SEP packaged

Azure · Jan 13, 2025 · 409980b · 409980b
1 parent 41e1498
commit 409980b
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 30 deletions.
diff --git a/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json b/Solutions/Symantec Endpoint Protection/Data/Solution_Symantec.json
@@ -17,7 +17,7 @@
     "azuresentinel.azure-sentinel-solution-syslog"
   ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec Endpoint Protection",
-  "Version": "3.0.4",
+  "Version": "3.0.5",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true
 }
diff --git a/Solutions/Symantec Endpoint Protection/Package/3.0.5.zip b/Solutions/Symantec Endpoint Protection/Package/3.0.5.zip
diff --git a/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json b/Solutions/Symantec Endpoint Protection/Package/mainTemplate.json
@@ -41,22 +41,22 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "Symantec Endpoint Protection",
-    "_solutionVersion": "3.0.4",
+    "_solutionVersion": "3.0.5",
     "solutionId": "azuresentinel.azure-sentinel-solution-symantecendpointprotection",
     "_solutionId": "[variables('solutionId')]",
     "analyticRuleObject1": {
-      "analyticRuleVersion1": "1.0.2",
+      "analyticRuleVersion1": "1.0.3",
       "_analyticRulecontentId1": "fa0ab69c-7124-4f62-acdd-61017cf6ce89",
       "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fa0ab69c-7124-4f62-acdd-61017cf6ce89')]",
       "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fa0ab69c-7124-4f62-acdd-61017cf6ce89')))]",
-      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fa0ab69c-7124-4f62-acdd-61017cf6ce89','-', '1.0.2')))]"
+      "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fa0ab69c-7124-4f62-acdd-61017cf6ce89','-', '1.0.3')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.2",
+      "analyticRuleVersion2": "1.0.3",
       "_analyticRulecontentId2": "072ee087-17e1-474d-b162-bbe38bcab9f9",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '072ee087-17e1-474d-b162-bbe38bcab9f9')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('072ee087-17e1-474d-b162-bbe38bcab9f9')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.2')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','072ee087-17e1-474d-b162-bbe38bcab9f9','-', '1.0.3')))]"
     },
     "workbookVersion1": "1.0.0",
     "workbookContentId1": "SymantecEndpointProtection",
@@ -84,7 +84,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "ExcessiveBlockedTrafficGeneratedbyUser_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -101,7 +101,7 @@
                 "description": "Creates an incident when a Symantec Endpoint Proection agent detects excessive amounts of blocked traffic generated by a single user.",
                 "displayName": "Excessive Blocked Traffic Events Generated by User",
                 "enabled": false,
-                "query": "let threshold = 15;\nlet NoteableEvents = SymantecEndpointProtection\n| where LogType == \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| summarize TotalBlockedEvents = count() by UserName\n| where TotalBlockedEvents > threshold;\nSymantecEndpointProtection\n| where LogType =~ \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| join kind=inner (NoteableEvents) on UserName\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserName, HostCustomEntity = ServerName, IPCustomEntity = LocalHostIpAddr\n",
+                "query": "let threshold = 15;\nlet NoteableEvents = SymantecEndpointProtection\n| where LogType == \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| summarize TotalBlockedEvents = count() by UserName\n| where TotalBlockedEvents > threshold;\nSymantecEndpointProtection\n| where LogType =~ \"Agent Traffic Logs\"\n| where Action =~ \"Blocked\"\n| join kind=inner (NoteableEvents) on UserName\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -134,7 +134,7 @@
                     "fieldMappings": [
                       {
                         "identifier": "FullName",
-                        "columnName": "AccountCustomEntity"
+                        "columnName": "UserName"
                       }
                     ],
                     "entityType": "Account"
@@ -143,7 +143,16 @@
                     "fieldMappings": [
                       {
                         "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "LocalHostIpAddr"
+                      }
+                    ],
+                    "entityType": "IP"
+                  },
+                  {
+                    "fieldMappings": [
+                      {
+                        "identifier": "Address",
+                        "columnName": "RemoteHostIpAddr"
                       }
                     ],
                     "entityType": "IP"
@@ -152,7 +161,7 @@
                     "fieldMappings": [
                       {
                         "identifier": "FullName",
-                        "columnName": "HostCustomEntity"
+                        "columnName": "ServerName"
                       }
                     ],
                     "entityType": "Host"
@@ -211,7 +220,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.4",
+        "description": "MalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -228,7 +237,7 @@
