Merge branch 'master' into v-visodadasi/LinkNotWorking

Azure · Nov 28, 2024 · 42cb50c · 42cb50c
2 parents f832c82 + 4df4cd4
commit 42cb50c
Show file tree

Hide file tree

Showing 51 changed files with 4,556 additions and 2,626 deletions.
diff --git a/.github/workflows/kql-validations.yaml b/.github/workflows/kql-validations.yaml
@@ -0,0 +1,29 @@
+name: KQL Validations
+run-name: KQL Validations running on ${{ github.ref_name }}
+on:
+    pull_request:
+        branches:
+            - master
+    # Allows to run workflow manually from the Actions tab
+    workflow_dispatch:
+jobs:
+    KqlValidations:
+      runs-on: ubuntu-latest
+      env:
+        buildConfiguration: Release
+        dotnetSdkVersion: 6.0.x
+        PRNUM: ${{ github.event.pull_request.number }}
+      steps:
+      - uses: actions/checkout@v4
+      - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: ${{ env.dotnetSdkVersion }}
+      - name: Run KQL Validation tests
+        run: dotnet test .script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj --configuration ${{ env.buildConfiguration }}
+        env:
+          GITHUBAPPID: ${{ secrets.APPLICATION_ID }}
+          GITHUBAPPINSTALLATIONID: ${{ secrets.APPLICATION_INSTALLATION_ID }}
+          GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+          SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
+
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Rubrik_Events_Data_CL.json
@@ -0,0 +1,113 @@
+{
+    "Name":"Rubrik_Events_Data_CL",
+    "Properties":[
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "MG",
+      "Type": "string"
+    },
+    {
+      "Name": "ManagementGroupName",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "datetime"
+    },
+    {
+      "Name": "Computer",
+      "Type": "string"
+    },
+    {
+      "Name": "RawData",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_objectId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_seriesId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_id_g",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_clusterId_g",
+      "Type": "string"
+    },
+    {
+      "Name": "summary_s",
+      "Type": "string"
+    },
+    {
+      "Name": "source_s",
+      "Type": "string"
+    },
+    {
+      "Name": "severity_s",
+      "Type": "string"
+    },
+    {
+      "Name": "timestamp_s",
+      "Type": "datetime"
+    },
+    {
+      "Name": "class_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_type_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_objectId_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_objectName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_objectType_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_status_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_clusterName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_eventName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_auditUserName_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_auditUserId_s",
+      "Type": "string"
+    },
+    {
+      "Name": "custom_details_location_s",
+      "Type": "string"
+    },
+    {
+      "Name": "_ResourceId",
+      "Type": "string"
+    }
+  ]
+  }
diff --git a/.script/tests/asimParsersTest/ASimFilteringTest.py b/.script/tests/asimParsersTest/ASimFilteringTest.py
@@ -817,6 +817,20 @@ def send_query(self, query_str):
 
 # For each schema supported by the test there is a mapping between each of the schema's parameter to the column that the parameter filters.
 all_schemas_parameters = {
+    "AlertEvent" :
+    {
+		"ipaddr_has_any_prefix" : "DvcIpAddr",
+        "disabled" : "",
+        "endtime" : "EventEndTime",
+        "hostname_has_any" : "DvcHostname",
+		"username_has_any" : "Username",
+        "attacktactics_has_any" : "AttackTactics",
+        "attacktechniques_has_any" : "AttackTechniques",
+        "threatcategory_has_any" : "ThreatCategory",
+        "alertverdict_has_any" : "AlertVerdict",
+        "starttime" : "EventStartTime",
+        "eventseverity_has_any": "EventSeverity"
+    },
     "AuditEvent" :
     {
 		"actorusername_has_any" : "ActorUsername",

diff --git a/.script/tests/asimParsersTest/VerifyASimParserTemplate.py b/.script/tests/asimParsersTest/VerifyASimParserTemplate.py
@@ -15,6 +15,7 @@
 # Sentinel Repo URL
 SentinelRepoUrl = f"https://github.com/Azure/Azure-Sentinel.git"
 SCHEMA_INFO = [
+    {"SchemaName": "AlertEvent", "SchemaVersion": "0.1", "SchemaTitle":"ASIM Alert Event Schema", "SchemaLink": "https://aka.ms/ASimAlertEventDoc"},
     {"SchemaName": "AuditEvent", "SchemaVersion": "0.1", "SchemaTitle":"ASIM Audit Event Schema", "SchemaLink": "https://aka.ms/ASimAuditEventDoc"},
     {"SchemaName": "Authentication", "SchemaVersion": "0.1.3","SchemaTitle":"ASIM Authentication Schema","SchemaLink": "https://aka.ms/ASimAuthenticationDoc"},
     {"SchemaName": "Dns", "SchemaVersion": "0.1.7", "SchemaTitle":"ASIM Dns Schema","SchemaLink": "https://aka.ms/ASimDnsDoc"},

