42a5-bbac-0d7f9950f527','-', '1.0.2')))]" + 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7d298b2-726c-42a5-bbac-0d7f9950f527','-', '1.0.3')))]" }, "CrowdStrike_Base": "CrowdStrike_Base", "_CrowdStrike_Base": "[variables('CrowdStrike_Base')]", @@ -169,7 +169,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.7", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -520,7 +520,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.7", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -869,7 +869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.7", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion3')]", @@ -1253,7 +1253,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.7", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion4')]", @@ -1269,7 +1269,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId4')]", - "title": "[Recommended] CrowdStrike Falcon Endpoint Protection via AMA", + "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", "publisher": "CrowdStrike", "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", 
@@ -1418,7 +1418,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId4')]", "contentKind": "DataConnector", - "displayName": "[Recommended] CrowdStrike Falcon Endpoint Protection via AMA", + "displayName": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", "contentProductId": "[variables('_dataConnectorcontentProductId4')]", "id": "[variables('_dataConnectorcontentProductId4')]", "version": "[variables('dataConnectorVersion4')]" @@ -1462,7 +1462,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "[Recommended] CrowdStrike Falcon Endpoint Protection via AMA", + "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", "publisher": "CrowdStrike", "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", "graphQueries": [ @@ -1586,7 +1586,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.7", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion5')]", 
@@ -1917,7 +1917,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.0.7", + "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -2049,7 +2049,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdstrikeReplicator Data Parser with template version 3.0.7", + "description": "CrowdstrikeReplicator Data Parser with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -2181,7 +2181,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.0.7", + "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -2313,7 +2313,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.0.7", + "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2401,7 +2401,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -2439,6 +2439,12 @@ "dataTypes": [ "CommonSecurityLog" ] + }, + { + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] } ], "entityMappings": [ @@ -2536,7 +2542,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.0.7", + "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -2574,6 +2580,12 @@ "dataTypes": [ "CommonSecurityLog" ] + }, + { + "connectorId": "CefAma", + "dataTypes": [ + "CommonSecurityLog" + ] } ], "entityMappings": [ @@ -2671,7 +2683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike_Base Playbook with template version 3.0.7", + "description": "CrowdStrike_Base Playbook with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -3048,7 +3060,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.0.7", + "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -4503,7 +4515,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Crowdstrike-ContainHost Playbook with template version 3.0.7", + "description": "Crowdstrike-ContainHost Playbook with template version 3.0.8", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -5618,12 +5630,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.7", + "version": "3.0.8", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CrowdStrike Falcon Endpoint Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n
    \n
  1. CrowdStrike Falcon Endpoint Protection via AMA - This data connector helps in ingesting CrowdStrike Falcon Endpoint Protection logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. CrowdStrike Falcon Endpoint Protection via Legacy Agent - This data connector helps in ingesting CrowdStrike Falcon Endpoint Protection logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of CrowdStrike Falcon Endpoint Protection via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 5, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 5, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -5646,7 +5658,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "DataConnector", @@ -5717,6 +5728,10 @@ "kind": "Playbook", "contentId": "[variables('_CrowdStrike_ContainHost')]", "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat" } ] }, diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md index ea9a0c5e7ff..52f0b05f19c 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| +| 3.0.8 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.7 | 20-06-2024 | Shortlinks updated for **Data Connector** CrowdStrike Falcon Indicators of Compromise | | 3.0.6 | 06-06-2024 | Renamed **Data Connector** *CrowdStrike Falcon Indicators of Compromise* to *CrowdStrike Falcon Adversary Intelligence* | | 3.0.5 | 30-05-2024 | Added new Function App **Data Connector** CrowdStrike Falcon Indicators of Compromise | diff --git a/Solutions/FireEye Network Security/Data Connectors/template_FireEyeNX_CEFAMA.json b/Solutions/FireEye Network Security/Data Connectors/template_FireEyeNX_CEFAMA.json index 3ae7af8b1e0..bee522e69ef 100644 --- a/Solutions/FireEye Network Security/Data Connectors/template_FireEyeNX_CEFAMA.json +++ b/Solutions/FireEye Network Security/Data Connectors/template_FireEyeNX_CEFAMA.json 
@@ -1,6 +1,6 @@ { "id": "FireEyeNXAma", - "title": "[Recommended] FireEye Network Security (NX) via AMA", + "title": "[Deprecated] FireEye Network Security (NX) via AMA", "publisher": "FireEye", "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.", diff --git a/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json b/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json index feaac297f04..34c5dd62212 100644 --- a/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json +++ b/Solutions/FireEye Network Security/Data/Solution_FireEye Network Security.json 
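Review bot: The connector is now titled `[Deprecated] FireEye Network Security (NX) via AMA`, but `descriptionMarkdown` and `additionalRequirementBanner` on the following lines still present it as the way to ingest these logs and give no pointer to a replacement, so an operator who sees the label cannot tell whether collection will stop or what to install instead. Consider adding a sentence to `descriptionMarkdown` such as `This connector is deprecated; collect these logs with the Common Event Format (CEF) via AMA connector from the Common Event Format solution.`, which matches what the solution description in this commit says. The same title string appears in the Package/mainTemplate.json hunks for this solution, which look like packaged copies of this file and should pick the wording up when rebuilt. The connector object continues past the end of this hunk, so its instruction steps are not visible here.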
@@ -2,7 +2,7 @@ "Name": "FireEye Network Security", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\r\n1. **FireEye Network Security via AMA** - This data connector helps in ingesting FireEye Network Security logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **FireEye Network Security via Legacy Agent** - This data connector helps in ingesting FireEye Network Security logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of FireEye Network Security via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Description": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", "Data Connectors": [ "Data Connectors/Connector_FireEyeNX_CEF.json", "Data Connectors/template_FireEyeNX_CEFAMA.json" 
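Review bot: The new `Description` drops the warning that running MMA and AMA on the same machine can cause log duplication and extra ingestion cost, and its replacement sentence `The existing connectors are about to be deprecated` does not say which connectors are meant, although the `Data Connectors` list just below still ships both `Connector_FireEyeNX_CEF.json` and `template_FireEyeNX_CEFAMA.json`. Workspaces migrating off the legacy agent are where duplicates would appear, and duplicated CommonSecurityLog rows would presumably inflate count-based detections as well as cost, so the caveat is still worth keeping. I would name both connectors in the NOTE and retain the last sentence of the old text, e.g. `Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).` The same description is repeated in Package/createUiDefinition.json further down.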
@@ -11,8 +11,11 @@ "Parsers": [ "Parsers/FireEyeNXEvent.yaml" ], + "dependentDomainSolutionIds": [ + "azuresentinel.azure-sentinel-solution-commoneventformat" + ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\FireEye Network Security", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/FireEye Network Security/Package/3.0.1.zip b/Solutions/FireEye Network Security/Package/3.0.1.zip new file mode 100644 index 00000000000..6c10edbca50 Binary files /dev/null and b/Solutions/FireEye Network Security/Package/3.0.1.zip differ diff --git a/Solutions/FireEye Network Security/Package/createUiDefinition.json b/Solutions/FireEye Network Security/Package/createUiDefinition.json index fb57b3754be..1368d44edbc 100644 --- a/Solutions/FireEye Network Security/Package/createUiDefinition.json +++ b/Solutions/FireEye Network Security/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/FireEye%20Network%20Security/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\r\n1. **FireEye Network Security via AMA** - This data connector helps in ingesting FireEye Network Security logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **FireEye Network Security via Legacy Agent** - This data connector helps in ingesting FireEye Network Security logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of FireEye Network Security via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/FireEye%20Network%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -80,7 +80,6 @@ } } } - ] } ], diff --git a/Solutions/FireEye Network Security/Package/mainTemplate.json b/Solutions/FireEye Network Security/Package/mainTemplate.json index a8c0fc5f9df..7022b4c8d14 100644 --- a/Solutions/FireEye Network Security/Package/mainTemplate.json +++ b/Solutions/FireEye Network Security/Package/mainTemplate.json 
@@ -33,7 +33,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "FireEye Network Security", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-fireeyenx", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "FireEyeNX", 
@@ -54,15 +54,13 @@ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", "dataConnectorVersion2": "1.0.0", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", - "parserName1": "FireEyeNXEvent", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "FireEyeNXEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','FireEyeNXEvent')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'FireEyeNXEvent')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('FireEyeNXEvent-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "FireEyeNXEvent-Parser" + }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', 
variables('_solutionVersion'))))]" }, "resources": [ @@ -75,7 +73,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FireEye Network Security data connector with template version 3.0.0", + "description": "FireEye Network Security data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -422,7 +420,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FireEye Network Security data connector with template version 3.0.0", + "description": "FireEye Network Security data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -438,7 +436,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "[Recommended] FireEye Network Security (NX) via AMA", + "title": "[Deprecated] FireEye Network Security (NX) via AMA", "publisher": "FireEye", "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution.", 
@@ -516,12 +514,10 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Configure FireEye NX to send logs using CEF", "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert" - }, { "title": "Step C. Validate connection", @@ -585,7 +581,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "[Recommended] FireEye Network Security (NX) via AMA", + "displayName": "[Deprecated] FireEye Network Security (NX) via AMA", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" 
@@ -629,7 +625,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "[Recommended] FireEye Network Security (NX) via AMA", + "title": "[Deprecated] FireEye Network Security (NX) via AMA", "publisher": "FireEye", "descriptionMarkdown": "The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.", "graphQueries": [ @@ -706,12 +702,10 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Configure FireEye NX to send logs using CEF", "description": "Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert" - }, { "title": "Step C. Validate connection", 
@@ -745,21 +739,21 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('parserObject1').parserTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FireEyeNXEvent Data Parser with template version 3.0.0", + "description": "FireEyeNXEvent Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('parserObject1').parserVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", 
@@ -782,15 +776,15 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'FireEyeNXEvent')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "name": "FireEye Network Security", "kind": "Solution", 
@@ -815,18 +809,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", + "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "FireEyeNXEvent", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", 
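Review bot: The new `contentProductId` and `id` expressions end in the literal `'1.0.0'`, while the `version` property right after them reads `variables('parserObject1').parserVersion1`. The removed `_parsercontentProductId1` variable derived the id from the version variable, so this is a step back. Once the parser version is bumped, the id will keep hashing the old string and stop matching `version`, which makes it harder to tell which parser build a workspace has installed. Pass the variable instead of the literal, i.e. end the `concat` with `variables('parserObject1').parserContentId1,'-',variables('parserObject1').parserVersion1`. The same literal is in the `@@ -815,18 +809,18 @@` hunk of `Solutions/KasperskySecurityCenter/Package/mainTemplate.json`, where `parserVersion1` is currently `1.0.0`; if these templates are emitted by packaging tooling, the fix belongs in the generator.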
@@ -848,15 +842,15 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserId1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'FireEyeNXEvent')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "kind": "Solution", "name": "FireEye Network Security", @@ -879,12 +873,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "FireEye Network Security", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.

\n
    \n
  1. FireEye Network Security via AMA - This data connector helps in ingesting FireEye Network Security logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. FireEye Network Security via Legacy Agent - This data connector helps in ingesting FireEye Network Security logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of FireEye Network Security via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The FireEye Network Security (NX) solution provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -907,7 +901,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "DataConnector", @@ -921,8 +914,12 @@ }, { "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat" } ] }, diff --git a/Solutions/FireEye Network Security/Package/testParameters.json b/Solutions/FireEye Network Security/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/FireEye Network Security/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/FireEye Network Security/ReleaseNotes.md b/Solutions/FireEye Network Security/ReleaseNotes.md index 15434339cfa..cee2aec31ee 100644 --- a/Solutions/FireEye Network Security/ReleaseNotes.md +++ b/Solutions/FireEye Network Security/ReleaseNotes.md 
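Review bot: In the `@@ -921,8 +914,12 @@` hunk the added `Solution` criterion carries only a `contentId`, unlike the `Parser` criterion just above it, which also has a `version`. The template therefore does not record which release of the Common Event Format solution it was validated against, even though installing this package now pulls that solution into the workspace. If the dependency schema accepts it, add `"version": "<validated CEF solution version>"` (placeholder); otherwise record the tested version in the release notes entry for 3.0.1. The preceding `@@ -907,7 +901,6 @@` hunk also drops `"operator": "AND"`, which leaves how the criteria combine to the platform default, and keeping the explicit operator would make the intent reviewable. Both points apply equally to the matching hunks in `Solutions/KasperskySecurityCenter/Package/mainTemplate.json`.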
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.1 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.0 | 01-09-2023 | Addition of new FireEye Network Security AMA **Data Connector** | | diff --git a/Solutions/KasperskySecurityCenter/Data Connectors/template_KasperskySCAMA.json b/Solutions/KasperskySecurityCenter/Data Connectors/template_KasperskySCAMA.json index 8e8f9a0232a..7b586cacc91 100644 --- a/Solutions/KasperskySecurityCenter/Data Connectors/template_KasperskySCAMA.json +++ b/Solutions/KasperskySecurityCenter/Data Connectors/template_KasperskySCAMA.json @@ -1,6 +1,6 @@ { "id": "KasperskySCAma", - "title": "[Recommended] Kaspersky Security Center via AMA", + "title": "[Deprecated] Kaspersky Security Center via AMA", "publisher": "KasperskyLab", "descriptionMarkdown": "The [Kaspersky Security Center](https://support.kaspersky.com/KSC/13/en-US/3396.htm) data connector provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**KasperskySCEvent**](https://aka.ms/sentinel-kasperskysc-parser) which is deployed with the Microsoft Sentinel Solution.", diff --git a/Solutions/KasperskySecurityCenter/Data/Solution_Kaspersky Security Center.json b/Solutions/KasperskySecurityCenter/Data/Solution_Kaspersky Security Center.json index 5a91eb30557..2af5a981c76 100644 --- a/Solutions/KasperskySecurityCenter/Data/Solution_Kaspersky Security Center.json +++ b/Solutions/KasperskySecurityCenter/Data/Solution_Kaspersky Security Center.json 
@@ -2,7 +2,7 @@ "Name": "KasperskySecurityCenter", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [Kaspersky Security Center](https://ksc.kaspersky.com/) solution provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.\n\r\n1. **KasperskySecurityCenter via AMA** - This data connector helps in ingesting KasperskySecurityCenter logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **KasperskySecurityCenter via Legacy Agent** - This data connector helps in ingesting KasperskySecurityCenter logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of KasperskySecurityCenter via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Description": "The [Kaspersky Security Center](https://ksc.kaspersky.com/) solution provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.", "Data Connectors": [ "Data Connectors/Connector_KasperskySC_CEF.json", "Data Connectors/template_KasperskySCAMA.json" @@ -10,9 +10,12 @@ "Parsers": [ "Parsers/KasperskySCEvent.yaml" ], + "dependentDomainSolutionIds": [ + "azuresentinel.azure-sentinel-solution-commoneventformat" + ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\KasperskySecurityCenter", - "Version": "3.0.0", + "Version": "3.0.1", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/KasperskySecurityCenter/Package/3.0.1.zip b/Solutions/KasperskySecurityCenter/Package/3.0.1.zip new file mode 100644 index 00000000000..c74f0066a55 Binary files /dev/null and b/Solutions/KasperskySecurityCenter/Package/3.0.1.zip differ diff --git a/Solutions/KasperskySecurityCenter/Package/createUiDefinition.json b/Solutions/KasperskySecurityCenter/Package/createUiDefinition.json index bc7d892952f..b1c8a741bab 100644 --- a/Solutions/KasperskySecurityCenter/Package/createUiDefinition.json +++ b/Solutions/KasperskySecurityCenter/Package/createUiDefinition.json 
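Review bot: The rewritten `Description` in the `@@ -2,7 +2,7 @@` hunk drops the warning that running MMA and AMA on the same machine causes log duplication and extra ingestion cost, yet `Data Connectors` in the same file still lists both `Connector_KasperskySC_CEF.json` and `template_KasperskySCAMA.json`. Workspaces that move to CEF via AMA while the legacy agent is still forwarding are the ones that need that caveat, and duplicated events can also inflate count-based detections. I would keep it by appending `Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).` after the deprecation sentence. The text also says the connectors are "about to be deprecated" while this commit already retitles the AMA connector `[Deprecated]`, so the two wordings should be aligned. The same description is copied into `createUiDefinition.json` and the `descriptionHtml` of `mainTemplate.json`, and the FireEye solution's `descriptionHtml` received the same rewrite.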
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KasperskySecurityCenter/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Kaspersky Security Center](https://ksc.kaspersky.com/) solution provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.\n\r\n1. **KasperskySecurityCenter via AMA** - This data connector helps in ingesting KasperskySecurityCenter logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **KasperskySecurityCenter via Legacy Agent** - This data connector helps in ingesting KasperskySecurityCenter logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of KasperskySecurityCenter via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/KasperskySecurityCenter/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Kaspersky Security Center](https://ksc.kaspersky.com/) solution provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -63,7 +63,6 @@ "text": "This Solution installs the data connector for KasperskySecurityCenter. You can get KasperskySecurityCenter CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, - { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", 
diff --git a/Solutions/KasperskySecurityCenter/Package/mainTemplate.json b/Solutions/KasperskySecurityCenter/Package/mainTemplate.json index 6ae5ef4e134..c6ffcfca00d 100644 --- a/Solutions/KasperskySecurityCenter/Package/mainTemplate.json +++ b/Solutions/KasperskySecurityCenter/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "KasperskySecurityCenter", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-kasperskysc", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "KasperskySC", 
@@ -54,15 +54,13 @@ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", "dataConnectorVersion2": "1.0.0", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", - "parserName1": "KasperskySecurityCenter Data Parser", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "KasperskySCEvent-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','KasperskySecurityCenter Data Parser')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'KasperskySecurityCenter Data Parser')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('KasperskySCEvent-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "KasperskySCEvent-Parser" + }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ @@ -75,7 +73,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KasperskySecurityCenter data connector with template version 3.0.0", + "description": "KasperskySecurityCenter data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -422,7 +420,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KasperskySecurityCenter data connector with template version 3.0.0", + "description": "KasperskySecurityCenter data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -438,7 +436,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "[Recommended] Kaspersky Security Center via AMA", + "title": "[Deprecated] Kaspersky Security Center via AMA", "publisher": "KasperskyLab", "descriptionMarkdown": "The [Kaspersky Security Center](https://support.kaspersky.com/KSC/13/en-US/3396.htm) data connector provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.", "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**KasperskySCEvent**](https://aka.ms/sentinel-kasperskysc-parser) which is deployed with the Microsoft Sentinel Solution.", @@ -516,12 +514,10 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Configure Kaspersky Security Center to send logs using CEF", "description": "[Follow the instructions](https://support.kaspersky.com/KSC/13/en-US/89277.htm) to configure event export from Kaspersky Security Center." - }, { "title": "Step C. Validate connection", 
@@ -585,7 +581,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "[Recommended] Kaspersky Security Center via AMA", + "displayName": "[Deprecated] Kaspersky Security Center via AMA", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" @@ -629,7 +625,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "[Recommended] Kaspersky Security Center via AMA", + "title": "[Deprecated] Kaspersky Security Center via AMA", "publisher": "KasperskyLab", "descriptionMarkdown": "The [Kaspersky Security Center](https://support.kaspersky.com/KSC/13/en-US/3396.htm) data connector provides the capability to ingest [Kaspersky Security Center logs](https://support.kaspersky.com/KSC/13/en-US/151336.htm) into Microsoft Sentinel.", "graphQueries": [ 
@@ -706,12 +702,10 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Configure Kaspersky Security Center to send logs using CEF", "description": "[Follow the instructions](https://support.kaspersky.com/KSC/13/en-US/89277.htm) to configure event export from Kaspersky Security Center." - }, { "title": "Step C. Validate connection", 
@@ -745,21 +739,21 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('parserObject1').parserTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KasperskySCEvent Data Parser with template version 3.0.0", + "description": "KasperskySCEvent Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('parserObject1').parserVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", 
@@ -782,15 +776,15 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'KasperskySecurityCenter Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "name": "KasperskySecurityCenter", "kind": "Solution", 
@@ -815,18 +809,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", + "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "KasperskySecurityCenter Data Parser", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", 
@@ -848,15 +842,15 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserId1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'KasperskySecurityCenter Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "kind": "Solution", "name": "KasperskySecurityCenter", @@ -879,12 +873,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "KasperskySecurityCenter", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Kaspersky Security Center solution provides the capability to ingest Kaspersky Security Center logs into Microsoft Sentinel.

\n
    \n
  1. KasperskySecurityCenter via AMA - This data connector helps in ingesting KasperskySecurityCenter logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. KasperskySecurityCenter via Legacy Agent - This data connector helps in ingesting KasperskySecurityCenter logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of KasperskySecurityCenter via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Kaspersky Security Center solution provides the capability to ingest Kaspersky Security Center logs into Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -907,7 +901,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "DataConnector", @@ -921,8 +914,12 @@ }, { "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat" } ] }, diff --git a/Solutions/KasperskySecurityCenter/Package/testParameters.json b/Solutions/KasperskySecurityCenter/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/KasperskySecurityCenter/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/KasperskySecurityCenter/ReleaseNotes.md b/Solutions/KasperskySecurityCenter/ReleaseNotes.md index 07660bf906d..ddde748516f 100644 --- a/Solutions/KasperskySecurityCenter/ReleaseNotes.md +++ b/Solutions/KasperskySecurityCenter/ReleaseNotes.md 
@@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.0 | 05-09-2023 | Addition of new KasperskySecurityCenter AMA **Data Connector** | | +| 3.0.1 | 10-07-2024 | Deprecated **Data Connector** | +| 3.0.0 | 05-09-2023 | Addition of new KasperskySecurityCenter AMA **Data Connector** | | diff --git a/Solutions/Netwrix Auditor/Data Connectors/template_NetwrixAuditorAMA.json b/Solutions/Netwrix Auditor/Data Connectors/template_NetwrixAuditorAMA.json index 235ea53afd5..aa112d9863a 100644 --- a/Solutions/Netwrix Auditor/Data Connectors/template_NetwrixAuditorAMA.json +++ b/Solutions/Netwrix Auditor/Data Connectors/template_NetwrixAuditorAMA.json @@ -1,6 +1,6 @@ { "id": "NetwrixAma", - "title": "[Recommended] Netwrix Auditor via AMA", + "title": "[Deprecated] Netwrix Auditor via AMA", "publisher": "Netwrix", "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)", diff --git a/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json b/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json index 930aa652f9f..ee695385286 100644 --- a/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json +++ b/Solutions/Netwrix Auditor/Data/Solution_Netwrix.json 
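Review bot: The `title` in template_NetwrixAuditorAMA.json now reads `[Deprecated] Netwrix Auditor via AMA`, but the unchanged `descriptionMarkdown` and `additionalRequirementBanner` below it do not say what replaces the connector. Nothing on the connector page tells an operator that collection is expected to continue through the CEF via AMA connector of the Common Event Format solution, which is what the solution description in this commit states. A reader could therefore retire the connector without a working replacement, leaving a gap in Netwrix Auditor event collection. I would append a sentence to `descriptionMarkdown`, for example `This connector is deprecated; collect Netwrix Auditor events with the Common Event Format (CEF) via AMA connector from the Common Event Format solution.` The same title change appears in Package/mainTemplate.json.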
@@ -2,7 +2,7 @@ "Name": "Netwrix Auditor", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\r\n1. **Netwrix Auditor via AMA** - This data connector helps in ingesting Netwrix Auditor logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Netwrix Auditor via Legacy Agent** - This data connector helps in ingesting Netwrix Auditor logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Netwrix Auditor via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Description": "The Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.", "Parsers": [ "Parsers/NetwrixAuditor.yaml" ], @@ -10,8 +10,11 @@ "Data Connectors/Connector_NetwrixAuditor.json", "Data Connectors/template_NetwrixAuditorAMA.json" ], + "dependentDomainSolutionIds": [ + "azuresentinel.azure-sentinel-solution-commoneventformat" + ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Netwrix Auditor", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/Netwrix Auditor/Package/3.0.1.zip b/Solutions/Netwrix Auditor/Package/3.0.1.zip new file mode 100644 index 00000000000..be3e26e43c0 Binary files /dev/null and b/Solutions/Netwrix Auditor/Package/3.0.1.zip differ diff --git a/Solutions/Netwrix Auditor/Package/createUiDefinition.json b/Solutions/Netwrix Auditor/Package/createUiDefinition.json index 73631c68e75..5a24badfb78 100644 --- a/Solutions/Netwrix Auditor/Package/createUiDefinition.json +++ b/Solutions/Netwrix Auditor/Package/createUiDefinition.json 
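Review bot: The new `Description` says `The existing connectors are about to be deprecated by **Aug 31, 2024**` without naming the connectors, whereas the removed text tied that date to the Log Analytics agent specifically. The removed warning that running MMA and AMA on the same machine causes log duplication and extra ingestion cost is also gone. The following hunk still lists both `Data Connectors/Connector_NetwrixAuditor.json` and `Data Connectors/template_NetwrixAuditorAMA.json`, so both collection paths presumably still ship. I would name the deprecated connectors explicitly and keep the duplication warning with its link to the AMA migration page, since duplicated events can inflate counts in threshold-based analytic rules as well as cost.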
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netwrix%20Auditor/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\r\n1. **Netwrix Auditor via AMA** - This data connector helps in ingesting Netwrix Auditor logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Netwrix Auditor via Legacy Agent** - This data connector helps in ingesting Netwrix Auditor logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Netwrix Auditor via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netwrix%20Auditor/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Netwrix Auditor solution provides the capability to ingest [ Netwrix Auditor](https://www.netwrix.com/auditor.html) (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix [documentation](https://helpcenter.netwrix.com/) for more information.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,14 +60,14 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector that allows to ingest CEF formatted Netwrix Auditor events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Netwrix Auditor. You can get Netwrix Auditor CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, - { + { "name": "dataconnectors-parser-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the NetwrixAuditor Kusto Function alias." + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." } }, { diff --git a/Solutions/Netwrix Auditor/Package/mainTemplate.json b/Solutions/Netwrix Auditor/Package/mainTemplate.json index 0a2f9e5ae4f..a9225e3bc59 100644 --- a/Solutions/Netwrix Auditor/Package/mainTemplate.json +++ b/Solutions/Netwrix Auditor/Package/mainTemplate.json 
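Review bot: The rewritten `dataconnectors-parser-text` no longer names the Kusto function the parser installs, which the removed text gave as the `NetwrixAuditor` alias. Anyone writing hunting queries or analytic rules from the install page needs that name, and the new wording about a "Microsoft Sentinel normalized format" does not say which function to call. I would keep the alias by appending `The transformed logs can be accessed using the NetwrixAuditor Kusto Function alias.` to the new text. The enclosing element list starts and ends outside this hunk.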
@@ -33,18 +33,16 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Netwrix Auditor", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-netwrixauditor", "_solutionId": "[variables('solutionId')]", - "parserName1": "NetwrixAuditor", - "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", - "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", - "parserContentId1": "NetwrixAuditor-Parser", - "_parserContentId1": "[variables('parserContentId1')]", - "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','NetwrixAuditor')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NetwrixAuditor')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('NetwrixAuditor-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "NetwrixAuditor-Parser" + }, "uiConfigId1": "Netwrix", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "Netwrix", 
@@ -69,21 +67,21 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserTemplateSpecName1')]", + "name": "[variables('parserObject1').parserTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetwrixAuditor Data Parser with template version 3.0.0", + "description": "NetwrixAuditor Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserVersion1')]", + "contentVersion": "[variables('parserObject1').parserVersion1]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", 
@@ -106,15 +104,15 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NetwrixAuditor')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "name": "Netwrix Auditor", "kind": "Solution", 
@@ -139,18 +137,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_parserContentId1')]", + "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "NetwrixAuditor", - "contentProductId": "[variables('_parsercontentProductId1')]", - "id": "[variables('_parsercontentProductId1')]", - "version": "[variables('parserVersion1')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2022-10-01", - "name": "[variables('_parserName1')]", + "name": "[variables('parserObject1')._parserName1]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", 
@@ -172,15 +170,15 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", "dependsOn": [ - "[variables('_parserId1')]" + "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", - "contentId": "[variables('_parserContentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NetwrixAuditor')]", + "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", - "version": "[variables('parserVersion1')]", + "version": "[variables('parserObject1').parserVersion1]", "source": { "kind": "Solution", "name": "Netwrix Auditor", @@ -207,7 +205,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Netwrix Auditor data connector with template version 3.0.0", + "description": "Netwrix Auditor data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -564,7 +562,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Netwrix Auditor data connector with template version 3.0.0", + "description": "Netwrix Auditor data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -580,7 +578,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "[Recommended] Netwrix Auditor via AMA", + "title": "[Deprecated] Netwrix Auditor via AMA", "publisher": "Netwrix", "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **NetwrixAuditor** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-netwrixauditor-parser)", 
@@ -658,12 +656,10 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Configure Netwrix Auditor to send logs using CEF", "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor." - }, { "title": "Step C. Validate connection", @@ -743,7 +739,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "[Recommended] Netwrix Auditor via AMA", + "displayName": "[Deprecated] Netwrix Auditor via AMA", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" 
@@ -787,7 +783,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "[Recommended] Netwrix Auditor via AMA", + "title": "[Deprecated] Netwrix Auditor via AMA", "publisher": "Netwrix", "descriptionMarkdown": "Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.", "graphQueries": [ @@ -864,12 +860,10 @@ { "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, { "title": "Step B. Configure Netwrix Auditor to send logs using CEF", "description": "[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor." - }, { "title": "Step C. Validate connection", 
@@ -905,12 +899,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Netwrix Auditor", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.

\n
    \n
  1. Netwrix Auditor via AMA - This data connector helps in ingesting Netwrix Auditor logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. Netwrix Auditor via Legacy Agent - This data connector helps in ingesting Netwrix Auditor logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of Netwrix Auditor via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Netwrix Auditor solution provides the capability to ingest Netwrix Auditor (formerly Stealthbits Privileged Activity Manager) events into Microsoft Sentinel. Refer to Netwrix documentation for more information.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -933,12 +927,11 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "Parser", - "contentId": "[variables('_parserContentId1')]", - "version": "[variables('parserVersion1')]" + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" }, { "kind": "DataConnector", @@ -949,6 +942,10 @@ "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentId2')]", "version": "[variables('dataConnectorVersion2')]" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-commoneventformat" } ] }, diff --git a/Solutions/Netwrix Auditor/Package/testParameters.json b/Solutions/Netwrix Auditor/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/Netwrix Auditor/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/Netwrix Auditor/ReleaseNotes.md b/Solutions/Netwrix Auditor/ReleaseNotes.md index 6cbf46b2261..7774c8f2e99 100644 --- a/Solutions/Netwrix Auditor/ReleaseNotes.md +++ b/Solutions/Netwrix Auditor/ReleaseNotes.md 
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file
+| 3.0.1 | 10-07-2024 | Deprecated **Data Connector** |
+| 3.0.0 | 29-08-2023 | Addition of new Netwrix Auditor AMA **Data Connector** |
\ No newline at end of file