Merge pull request Azure#13600 from versasec/master

Required analysis rule added to Versasec CMS Solution

Author: v-dvedak

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsErrorLogs.json

@@ -0,0 +1,57 @@
+{
+    "Name": "VersasecCmsErrorLogs",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+        {
+            "name": "EventVendor",
+            "type": "string"
+        },
+        {
+            "name": "EventProduct",
+            "type": "string"
+        },
+        {
+            "name": "CmsErrorID",
+            "type": "real"
+        },
+        {
+            "name": "ErrorCode",
+            "type": "string"
+        },
+        {
+            "name": "CmsErrorIDStrg",
+            "type": "string"
+        },
+        {
+            "name": "ErrorId",
+            "type": "real"
+        },
+        {
+            "name": "ComputerName",
+            "type": "string"
+        },
+        {
+            "name": "ClientId",
+            "type": "string"
+        },
+        {
+            "name": "ErrorMessage",
+            "type": "string"
+        },
+        {
+            "name": "TargetUsername",
+            "type": "real"
+        },
+        {
+            "name": "SupportTicket",
+            "type": "string"
+        },
+        {
+            "name": "TicketReference",
+            "type": "string"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsErrorLogs_CL.json

@@ -0,0 +1,39 @@
+{
+    "Name": "VersasecCmsErrorLogs_CL",
+    "Properties": [
+		{
+            "name": "TimeGenerated",
+            "type": "datetime"
+        }, {
+            "name": "CmsErrorID",
+            "type": "real"
+        }, {
+            "name": "CmsErrorIDCode",
+            "type": "string"
+        }, {
+            "name": "CmsErrorIDStrg",
+            "type": "string"
+        }, {
+            "name": "ID",
+            "type": "real"
+        }, {
+            "name": "ComputerName",
+            "type": "string"
+        }, {
+            "name": "CLID",
+            "type": "string"
+        }, {
+            "name": "ErrorStrg",
+            "type": "string"
+        }, {
+            "name": "UserID",
+            "type": "real"
+        }, {
+            "name": "SupportTicket",
+            "type": "string"
+        }, {
+            "name": "TicketRef",
+            "type": "string"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsSysLogs.json

@@ -0,0 +1,53 @@
+{
+    "Name": "VersasecCmsSysLogs",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+		{
+            "name": "EventVendor",
+            "type": "string"
+        },
+		{
+            "name": "EventProduct",
+            "type": "string"
+        },
+        {
+            "name": "EventId",
+            "type": "real"
+        },
+        {
+            "name": "EventResult",
+            "type": "string"
+        },
+        {
+            "name": "ActivitySummary",
+            "type": "string"
+        },
+        {
+            "name": "SyslogID",
+            "type": "real"
+        },
+        {
+            "name": "ComputerName",
+            "type": "string"
+        },
+        {
+            "name": "TargetUsername",
+            "type": "string"
+        },
+        {
+            "name": "Parameter",
+            "type": "string"
+        },
+        {
+            "name": "UserID",
+            "type": "real"
+        },
+        {
+            "name": "TicketReference",
+            "type": "string"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/VersasecCmsSysLogs_CL.json

@@ -0,0 +1,45 @@
+{
+    "Name": "VersasecCmsSysLogs_CL",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+        {
+            "name": "SyslogID",
+            "type": "real"
+        },
+        {
+            "name": "SyslogIDCode",
+            "type": "string"
+        },
+        {
+            "name": "SyslogIDStrg",
+            "type": "string"
+        },
+        {
+            "name": "ID",
+            "type": "real"
+        },
+        {
+            "name": "ComputerName",
+            "type": "string"
+        },
+        {
+            "name": "CLID",
+            "type": "string"
+        },
+        {
+            "name": "Param1",
+            "type": "string"
+        },
+        {
+            "name": "UserID",
+            "type": "real"
+        },
+        {
+            "name": "TicketRef",
+            "type": "string"
+        }
+    ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -285,5 +285,6 @@
   "TacitRedThreatIntel",
   "CyrenThreatIntel",
   "CybleVisionAlerts",
+  "VersasecCms",
   "VisaThreatIntelligence"
 ]

Solutions/VersasecCMS/Analytic Rules/VersasecCmsOperatorLoginFailed.yaml

@@ -0,0 +1,41 @@
+id: B1DB8B7E-9D74-48C3-9683-74483CBEFF4E
+name: Versasec CMS - Multiple Failed Login Attempts
+description: |
+  Detects when Operator login failed to often.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: VersasecCms
+    dataTypes:
+      - VersasecCmsSysLogs
+queryFrequency: 5m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 5
+tactics:
+  - CredentialAccess
+relevantTechniques:
+  - T1110 # Brute Force
+query: |
+  let threshold = 5;
+  VersasecCmsSysLogs 
+  | where EventId == 2 
+  | sort by ComputerName asc, TimeGenerated asc
+  | extend TimeDiff = datetime_diff('minute', TimeGenerated, prev(TimeGenerated))
+  | where TimeDiff <= threshold and ComputerName == prev(ComputerName)
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: ComputerName
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5m
+    matchingMethod: AllEntities
+version: 1.0.1
+kind: Scheduled

…CMS_CCF/VersasecCMS_Table_ErrorLogs.json …cCMS_CCF/VersasecCMSErrorLogs_Table.jsonSolutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMS_Table_ErrorLogs.json renamed to Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMSErrorLogs_Table.json Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMS_Table_ErrorLogs.json renamed to Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMSErrorLogs_Table.json

@@ -1,8 +1,9 @@
 {
 	"name": "VersasecCmsErrorLogs_CL",
     "type": "Microsoft.OperationalInsights/workspaces/tables",
-    "apiVersion": "2022-10-01",
-	"tags": {},
+    "apiVersion": "2021-03-01-privatepreview",
+	"location": "{{location}}",
+	"kind": null,
     "properties": {
         "schema": {
             "name": "VersasecCmsErrorLogs_CL",

…ecCMS_CCF/VersasecCMS_Table_SysLogs.json …secCMS_CCF/VersasecCMSSysLogs_Table.jsonSolutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMS_Table_SysLogs.json renamed to Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMSSysLogs_Table.json Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMS_Table_SysLogs.json renamed to Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMSSysLogs_Table.json

@@ -1,8 +1,9 @@
 {
 	"name": "VersasecCmsSysLogs_CL",
     "type": "Microsoft.OperationalInsights/workspaces/tables",
-    "apiVersion": "2022-10-01",
-	"tags": {},
+    "apiVersion": "2021-03-01-privatepreview",
+	"location": "{{location}}",
+	"kind": null,
     "properties": {
         "schema": {
             "name": "VersasecCmsSysLogs_CL",

Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMS_ConnectorDefinition.json

@@ -3,6 +3,7 @@
     "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
     "apiVersion": "2022-09-01-preview",
     "kind": "Customizable",
+	"location": "{{location}}",
     "properties": {
         "connectorUiConfig": {
             "id": "VersasecCmsCCPDefinition",

Solutions/VersasecCMS/Data Connectors/VersasecCMS_CCF/VersasecCMS_DCR.json

@@ -1,6 +1,6 @@
 {
     "type": "Microsoft.Insights/dataCollectionRules",
-    "apiVersion": "2022-06-01",
+    "apiVersion": "2023-03-11",
     "name": "VersasecCms-DCR",
     "location": "{{location}}",
     "dependsOn": [