diff --git a/Solutions/Okta Single Sign-On/Package/3.1.2.zip b/Solutions/Okta Single Sign-On/Package/3.1.2.zip new file mode 100644 index 00000000000..d1da61efce4 Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.1.2.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index e562481ffca..4ede49b10b1 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json @@ -55,29 +55,29 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Okta Single Sign-On", - "_solutionVersion": "3.1.1", + "_solutionVersion": "3.1.2", "solutionId": "azuresentinel.azure-sentinel-solution-okta", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.1.0", + "analyticRuleVersion1": "1.1.1", "_analyticRulecontentId1": "884be6e7-e568-418e-9c12-89229865ffde", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '884be6e7-e568-418e-9c12-89229865ffde')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('884be6e7-e568-418e-9c12-89229865ffde')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','884be6e7-e568-418e-9c12-89229865ffde','-', '1.1.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','884be6e7-e568-418e-9c12-89229865ffde','-', '1.1.1')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.1.0", + "analyticRuleVersion2": "1.1.1", "_analyticRulecontentId2": "2954d424-f786-4677-9ffc-c24c44c6e7d5", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2954d424-f786-4677-9ffc-c24c44c6e7d5')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2954d424-f786-4677-9ffc-c24c44c6e7d5')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2954d424-f786-4677-9ffc-c24c44c6e7d5','-', '1.1.0')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2954d424-f786-4677-9ffc-c24c44c6e7d5','-', '1.1.1')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.1.0", + "analyticRuleVersion3": "1.1.1", "_analyticRulecontentId3": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508','-', '1.1.0')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508','-', '1.1.1')))]" }, "analyticRuleObject4": { "analyticRuleVersion4": "1.1.0", @@ -234,8 +234,6 @@ "parserVersion1": "1.0.2", "parserContentId1": "OktaSSO-Parser" }, - "SessionId": "authenticationContext_externalSessionId_s", - "_SessionId": "[variables('SessionId')]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ @@ -248,7 +246,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -265,7 +263,7 @@ "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name.", "displayName": "Failed Logins from Unknown or Invalid User", "enabled": false, - "query": "let FailureThreshold = 15;\nlet FailedLogins = OktaSSO\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOktaSSO\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n", + "query": "let FailureThreshold = 15;\nlet FailedLogins = OktaSSO\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOktaSSO\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -276,16 +274,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -299,7 +297,7 @@ "fieldMappings": [ { "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "actor_alternateId_s" } ], "entityType": "Account" @@ -308,7 +306,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "ClientIP" } ], "entityType": "IP" @@ -367,7 +365,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -384,7 +382,7 @@ "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours.", "displayName": "User Login from Different Countries within 3 hours", "enabled": false, - "query": "let timeframe = ago(3h);\nlet threshold = 2;\nOktaSSO\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n", + "query": "let timeframe = ago(3h);\nlet threshold = 2;\nOktaSSO\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s\n| where NumOfCountries >= threshold\n", "queryFrequency": "PT3H", "queryPeriod": "PT3H", "severity": "High", @@ -395,21 +393,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ "InitialAccess" ], + "subTechniques": [ + "T1078.004" + ], "techniques": [ "T1078" ], @@ -418,7 +419,7 @@ "fieldMappings": [ { "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "actor_alternateId_s" } ], "entityType": "Account" @@ -477,7 +478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -494,7 +495,7 @@ "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.", "displayName": "Potential Password Spray Attack", "enabled": false, - "query": "let FailureThreshold = 15;\nlet FailedEvents = OktaSSO\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOktaSSO\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n", + "query": "let FailureThreshold = 15;\nlet FailedEvents = OktaSSO\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOktaSSO\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -505,21 +506,24 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ "CredentialAccess" ], + "subTechniques": [ + "T1110.003" + ], "techniques": [ "T1110" ], @@ -528,7 +532,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "client_ipAddress_s" } ], "entityType": "IP" @@ -587,7 +591,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -615,16 +619,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -714,7 +718,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -742,16 +746,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -787,8 +791,8 @@ } ], "customDetails": { - "SessionId": "[variables('_SessionId')]", - "Location": "Location" + "Location": "Location", + "SessionId": "authenticationContext_externalSessionId_s" }, "alertDetailsOverride": { "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n", @@ -847,7 +851,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -875,16 +879,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -961,7 +965,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -989,16 +993,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -1032,7 +1036,7 @@ } ], "customDetails": { - "SessionId": "[variables('_SessionId')]" + "SessionId": "authenticationContext_externalSessionId_s" } } }, @@ -1087,7 +1091,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1115,16 +1119,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -1210,7 +1214,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.1", + "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1238,16 +1242,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" - ], - "connectorId": "OktaSSO" + ] }, { + "connectorId": "OktaSSOv2", "dataTypes": [ "OktaSSO" - ], - "connectorId": "OktaSSOv2" + ] } ], "tactics": [ @@ -1328,7 +1332,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.1.1", + "description": "Okta Single Sign-On data connector with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2569,7 +2573,7 @@ "type": "string", "minLength": 1 }, - "innerWorkspace": { + "workspace": { "defaultValue": "[parameters('workspace')]", "type": "string" }, @@ -2612,7 +2616,7 @@ } }, { - "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/OktaDCV1_', parameters('domainname'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', '{{innerWorkspace}}/Microsoft.SecurityInsights/OktaDCV1_{{domainname}}')]", "apiVersion": "2023-02-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", @@ -2680,7 +2684,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.1", + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -2765,7 +2769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.1", + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2850,7 +2854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.1", + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -2935,7 +2939,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.1", + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -3020,7 +3024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.1", + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -3105,7 +3109,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.1", + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -3190,7 +3194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.1", + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -3275,7 +3279,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.1", + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3360,7 +3364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.1", + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -3445,7 +3449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.1", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -3530,7 +3534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.1.1", + "description": "OktaCustomConnector Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4793,7 +4797,7 @@ ], "metadata": { "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2024-12-12T16:54:43.628Z", + "lastUpdateTime": "2025-01-06T15:31:31.854Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -4825,7 +4829,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.1", + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -5184,7 +5188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.1.1", + "description": "Okta-PromptUser Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -5635,7 +5639,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.1.1", + "description": "Okta-ResponseFromTeams Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6142,7 +6146,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.1.1", + "description": "OktaSingleSignOn Workbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -6238,7 +6242,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.1.1", + "description": "OktaSSO Data Parser with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -6366,7 +6370,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.1", + "version": "3.1.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md index 96be93b2e4a..08133afd288 100644 --- a/Solutions/Okta Single Sign-On/ReleaseNotes.md +++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------| +| 3.1.2 | 06-01-2025 | Removing Custom Entity mappings from **Analytic Rule** | | 3.1.1 | 08-11-2024 | Fixed CCP **Data Connector** connection bug | | 3.1.0 | 27-11-2024 | Fixed Solution version in Maintemplate and resolved ARM template error | | 3.0.10 | 08-11-2024 | Updated **Parser** to fix the schema | diff --git a/Solutions/Okta Single Sign-On/data/Solution_Okta.json b/Solutions/Okta Single Sign-On/data/Solution_Okta.json index 83ae77340d8..ff679ecb347 100644 --- a/Solutions/Okta Single Sign-On/data/Solution_Okta.json +++ b/Solutions/Okta Single Sign-On/data/Solution_Okta.json @@ -44,7 +44,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Okta Single Sign-On\\", - "Version": "3.0.8", + "Version": "3.1.2", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.9.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.9.zip new file mode 100644 index 00000000000..096edaac237 Binary files /dev/null and b/Solutions/PaloAlto-PAN-OS/Package/3.0.9.zip differ diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json index 935a0545101..7ae712e09ec 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json +++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "PaloAlto-PAN-OS", - "_solutionVersion": "3.0.8", + "_solutionVersion": "3.0.9", "solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos", "_solutionId": "[variables('solutionId')]", "huntingQueryObject1": { @@ -90,18 +90,18 @@ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.6')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.5", + "analyticRuleVersion3": "1.0.6", "_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.5')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.6')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.7", + "analyticRuleVersion4": "1.0.8", "_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.7')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.8')))]" }, "PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector", "_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]", @@ -188,7 +188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.8", + "description": "PaloAlto-HighRiskPorts_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -269,7 +269,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.8", + "description": "Palo Alto - potential beaconing detected_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -354,7 +354,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoOverview Workbook with template version 3.0.8", + "description": "PaloAltoOverview Workbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -442,7 +442,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoNetworkThreat Workbook with template version 3.0.8", + "description": "PaloAltoNetworkThreat Workbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -530,7 +530,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "PaloAlto-UnusualThreatSignatures_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -641,7 +641,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "FileHashEntity_Covid19_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -795,7 +795,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "PaloAlto-NetworkBeaconing_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -812,7 +812,7 @@ "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns.\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing.\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586", "displayName": "Palo Alto - potential beaconing detected", "enabled": false, - "query": "let starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where ipv4_is_private(DestinationIP)== false\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n", + "query": "let starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 25;\nlet TotalEventsThreshold = 30;\nlet MostFrequentTimeDeltaThreshold = 25;\nlet PercentBeaconThreshold = 80;\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where ipv4_is_private(DestinationIP)== false\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes)\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n", "queryFrequency": "P1D", "queryPeriod": "P2D", "severity": "Low", @@ -841,7 +841,7 @@ "fieldMappings": [ { "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "SourceUserID" } ], "entityType": "Account" @@ -850,7 +850,7 @@ "fieldMappings": [ { "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "DeviceName" } ], "entityType": "Host" @@ -859,7 +859,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "DestinationIP" } ], "entityType": "IP" @@ -918,7 +918,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "PaloAlto-PortScanning_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -935,7 +935,7 @@ "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication of internal to external port scanning or probing attack.\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK", "displayName": "Palo Alto - possible internal to external port scanning", "enabled": false, - "query": "CommonSecurityLog\n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\")\n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\"\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535))\n| where Computer != \"\"\n| where ipv4_is_private(DestinationIP) == false\n| extend Reason = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(\"reason=(.+?)(;|$)\", 1, AdditionalExtensions),\n \"\"\n )\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.\n| where Reason !has \"aged-out\"\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where Reason !has \"tcp-fin\"\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\"\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\"\n// Already performed\n//| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n", + "query": "CommonSecurityLog\n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\")\n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\"\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535))\n| where Computer != \"\"\n| where ipv4_is_private(DestinationIP) == false\n| extend Reason = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(\"reason=(.+?)(;|$)\", 1, AdditionalExtensions),\n \"\"\n )\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out.\n| where Reason !has \"aged-out\"\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where Reason !has \"tcp-fin\"\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\"\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\"\n// Already performed\n//| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Low", @@ -963,7 +963,7 @@ "fieldMappings": [ { "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "SourceUserID" } ], "entityType": "Account" @@ -972,7 +972,7 @@ "fieldMappings": [ { "identifier": "FullName", - "columnName": "HostCustomEntity" + "columnName": "DeviceName" } ], "entityType": "Host" @@ -981,7 +981,7 @@ "fieldMappings": [ { "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "SourceIP" } ], "entityType": "IP" @@ -1040,7 +1040,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.8", + "description": "PaloAlto_PAN-OS_Rest_API_CustomConnector Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -3235,7 +3235,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.8", + "description": "PaloAlto_PAN-OS_XML_API_CustomConnector Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -3422,7 +3422,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-GetSystemInfo Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -3669,7 +3669,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-GetThreatPcap Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -4205,7 +4205,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-GetURLCategoryInfo Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -4643,7 +4643,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-BlockIP Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", @@ -5795,7 +5795,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-BlockURL Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -6947,7 +6947,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-BlockURL-EntityTrigger Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -8051,7 +8051,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.8", + "description": "PaloAlto-PAN-OS-BlockIP-EntityTrigger Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", @@ -9152,7 +9152,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.8", + "version": "3.0.9", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "PaloAlto-PAN-OS", diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md index f061d7ff4f4..0394dc53ccb 100644 --- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md +++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.9 | 06-01-2025 | Removing Custom Entity mappings from **Analytic Rule** | | 3.0.8 | 15-11-2024 | Corrected **Data Connector** count in CreateUiDefinition | | 3.0.7 | 11-11-2024 | Removed Deprecated **Data Connector** | | | | Updated **Analytic Rule** for entity mappings | diff --git a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json index fb561bd5ac9..3bfbcf3f35c 100644 --- a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json +++ b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json @@ -33,7 +33,7 @@ ], "BasePath": "C:\\One\\Azure\\Azure-Sentinel", - "Version": "3.0.7", + "Version": "3.0.9", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false