diff --git a/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json b/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json
index 82fe8947b30..63ee1824993 100644
--- a/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json
+++ b/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json
@@ -50,10 +50,11 @@
"azuresentinel.azure-sentinel-solution-paloaltopanos",
"vectraaiinc.vectra_sentinel_solution",
"watchguard-technologies.watchguard_firebox_mss",
- "zscaler1579058425289.zscaler_internet_access_mss"
+ "zscaler1579058425289.zscaler_internet_access_mss",
+ "illumioinc1629822633689.illumio_sentinel"
],
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Network Session Essentials",
- "Version": "3.0.4",
+ "Version": "3.0.5",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
diff --git a/Solutions/Network Session Essentials/Package/3.0.5.zip b/Solutions/Network Session Essentials/Package/3.0.5.zip
new file mode 100644
index 00000000000..f6b78210207
Binary files /dev/null and b/Solutions/Network Session Essentials/Package/3.0.5.zip differ
diff --git a/Solutions/Network Session Essentials/Package/createUiDefinition.json b/Solutions/Network Session Essentials/Package/createUiDefinition.json
index 2acf669d0ad..2a7235d4ad7 100644
--- a/Solutions/Network Session Essentials/Package/createUiDefinition.json
+++ b/Solutions/Network Session Essentials/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. 
Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 9, **Hunting Queries:** 7, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Network%20Session%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Network Session Essentials](https://aka.ms/NetworkSessionEssential) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n 17. 
IllumioSaaS \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 9, **Hunting Queries:** 7, **Watchlists:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
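Review bot: The `domain solution` link in the new `description` value is still an Outlook SafeLinks redirect (`nam06.safelinks.protection.outlook.com`) whose query string embeds a personal mailbox and tenant identifier and only resolves while that redirector exists; the real target is the public docs page encoded in its `url=` parameter. Replace it with the direct link, `[domain solution](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions)`. This description is presumably generated from the solution's source data, so the fix belongs there too, otherwise the next package build will reintroduce the redirect.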
diff --git a/Solutions/Network Session Essentials/Package/mainTemplate.json b/Solutions/Network Session Essentials/Package/mainTemplate.json
index df9133f422e..9a5cd1c3a52 100644
--- a/Solutions/Network Session Essentials/Package/mainTemplate.json
+++ b/Solutions/Network Session Essentials/Package/mainTemplate.json
@@ -49,7 +49,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Network Session Essentials",
- "_solutionVersion": "3.0.4",
+ "_solutionVersion": "3.0.5",
"solutionId": "azuresentinel.azure-sentinel-solution-networksession",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@@ -95,11 +95,11 @@
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','156997bd-da0f-4729-b47a-0a3e02dd50c8','-', '1.0.1')))]"
},
"analyticRuleObject6": {
- "analyticRuleVersion6": "1.0.3",
+ "analyticRuleVersion6": "1.0.4",
"_analyticRulecontentId6": "cd8faa84-4464-4b4e-96dc-b22f50c27541",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd8faa84-4464-4b4e-96dc-b22f50c27541')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd8faa84-4464-4b4e-96dc-b22f50c27541')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd8faa84-4464-4b4e-96dc-b22f50c27541','-', '1.0.3')))]"
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd8faa84-4464-4b4e-96dc-b22f50c27541','-', '1.0.4')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "1.2.7",
@@ -180,7 +180,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetworkSessionEssentials Workbook with template version 3.0.4",
+ "description": "NetworkSessionEssentials Workbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -324,10 +324,6 @@
"contentId": "MicrosoftSysmonForLinux",
"kind": "DataConnector"
},
- {
- "contentId": "PaloAltoNetworks",
- "kind": "DataConnector"
- },
{
"contentId": "AzureMonitor(VMInsights)",
"kind": "DataConnector"
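Review bot: This hunk drops the `PaloAltoNetworks` data connector from the dependency criteria and the next hunk (`@@ -357,11 +353,11 @@`) replaces `Fortinet` and `CiscoMeraki` with `CustomLogsAma` and `CefAma`, yet the 3.0.5 entry in ReleaseNotes.md only records adding the Illumio solution. If this is a deliberate move to the AMA-based connectors, it should be stated in the release note, e.g. `Replaced PaloAltoNetworks, Fortinet and CiscoMeraki connector references with CefAma/CustomLogsAma`; if it is a regeneration from a stale source list, the removed entries need restoring. The change alters which connectors the portal reports as required for this content, so it should be confirmed rather than shipped silently. The enclosing resource (presumably the workbook, judging by the surrounding template line numbers) starts and ends outside the hunk.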
@@ -357,11 +353,11 @@
"kind": "DataConnector"
},
{
- "contentId": "Fortinet",
+ "contentId": "CustomLogsAma",
"kind": "DataConnector"
},
{
- "contentId": "CiscoMeraki",
+ "contentId": "CefAma",
"kind": "DataConnector"
}
]
@@ -392,7 +388,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AnomalyFoundInNetworkSessionTraffic_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "AnomalyFoundInNetworkSessionTraffic_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -546,13 +542,13 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "Score": "score",
+ "AnomalyFieldValue": "anomalyFieldValue",
"AnomalyFieldType": "anomalyFieldType",
- "AnomalyFieldValue": "anomalyFieldValue"
+ "Score": "score"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Anomaly was observed with {{anomalyFieldValue}} Traffic",
- "alertDescriptionFormat": "Based on past data, anomaly was observed in {{anomalyFieldValue}} Traffic with a score of {{score}}."
+ "alertDescriptionFormat": "Based on past data, anomaly was observed in {{anomalyFieldValue}} Traffic with a score of {{score}}.",
+ "alertDisplayNameFormat": "Anomaly was observed with {{anomalyFieldValue}} Traffic"
}
}
},
@@ -607,7 +603,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Anomaly in SMB Traffic(ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Anomaly in SMB Traffic(ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -633,7 +629,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
- "requiredDataConnectors": [],
"tactics": [
"LateralMovement"
],
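Review bot: Removing the empty `requiredDataConnectors` array here, and again for the next rule in `@@ -737,7 +732,6 @@`, leaves these two analytic rules with no connector requirement at all, which sits oddly with the 3.0.4 release note stating that the missing AMA data connector reference was added to the analytical rules. If these rules are meant to depend on the AMA connectors like the rest of the solution, the array should be populated in the rule's YAML source rather than dropped; if they are intentionally connector-agnostic because they query the ASIM parser, a note to that effect in the source YAML would keep the packaging run from flip-flopping the property on each release. The enclosing rule definition starts and ends outside the hunk.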
@@ -646,13 +641,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"eventGroupingSettings": {
@@ -711,7 +706,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Remote Desktop Network Brute force (ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "Remote Desktop Network Brute force (ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -737,7 +732,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
- "requiredDataConnectors": [],
"tactics": [
"CredentialAccess"
],
@@ -746,13 +740,13 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"eventGroupingSettings": {
@@ -811,7 +805,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectPortMisuseByAnomalyBasedDetection_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "DetectPortMisuseByAnomalyBasedDetection_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -964,16 +958,16 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "DstPortNumber": "DstPortNumber",
"AllNetworkDirections": "NetworkDirections",
"AllNetworkProtocols": "NetworkProtocols",
- "AllDvcAction": "DvcActions"
+ "AllDvcAction": "DvcActions",
+ "DstPortNumber": "DstPortNumber"
},
"alertDetailsOverride": {
- "alertSeverityColumnName": "Severity",
- "alertDisplayNameFormat": "Detected {{Name}}",
"alertTacticsColumnName": "Tactic",
- "alertDescriptionFormat": "{{Description}}"
+ "alertDescriptionFormat": "{{Description}}",
+ "alertDisplayNameFormat": "Detected {{Name}}",
+ "alertSeverityColumnName": "Severity"
}
}
},
@@ -1028,7 +1022,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectPortMisuseByStaticThreshold_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "DetectPortMisuseByStaticThreshold_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1180,16 +1174,16 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
- "DstPortNumber": "DstPortNumber",
"AllNetworkDirections": "NetworkDirections",
"AllNetworkProtocols": "NetworkProtocols",
- "AllDvcAction": "DvcActions"
+ "AllDvcAction": "DvcActions",
+ "DstPortNumber": "DstPortNumber"
},
"alertDetailsOverride": {
- "alertSeverityColumnName": "Severity",
- "alertDisplayNameFormat": "Detected {{Name}}",
"alertTacticsColumnName": "Tactic",
- "alertDescriptionFormat": "{{Description}}"
+ "alertDescriptionFormat": "{{Description}}",
+ "alertDisplayNameFormat": "Detected {{Name}}",
+ "alertSeverityColumnName": "Severity"
}
}
},
@@ -1244,7 +1238,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NetworkPortSweepFromExternalNetwork_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "NetworkPortSweepFromExternalNetwork_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1382,8 +1376,13 @@
}
],
"tactics": [
+ "Reconnaissance",
"Discovery"
],
+ "techniques": [
+ "T1590",
+ "T1046"
+ ],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
@@ -1391,8 +1390,8 @@
"AllDstIpAddr": "set_DstIpAddr"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Network Port Sweep detected on {{DstPortNumber}}",
- "alertDescriptionFormat": "Network Port Sweep was detection by multiple IPs"
+ "alertDescriptionFormat": "Network Port Sweep was detection by multiple IPs",
+ "alertDisplayNameFormat": "Network Port Sweep detected on {{DstPortNumber}}"
}
}
},
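Review bot: The moved `alertDescriptionFormat` value on the new side still reads `Network Port Sweep was detection by multiple IPs`, which is the text analysts see on every incident this rule raises; it should be `"alertDescriptionFormat": "Network Port Sweep was detected by multiple IPs"`. Rule 6's version is already bumped to 1.0.4 in this commit, so correcting the string in the rule's YAML source now would land in the same package without a further bump. The enclosing rule definition starts outside the hunk.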
@@ -1447,7 +1446,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ExcessiveHTTPFailuresFromSource_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "ExcessiveHTTPFailuresFromSource_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1592,21 +1591,21 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
"NumberOfDenies": "Count"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Excessive number of failed connections from {{SrcIpAddr}}",
- "alertDescriptionFormat": "The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity."
+ "alertDescriptionFormat": "The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.",
+ "alertDisplayNameFormat": "Excessive number of failed connections from {{SrcIpAddr}}"
}
}
},
@@ -1661,7 +1660,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PortScan_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "PortScan_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1806,21 +1805,21 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
"AttemptedPortsCount": "AttemptedPortsCount"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Potential port scan from {{SrcIpAddr}}",
- "alertDescriptionFormat": "A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system."
+ "alertDescriptionFormat": "A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.",
+ "alertDisplayNameFormat": "Potential port scan from {{SrcIpAddr}}"
}
}
},
@@ -1875,7 +1874,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "PossibleBeaconingActivity_AnalyticalRules Analytics Rule with template version 3.0.4",
+ "description": "PossibleBeaconingActivity_AnalyticalRules Analytics Rule with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2021,33 +2020,33 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "SrcIpAddr"
+ "columnName": "SrcIpAddr",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
- "identifier": "Address",
- "columnName": "DstIpAddr"
+ "columnName": "DstIpAddr",
+ "identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
+ "FrequencyCount": "TotalSrcBytes",
"TotalDstBytes": "TotalDstBytes",
- "FrequencyTime": "MostFrequentTimeDeltaCount",
"DstPortNumber": "DstPortNumber",
- "FrequencyCount": "TotalSrcBytes"
+ "FrequencyTime": "MostFrequentTimeDeltaCount"
},
"alertDetailsOverride": {
- "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}",
- "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident."
+ "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.",
+ "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}"
}
}
},
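Review bot: The custom detail `"FrequencyCount": "TotalSrcBytes"` on the new side labels a byte-volume column as a frequency count, and `"FrequencyTime": "MostFrequentTimeDeltaCount"` pairs a time label with what its column name says is a count; the alert description in the same hunk tells analysts to read FrequencyTime and TotalDstBytes, so an investigator comparing the two Frequency values will be comparing bytes with occurrences. Unless the query aliases these columns differently from what their names suggest (the hunk does not show the query), the mappings look swapped or mislabeled; a plausible correction is `"TotalSrcBytes": "TotalSrcBytes"` and `"FrequencyCount": "MostFrequentTimeDeltaCount"`, with the actual delta exposed under `FrequencyTime`. The key reorder itself is generator noise, and the mapping presumably originates in the rule YAML, where the fix belongs.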
@@ -2102,7 +2101,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SummarizeData_NSE Playbook with template version 3.0.4",
+ "description": "SummarizeData_NSE Playbook with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@@ -3559,7 +3558,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Detect Outbound LDAP Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "Detect Outbound LDAP Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -3644,7 +3643,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectPortMisuseByAnomalyHunting_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "DetectPortMisuseByAnomalyHunting_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -3729,7 +3728,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectPortMisuseByStaticThresholdHunting_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "DetectPortMisuseByStaticThresholdHunting_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -3814,7 +3813,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "DetectsSeveralUsersWithTheSameMACAddress_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "DetectsSeveralUsersWithTheSameMACAddress_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -3895,7 +3894,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "MismatchBetweenDestinationAppNameAndDestinationPort_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "MismatchBetweenDestinationAppNameAndDestinationPort_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -3976,7 +3975,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Protocols passing authentication in cleartext (ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "Protocols passing authentication in cleartext (ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -4061,7 +4060,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Remote Desktop Network Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.4",
+ "description": "Remote Desktop Network Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.5",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -4159,7 +4158,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.4",
+ "version": "3.0.5",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Network Session Essentials",
@@ -4281,7 +4280,7 @@
{
"kind": "Watchlist",
"contentId": "[variables('_NetworkSession Monitor Configuration')]",
- "version": "3.0.4"
+ "version": "3.0.5"
},
{
"kind": "Solution",
@@ -4346,6 +4345,10 @@
{
"kind": "Solution",
"contentId": "zscaler1579058425289.zscaler_internet_access_mss"
+ },
+ {
+ "kind": "Solution",
+ "contentId": "illumioinc1629822633689.illumio_sentinel"
}
]
},
diff --git a/Solutions/Network Session Essentials/ReleaseNotes.md b/Solutions/Network Session Essentials/ReleaseNotes.md
index 64f1424dc36..9ff59ff1c50 100644
--- a/Solutions/Network Session Essentials/ReleaseNotes.md
+++ b/Solutions/Network Session Essentials/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------------------------|
+| 3.0.5 | 12-12-2024 | Added IllumioSaaS solution in a domain solution list |
| 3.0.4 | 03-06-2024 | Added missing AMA **Data Connector** reference in **Analytical rule** and **Hunting Query** |
| 3.0.3 | 12-03-2024 | Added 3 new **Hunting Queries** and 2 new **Analytic Rules** |
| 3.0.2 | 07-02-2024 | Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection)
Updated solution description |