PCMatic Sentinel Solution
Required items, please complete
Change(s):
- Initial PR
Reason for Change(s):
- NRT analytic rules are not converting correctly to JSON. I have to manually update mainTemplate.json and createUiDefinition.json to validate and deploy.
Version Updated:
- Required only for Detections/Analytic Rule templates
- See guidance below
Testing Completed:
- Need help
Checked that the validations are passing and have addressed any issues that are present:
- Need help
@microsoft-github-policy-service agree [company="pcmatic inc"]
John Farley Developer 732-718-6472
On Tue, Dec 6, 2022 at 1:14 PM microsoft-github-policy-service[bot] wrote:
@johnpcmatic https://github.com/johnpcmatic please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.
@microsoft-github-policy-service agree [company="{your company}"]
Options:
- (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
- (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
Contribution License Agreement
This Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”), and conveys certain license rights to Microsoft Corporation and its affiliates (“Microsoft”) for Your contributions to Microsoft open source projects. This Agreement is effective as of the latest signature date below.
1. Definitions. “Code” means the computer software code, whether in human-readable or machine-executable form, that is delivered by You to Microsoft under this Agreement. “Project” means any of the projects owned or managed by Microsoft and offered under a license approved by the Open Source Initiative (www.opensource.org). “Submit” is the act of uploading, submitting, transmitting, or distributing code or other content to any Project, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Project for the purpose of discussing and improving that Project, but excluding communication that is conspicuously marked or otherwise designated in writing by You as “Not a Submission.” “Submission” means the Code and any other copyrightable material Submitted by You, including any associated comments and documentation.
2. Your Submission. You must agree to the terms of this Agreement before making a Submission to any Project. This Agreement covers any and all Submissions that You, now or in the future (except as described in Section 4 below), Submit to any Project.
3. Originality of Work. You represent that each of Your Submissions is entirely Your original work. Should You wish to Submit materials that are not Your original work, You may Submit them separately to the Project if You (a) retain all copyright and license information that was in the materials as You received them, (b) in the description accompanying Your Submission, include the phrase “Submission containing materials of a third party:” followed by the names of the third party and any licenses or other restrictions of which You are aware, and (c) follow any other instructions in the Project’s written guidelines concerning Submissions.
4. Your Employer. References to “employer” in this Agreement include Your employer or anyone else for whom You are acting in making Your Submission, e.g. as a contractor, vendor, or agent. If Your Submission is made in the course of Your work for an employer or Your employer has intellectual property rights in Your Submission by contract or applicable law, You must secure permission from Your employer to make the Submission before signing this Agreement. In that case, the term “You” in this Agreement will refer to You and the employer collectively. If You change employers in the future and desire to Submit additional Submissions for the new employer, then You agree to sign a new Agreement and secure permission from the new employer before Submitting those Submissions.
5. Licenses.
   a. Copyright License. You grant Microsoft, and those who receive the Submission directly or indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license in the Submission to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute the Submission and such derivative works, and to sublicense any or all of the foregoing rights to third parties.
   b. Patent License. You grant Microsoft, and those who receive the Submission directly or indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license under Your patent claims that are necessarily infringed by the Submission or the combination of the Submission with the Project to which it was Submitted to make, have made, use, offer to sell, sell and import or otherwise dispose of the Submission alone or with the Project.
   c. Other Rights Reserved. Each party reserves all rights not expressly granted in this Agreement. No additional licenses or rights whatsoever (including, without limitation, any implied licenses) are granted by implication, exhaustion, estoppel or otherwise.
6. Representations and Warranties. You represent that You are legally entitled to grant the above licenses. You represent that each of Your Submissions is entirely Your original work (except as You may have disclosed under Section 3). You represent that You have secured permission from Your employer to make the Submission in cases where Your Submission is made in the course of Your work for Your employer or Your employer has intellectual property rights in Your Submission by contract or applicable law. If You are signing this Agreement on behalf of Your employer, You represent and warrant that You have the necessary authority to bind the listed employer to the obligations contained in this Agreement. You are not expected to provide support for Your Submission, unless You choose to do so. UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, AND EXCEPT FOR THE WARRANTIES EXPRESSLY STATED IN SECTIONS 3, 4, AND 6, THE SUBMISSION PROVIDED UNDER THIS AGREEMENT IS PROVIDED WITHOUT WARRANTY OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
7. Notice to Microsoft. You agree to notify Microsoft in writing of any facts or circumstances of which You later become aware that would make Your representations in this Agreement inaccurate in any respect.
8. Information about Submissions. You agree that contributions to Projects and information about contributions may be maintained indefinitely and disclosed publicly, including Your name and other information that You submit with Your Submission.
9. Governing Law/Jurisdiction. This Agreement is governed by the laws of the State of Washington, and the parties consent to exclusive jurisdiction and venue in the federal courts sitting in King County, Washington, unless no federal subject matter jurisdiction exists, in which case the parties consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington. The parties waive all defenses of lack of personal jurisdiction and forum non-conveniens.
10. Entire Agreement/Assignment. This Agreement is the entire agreement between the parties, and supersedes any and all prior agreements, understandings or communications, written or oral, between the parties relating to the subject matter hereof. This Agreement may be assigned by Microsoft.
@microsoft-github-policy-service agree company="pcmatic inc"
On Tue, Dec 6, 2022 at 1:23 PM microsoft-github-policy-service[bot] wrote:
@johnpcmatic https://github.com/johnpcmatic the command you issued was incorrect. Please try again.
Examples are:
@microsoft-github-policy-service agree
and
@microsoft-github-policy-service agree company="your company"
@johnpcmatic : Please resolve the comments below.
1. Validation is not passing, please see below.
2. Please describe the snippet below:
i) May I know whether the solution name is PCMaticSuperShield or PCMatic SuperShield?
ii) If you want to include PCMSS.txt in this solution, please include it under the solution folder.
iii) Another solution, IoTOTThreatMonitoringwithDefenderforIoT, already has the latest 2.0.1 package in Partner Center, but we could see 1.0.11 in your changes?
iv) What are the keyvault and Assets folders for?
3. In the solutionMetadata file the domain categories don't match; please change them using the list below (the '-' is not matching).
Domain categories
"tier" should be Partner
4. Create a Data folder under the solution folder, then keep the solution input file (Solution_PCMaticSuperShield.json) there.
Use version 2.0.0 in the input file.
5. CreateUiDefinition looks fine, but in the Analytics section we could see empty descriptions.
6. The logo extension should be .svg, not .png; please change it.
7. Sample data ingested fine.
8. While deploying the workbook we could see the below; please fix it: please change "Userworkbook" to any other name.
9. Please add the workbook metadata for the workbook in the following path: https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
10. Parser is working fine.
After making the above changes, please create the package again. Thanks!
Hi,
I have most of these worked out. There were just a couple of items that I could not fix. I could not find this line in any of my templates: [image: image.png]
Also, I'm not sure how to remove the [image: image.png]
On Thu, Dec 8, 2022 at 1:04 AM v-sabiraj wrote:
v-sabiraj commented on this pull request.
In Tools/Create-Azure-Sentinel-Solution/input/Solution_PCMaticSuperShield.json https://github.com/Azure/Azure-Sentinel/pull/6827#discussion_r1042960318 :
- "Parsers": [
"Parsers/SuperShieldActivity.txt"- ],
- "Analytic Rules": [
"Analytic Rules/NRTKnownBadProcess.yaml","Analytic Rules/NRTUnknownProcess.yaml","Analytic Rules/NRTAllowedProcess.yaml"- ],
- "Playbooks": [
"Playbooks/BlockAllowProcess/azureDeploy.json","Playbooks/RemoveProcess/azureDeploy.json"- ],
- "Workbooks": [
"Workbooks/PCMaticIncidentOverview.json"- ],
- "Key Vault": [
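Review bot: the "Key Vault" array that closes this input file is not a content type the packaging tool accepts, as the reviewer points out, and it is the only entry here that does not map to a solution folder the tool knows how to package. Remove it from Solution_PCMaticSuperShield.json and instead reference the key vault template by its raw link in the prerequisites section of the playbooks' readme, since the playbooks are the only components that consume the stored secret; the Parsers, Analytic Rules, Playbooks and Workbooks entries can stay as listed.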
Hey @johnpcmatic https://github.com/johnpcmatic, you can't directly add the keyvault file in input file, can you please add the raw link of this file in pre requisites of playbooks if it is used there, thanks.
Hi @v-spadarthi, Please help the author with his Queries. Thanks
@johnpcmatic, can you please check and revert the changes from the IoTThreatMonitoring zip? Thanks.

@johnpcmatic, as suggested please create solution with V2 tool of solution packaging. Please find the guidelines for the same here.
@aprakash13, can you please check the Analytic Rules, thanks.
@v-sabiraj, I think I solved the Analytic Rules issue. The query data was nested under a "properties" property. Once I moved the query data outside that property, the rules converted correctly.
And just to confirm, the end user should create a Key Vault before deploying the Sentinel solution, correct?
@aprakash13, can you please check on the Analytic rules, thanks.
@johnpcmatic : Please resolve the conflicts and the comments below.
1. For the logo, do not use illegal attributes (data-name, style, xmlns:link), and the SVG id should be a unique GUID.
2. In the solution input file, please change the highlighted contents below:
Please update the logo path and extension.
Please use version 2.0.0, and
please remove the Keyvault entry from the solution input file, as suggested by @v-sabiraj; can you please add the raw link of this file in the prerequisites of the playbooks if it is used there? Thanks.
3. For the workbook, please fix the errors below.
Please use "fromTemplateId" like the following:
Azure-Sentinel/Solutions/OracleWebLogicServer/Workbooks/OracleWorkbook.json
Once the above changes are done, please re-create the package with the V2 tool of solution packaging. Please find the guidelines for the same here.
@johnpcmatic : Please address the above comments.
Regarding the highlighted workbook activities, those sections are copied from the Microsoft Incident Overview workbook. I believe the tactics, owner and product name come from the selected incident so I'm not sure what I need to fix. Can you please let me know? Thanks!
@johnpcmatic, for creating the playbook ARM templates, kindly use the playbook ARM template generator tool to create the playbook template and then fill out all the necessary metadata.
Kindly check the link below for the ARM template generator: https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator
Kindly check the link below for reference on the metadata details: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-BlockIP-URL
And kindly create a readme.md file for both playbooks; kindly take the reference of the link below: https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ThreatXCloud/Playbooks/ThreatXPlaybooks/ThreatX-BlockIP-URL
@.***, thank you.
Is it typical to have to go through maintemplate.json and createUiDefinition.json and fix the errors manually? Most of the errors seem to be introduced by createSolutionV2.ps1 when it creates unreferenced variables.
On Thu, Jan 5, 2023 at 3:30 AM aprakash13 wrote:
aprakash13 requested changes on this pull request.
The query logic is simple and looks straightforward. However,
- For the sake of uniformity can we please have the analytic rule template's fields ordered to something similar to this: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic%20Rules/HighMatchCountsByDevice.yaml
- Please fix the validation errors that we are currently getting.
Hi @johnpcmatic , please resolve checks failed. Thank you.
To give a little additional context on the validation errors. Below are the errors that we are getting:
- "Errors: The name 'SuperShieldActivity' does not refer to any known table, tabular variable or function."
We probably need to define the schema of the SuperShieldActivity table here: https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables as json - read here https://github.com/Azure/Azure-Sentinel#pull-request-kql-validation-check
- Error: " In template NRTKnownBadProcess.yaml/ NRTUnknownProcess.yaml/ NRTAllowedProcess.yaml there was an error while parsing: Invalid data model. Missing required identifiers in 'EntityMappings' for type 'FileHash'. Required identifiers are one of the following combinations: Algorithm, Value, but found System.Exception with message "Invalid data model. Missing required identifiers in 'EntityMappings' for type 'FileHash'. Required identifiers are one of the following combinations: Algorithm, Value"
In the entity mapping of the analytical rule - we probably need to change how the FileHash entity type is mapped. It should be something similar to below where we have both the identifiers - Algorithm, Value
```yaml
- entityType: FileHash
  fieldMappings:
    - identifier: Value
      columnName: FileHashValue
    - identifier: Algorithm
      columnName: FileHashType
```
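A small pre-submission check that catches the two template problems discussed in this thread before the PR validation does: a FileHash entity mapping that carries only one of the two required identifiers (Algorithm and Value, the combination quoted in the validation error above), and rule fields nested under a "properties" key, which the PR author reported broke the V2 tool's YAML-to-JSON conversion. This is example code written for this page, not part of PR #6827 or of the Azure-Sentinel tooling. It takes the rule as the dict that yaml.safe_load() would return for the template (loading is left to the caller so the script needs no extra packages); the two sample rules, their name and their KQL text are constructed placeholders, and the required-identifier table holds only the FileHash combination stated in the thread.

```python
"""Pre-submission checks for a Microsoft Sentinel analytic rule template.

Added example; not part of PR #6827 or the Azure-Sentinel tooling.  The rule
is passed in as the dict that yaml.safe_load() would return for the template
(loading is left to the caller so this file runs without extra packages).
"""
from typing import Dict, FrozenSet, List

# Identifier combinations that satisfy the entity validator.  FileHash is the
# combination quoted in the PR's validation error; extend this table from the
# Sentinel entity documentation for other entity types (none are assumed here).
REQUIRED_IDENTIFIERS: Dict[str, List[FrozenSet[str]]] = {
    "FileHash": [frozenset({"Algorithm", "Value"})],
}


def check_entity_mappings(body: dict) -> List[str]:
    """Report entity mappings that would fail the template validator."""
    problems: List[str] = []
    for i, mapping in enumerate(body.get("entityMappings") or []):
        etype = mapping.get("entityType")
        fields = mapping.get("fieldMappings") or []
        for field in fields:
            if not field.get("identifier") or not field.get("columnName"):
                problems.append(
                    f"entityMappings[{i}] ({etype}): every fieldMapping needs "
                    f"both 'identifier' and 'columnName', got {field!r}")
        found = {f.get("identifier") for f in fields if f.get("identifier")}
        combos = REQUIRED_IDENTIFIERS.get(etype)
        if combos and not any(combo <= found for combo in combos):
            wanted = " or ".join("+".join(sorted(c)) for c in combos)
            problems.append(
                f"entityMappings[{i}] ({etype}): found identifiers "
                f"{sorted(found)}, required combination is {wanted}")
    return problems


def check_layout(rule: dict) -> List[str]:
    """Flag rule fields nested under 'properties' instead of at top level.

    The PR author reported that the NRT rules converted correctly only after
    the query data was moved out of a 'properties' key.
    """
    nested = rule.get("properties")
    if isinstance(nested, dict) and ("query" in nested or "entityMappings" in nested):
        return ["rule fields are nested under 'properties'; move them to the top level"]
    return []


def validate_rule(rule: dict) -> List[str]:
    """Run all checks and return the list of problems (empty means clean)."""
    problems = check_layout(rule)
    # Still inspect the nested body so the author sees every error in one pass.
    body = rule["properties"] if problems else rule
    if not body.get("query"):
        problems.append("missing 'query'")
    problems += check_entity_mappings(body)
    return problems


# Constructed samples mirroring the two failures discussed in the thread;
# the rule name and the KQL text are placeholders, not the PR's own rules.
BROKEN_RULE = {
    "name": "NRTKnownBadProcess",
    "kind": "NRT",
    "properties": {  # fields wrongly nested, as in the original conversion failure
        "query": "SuperShieldActivity | where Action == 'Blocked'",
        "entityMappings": [{
            "entityType": "FileHash",
            "fieldMappings": [{"identifier": "Value", "columnName": "FileHashValue"}],
        }],
    },
}

FIXED_RULE = {
    "name": "NRTKnownBadProcess",
    "kind": "NRT",
    "query": "SuperShieldActivity | where Action == 'Blocked'",
    "entityMappings": [{
        "entityType": "FileHash",
        "fieldMappings": [
            {"identifier": "Value", "columnName": "FileHashValue"},
            {"identifier": "Algorithm", "columnName": "FileHashType"},
        ],
    }],
}

if __name__ == "__main__":
    for label, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(label, validate_rule(rule) or "OK")
```

Run against the broken sample it reports both the nesting and the missing Algorithm identifier in one pass; the fixed sample comes back clean. Wiring `validate_rule` over every file under the solution's Analytic Rules folder before running createSolutionV2.ps1 avoids a round trip through the PR checks for these two classes of error.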
Thanks for making the changes. I still see a bunch of validation errors. Could you please look into these as well?
##[error]Content Validation check Failed: Please update text from 'Azure Sentinel' to 'Microsoft Sentinel' in file '.github/workflows/sentinel-deploy-fc73a920-ad71-42b0-ab9a-2cd8ed01205c.yml'
##[error]Incorrect Json file. File path: Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json. Error message: Unexpected string in JSON at position 166177
##[error]Error: File 'Solutions/PCMatic SuperShield/Data/Solution_PCMaticSuperShield.json' has a total of '1' broken hyperlinks. Please review and rectify the following hyperlinks: https://raw.githubusercontent.com/Azure-Sentinel/pcm-sentinel/Solutions/PCMatic%20SuperShield/Logo/pcmatic-green-outline.png
@johnpcmatic , please use the raw link of svg, and also check for the dimensions here.

@johnpcmatic, we are still waiting for the fix of the raw link; check for the dimensions here.
Please see below FYR.

Thank you. I thought that by updating the dimensions in the solution.json file it would update the createuidefinition.json file. I manually updated the createuidefinition.
On Tue, Jan 24, 2023 at 11:25 PM v-atulyadav wrote:
@johnpcmatic https://github.com/johnpcmatic, we are still waiting for the fix of the raw link; check for the dimensions here: https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Create-Azure-Sentinel-Solution/V2 (screenshot: https://user-images.githubusercontent.com/104008048/213972741-649dbaec-c4f7-4f67-be80-07db4bf9f47a.png)
Please see below FYR (screenshot: https://user-images.githubusercontent.com/104008048/214479632-4e92e706-d166-49e6-84ab-e3d7405b19b3.png)
Hi @johnpcmatic, I could see the following error when deploying the workbook. Could you please fix it? or you can paste screenshots of the working workbook here. Thanks.
Hi @johnpcmatic, waiting for your reply. Thanks.
Hi All,
Sorry, I have been pulled off onto another project temporarily. I will get back to this soon. Thanks!
On Tue, Feb 7, 2023 at 3:57 AM Manish Kumar wrote:
Manish Kumar commented on this pull request.
In Solutions/PCMatic SuperShield/Playbooks/RemoveProcess/readme.md https://github.com/Azure/Azure-Sentinel/pull/6827#discussion_r1098363428 :
IMPORTANT NOTE
- The following instructions apply only to the Logic Apps. For comprehensive, detailed instructions, please use the documentation at - PC Matic Sentinel Solution support documentation
+### Prerequisites +1. API credentials. To get API credentials, login into the PC Matic portal and navigate to Account Settings --> User Management. Click the 'Add User' button and create a new user with the 'API Credentials' user role. +3. [Important step]Store the API username and password as a secret in Key vault. Format the secret as a colon-separated pair, e.g. @.***:passw0rd.Provide the name of the stored secret during deployment. + +### Deployment instructions +1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard. + +[
](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPCMatic https://aka.ms/deploytoazurebutton)%5D(https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPCMatic SuperShield%2FPlaybooks%2FRemoveProcess%2Fazuredeploy.json) +[
](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPCMatic https://aka.ms/deploytoazuregovbutton)%5D(https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPCMatic SuperShield%2FPlaybooks%2FRemoveProcess%2Fazuredeploy.json) + +2. Fill in the required parameters:
- Keyvault name : Enter the key vault name where secret key is stored .
- PC Matic API Credentials Secret name : Your Key name for the stored api secret .
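Review bot: the Prerequisites list in this hunk is numbered 1 and then 3, so either a step went missing or the numbering is off; renumber or restore the missing step. The same hunk documents a "Keyvault name" parameter under "Fill in the required parameters", but, as the reviewer's screenshot shows, the deployment wizard never prompts for it; either add a key vault name parameter to azuredeploy.json (a name such as keyVaultName is only a suggestion) or drop that line from the readme so the two stay consistent. The secret-format example "@.***:passw0rd" embeds a sample credential in the readme text; a placeholder such as <username>:<password> says the same thing without inviting a copy-paste of a real pair. Finally, the two "Deploy to Azure" buttons have their image link and portal link run together (the encoded "%5D(" inside the URL is the tell), so they will not render; rebuild each as an image link wrapped in a portal link with the button image URL and the raw azuredeploy.json URL as separate targets.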
Same here, the Keyvault name is not getting asked. (screenshot: https://user-images.githubusercontent.com/97503740/217198315-bc0b6a25-8a10-455e-8c78-43e00dd28953.png)
Hi @johnpcmatic, please respond on above comments. Thanks
Hi @johnpcmatic, can you please assign someone who will take care of this PR?
Hi Atul,
I believe Sherry was closing this PR for now.
Hi Atul,
Sorry... I think I forgot to mention that PC Matic PR #6827 will need to be closed temporarily. They will reopen it when they have a bit more time.
Thanks, Sherry