diff --git a/Detections/MultipleDataSources/powershell_MangoSandstorm.yaml b/Detections/MultipleDataSources/powershell_MangoSandstorm.yaml
@@ -1,13 +1,13 @@
 id: ce74dc9a-cb3c-4081-8c2f-7d39f6b7bae1
-name: Identify Mango Sandstorm powershell commands  
+name: Identify Mango Sandstorm powershell commands
 description: |
   'The query below identifies powershell commands used by the threat actor Mango Sandstorm.
   Reference:  https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'
 severity: High
 requiredDataConnectors:
   - connectorId: SecurityEvents
     dataTypes:
-      - SecurityEvent 
+      - SecurityEvent
   - connectorId: MicrosoftThreatProtection
     dataTypes:
       - DeviceProcessEvents
@@ -29,32 +29,31 @@ query: |
   | where EventID == 4688
   | where Process has_any ("powershell.exe","powershell_ise.exe","pwsh.exe") and CommandLine has_cs "-exec bypass -w 1 -enc"
   | where CommandLine  contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
-  | extend DvcHostName = Computer, ProcessID = ProcessId
+  | extend DvcHostname = Computer, ProcessId = tostring(ProcessId), ActorUsername = Account
   ),
   (DeviceProcessEvents
-  | where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc"  
-  | where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA" 
-  | extend DvcHostName = DeviceName, ProcessID = InitiatingProcessId
+  | where FileName =~ "powershell.exe" and ProcessCommandLine has_cs "-exec bypass -w 1 -enc"
+  | where ProcessCommandLine contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
+  | extend DvcHostname = DeviceName, ProcessId = tostring(InitiatingProcessId), ActorUsername = strcat(AccountDomain, @"\", AccountName)
   ),
   (imProcessCreate
   | where Process has_any ("powershell.exe","powershell_ise.exe","pwsh.exe") and CommandLine has_cs "-exec bypass -w 1 -enc"
   | where CommandLine  contains_cs "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
-  | extend ProcessID = TargetProcessId
+  | extend ProcessId = tostring(TargetProcessId)
   )
   )
-  | extend AccountName = tostring(split(ActorUsername, "\\")[0]), AccountNTDomain = tostring(split(ActorUsername, "\\")[1]), ProcessID = TargetProcessId
+  | extend AccountName = tostring(split(ActorUsername, "\\")[0]), AccountNTDomain = tostring(split(ActorUsername, "\\")[1])
   | extend HostName = tostring(split(DvcHostname, ".")[0]), DomainIndex = toint(indexof(DvcHostname, '.'))
   | extend HostNameDomain = iff(DomainIndex != -1, substring(DvcHostname, DomainIndex + 1), DvcHostname)
- 
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
         columnName: ActorUsername
       - identifier: Name
         columnName: AccountName
-      - identifier: UPNSuffix
-        columnName: AccountUPNSuffix
+      - identifier: NTDomain
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
@@ -66,8 +65,8 @@ entityMappings:
   - entityType: Process
     fieldMappings:
       - identifier: ProcessId
-        columnName: ProcessID
-version: 1.0.4
+        columnName: ProcessId
+version: 1.0.5
 kind: Scheduled
 metadata:
     source:

