
Just initialize this new branch for Cohesity internal collaboration/r… #2

Open
wants to merge 251 commits into
base: master

Conversation

yinghuang123

…eview.

Required items, please complete

Change(s):

  • See guidance below

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

Guidance <- remove section before submitting


Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:



@eerus eerus left a comment


@yinghuang123 , I finished my review. Please submit changes before you submit another round of reviews to Microsoft.

@ishitagupta25 , please chime in, too. In a few comments I specifically tagged you if I think that you should do the change.

* need to rewrite GetAccessTokenAsync function
* as it uses obsolete technology to get the bearer token.
*/
internal async Task<string> GetAccessTokenAsync(string uri)

@eerus eerus Dec 5, 2022


Rewrite the GetAccessTokenAsync function, as it uses obsolete technology to get the bearer token. Here's the migration guide to the new authentication functions. Please remember that the new authentication mechanism may not need TenantID, ClientID and ClientKey, so you'll also have to apply changes in local.settings.json and the corresponding ARM templates.
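As an added illustration (not code from this PR or the Cohesity connector), the client-credential flow the migration guide points to, written against Microsoft.Identity.Client instead of AuthenticationContext.AcquireTokenAsync, plus the managed-identity variant from Azure.Identity that needs none of TenantID, ClientID or ClientKey. The assumption is that the existing function's `uri` argument names the resource the token is for and that the three settings are read from app settings as environment variables.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Identity.Client;

// Added example, not the connector's own code. "uri" is assumed to be the
// resource the token is requested for (e.g. https://management.azure.com);
// MSAL expresses that as a "/.default" scope.
internal static class TokenProvider
{
    // Option 1: client-credential flow with MSAL, same inputs as the ADAL
    // version (TenantID, ClientID, ClientKey from local.settings.json).
    private static IConfidentialClientApplication _app;

    internal static async Task<string> GetAccessTokenAsync(string uri)
    {
        string tenantId = Environment.GetEnvironmentVariable("TenantID");
        string clientId = Environment.GetEnvironmentVariable("ClientID");
        string clientKey = Environment.GetEnvironmentVariable("ClientKey");

        // Build the app once; MSAL caches tokens and refreshes them on expiry.
        _app ??= ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientKey)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        string[] scopes = { uri.TrimEnd('/') + "/.default" };
        AuthenticationResult result =
            await _app.AcquireTokenForClient(scopes).ExecuteAsync();
        return result.AccessToken;
    }

    // Option 2: the Function App's managed identity via Azure.Identity. No
    // TenantID/ClientID/ClientKey are needed, which is why those settings and
    // the matching ARM template parameters can be dropped.
    private static readonly TokenCredential Credential =
        new DefaultAzureCredential();

    internal static async Task<string> GetAccessTokenWithIdentityAsync(
        string uri, CancellationToken ct = default)
    {
        var ctx = new TokenRequestContext(
            new[] { uri.TrimEnd('/') + "/.default" });
        AccessToken token = await Credential.GetTokenAsync(ctx, ct);
        return token.Token;
    }
}
```

Option 2 removes the client secret from configuration entirely; locally, DefaultAzureCredential falls back to the developer's Azure CLI or Visual Studio sign-in.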

Author


put this one to lower priority.



Solutions/CohesitySecurity/readme.md (outdated, resolved)
Added link to the playbook template
Updated link to Azure deployment
First draft of deployment instructions

@eerus eerus left a comment


Deleted comments about pre-built binaries

eerus and others added 23 commits December 7, 2022 13:31
Added references to other deployment instructions
Fixed link for the package directory
Fixed step #1
Escaped URL
Fixing build instructions URL
Fixing URL again
Setting ref line
Deployment steps corrections
Minor fixes
Fixed typos
Added TBD for package directory
Corrected playbook description
Testing ARM
--- ./Solutions/CohesitySecurity/Data Connectors/helios_connector.json
+++ ./Solutions/CohesitySecurity/Package/createUiDefinition.json
+++ ./Solutions/CohesitySecurity/Package/mainTemplate.json
update the build script.
Changed URI
Trying different link
Another URI test
Another link test
rename cohesity.config to cohesity.json, and update the build.ps1, readme.md.

The github/codeql-action/autobuild keeps failing, but DataConnectors/CohesitySecurity/Helios2Sentinel builds successfully, as shown in the following log,
so I will disable the autobuild workflow.
=============================
MSBuild version 17.4.0+18d5aef85 for .NET
  Determining projects to restore...
  Restored /Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj (in 241 ms).
  Restored /Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj (in 241 ms).
/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs(65,34): warning CS1998: This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread. [/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj]
  IncidentProducer -> /Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/bin/Debug/net6.0/Helios2Sentinel.dll
/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs(30,32): warning CS0618: 'AuthenticationContext.AcquireTokenAsync(string, ClientCredential)' is obsolete: 'Microsoft.IdentityModel.Clients.ActiveDirectory is deprecated and replaced with Microsoft.Identity.Client. To migrate a daemon application, or service to service flow, see https://aka.ms/adal-to-msal-net/daemon' [/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj]
/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs(39,51): warning SYSLIB0014: 'WebRequest.Create(Uri)' is obsolete: 'WebRequest, HttpWebRequest, ServicePoint, and WebClient are obsolete. Use HttpClient instead.' [/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj]
  IncidentConsumer -> /Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/bin/Debug/net6.0/IncidentConsumer.dll

Build succeeded.

/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.cs(65,34): warning CS1998: This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread. [/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentProducer/IncidentProducer.csproj]
/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs(30,32): warning CS0618: 'AuthenticationContext.AcquireTokenAsync(string, ClientCredential)' is obsolete: 'Microsoft.IdentityModel.Clients.ActiveDirectory is deprecated and replaced with Microsoft.Identity.Client. To migrate a daemon application, or service to service flow, see https://aka.ms/adal-to-msal-net/daemon' [/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj]
/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.cs(39,51): warning SYSLIB0014: 'WebRequest.Create(Uri)' is obsolete: 'WebRequest, HttpWebRequest, ServicePoint, and WebClient are obsolete. Use HttpClient instead.' [/Users/ying.huang/workspace/Azure-Sentinel/DataConnectors/CohesitySecurity/Helios2Sentinel/IncidentConsumer/IncidentConsumer.csproj]
    3 Warning(s)
    0 Error(s)

Time Elapsed 00:00:03.65
yinghuang123 and others added 8 commits March 1, 2023 17:23
+++ ./Solutions/CohesitySecurity/Tools/createSolutionV2.ps1
Add test: Match up test between Sentinel and Helios.
…#9)

Fetch alerts in a large interval and cache them to avoid missing them

Helios can insert alerts because of which Producer may miss alerts
because Producer only fetches alerts in the last 5 minutes. This
period is now increased to 24 hours and a blob is used to store
the previous alert ID to avoid pushing duplicate alerts in to the
queue.
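An added example (not the IncidentProducer code from this PR) of the window-plus-checkpoint approach described in the commit message above. It generalizes the single "previous alert ID" slightly: the checkpoint keeps every alert ID already pushed within the 24-hour window, so an alert that Helios inserts with an older timestamp is still enqueued exactly once. The `Alert` record and `Checkpoint` class are assumptions standing in for the connector's alert model and blob.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the connector's own code. Alerts are fetched over a
// 24 h window; the checkpoint (persisted to a blob in the connector) records
// which alert IDs in that window have already been pushed to the queue.
public sealed record Alert(string Id, DateTimeOffset CreatedAt);

public sealed class Checkpoint
{
    // alert ID -> alert creation time, for every alert already pushed
    public Dictionary<string, DateTimeOffset> Pushed { get; } = new();
}

public static class AlertWindow
{
    public static readonly TimeSpan Lookback = TimeSpan.FromHours(24);

    // Returns the alerts to enqueue, in creation order, and updates the
    // checkpoint in place. The caller persists the checkpoint only after the
    // queue writes succeed, so a failed push is retried rather than lost.
    public static List<Alert> SelectNew(IEnumerable<Alert> fetched,
                                        Checkpoint cp, DateTimeOffset now)
    {
        DateTimeOffset cutoff = now - Lookback;

        // Drop IDs that aged out of the window: a 24 h query can no longer
        // return them, so keeping them would only grow the blob.
        foreach (string stale in cp.Pushed.Where(kv => kv.Value < cutoff)
                                          .Select(kv => kv.Key).ToList())
            cp.Pushed.Remove(stale);

        // New = inside the window and not yet pushed, regardless of where in
        // the window the alert was inserted.
        var fresh = fetched
            .Where(a => a.CreatedAt >= cutoff && !cp.Pushed.ContainsKey(a.Id))
            .OrderBy(a => a.CreatedAt)
            .ToList();

        foreach (Alert a in fresh)
            cp.Pushed[a.Id] = a.CreatedAt;
        return fresh;
    }
}
```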
* add test cases, to do match up test between sentinel and helios.

* hide/remove this file

* some small changes according to review feedback.

* add these files to parse alert.json
+++ ./Solutions/CohesitySecurity/Tests/Alert.py
+++ ./Solutions/CohesitySecurity/Tests/Alert.test.py
some other small changes.

* add/update comments in codes.
change from apiKey to api_key

* small changes based on review feedback.
add/update comments.

* rename files.
add comments, small changes according to review feedback.

* add this renamed file.

* remove old file

* add the new renamed file.

* small changes.

* fix the indent issue.

* small changes based on feedback.

* split the long lines.
some renames
+++ ./Solutions/CohesitySecurity/Tests/helios.test.py

* move recover.json inside Data folder.
add comments.

* update the variables to be snake case.
"find Solutions/CohesitySecurity -type f -iname \*.py -exec black -l 79 {} \;"
to format our py codes.
* add Test for theCohesity_Restore_From_Last_Snapshot playbook
some other minor changes.

* post resolve some merge conflicts.

* add some comments.

* small update according to feedback.

* small changes according to review feedback.
* add test cases, to do match up test between sentinel and helios.

* hide/remove this file

* some small changes according to review feedback.

* add Test for theCohesity_Restore_From_Last_Snapshot playbook
some other minor changes.

* post resolve some merge conflicts.

* add some comments.

* small update according to feedback.

* small changes according to review feedback.

* add def get_latest_playbook_run, and only use it to test playbooks.

* add back some old changes.
and small changes according to review feedback.

* add back some old changes.
and small changes according to review feedback.

* small changes according to review feedback.

* move the poll of status and assert codes inside playbook_run function.

* add timeout to the get_latest_playbook_run loop.
@github-advanced-security

You have successfully added a new CodeQL configuration .github/workflows/codeql-analysis.yml:analyze/language:ruby. As part of the setup process, we have scanned this repository and found no existing alerts. In the future, you will see all code scanning alerts on the repository Security tab.

@github-advanced-security

You have successfully added a new CodeQL configuration .github/workflows/codeql-analysis.yml:analyze/language:javascript. As part of the setup process, we have scanned this repository and found no existing alerts. In the future, you will see all code scanning alerts on the repository Security tab.

@github-advanced-security

You have successfully added a new CodeQL configuration .github/workflows/codeql-analysis.yml:analyze/language:python. As part of the setup process, we have scanned this repository and found 163 existing alerts. Please check the repository Security tab to see all alerts.

folder_name,
)
if folder_content:
found_alert_id = alert_id

Code scanning / CodeQL notice (Unused local variable): Variable found_alert_id is not used.
Solutions/CohesitySecurity/Tests/az.test.py (fixed)
yinghuang123 pushed a commit that referenced this pull request Apr 10, 2023
yinghuang123 and others added 3 commits April 10, 2023 10:15
…internal

# Conflicts:
#	Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/remove.py
#	Solutions/CohesitySecurity/Tests/az.py
#	Solutions/CohesitySecurity/Tests/az.test.py
#	Solutions/CohesitySecurity/cohesity.json
#	Solutions/CohesitySecurity/json_parser.sh
…internal

# Conflicts:
#	Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/remove.py
#	Solutions/CohesitySecurity/Tests/az.py
#	Solutions/CohesitySecurity/Tests/az.test.py
#	Solutions/CohesitySecurity/cohesity.json
#	Solutions/CohesitySecurity/json_parser.sh
#16)

some refactoring, add def test_cohesity_createorupdate_servicenow_incident.
some refactoring and changes according to review feedback.
"Please ensure at least one folder has content for the test."
)

returncode, run_id, client_tracking_id = run_playbook(

Code scanning / CodeQL notice (Unused local variable): Variables returncode, run_id and client_tracking_id are not used.

snow_system_ids = get_snow_system_ids(incident_details)

returncode, run_id, client_tracking_id = run_playbook(

Code scanning / CodeQL notice (Unused local variable): Variables returncode, run_id and client_tracking_id are not used.
6 participants