Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License
4.52k stars, 2.97k forks

TrendMicro V1 Data Connector Filter Aggressive and Custom WB #10725

Closed. V1ManagedServices closed this 2 months ago

V1ManagedServices commented 3 months ago

Change(s):

V1ManagedServices commented 3 months ago

Working Images:

(5 screenshots attached)
V1ManagedServices commented 2 months ago

Hi @v-shukore, could you please let me know if you have any comments or updates? Thanks.

v-shukore commented 2 months ago

Hi @V1ManagedServices, thanks for your patience; I was on emergency leave, so I was not able to check on this. Will check and update.

v-shukore commented 2 months ago

Hi @V1ManagedServices, as you shared the data connector logs, could you please also share the successful function app invocation logs for the same, so that on that basis we can approve the changes mentioned in this PR. Thanks..!!

V1ManagedServices commented 2 months ago

Hi @v-shukore, we have added a new filter to filter out the new aggressive Workbench model and updated the new Zip file.

Here are the working images:

Data connector

(3 screenshots attached)

Invocations & logs for each function:

(12 screenshots attached)

Config

(1 screenshot attached)

Digested Logs

(4 screenshots attached)

Thanks.

v-shukore commented 2 months ago

Hi @V1ManagedServices, thanks for sharing the invocation logs with us; it looks great. As we can see there is a change to an analytic rule as well, so this solution needs to be repackaged. Please repackage the solution to commit the changes using the V3 tool; please find the link below. https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md Thanks..!!

v-shukore commented 2 months ago

Hi @V1ManagedServices, please update on the above comment.

Thanks..!!

V1ManagedServices commented 2 months ago


Hi, we have encountered some errors while repackaging the solution. I'll update once we are done, thanks!

V1ManagedServices commented 2 months ago


Hi @v-shukore, we have repackaged the solution using createSolutionV3.ps1.

Thanks!

v-shukore commented 2 months ago

Hi @V1ManagedServices

Thanks for the update.

v-shukore commented 2 months ago

Hi @V1ManagedServices, could you please resolve the failing validation checks. Thanks..!!

V1ManagedServices commented 2 months ago


Hi @v-shukore, we have encountered the "IDs Should Be Derived From ResourceIDs" error.

The invalid properties were generated by the script "createSolutionV3.ps1". We'd like to ask: should we manually modify the file "Package/mainTemplate.json", which is generated by executing createSolutionV3.ps1?

(1 screenshot attached)

(1 screenshot attached)

The validation errors, except the "IDs Should Be Derived From ResourceIDs" error, are fixed. Thanks.
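To make the failing check concrete: the validation named in the comment above complains when a property called id (or ending in Id/ID) is assembled from path fragments with concat(), or is a hard-coded string, instead of being produced by resourceId() and its relatives. The script below is an added example, not code from the Azure-Sentinel repository, the V3 packaging tool or the arm-ttk; it scans a mainTemplate.json for such properties so the offending locations can be found before re-running the real validation. The allow-list of functions, the property-name pattern and the treatment of the "[[" escape used in nested templates are assumptions that approximate the real test; the sample template is constructed here.

```python
"""Flag ARM-template ID properties that are not derived from resourceId()-style functions.

Added example, not code from the Azure-Sentinel repo or the arm-ttk. It approximates
the intent of the "IDs Should Be Derived From ResourceIDs" validation: a property named
id / *Id / *ID must be an ARM expression whose outermost function yields a resource ID
(or defers to a parameter/variable), not a concat() of path fragments or a literal.
"""
import json
import re
import sys

# Assumption: the real arm-ttk allow-list may differ; this covers the common cases.
ALLOWED_ID_FUNCS = frozenset({
    "resourceId", "subscriptionResourceId", "tenantResourceId",
    "extensionResourceId", "reference", "parameters", "variables", "guid", "if",
})

ID_NAME = re.compile(r"(?:^id|Id|ID)$")   # property names the check applies to (assumption)
EXPR = re.compile(r"^\[(.*)\]$", re.DOTALL)  # an ARM expression is wrapped in [ ... ]
FUNC = re.compile(r"^([A-Za-z]+)\s*\(")     # outermost function name of an expression


def is_derived_from_resource_id(value):
    """Return True when value is an ARM expression rooted in an allowed ID function."""
    if not isinstance(value, str):
        return False
    text = value.strip()
    # Nested templates (e.g. contentTemplates.properties.mainTemplate) escape their
    # expressions with a leading "[[" so the outer deployment leaves them alone;
    # unescape so the nested resources are checked too (assumption).
    if text.startswith("[["):
        text = text[1:]
    m = EXPR.match(text)
    if not m:
        return False  # plain literal such as "/subscriptions/.../alertRules/x"
    fn = FUNC.match(m.group(1).strip())
    return fn is not None and fn.group(1) in ALLOWED_ID_FUNCS


def find_bad_ids(node, path="$"):
    """Walk a parsed template; return JSONPath-style locations of offending ID properties."""
    bad = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if ID_NAME.search(key) and isinstance(val, str) and not is_derived_from_resource_id(val):
                bad.append(here)
            bad.extend(find_bad_ids(val, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            bad.extend(find_bad_ids(item, f"{path}[{i}]"))
    return bad


def check_template_text(text):
    """Parse mainTemplate.json text and return the list of offending locations."""
    return find_bad_ids(json.loads(text))


# Constructed sample (not taken from the PR): two analytic-rule content templates.
# The first builds its nested rule's "id" with concat() and should be flagged;
# the second derives it with resourceId() and should pass.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
            "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', variables('analyticRuleId1'))]",
            "properties": {
                "contentId": "[variables('analyticRuleId1')]",
                "mainTemplate": {"resources": [{
                    "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
                    "name": "[[variables('analyticRuleId1')]",
                    "id": "[[concat('/subscriptions/', subscription().subscriptionId, "
                          "'/resourceGroups/', resourceGroup().name, "
                          "'/providers/Microsoft.OperationalInsights/workspaces/', parameters('workspace'), "
                          "'/providers/Microsoft.SecurityInsights/alertRules/', variables('analyticRuleId1'))]",
                }]},
            },
        },
        {
            "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
            "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', variables('analyticRuleId2'))]",
            "properties": {
                "contentId": "[variables('analyticRuleId2')]",
                "mainTemplate": {"resources": [{
                    "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
                    "name": "[[variables('analyticRuleId2')]",
                    "id": "[[resourceId('Microsoft.OperationalInsights/workspaces/providers/alertRules', "
                          "parameters('workspace'), 'Microsoft.SecurityInsights', variables('analyticRuleId2'))]",
                }]},
            },
        },
    ]
})


if __name__ == "__main__":
    # Usage: python check_ids.py [Package/mainTemplate.json]; defaults to the built-in sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for loc in check_template_text(text):
        print(f"IDs Should Be Derived From ResourceIDs: {loc}")
```

Run against the generated Package/mainTemplate.json, the printed locations point at the properties to rewrite from concat() to resourceId(). Because the V3 tool regenerates mainTemplate.json, the durable fix is to correct the expression in the source content (the analytic rule or connector definition the tool reads) rather than hand-editing the package, or the next repackaging reintroduces the error.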

V1ManagedServices commented 2 months ago


Hi @v-shukore, in addition, we would like to ask if there is a pre-release build for testing purposes, in case the release has any errors.

Thanks.

v-shukore commented 2 months ago

Hi @V1ManagedServices,

You can upload the package in Partner Center and publish, but don't push the solution live.

Below the Go Live button, you will find preview links. You can use those links to test the content.

Thanks..!!

v-shukore commented 1 month ago

Hi @V1ManagedServices, hope this message finds you well. Just want to check: did you get a chance to push the 3.0.0 solution live to get the new release available in Content Hub? I can still see that the older version of the solution, 2.0.2, is the one available. Please let us know if you have any questions for us. Thanks!

V1ManagedServices commented 1 month ago


Hi @v-shukore, Thanks for getting back. According to the document (https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Create-Azure-Sentinel-Solution/V3/README.md), we've updated the Analytic Rule template version to 1.0.4 and generated the solution package using the createSolutionV3.ps1 script. This created a ZIP file named "3.0.0.zip" under the folder "Solutions/Trend Micro Vision One/Package". The validation for the package was also successful.

Our question is: Should we delete the older solutions or are there any additional steps required for publishing a solution? Thanks.

v-shukore commented 1 month ago

Hi @V1ManagedServices, as you packaged this solution using the V3 tool as 3.0.0, please publish this solution live to Partner Center. Please refer to the steps below to publish the solution live at version 3.0.0. https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/README.md#step-3--publish-your-solution. If you have any questions, feel free to contact/reach out to us. Thanks...!!