
Improved BloodHound Enterprise Solution #11445

Merged
merged 71 commits into from
Dec 3, 2024

Conversation

daviditkin
Contributor

Required items, please complete

Change(s):

  • DCR custom table schema changed to reflect additional information now available from BloodHound.
  • Function App now schedules a golang executable that is a connector to BloodHoundEnterprise
  • New Workbooks based on additional information now available from BloodHound
  • Alert rules modified to reflect modifications to schema

Reason for Change(s):

  • New approach to integrating with BloodHoundEnterprise. New endpoints, golang connector.
  • Additional Workbooks based on new data available from BloodHoundEnterprise

Version Updated:

  • Solution updated from 3.0.0 to 3.1.0
  • Alert Rules updated from 1.0.x to 1.1.0 to reflect modification to schema

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Need Help

Note: I have run the Test-AzTemplate and it runs without error.
I cannot run the KQL validation scripts; I keep getting DLL/version issues, and I need help with that test.

ghodum and others added 30 commits October 24, 2024 14:30
…not using persisted timestamp yet so it will duplicate log records. handler is now function.
…resources. Removed Parsers files, Parsers array in Solution already empty.
@daviditkin daviditkin requested a review from a team as a code owner November 22, 2024 16:23
@daviditkin
Contributor Author

Hello @daviditkin, Please create a custom schema table named as BloodHoundLogs_CL at location https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

Please add workbook metadata to https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

Make sure the function app zip is updated with all the libraries and functions. Also, do share working images of the function app.

Hey @v-prasadboke, thanks for your help. I'm still getting validation errors, but a different set this time. Any help would be appreciated.

Contributor

please add workbook images file name in the properties

@daviditkin
Contributor Author

@v-prasadboke Thanks for your help. The PR now passes the first set of automated tests.

If you see anything that looks like it can be improved please let me know.

I still have some questions to make sure what I've done is correct:

  1. There are a bunch of resource id errors in mainTemplate.json that I have corrected by hand before adding it to the zip file. I am correcting them with this kind of modification:

"workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
"_workbookcontentProductId1": "[variables('workbookcontentProductId1')]",

  2. Is sample data required for the PR? I've not added it.

@v-prasadboke
Contributor

Hello @daviditkin, Can you share invocation logs images for the Function app

@daviditkin
Contributor Author

Hello @daviditkin, Can you share invocation logs images for the Function app

Hey @v-prasadboke, I'm not sure where you want me to put the images. Here is a log from test runs I just did. Let me know if I should put screenshots into my solution's directory or somewhere else. I'm not sure where this screenshot should be placed.

BloodHound Function App Invocation Logs

@v-atulyadav v-atulyadav merged commit 4a082e8 into Azure:master Dec 3, 2024
34 checks passed