diff --git a/Solutions/Pulse Connect Secure/Data/Solution_Pulse Connect Secure.json b/Solutions/Pulse Connect Secure/Data/Solution_Pulse Connect Secure.json
index 79dbbe7329a..c08252049b5 100644
--- a/Solutions/Pulse Connect Secure/Data/Solution_Pulse Connect Secure.json
+++ b/Solutions/Pulse Connect Secure/Data/Solution_Pulse Connect Secure.json
@@ -17,7 +17,7 @@
 "azuresentinel.azure-sentinel-solution-syslog"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Pulse Connect Secure",
- "Version": "3.0.3",
+ "Version": "3.0.4",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true
 }
\ No newline at end of file
diff --git a/Solutions/Pulse Connect Secure/Package/3.0.4.zip b/Solutions/Pulse Connect Secure/Package/3.0.4.zip
new file mode 100644
index 00000000000..e89379fcd14
Binary files /dev/null and b/Solutions/Pulse Connect Secure/Package/3.0.4.zip differ
diff --git a/Solutions/Pulse Connect Secure/Package/mainTemplate.json b/Solutions/Pulse Connect Secure/Package/mainTemplate.json
index 1ee118fcf30..1fedd30a633 100644
--- a/Solutions/Pulse Connect Secure/Package/mainTemplate.json
+++ b/Solutions/Pulse Connect Secure/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Pulse Connect Secure",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.0.4",
 "solutionId": "azuresentinel.azure-sentinel-solution-pulseconnectsecure",
 "_solutionId": "[variables('solutionId')]",
 "parserObject1": {
@@ -59,18 +59,18 @@
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.3",
+ "analyticRuleVersion1": "1.0.4",
 "_analyticRulecontentId1": "34663177-8abf-4db1-b0a4-5683ab273f44",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34663177-8abf-4db1-b0a4-5683ab273f44')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34663177-8abf-4db1-b0a4-5683ab273f44')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34663177-8abf-4db1-b0a4-5683ab273f44','-', '1.0.3')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34663177-8abf-4db1-b0a4-5683ab273f44','-', '1.0.4')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.3",
+ "analyticRuleVersion2": "1.0.4",
 "_analyticRulecontentId2": "1fa1528e-f746-4794-8a41-14827f4cb798",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1fa1528e-f746-4794-8a41-14827f4cb798')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1fa1528e-f746-4794-8a41-14827f4cb798')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1fa1528e-f746-4794-8a41-14827f4cb798','-', '1.0.3')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1fa1528e-f746-4794-8a41-14827f4cb798','-', '1.0.4')))]"
 },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
@@ -84,7 +84,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PulseConnectSecure Data Parser with template version 3.0.3",
+ "description": "PulseConnectSecure Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -216,7 +216,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PulseConnectSecure Workbook with template version 3.0.3",
+ "description": "PulseConnectSecure Workbook with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -272,10 +272,6 @@
 "contentId": "Syslog",
 "kind": "DataType"
 },
- {
- "contentId": "PulseConnectSecure",
- "kind": "DataConnector"
- },
 {
 "contentId": "SyslogAma",
 "kind": "DataConnector"
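Review bot: The `PulseConnectSecure` DataConnector entry dropped from the content-package dependency list in this hunk is not recorded in the 3.0.4 ReleaseNotes row added later in this diff, which only mentions the entity-mapping cleanup. Since the 3.0.3 row already records the deprecated connector's removal, this looks like a stale reference being tidied up, but a reader tracing why the solution no longer declares that connector should find it in the change history; suggest extending the row to `| 3.0.4 | 07-01-2025 | Removed Custom Entity mappings from **Analytic Rule**; removed stale **PulseConnectSecure** Data Connector dependency |`. Both analytic rules' `requiredDataConnectors` already reference `SyslogAma`, so the package's declared dependencies stay consistent after the removal.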
@@ -308,7 +304,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PulseConnectSecureVPN-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "PulseConnectSecureVPN-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -325,7 +321,7 @@
 "description": "This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server",
 "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
 "enabled": false,
- "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
+ "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Low",
@@ -336,10 +332,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ],
- "connectorId": "SyslogAma"
+ ]
 }
 ],
 "tactics": [
@@ -350,22 +346,22 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "User"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "Source_IP"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -421,7 +417,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PulseConnectSecureVPN-DistinctFailedUserLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "PulseConnectSecureVPN-DistinctFailedUserLogin_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -438,7 +434,7 @@
 "description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server",
 "displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins",
 "enabled": false,
- "query": "let threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "query": "let threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
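Review bot: The Account mapping in the first `entityMappings` block now binds identifier `FullName` directly to the `User` column; `FullName` is the right identifier only if the parser's `User` value carries a domain or UPN suffix, and if it is a bare username the `Name` identifier is the better fit for Sentinel's account entity correlation — confirm against what the `PulseConnectSecure` parser emits before shipping rule version 1.0.4. The column names themselves are consistent: `User` and `Source_IP` are both projected by the `summarize ... by User, Source_IP` step of the rewritten query in the preceding hunk, and `Computer` in the second rule is projected by its `summarize dcount(User) by Computer` step. The same `FullName` check applies to the Host mapping in the DistinctFailedUserLogin rule's `entityMappings` hunk that follows.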
@@ -449,10 +445,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "SyslogAma",
 "datatypes": [
 "Syslog"
- ],
- "connectorId": "SyslogAma"
+ ]
 }
 ],
 "tactics": [
@@ -463,13 +459,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "Host",
 "fieldMappings": [
 {
 "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "Computer"
 }
- ]
+ ],
+ "entityType": "Host"
 }
 ]
 }
@@ -521,7 +517,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.3",
+ "version": "3.0.4",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Pulse Connect Secure",
diff --git a/Solutions/Pulse Connect Secure/ReleaseNotes.md b/Solutions/Pulse Connect Secure/ReleaseNotes.md
index 2e499ed15d5..c4f756dbc9b 100644
--- a/Solutions/Pulse Connect Secure/ReleaseNotes.md
+++ b/Solutions/Pulse Connect Secure/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|-----------------------------------------------------|
+| 3.0.4 | 07-01-2025 | Removed Custom Entity mappings from **Analytic Rule** |
 | 3.0.3 | 16-12-2024 | Removed Deprecated **Data Connector** |
 | 3.0.2 | 01-08-2024 | Update **Parser** as part of Syslog migration |
 | | | Deprecating data connectors |
diff --git a/Solutions/QualysVM/Package/3.0.1.zip b/Solutions/QualysVM/Package/3.0.1.zip
new file mode 100644
index 00000000000..f98cc2fd581
Binary files /dev/null and b/Solutions/QualysVM/Package/3.0.1.zip differ
diff --git a/Solutions/QualysVM/Package/mainTemplate.json b/Solutions/QualysVM/Package/mainTemplate.json
index 655304376d3..63fe1b82239 100644
--- a/Solutions/QualysVM/Package/mainTemplate.json
+++ b/Solutions/QualysVM/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "QualysVM",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "azuresentinel.azure-sentinel-qualysvm",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "QualysVulnerabilityManagement",
@@ -61,11 +61,11 @@
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
 "analyticRuleObject1": {
- "analyticRuleVersion1": "1.0.1",
+ "analyticRuleVersion1": "1.0.2",
 "_analyticRulecontentId1": "3edb7215-250b-40c0-8b46-79093949242d",
 "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3edb7215-250b-40c0-8b46-79093949242d')]",
 "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3edb7215-250b-40c0-8b46-79093949242d')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3edb7215-250b-40c0-8b46-79093949242d','-', '1.0.1')))]"
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3edb7215-250b-40c0-8b46-79093949242d','-', '1.0.2')))]"
 },
 "analyticRuleObject2": {
 "analyticRuleVersion2": "1.0.1",
@@ -127,7 +127,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysVM data connector with template version 3.0.0",
+ "description": "QualysVM data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -533,7 +533,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysVMv2 Workbook with template version 3.0.0",
+ "description": "QualysVMv2 Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -621,7 +621,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "HighNumberofVulnDetectedV2_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "HighNumberofVulnDetectedV2_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -638,7 +638,7 @@
 "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
 "displayName": "High Number of Urgent Vulnerabilities Detected",
 "enabled": false,
- "query": "let threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "query": "let threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -649,10 +649,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "QualysVulnerabilityManagement",
 "dataTypes": [
 "QualysHostDetection_CL"
- ],
- "connectorId": "QualysVulnerabilityManagement"
+ ]
 }
 ],
 "tactics": [
@@ -665,8 +665,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "NetBios_s"
 }
 ],
 "entityType": "Host"
@@ -674,8 +674,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPAddress"
 }
 ],
 "entityType": "IP"
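Review bot: The rewritten `query` reads from `QualysHostDetectionV2_CL`, while the rule's `dataTypes` entry in the next hunk still declares `QualysHostDetection_CL`; the commit reorders that block without reconciling the two names. Sentinel's template gallery relies on `requiredDataConnectors` to show whether a rule's source data is flowing, so unless the connector deliberately reports the V2 table under the legacy name, the rule's data status will be misleading — suggest `"dataTypes": [ "QualysHostDetectionV2_CL" ]`, or an explanation in the rule's source definition of why the names differ. The second rule (`NewHighSeverityVulnDetectedAcrossMulitpleHostsV2`) declares the same `QualysHostDetection_CL` in its hunk that follows, and its query is not in the diff, so it needs the same check. The new `columnName` values `NetBios_s` and `IPAddress` in the two `entityMappings` hunks do match the query's `summarize ... by NetBios_s, IPAddress` projection, so those mappings resolve.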
@@ -734,7 +734,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NewHighSeverityVulnDetectedAcrossMulitpleHostsV2_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "NewHighSeverityVulnDetectedAcrossMulitpleHostsV2_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -762,10 +762,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "QualysVulnerabilityManagement",
 "dataTypes": [
 "QualysHostDetection_CL"
- ],
- "connectorId": "QualysVulnerabilityManagement"
+ ]
 }
 ],
 "tactics": [
@@ -827,7 +827,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysCustomConnector Playbook with template version 3.0.0",
+ "description": "QualysCustomConnector Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -2477,7 +2477,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysVM-GetAssetDetails Playbook with template version 3.0.0",
+ "description": "QualysVM-GetAssetDetails Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -2990,7 +2990,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysVM-GetAssets-ByCVEID Playbook with template version 3.0.0",
+ "description": "QualysVM-GetAssets-ByCVEID Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -4074,7 +4074,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysVM-GetAssets-ByOpenPort Playbook with template version 3.0.0",
+ "description": "QualysVM-GetAssets-ByOpenPort Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion4')]",
@@ -5033,7 +5033,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QualysVM-LaunchVMScan-GenerateReport Playbook with template version 3.0.0",
+ "description": "QualysVM-LaunchVMScan-GenerateReport Playbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion5')]",
@@ -7686,7 +7686,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "QualysVM",
diff --git a/Solutions/QualysVM/ReleaseNotes.md b/Solutions/QualysVM/ReleaseNotes.md
index 4f50c69d4b2..76c7083fbc1 100644
--- a/Solutions/QualysVM/ReleaseNotes.md
+++ b/Solutions/QualysVM/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------------------------|
+| 3.0.1 | 07-01-2025 | Removed Custom Entity mappings from **Analytic Rule** |
 | 3.0.0 | 16-04-2024 | Added Deploy to Azure Goverment button for Government portal in **Dataconnector** |
diff --git a/Solutions/QualysVM/data/Solution_QualysVM.json b/Solutions/QualysVM/data/Solution_QualysVM.json
index 82442397ed1..3b65049611c 100644
--- a/Solutions/QualysVM/data/Solution_QualysVM.json
+++ b/Solutions/QualysVM/data/Solution_QualysVM.json
@@ -22,7 +22,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\QualysVM",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "TemplateSpec": true,
 "Is1PConnector": false
 }
\ No newline at end of file