Repackage - SonicWall Forewall

Azure · Nov 28, 2024 · 646c23d · 646c23d
1 parent 7aeab39
commit 646c23d
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 839 deletions.
diff --git a/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml b/Solutions/SonicWall Firewall/Analytic Rules/CaptureATPMaliciousFileDetection.yaml
@@ -7,12 +7,6 @@ description: |
 severity: Medium
 status: Experimental
 requiredDataConnectors:
-  - connectorId: CEF
-    dataTypes:
-      - CommonSecurityLog
-  - connectorId: SonicWallFirewall
-    dataTypes:
-      - CommonSecurityLog
   - connectorId: CefAma
     dataTypes:
       - CommonSecurityLog
@@ -62,5 +56,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SrcIpAddr
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/SonicWall Firewall/Data/Solution_SonicWall Firewall.json b/Solutions/SonicWall Firewall/Data/Solution_SonicWall Firewall.json
@@ -2,11 +2,7 @@
   "Name": "SonicWall Firewall",
   "Author": "SonicWall",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sonicwall_logo.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
-  "Data Connectors": [
-    "Data Connectors/SonicwallFirewall.JSON",
-    "Data Connectors/template_SonicwallFirewallAMA.JSON"
-  ],
+  "Description": "The [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.",
   "Workbooks": [
 	"Workbooks/SonicWallFirewall.json"
   ],
@@ -22,7 +18,7 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\SonicWall Firewall",
-  "Version": "3.1.1",
+  "Version": "3.1.2",
   "TemplateSpec": true,
   "Is1PConnector": false
 }
diff --git a/Solutions/SonicWall Firewall/Hunting Queries/OutboundSSHConnections.yaml b/Solutions/SonicWall Firewall/Hunting Queries/OutboundSSHConnections.yaml
@@ -3,9 +3,6 @@ name: Outbound SSH/SCP Connections
 description: |
   'This query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser.'
 requiredDataConnectors:
-  - connectorId: CEF
-    dataTypes:
-      - CommonSecurityLog
   - connectorId: SonicWallFirewall
     dataTypes:
       - CommonSecurityLog

diff --git a/Solutions/SonicWall Firewall/Package/3.1.2.zip b/Solutions/SonicWall Firewall/Package/3.1.2.zip
diff --git a/Solutions/SonicWall Firewall/Package/createUiDefinition.json b/Solutions/SonicWall Firewall/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sonicwall_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SonicWall%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/sonicwall_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SonicWall%20Firewall/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [SonicWall Firewall](https://www.sonicwall.com/products/firewalls/) solution for Microsoft Sentinel enables ingestion of events using the Common Event Format (CEF) into Microsoft Sentinel for [SonicWall Firewalls](https://www.sonicwall.com/support/technical-documentation/?q=CEF&language=English).\n\r\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024**.\n\n**Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for SonicWall Firewall. You can get SonicWall Firewall CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",
@@ -204,7 +180,7 @@
                 "name": "huntingquery1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser. This hunting query depends on CEF SonicWallFirewall CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)"
+                  "text": "This query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser. This hunting query depends on SonicWallFirewall CefAma data connector (CommonSecurityLog CommonSecurityLog Parser or Table)"
                 }
               }
             ]