Aliter Consulting SOD Reporting for Sentinel Threat Monitoring for SAP
Required items, please complete
Change(s):
- See guidance below
Reason for Change(s):
- See guidance below
Version Updated:
- Required only for Detections/Analytic Rule templates
- See guidance below
Testing Completed:
- See guidance below
Checked that the validations are passing and have addressed any issues that are present:
- See guidance below
Guidance <- remove section before submitting
Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:
Thank you for your contribution to the Microsoft Sentinel GitHub repo.
Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.
Change(s):
- Updated syntax for XYZ.yaml
Reason for Change(s):
- New schema used for XYZ.yaml
- Resolves ISSUE #1234
Version updated:
- Yes
- Detections/Analytic Rule templates are required to have the version updated
The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.
Testing Completed:
- Yes/No/Need Help
Note: If updating a detection, you must update the version field.
Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally. https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally
Checked that the validations are passing and have addressed any issues that are present:
- Yes/No/Need Help
Note: Let us know if you have tried fixing the validation error and need help.
References:
Hello - do you have an estimated time for this to be reviewed, please?
@gajackson1963 : Could you please resolve the comments below? While checking the workbook after deployment in our environment, I'm seeing an empty workbook. It is mandatory that there are at least 4 charts / graphs in the workbook. If you want to add any images to your workbook, please follow the process: "previewImagesFileNames" includes the location of the black and white PNG files; these must be in the PR in the right location (the Workbook\Images\Preview folder) and have the right names (metadata name = the actual file names). There can be multiple dark and light background images for the same workbook, represented in this format, for example: [ "BarracudaWhite1.png", "BarracudaBlack1.png", "BarracudaWhite2.png", "BarracudaBlack2.png" ]
I have verified that Logos/AliterConsulting.svg looks fine, but you can remove the AliterConsulting.svg file.
@v-spadarthi Hello, when you say the workbook is empty, are you saying you're trying to analyse the data the workbook is designed for? The workbook has 2 charts and 2 graphs but data will only appear if you have Sentinel for SAP deployed and it's collecting data from the attached SAP systems. Please confirm. Also, not sure why I need to add images to the workbook - is this something that's expected of us. Sorry for all these questions but I'm new to this process.
Hi @gajackson1963
We are not able to see any graphs or charts. Just getting the blank page.
Can you please recheck and confirm.
Thanks
@gajackson1963 Can you please make the required changes? Thanks
@gajackson1963: Can you please make the required changes. Thanks!!
I will revert as soon as possible. But have you installed the SAP threat detection content onto your Sentinel and connected to an SAP system? The workbooks are dependent on this being deployed.
Hey @gajackson1963, the actual workbook content starts from line 34 and ends at line 626. Can you please remove the other code, as we are expecting just the workbook content? Can you please add the images for the workbook once it runs successfully? Thanks.

@gajackson1963 : Please do the modifications suggested by @v-sabiraj
Updates made as requested
@gajackson1963 : Could you please fix the validation errors. Thanks!!

@gajackson1963: Could you please remove the content in the workbook "workbookContent": after that, when I deployed it in our workspace, it looks like below
Please add some images and deploy into your workspace and let us know.
For example, please refer below workbook and give images and charts if you have any
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ARGOSCloudSecurity/Workbooks/ARGOSCloudSecurityWorkbook.json
@gajackson1963 : Please follow the instructions suggested by me and do the changes accordingly.
Hi @gajackson1963 Please refer to the sample workbook shared by @v-spadarthi and make the necessary changes. Thanks
Hi @gajackson1963 , Please refer to the sample workbook shared by @v-spadarthi in previous comments and make the necessary changes. Thanks
@gajackson1963 : Please follow the instructions suggested by me and do the changes accordingly.
I will look at the changes this evening. I have been unavailable for the past month so am just catching up.
@gajackson1963 : Please have a look and provide an update. Thanks!
@gajackson1963 : Please have a look and provide an update. Thanks!
@gajackson1963 : Please fix the below validation error

Hi @gajackson1963 Can you please add the watchlists in .json format? You can refer to the watchlist template available at https://github.com/Azure/Azure-Sentinel/blob/master/Watchlists/Templates/WatchlistTemplate.json
@gajackson1963 : Please resolve the validation errors and the comments suggested by @NikTripathi as well
@gajackson1963 : we have some validation errors please fix them.
Hi @gajackson1963 The watchlists contain duplicate values. Can you please fix them?

@gajackson1963 : Please fix the below validation error

Which line of code is it complaining about now?
@gajackson1963: Please remove the fallbackresourceID and keep the fromTemplateId.
like below
Please follow the below workbook template to build the workbook
For example : https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Workbooks/42CrunchAPIProtectionWorkbook.json
Please add the workbook meta data for a workbook in below path https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
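The reviewers' requests above (ship only the bare workbook body rather than the "workbookContent" wrapper, drop fallbackResourceIds but keep fromTemplateId, and have at least 4 charts / graphs) can be checked locally before pushing. The following script is an added example, not code from this PR or from the Azure-Sentinel repo tooling. It assumes the Azure Workbooks serialization conventions ("version": "Notebook/1.0", item type 3 for query items, type 12 for groups) and uses constructed sample workbooks; the template id and queries in the samples are placeholders.

```python
from __future__ import annotations

import copy
import json
from typing import Any

QUERY_ITEM = 3    # assumption: Azure Workbooks code for a query/visualization item
GROUP_ITEM = 12   # assumption: code for a group item that nests further items
MIN_CHARTS = 4    # the reviewer's "at least 4 charts / graphs"

# Visualizations counted as a chart or graph (assumption; "table"/"grid" do not count).
CHART_VISUALIZATIONS = {
    "piechart", "barchart", "linechart", "timechart", "areachart",
    "scatterchart", "categoricalbar", "graph", "map", "tiles",
}


def _find_key(obj: Any, key: str) -> Any:
    """Depth-first search for the first value stored under `key`."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for child in obj:
            found = _find_key(child, key)
            if found is not None:
                return found
    return None


def unwrap_workbook(doc: dict) -> dict:
    """Return a copy of the bare workbook body (the object with "version" and "items").

    If the file is a wrapper that embeds the body under "workbookContent"
    (possibly as a JSON string), the body is extracted from it.
    """
    if "version" in doc and "items" in doc:
        return copy.deepcopy(doc)
    body = _find_key(doc, "workbookContent")
    if body is None:
        raise ValueError("no bare workbook body or workbookContent found")
    if isinstance(body, str):
        body = json.loads(body)
    return copy.deepcopy(body)


def count_charts(items: list[dict]) -> int:
    """Count query items rendered as a chart/graph, descending into groups."""
    total = 0
    for item in items:
        content = item.get("content", {})
        if item.get("type") == QUERY_ITEM:
            if content.get("visualization") in CHART_VISUALIZATIONS:
                total += 1
        elif item.get("type") == GROUP_ITEM:
            total += count_charts(content.get("items", []))
    return total


def prepare_workbook(doc: dict) -> tuple[dict, list[str]]:
    """Unwrap, strip fallbackResourceIds, and list the review problems that remain."""
    body = unwrap_workbook(doc)
    problems: list[str] = []
    body.pop("fallbackResourceIds", None)          # reviewer: remove it
    if not body.get("fromTemplateId"):             # reviewer: keep it
        problems.append("fromTemplateId is missing")
    if body.get("version") != "Notebook/1.0":
        problems.append(f"unexpected version {body.get('version')!r}")
    charts = count_charts(body.get("items", []))
    if charts < MIN_CHARTS:
        problems.append(f"only {charts} chart/graph item(s); need {MIN_CHARTS}")
    return body, problems


def _query_item(viz: str, query: str) -> dict:
    return {"type": QUERY_ITEM,
            "content": {"version": "KqlItem/1.0", "query": query, "visualization": viz}}


# Constructed sample: a wrapper of the kind the reviewer asked to remove,
# carrying only two chart items plus a table, and a fallbackResourceIds field.
WRAPPED_SAMPLE = {
    "resources": [{
        "type": "Microsoft.Insights/workbooks",
        "properties": {
            "workbookContent": json.dumps({
                "version": "Notebook/1.0",
                "fromTemplateId": "sentinel-ExampleWorkbook",      # placeholder id
                "fallbackResourceIds": ["/subscriptions/x/workspace"],
                "items": [
                    {"type": 1, "content": {"json": "## SOD report"}},
                    _query_item("piechart", "TableA | summarize count() by User"),
                    _query_item("barchart", "TableA | summarize count() by Event"),
                    _query_item("table", "TableA | take 50"),
                ],
            })
        },
    }]
}

# Constructed sample: a bare body that satisfies every check (4 charts, one inside a group).
BARE_SAMPLE = {
    "version": "Notebook/1.0",
    "fromTemplateId": "sentinel-ExampleWorkbook",
    "items": [
        _query_item("piechart", "TableA | summarize count() by User"),
        {"type": GROUP_ITEM, "content": {"version": "GroupItem/1.0", "items": [
            _query_item("barchart", "TableA | summarize count() by Event"),
            _query_item("timechart", "TableA | summarize count() by bin(TimeGenerated, 1h)"),
            _query_item("graph", "TableA | project Source, Target"),
        ]}},
    ],
}

if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED_SAMPLE), ("bare", BARE_SAMPLE)):
        _, problems = prepare_workbook(sample)
        print(name, "->", problems or "OK")
```

Run it against the real file with `prepare_workbook(json.load(open(path)))` and write the returned body back out; the wrapped sample reports the two-chart shortfall, and the bare sample passes.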
@gajackson1963 : Please address the above comments suggested by me and Nikhil as well.