diff --git a/Sample Data/Custom/Rubrik_Events_Data_CL.csv b/Sample Data/Custom/Rubrik_Events_Data_CL.csv
@@ -0,0 +1,10 @@
+TimeGenerated [UTC],custom_details_objectId_g,custom_details_seriesId_g,custom_details_id_g,custom_details_clusterId_g,summary_s,source_s,severity_s,timestamp_s,class_s,custom_details_type_s,custom_details_objectId_s,custom_details_objectName_s,custom_details_objectType_s,custom_details_status_s,custom_details_clusterName_s,custom_details_eventName_s,custom_details_auditUserName_s,custom_details_auditUserId_s,custom_details_location_s
+"11/8/2024, 5:30:42.136 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,6617cef8-c37c-41db-988e-d8372bbe90f3,00000000-0000-0000-0000-000000000000,Waiting for 1 snapshot(s) to be available for file recovery.,Rubrik Security Cloud,info,2024-11-08T05:30:40.64979627Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotsWaitForSnappableIndexTaskStarted,,,
+"11/8/2024, 5:30:50.314 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3f-f5ce-7900-8443-8a368f5baa2b,688bc4b0-f17d-4784-a96f-9a8cd387e43d,00000000-0000-0000-0000-000000000000,Successfully replicated snapshot taken at 08 Nov 24 5:00 AM UTC for the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription to the region westus of TM-Lab-EA Azure subscription.,Rubrik Security Cloud,info,2024-11-08T05:29:57.30752593Z,Replication,Event,,use-test,AzureNativeVm,Success,Polaris,CloudNativeReplicateSnapshotsReplicateTaskSucceeded,,,
+"11/8/2024, 5:25:31.234 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,9cb57a51-4064-4c45-a10b-4693f8b5aaa7,00000000-0000-0000-0000-000000000000,Started indexing of the snapshots of the use-test Azure virtual machine in the use-test_group resource group in the TM-Lab-EA subscription.,Rubrik Security Cloud,info,2024-11-08T05:25:17.200115471Z,Index,Event,,use-test,AzureNativeVm,TaskSuccess,Polaris,CloudNativeIndexSnapshotsJobStarted,,,
+"11/8/2024, 5:17:19.245 AM",,3787cdc1-a7ba-41ed-9c6e-cc5d8d4a2a27,88ece1ed-1a95-43b9-ae38-302cf05c19d8,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-other-events.,Rubrik Security Cloud,info,2024-11-08T05:17:18.370059549Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
+"11/8/2024, 5:18:40.088 AM",,496f42ec-e684-4a04-b191-e6a3a122d49f,efb7669b-8891-4a76-a613-d104f661b856,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-AnomalyOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:18:39.20837609Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
+"11/8/2024, 5:16:28.396 AM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-08T05:16:14.067423864Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
+"11/7/2024, 1:25:23.986 PM",,,,,Rubrik Polaris webhook test event,Rubrik Security Cloud,info,2024-11-07T13:25:01.215428023Z,Configuration,Event,,,,Succeeded,Rubrik Security Cloud,,,,test-location
+"11/8/2024, 5:29:22.352 AM",047ed0bc-6b72-4ea8-b9a0-c7fb89aa5811,01930a3b-e0cf-7b83-b02c-2db1087d3b0d,e17bfee9-bed2-4691-b58d-0885322600c0,00000000-0000-0000-0000-000000000000,Started indexing of snapshot taken at 08 Nov 24 5:00 AM UTC.,Rubrik Security Cloud,info,2024-11-08T05:29:20.550468555Z,Index,Event,,use-test,AzureNativeVm,Running,Polaris,CloudNativeIndexSnapshotBegin,,,
+"11/8/2024, 5:21:33.309 AM",,28b3ccfd-6679-4f88-b416-5658d859dc6c,f690f13a-12f9-4b80-a268-48ba26a6e917,00000000-0000-0000-0000-000000000000,xyz@gmail.com successfully created the webhook Rubrik-ThreathuntOrchestrator.,Rubrik Security Cloud,info,2024-11-08T05:21:31.535526647Z,Configuration,Audit,auth0|65b91cdc85d3150aa4a1b3d0,xyz@gmail.com,User,Success,Polaris,WebhookCreated,xyz@gmail.com,auth0|65b91cdc85d3150aa4a1b3d0,
diff --git a/Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json b/Solutions/Broadcom SymantecDLP/Data/Solution_Broadcom SymantecDLP.json
@@ -2,19 +2,15 @@
   "Name": "Broadcom SymantecDLP",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
-  "Data Connectors": [
-    "Data Connectors/Connector_Syslog_SymantecDLP.json",
-	"Data Connectors/template_SymantecDLPAMA.json"
-	],
+  "Description": "The [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on **Aug 31, 2024**.",
   "Parsers": [
     "Parsers/SymantecDLP.yaml"
   ],
   "dependentDomainSolutionIds": [
     "azuresentinel.azure-sentinel-solution-commoneventformat"
     ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Broadcom SymantecDLP",
-  "Version": "3.0.2",
+  "Version": "3.0.3",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false

diff --git a/Solutions/Broadcom SymantecDLP/Package/3.0.3.zip b/Solutions/Broadcom SymantecDLP/Package/3.0.3.zip
diff --git a/Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json b/Solutions/Broadcom SymantecDLP/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Broadcom%20SymantecDLP/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Broadcom Symantec Data Loss Prevention (DLP)](https://www.broadcom.com/products/cyber-security/information-protection/data-loss-prevention) connector allows you to easily connect your Symantec DLP with Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector.The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -50,39 +50,7 @@
         "visible": true
       }
     ],
-    "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Broadcom SymantecDLP. You can get Broadcom SymantecDLP CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-parser-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      }
-    ],
+    "steps": [{}],
     "outputs": {
       "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
       "location": "[location()]",