
Merge pull request #11634 from Azure/v-shukore/PaloAltoPANOS
Solution re-packaged after removing the custom entity mappings from the analytic rules
v-prasadboke authored Jan 13, 2025
2 parents 9bd0292 + b8d9e77 commit 66a5975
Showing 8 changed files with 51 additions and 53 deletions.
Expand Up @@ -17,7 +17,7 @@
"azuresentinel.azure-sentinel-solution-syslog"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Pulse Connect Secure",
"Version": "3.0.3",
"Version": "3.0.4",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true
}
Binary file added Solutions/Pulse Connect Secure/Package/3.0.4.zip
Binary file not shown.
54 changes: 25 additions & 29 deletions Solutions/Pulse Connect Secure/Package/mainTemplate.json
Expand Up @@ -41,7 +41,7 @@
"email": "[email protected]",
"_email": "[variables('email')]",
"_solutionName": "Pulse Connect Secure",
"_solutionVersion": "3.0.3",
"_solutionVersion": "3.0.4",
"solutionId": "azuresentinel.azure-sentinel-solution-pulseconnectsecure",
"_solutionId": "[variables('solutionId')]",
"parserObject1": {
Expand All @@ -59,18 +59,18 @@
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.3",
"analyticRuleVersion1": "1.0.4",
"_analyticRulecontentId1": "34663177-8abf-4db1-b0a4-5683ab273f44",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34663177-8abf-4db1-b0a4-5683ab273f44')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34663177-8abf-4db1-b0a4-5683ab273f44')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34663177-8abf-4db1-b0a4-5683ab273f44','-', '1.0.3')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34663177-8abf-4db1-b0a4-5683ab273f44','-', '1.0.4')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.3",
"analyticRuleVersion2": "1.0.4",
"_analyticRulecontentId2": "1fa1528e-f746-4794-8a41-14827f4cb798",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1fa1528e-f746-4794-8a41-14827f4cb798')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1fa1528e-f746-4794-8a41-14827f4cb798')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1fa1528e-f746-4794-8a41-14827f4cb798','-', '1.0.3')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1fa1528e-f746-4794-8a41-14827f4cb798','-', '1.0.4')))]"
},
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
Expand All @@ -84,7 +84,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PulseConnectSecure Data Parser with template version 3.0.3",
"description": "PulseConnectSecure Data Parser with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
Expand Down Expand Up @@ -216,7 +216,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PulseConnectSecure Workbook with template version 3.0.3",
"description": "PulseConnectSecure Workbook with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
Expand Down Expand Up @@ -272,10 +272,6 @@
"contentId": "Syslog",
"kind": "DataType"
},
{
"contentId": "PulseConnectSecure",
"kind": "DataConnector"
},
{
"contentId": "SyslogAma",
"kind": "DataConnector"
Expand Down Expand Up @@ -308,7 +304,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PulseConnectSecureVPN-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "PulseConnectSecureVPN-BruteForce_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
Expand All @@ -325,7 +321,7 @@
"description": "This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server",
"displayName": "PulseConnectSecure - Potential Brute Force Attempts",
"enabled": false,
"query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
"query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Low",
Expand All @@ -336,10 +332,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SyslogAma",
"datatypes": [
"Syslog"
],
"connectorId": "SyslogAma"
]
}
],
"tactics": [
Expand All @@ -350,22 +346,22 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "User"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "Source_IP"
}
]
],
"entityType": "IP"
}
]
}
Expand Down Expand Up @@ -421,7 +417,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PulseConnectSecureVPN-DistinctFailedUserLogin_AnalyticalRules Analytics Rule with template version 3.0.3",
"description": "PulseConnectSecureVPN-DistinctFailedUserLogin_AnalyticalRules Analytics Rule with template version 3.0.4",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
Expand All @@ -438,7 +434,7 @@
"description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server",
"displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins",
"enabled": false,
"query": "let threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
"query": "let threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
Expand All @@ -449,10 +445,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "SyslogAma",
"datatypes": [
"Syslog"
],
"connectorId": "SyslogAma"
]
}
],
"tactics": [
Expand All @@ -463,13 +459,13 @@
],
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
"columnName": "Computer"
}
]
],
"entityType": "Host"
}
]
}
Expand Down Expand Up @@ -521,7 +517,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.3",
"version": "3.0.4",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Pulse Connect Secure",
Expand Down
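Review bot: The rewritten brute-force query (`let threshold = 20; ... | summarize ... by User, Source_IP | where count_ > threshold`) still evaluates the 20-failure threshold over one non-overlapping hourly slice, because `queryPeriod` and `queryFrequency` are both `PT1H`; a burst that straddles the hour boundary is split across two runs and never trips, and the same boundary effect applies to the 15-minute bins in the distinct-user rule. This is inherited rather than introduced here, but since both queries were touched it is the moment to decide whether a lookback longer than the frequency (e.g. `"queryPeriod": "PT2H"` with suppression to avoid duplicate alerts) is wanted. Separately, the two rules now match the same event with different predicates (`Messages contains "Login failed"` vs `Messages startswith "Login failed"`), so their counts can disagree on the same log line; aligning them is a small consistency fix. With `| extend timestamp = StartTime` gone, the first/last failure times survive only as the `StartTime`/`EndTime` columns, so unless the collapsed part of the rule already carries a `customDetails` mapping for them, consider adding one so the alert still shows when the burst occurred.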
1 change: 1 addition & 0 deletions Solutions/Pulse Connect Secure/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------|
| 3.0.4 | 07-01-2025 | Removed Custom Entity mappings from **Analytic Rule** |
| 3.0.3 | 16-12-2024 | Removed Deprecated **Data Connector** |
| 3.0.2 | 01-08-2024 | Update **Parser** as part of Syslog migration |
| | | Deprecating data connectors |
Expand Down
Binary file added Solutions/QualysVM/Package/3.0.1.zip
Binary file not shown.