Jamf protect for Microsoft Sentinel v2.1

Open txhaflaire opened this issue 3 years ago • 10 comments

Required items, please complete

Change(s):

  • Updated Jamf Protect Workbook including Endpoint Telemetry and Network Event Stream
  • Added 3 new Analytic Rule templates

Reason for Change(s):

  • Mapping Jamf Protect features into Jamf Protect for Microsoft Sentinel
  • Expanding the Jamf Protect for Microsoft Sentinel solution with Analytic Rules for Incident creation

Version Updated:

  • No
  • 3 new Analytic Rule templates, starting with version 1.0.0

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

txhaflaire avatar Dec 22 '22 13:12 txhaflaire

@txhaflaire: Please resolve the below validation errors. Please remove the below content from the workbook. We couldn't see the changes related to Analytics rules in the Main template. Please re-create the package again and add the analytics content correctly in the solutioninput file.

v-spadarthi avatar Dec 23 '22 10:12 v-spadarthi

@v-spadarthi Fixed both workbooks and Analytic Rules. Please review 👍

txhaflaire avatar Dec 23 '22 12:12 txhaflaire

@txhaflaire: Please fix the validation errors.

v-spadarthi avatar Dec 26 '22 05:12 v-spadarthi

@v-spadarthi @aprakash13 Please review the following.

In this failed validation it seems that Value is not being recognized, but it's actually an existing value. **Seems to be fixed now.**

It fails with the fact that the jamfprotect_CL table is not being recognized, but it's because it's a custom table created via the IngestionAPI. **Fixed by adding CustomTables for jamfprotect_CL in the kqlvalidations folder, no review required.**

txhaflaire avatar Dec 27 '22 10:12 txhaflaire

For the sake of uniformity can we please have the analytic rule template's fields ordered to something similar to this: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AristaAwakeSecurity/Analytic%20Rules/HighMatchCountsByDevice.yaml

They seem to be missing the mandatory fields like requiredDataConnectors, connectorId and dataTypes. Could we please include them as well?

Also, please fix the validation issues that are currently present. Feel free to reach out if help is needed. Thanks.

@v-spadarthi @aprakash13 Added the missing mandatory fields and changed the fields order to match the example. Please review the validation errors as they are not related to the Analytics Rules in this PR.

Thanks in advance!

txhaflaire avatar Dec 30 '22 12:12 txhaflaire

@v-spadarthi @aprakash13 Added a valid and working Data Connector as well; please review the KQLValidations as the errors are not related to this particular PR. 2.1.0.zip works as expected when uploading to Partner Center and testing it in Preview mode.

txhaflaire avatar Jan 02 '23 14:01 txhaflaire

@v-spadarthi @aprakash13 @v-mchatla tagging all of you to check if there is availability to help out on this PR or either https://github.com/Azure/Azure-Sentinel/pull/7020

txhaflaire avatar Jan 04 '23 09:01 txhaflaire

Thanks for making the changes. Looking into the KQL validation errors.

aprakash13 avatar Jan 05 '23 08:01 aprakash13

Hi @aprakash13, any progress on the KQL validation errors? Thanks.

v-atulyadav avatar Jan 11 '23 05:01 v-atulyadav

Hi @aprakash13 @v-dvedak Any progress on the KQLValidation errors? Anything I can do to speed up the process?

txhaflaire avatar Jan 12 '23 14:01 txhaflaire

Hi @txhaflaire, we're looking for someone who can help us with our KQL validations. Please give us some time to resolve this issue. Thanks.

v-atulyadav avatar Jan 20 '23 03:01 v-atulyadav

Hi @txhaflaire, can you please brief us on why the crowdstrike Maintemplate.json is included in this PR? If it is not required, please delete this file.

I would also like to request a sample data set, as the workbook query fails, or you can paste screenshots of the working workbook here.

v-atulyadav avatar Jan 23 '23 10:01 v-atulyadav

@v-atulyadav Removed the CrowdStrike Maintemplate. (That file accidentally made it into my PR.)

Herewith the screenshots as attached; there is already sample data located at https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/JamfProtectExampleData.csv

txhaflaire avatar Jan 23 '23 10:01 txhaflaire

Hi @txhaflaire, it has been determined that the validation is failing in data connector because a custom blank array is defined. Could you please remove the following blank property from data connector and repackage the solution?

v-atulyadav avatar Jan 24 '23 06:01 v-atulyadav

Hi @v-atulyadav First of all, thank you for all your amazing help. I have removed the blank array and re-created the package. See commit https://github.com/Azure/Azure-Sentinel/pull/6953/commits/69d161e6e9fbcec517106a55fbc0adcc73808c0c

Thanks!

txhaflaire avatar Jan 24 '23 08:01 txhaflaire

Hi @txhaflaire, could you please check whether we removed or assigned some values to the blank properties in the analytic rule below. Also repackage after this change. Thanks

v-atulyadav avatar Jan 24 '23 09:01 v-atulyadav

@v-atulyadav That did the trick, removing those blank pairs. (I could not find this myself in the ARM-TTK error logs, apologies!)

txhaflaire avatar Jan 24 '23 13:01 txhaflaire

@devikamehra Are you able to provide me with an update?

txhaflaire avatar Jan 30 '23 10:01 txhaflaire

@v-atulyadav Could you review and approve / merge if all reviews have been passed?

txhaflaire avatar Jan 30 '23 17:01 txhaflaire

@devikamehra Thanks for all your reviewing! I have resolved your latest comments.

txhaflaire avatar Jan 31 '23 15:01 txhaflaire

@devikamehra @v-dvedak @aprakash13 Please provide me with an update. This PR has already been running since the 22nd of December.

txhaflaire avatar Feb 02 '23 11:02 txhaflaire

@txhaflaire Only one change. Also, just a quick check, you removed tactics in the last commit. Can we add it back? Remember the tactics are MITRE tactics without spaces.

devikamehra avatar Feb 02 '23 15:02 devikamehra

@devikamehra For JamfProtectAlerts.yaml and JamfProtectNetworkThreats.yaml alertTacticsColumnName is populated.

Can we use values from the query in the tactics?

txhaflaire avatar Feb 02 '23 15:02 txhaflaire
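As an added example (not the Azure-Sentinel repository's own validation tooling), a small Python lint that checks an analytic rule template for the points raised in this thread: the mandatory requiredDataConnectors with connectorId and dataTypes, MITRE tactics written without spaces, and blank properties of the kind that failed ARM-TTK above. The rule dicts stand in for the parsed YAML and are constructed samples; the GUID and connectorId are placeholders.

```python
from typing import Any


def find_blank_properties(node: Any, path: str = "") -> list[str]:
    """Return dotted paths of properties whose value is "", [] or {}."""
    blanks: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if value in ("", [], {}):
                blanks.append(child)
            else:
                blanks.extend(find_blank_properties(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            blanks.extend(find_blank_properties(item, f"{path}[{i}]"))
    return blanks


def lint_rule(rule: dict) -> list[str]:
    """Flag the review points from the thread on one rule template."""
    problems: list[str] = []
    connectors = rule.get("requiredDataConnectors")
    if not connectors:
        problems.append("missing mandatory field: requiredDataConnectors")
    for i, conn in enumerate(connectors or []):
        for field in ("connectorId", "dataTypes"):
            if not conn.get(field):
                problems.append(f"requiredDataConnectors[{i}] missing {field}")
    for tactic in rule.get("tactics") or []:
        if " " in tactic:  # MITRE tactics are written without spaces
            problems.append(f"tactic '{tactic}' contains a space")
    problems.extend(f"blank property: {p}" for p in find_blank_properties(rule))
    return problems


# Constructed sample showing every issue raised in the thread; the GUID and
# connectorId are placeholders, not values taken from the PR.
BAD_RULE = {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "Jamf Protect - Alerts",
    "requiredDataConnectors": [{"connectorId": "JamfProtect", "dataTypes": []}],
    "tactics": ["Initial Access", "Execution"],
    "query": "jamfprotect_CL | where isnotempty(TimeGenerated)",
    "customDetails": {},  # blank object of the kind that failed ARM-TTK
}

# The same rule after the fixes discussed above.
GOOD_RULE = {k: v for k, v in BAD_RULE.items() if k != "customDetails"}
GOOD_RULE["requiredDataConnectors"] = [
    {"connectorId": "JamfProtect", "dataTypes": ["jamfprotect_CL"]}]
GOOD_RULE["tactics"] = ["InitialAccess", "Execution"]
```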

@v-spadarthi @v-atulyadav Please validate if all the fields are getting mapped in deployment. @txhaflaire Please make sure the package is updated with all the changes before we test.

devikamehra avatar Feb 02 '23 17:02 devikamehra

@v-atulyadav Alright, I will add the 2.0.0 package in the repository. Are we sure we want to use 2.0.1? It includes major updates and added Analytic Rules and a Data Connector, which were not in 2.0.0. If possible, 2.1.0 makes more sense; then, if there are minor tweaks to the existing package, 2.1.1 or 2.0.1 would indeed make sense.

txhaflaire avatar Feb 06 '23 07:02 txhaflaire

Hi @txhaflaire, I am not able to see the 2.0.0 zip file in this PR. Please guide me on this.

v-atulyadav avatar Feb 07 '23 03:02 v-atulyadav

@v-atulyadav If you review the files changed for the last commit it will show up. I'm guessing it's not showing up as the file itself has not been changed compared to the one in the repo itself.

txhaflaire avatar Feb 07 '23 07:02 txhaflaire

Hi @txhaflaire, thanks for your clarification on the above. Can you please explain why ispreview:true is set in the data connector availability, since this property is always set to false in the solution?

v-atulyadav avatar Feb 07 '23 07:02 v-atulyadav

@v-atulyadav Changed isPreview in DataConnector from true to false, updated package.

txhaflaire avatar Feb 07 '23 08:02 txhaflaire

@v-atulyadav Good morning / afternoon / evening! Any other changes required from my side to have the PR merged?

txhaflaire avatar Feb 08 '23 07:02 txhaflaire