Azure-Sentinel
BitSight Solution initial submission for certification.
Required items, please complete
Change(s):
- Added BitSight Solution for certification.
Reason for Change(s):
- New product
Version Updated:
- Initial version
Testing Completed:
- Yes
Checked that the validations are passing and have addressed any issues that are present:
- Yes
@jayeshprajapaticrest, can you please remove the keys in analytic rules which are empty, thanks.
@v-sabiraj I have removed the empty keys from JSON and updated solution accordingly. Let me know if anything is required.
One request: can you please take this PR on priority, as we need this solution public as soon as possible?
@jayeshprajapaticrest, can you please fix the validation errors, thanks.
@v-sabiraj I have fixed the validation errors. Can you further proceed with the PR merge? Let me know if any other changes are required.
@devikamehra, can you please check on the Analytic Rules and approve. Thanks.
Hi @devikamehra could you please check analytic rules, thanks!
There are multiple issues which are common to all the queries
- Improve the Name and Description of rules.
- queryPeriod and lookback time do not match
- Tactic and techniques are missing
- All queries are HIGH in severity. Please divide them amongst different severity levels.
- There are no Entity or custom details which are getting matched. Try matching at least one entity wherever possible.
@devikamehra We have fixed all the above common changes in all the Analytics rules. So please confirm and let me know if any other changes are required from our end. Thanks
@jayeshprajapaticrest, will check on other things, thanks.
Hi @jayeshprajapaticrest, please check comments above and act accordingly. Thanks
@v-atulyadav @devikamehra Will check the above and fix it. Thanks
@devikamehra Regarding the WorFromHome Analytics rule related question. We have understood your concern, but the actual use case of this analytic rule is as below,
- We are using this analytic rule as a sample rule for the users.
- We have mapped the "Src" field of the ASIM network session parser to the customDetails field of the analytic rule with the name "ip_address".
- The user will add one automation rule after deployment of this analytic rule to run a workflow, and that workflow will use our mapped field "ip_address" to fetch the data of BitSight.
- Also, the workflow will store that fetched BitSight data in the Log Analytics workspace and will display the data in the workbook.
Also, by default this rule will be disabled, and if the user wants the network session data from every configured source which only has High EventSeverity, then the user can modify the query of this analytic rule and can access our connected workflow as explained above.
Let me know if you have any questions related to this. Thanks.
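The mapping described in the comment above (parser field exposed as the custom detail `ip_address`, an entity mapping for the reviewers' entity requirement, and the tactic spelled `CommandAndControl` as the repo validation expects) can be written as a Sentinel scheduled analytic rule template. This is an added illustration, not the BitSight solution's own rule or any file from this PR: the rule name, description, GUID placeholder, the `T1071` technique and the one-hour window are assumptions, and the query uses the ASIM `_Im_NetworkSession` parser's canonical `SrcIpAddr` column (the comment refers to it by its `Src` alias).

```yaml
# Added example of the customDetails / entity mapping described in the PR discussion.
# Not the BitSight solution's own rule. The id is a placeholder; name, description,
# technique and time window are assumptions.
id: 00000000-0000-0000-0000-000000000000   # placeholder: generate a fresh GUID per rule
name: BitSight - Source of high severity network sessions (sample rule)
description: |
  Sample rule that surfaces the source address of high severity network sessions
  seen by the ASIM NetworkSession parser. The address is exposed as the custom
  detail "ip_address" so an automation rule can pass it to a playbook that fetches
  BitSight data for it and stores the result in the Log Analytics workspace.
severity: Medium
status: Available
requiredDataConnectors: []
# queryPeriod and the ago() lookback in the query are kept equal, as the review asked.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  _Im_NetworkSession(starttime=ago(1h), endtime=now())
  | where EventSeverity == "High"
  | where isnotempty(SrcIpAddr)
  // one row per source/destination pair keeps the playbook fan-out bounded
  | summarize SessionCount = count(), LastSeen = max(TimeGenerated)
      by SrcIpAddr, DstIpAddr, DstPortNumber
  | project-rename ip_address = SrcIpAddr
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ip_address
customDetails:
  ip_address: ip_address
  destination_ip: DstIpAddr
  destination_port: DstPortNumber
  session_count: SessionCount
version: 1.0.0
kind: Scheduled
```

Whether the rule is enabled or disabled on deployment is a property of the packaged ARM resource, not of this YAML template. Filtering on `EventSeverity == "High"` and summarizing per source address before exposing `ip_address` is what keeps an automation rule from invoking the enrichment playbook once per raw session row, which is the cost and noise concern a reviewer raises about triggering a playbook for every source IP.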
Hi @jayeshprajapaticrest, please check comments above and act accordingly. Thanks
@v-atulyadav @devikamehra We have fixed/updated the changes as suggested above. Can you please review and let us know if any further changes are required?
Request: can you please take this PR on priority to expedite the process? Thanks.
Hi @devikamehra, suggested changes fixed by @jayeshprajapaticrest please have a look. Thanks,
@jayeshprajapaticrest Thank you for explaining this scenario. I understand your concern here, but firing a playbook for all the SrcIps will still be a problematic thing. In case we require to fetch IP related information, let's trigger this information for the remaining BitSight alerts wherever possible.
@devikamehra @v-atulyadav A gentle request to please provide a final list of changes covering everything related to the analytic rules in one go, so I can resolve them at once and we can hasten the merging process.
@v-atulyadav Please get the other components reviewed. I have reviewed the analytical query.
@jayeshprajapaticrest, can you fix the "Command And Control" to "CommandAndControl", also please check on the other comments.
@v-sabiraj We have fixed the changes suggested above. Thanks
Hello @v-sabiraj please look into this
@v-prasadboke @v-sabiraj Is there any update on this PR approval? We need this solution available in the Azure Marketplace as early as possible.
Hi @jayeshprajapaticrest, please check below comments.
- Metadata should not be in this path; you should update the metadata in "Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json". Remove the metadata folder from this solution.
- The images should be in the Preview folder, which can be found at Workbooks/Images/Preview. The screenshot below is for your reference.
@v-atulyadav I have completed the changes as suggested above. Thanks. Can you please proceed with the PR approval related process?
Hi @jayeshprajapaticrest, can you please fix the validations?
@v-rbajaj Done with fixing the validations. Can you please proceed with it?
@v-atulyadav We have fixed the validation issues. So can you please proceed with merging the PR as early as possible from your end, so we can get our solution publicly available.
Hello @v-sabiraj please provide your feedback on this
Hello @jayeshprajapaticrest looking into this
@v-prasadboke @v-atulyadav We are done with all the changes and the validation fixes. So can you please expedite the process so we can get the solution available in the Azure Marketplace as early as we can.
Hi @jayeshprajapaticrest, thanks for your response; we will expedite the process.
hello @jayeshprajapaticrest the tables don't exist by their name after ingesting the sample data.
Had to rewrite it as BitSightGraphData_CL, but still it doesn't retrieve the data.
Same is the case with BitSightFindingData.