Improved BloodHound Enterprise Solution

Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.

https://azure.microsoft.com/en-us/services/azure-sentinel/

MIT License

4.62k stars 3.03k forks source link

Improved BloodHound Enterprise Solution #11445

Open daviditkin opened 1 week ago

daviditkin commented 1 week ago

Required items, please complete

Change(s):

DCR custom table schema changed to reflect additional information now available from BloodHound.
Function App now schedules a golang executable that is connector to BloodHoundEnterprise
New Workbooks based on additional information now available from BloodHound
Alert rules modified to reflect modifications to schema

Reason for Change(s):
New approach to integrating with BloodHoundEnterprise. New endpoints, golang connector.
Additional Workbooks based on new data available from BloodHoundEnterprise

Version Updated:
Solution updated from 3.0.0 to 3.1.0
Alert Rules updated from 1.0.x to 1.1.0 to reflect modification to schema

Testing Completed:
Yes

Checked that the validations are passing and have addressed any issues that are present:
Need Help

Note: I have run the Test-AzTemplate and it runs without error.
I can not run the kql validation scripts I keep getting dll/version issues and I need help with that test.

daviditkin commented 5 days ago

In https://github.com/Azure/Azure-Sentinel/pull/11445 I see many kql validation errors.

I need some help understanding why these are validation issues. Obviously the custom table is not being referred to / defined correctly, but the Solution when tested does work.

For example in the logs I'm seeing:

Kqlvalidations.Tests.KqlValidationTests.Validate_DetectionQueries_HaveValidKql(fileName: "BloodHoundEnterpriseExposure.yaml", encodedFilePath: "L2hvbWUvdnN0cy93b3JrLzEvcy9Tb2x1dGlvbnMvQmxvb2RIb3"...)

Template Id: b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8 is not valid in Line: 1 col: 1
                    Errors: The name 'BloodHoundLogs_CL' does not refer to any known table, tabular variable or function., Code: 'KS204', Severity: 'Error', Location: '0..17'
Expected: True
Actual:   False

there are many more issues but I am starting here. Thanks.

v-prasadboke commented 4 days ago

Hello @daviditkin, Please create a custom schema table named as BloodHoundLogs_CL at location https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

Please add workbook metadata to https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

Make sure function app zip is updated with all the libraries and functions Also do share working images of function app

daviditkin commented 3 days ago

Hello @daviditkin, Please create a custom schema table named as BloodHoundLogs_CL at location https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables

Please add workbook metadata to https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

Make sure function app zip is updated with all the libraries and functions Also do share working images of function app

Hey @v-prasadboke , thanks for you help. I still getting validation errors, but a different set this time. Any help would be appreciated.