Updating 'SonicWall Firewall' Solution to version 3.1.0
Change(s):
- Updating 'SonicWall Firewall' Solution to version 3.1.0
- Adding Analytic Rules, a Hunting Query, and a Workbook.
Reason for Change(s):
- Submitting parsers and other content to the repository.
Version Updated:
- Yes. Updating to version 3.1.0. Added 2 Analytic Rules, 1 Hunting Query, and 1 Workbook.
Testing Completed:
- Yes
Checked that the validations are passing and have addressed any issues that are present:
- Yes
Hello @jaimeesc,
- Please resolve the validation error for AllowedInboundSSHTelnetRDPConnections.
- Please add a custom table at '.script/tests/KqlvalidationsTests/CustomTables' and '.script/tests/KqlvalidationsTests/CustomFunctions' with the name ASimNetworkSessionSonicWallFirewall. You can refer to any of the tables in that folder for more clarification.
Thanks for your response! Just one question I haven't found an answer to. Should I get the schema from the parser and include all columns (even default ones), or custom columns? The examples seem to have examples of both.
The validations failed, and the failure seems unrelated to the changes since the last validation run. Going to try closing/re-opening the PR to kick off the validations again.
Hello @jaimeesc, I am seeing this kind of Validation error for the first time. Please lend me some time to examine it.
Yes, columns used in the parsers should be added to the table. The validation errors are visible now; please have a look.
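For readers following the exchange above, this is an added illustration of the shape a custom table definition under .script/tests/KqlvalidationsTests/CustomTables takes, so the KQL validator knows which columns a query against ASimNetworkSessionSonicWallFirewall may reference. It is not the file from this PR or from the Azure-Sentinel repository; the column list is an assumed subset of the ASIM Network Session schema fields such a parser typically emits, and the real file must list every column the parser actually outputs and the queries actually use.

```json
{
  "Name": "ASimNetworkSessionSonicWallFirewall",
  "Properties": [
    { "Name": "TimeGenerated",      "Type": "DateTime" },
    { "Name": "EventStartTime",     "Type": "DateTime" },
    { "Name": "EventEndTime",       "Type": "DateTime" },
    { "Name": "EventCount",         "Type": "Int" },
    { "Name": "EventType",          "Type": "String" },
    { "Name": "EventResult",        "Type": "String" },
    { "Name": "EventVendor",        "Type": "String" },
    { "Name": "EventProduct",       "Type": "String" },
    { "Name": "EventSchema",        "Type": "String" },
    { "Name": "EventSchemaVersion", "Type": "String" },
    { "Name": "Dvc",                "Type": "String" },
    { "Name": "DvcIpAddr",          "Type": "String" },
    { "Name": "DvcHostname",        "Type": "String" },
    { "Name": "DvcAction",          "Type": "String" },
    { "Name": "SrcIpAddr",          "Type": "String" },
    { "Name": "SrcPortNumber",      "Type": "Int" },
    { "Name": "DstIpAddr",          "Type": "String" },
    { "Name": "DstPortNumber",      "Type": "Int" },
    { "Name": "NetworkProtocol",    "Type": "String" },
    { "Name": "NetworkDirection",   "Type": "String" },
    { "Name": "NetworkBytes",       "Type": "Long" }
  ]
}
```

The validator only needs to resolve the names and types a query touches, so a column that is missing from this list will surface as an unknown-column validation error for any analytic rule, hunting query or workbook query that references it; conversely, listing columns the parser never produces hides real mistakes in the queries. The reviewer also asked for the same name under CustomFunctions, since the parser is invoked as a function rather than read as a raw table.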
Hello @jaimeesc, All checks are green. I'll review this PR and get back to you by 26 December, 2023.
Hello @jaimeesc, can you share sample data to test the content of the solution.
Hello @jaimeesc, please share the sample data and add workbook metadata to this file https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json
Hello @jaimeesc, can you please share the sample data and add the workbook metadata to the same.
My apologies for the delay. The sample data is in the PR for the ASIM parser. https://github.com/Azure/Azure-Sentinel/pull/9592
I will add the sample data to this PR as well.
I assume I need to duplicate and include the workbook JSON file as well? I did not see any other entries in the metadata file that pointed to the Solutions folder.
I see all validations passed. Should be good to go. What happens next?
Hello @jaimeesc, Thanks for committing the required changes. I'll take a look at it and come back to you by 08 January, 2024.
Hello @jaimeesc, There is no such parser at the location mentioned in the Hunting Query description.
Hi,
I was asked to split the parsers into different PRs, so this PR does not contain the parsers. https://github.com/Azure/Azure-Sentinel/pull/9592 https://github.com/Azure/Azure-Sentinel/pull/9593
I guess we would have to get the above-mentioned PRs merged first. The solution gets deployed, but as these parsers have not yet been tested by the respective reviewers of the above PRs, we cannot proceed with this one.
Any chance you can help look at the other 2 PRs? I haven't received a response and they've been validated for much longer than this one :).
Sure @jaimeesc, I'll ask the respective reviewer.
Just a quick FYI. I am making the recommended changes on the other PRs. I'll be updating this one as well to reflect some differences in the parsers.
Sure @jaimeesc, No worries
I'm working on some updates to the queries since I've made some large changes to the parsers in my other 2 PRs. I'll be updating this PR soon.
More changes coming... I'm updating the queries in the workbook in accordance with the parser updates. I will also look at the WorkbooksMetadata.json conflict.
Thanks for the update @jaimeesc
Hello @jaimeesc, It's been a long time since we last heard from you. Can you please share any updates regarding the commits?
Hello. Per my conversation with Atul Yadav, we're focusing on one PR at a time as each PR will have many of the same points to address. I updated https://github.com/Azure/Azure-Sentinel/pull/9592 last week. Hopefully we're close to accepting that one so I can move on to the next.
If it's OK, can you move this PR to draft state?
Thank you @jaimeesc for moving this PR to draft state
The Network Session and Web Session PRs have been updated. I'll update this PR soon.
SonicWall's Network Session parser has merged. I'm waiting for review on the Web Session parser PR. The Analytic Rules and Hunting Queries in this PR use either CommonSecurityLog or the ASimNetworkSessionSonicWallFirewall parser. FYI, the Workbook has queries that use the Web Session parser, so we may see an error validating that.
I replaced the contents of my WorkbooksMetadata.json file with the current master's contents. I then added my changes to the file. There should not be a conflict.