                 "description": "Creates an incident when a Symantec Endpoint Proection agent detects malware and the malware was not cleaned.",
                 "displayName": "Malware Detected",
                 "enabled": false,
-                "query": "SymantecEndpointProtection\n| where LogType == \"Agent Risk Logs\"\n| where CategorySet == \"Malware\"\n| where ActualAction !contains \"Cleaned\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr, HostCustomEntity = SrcHostName, AccountCustomEntity = UserName\n",
+                "query": "SymantecEndpointProtection\n| where LogType == \"Agent Risk Logs\"\n| where CategorySet == \"Malware\"\n| where ActualAction !contains \"Cleaned\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -248,6 +257,9 @@
                 "tactics": [
                   "Execution"
                 ],
+                "subTechniques": [
+                  "T1204.002"
+                ],
                 "techniques": [
                   "T1204"
                 ],
@@ -256,7 +268,7 @@
                     "fieldMappings": [
                       {
                         "identifier": "FullName",
-                        "columnName": "AccountCustomEntity"
+                        "columnName": "UserName"
                       }
                     ],
                     "entityType": "Account"
@@ -265,7 +277,7 @@
                     "fieldMappings": [
                       {
                         "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "SrcIpAddr"
                       }
                     ],
                     "entityType": "IP"
@@ -274,7 +286,7 @@
                     "fieldMappings": [
                       {
                         "identifier": "FullName",
-                        "columnName": "HostCustomEntity"
+                        "columnName": "SrcHostName"
                       }
                     ],
                     "entityType": "Host"
@@ -333,7 +345,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SymantecEndpointProtection Workbook with template version 3.0.4",
+        "description": "SymantecEndpointProtection Workbook with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('workbookVersion1')]",
@@ -389,10 +401,6 @@
                       "contentId": "SymantecEndpointProtection",
                       "kind": "DataType"
                     },
-                    {
-                      "contentId": "SymantecEndpointProtection",
-                      "kind": "DataConnector"
-                    },
                     {
                       "contentId": "SyslogAma",
                       "kind": "DataConnector"
@@ -425,7 +433,7 @@
         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
       ],
       "properties": {
-        "description": "SymantecEndpointProtection Data Parser with template version 3.0.4",
+        "description": "SymantecEndpointProtection Data Parser with template version 3.0.5",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
           "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -553,7 +561,7 @@
       "apiVersion": "2023-04-01-preview",
       "location": "[parameters('workspace-location')]",
       "properties": {
-        "version": "3.0.4",
+        "version": "3.0.5",
         "kind": "Solution",
         "contentSchemaVersion": "3.0.0",
         "displayName": "Symantec Endpoint Protection",

diff --git a/Solutions/Symantec Endpoint Protection/ReleaseNotes.md b/Solutions/Symantec Endpoint Protection/ReleaseNotes.md
@@ -1,8 +1,9 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                          |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.4       | 17-12-2024                     | Removed Deprecated **Data connectors**      | 
-| 3.0.3       | 01-08-2024                     |Update **Parser** as part of Syslog migration                         |
-|             |                                |Deprecating data connectors                                           |
-| 3.0.2       | 26-04-2024                     | Repackaged for fix on parser in maintemplate to have old parsername and parentid                    |
-| 3.0.1       | 18-04-2024                     | Repackaged for fix in parser in maintemplate |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                											      	    |
+|-------------|--------------------------------|----------------------------------------------------------------------------------------|
+| 3.0.5       | 13-01-2025                     | Removed Custom Entity mappings from **Analytic rules**									|
+| 3.0.4       | 17-12-2024                     | Removed Deprecated **Data connectors**    											  	| 
+| 3.0.3       | 01-08-2024                     | Update **Parser** as part of Syslog migration                         					|
+|             |                                | Deprecating data connectors                                           					|
+| 3.0.2       | 26-04-2024                     | Repackaged for fix on parser in maintemplate to have old parsername and parentid       |
+| 3.0.1       | 18-04-2024                     | Repackaged for fix in parser in maintemplate 											|
 | 3.0.0       | 15-04-2024                     | Updated **Parser** SymantecEndpointProtection.yaml to automatic update applicable logs |