Merge branch 'master' of github.com:VirusTotal/Azure-Sentinel into Go…

…ogleThreatIntelligence
Azure · Nov 15, 2024 · f7d73b0 · f7d73b0
2 parents bb87534 + eb08305
commit f7d73b0
Show file tree

Hide file tree

Showing 832 changed files with 30,677 additions and 20,669 deletions.
diff --git a/.github/workflows/ScanSecrets.yaml b/.github/workflows/ScanSecrets.yaml
@@ -13,6 +13,5 @@ jobs:
         fetch-depth: 0
     - name: Secret Scanning
       uses: trufflesecurity/trufflehog@main
-      continue-on-error: true
       with:
         extra_args: --exclude-paths=.script/SecretScanning/Excludepathlist --only-verified
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
@@ -15,6 +15,7 @@ on:
        - 'Parsers/ASimRegistryEvent/Parsers/**'
        - 'Parsers/ASimUserManagement/Parsers/**'
        - 'Parsers/ASimDhcpEvent/Parsers/**'
+       - 'Parsers/ASimAlertEvent/Parsers/**'
 
 env:
   GITHUB_APPS_ID: "${{ secrets.APPLICATION_ID }}"

diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml
@@ -17,6 +17,7 @@ on:
     - 'Parsers/ASimRegistryEvent/Parsers/**'
     - 'Parsers/ASimUserManagement/Parsers/**'
     - 'Parsers/ASimDhcpEvent/Parsers/**'
+    - 'Parsers/ASimAlertEvent/Parsers/**'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:

diff --git a/.script/dataConnectorValidator.ts b/.script/dataConnectorValidator.ts
@@ -26,7 +26,11 @@ export async function IsValidDataConnectorSchema(filePath: string): Promise<Exit
 
         /* Disabling temporarily till we get confirmation from PM*/
         // isValidFileName(filePath
-        isValidPermissions(jsonFile.permissions, connectorCategory);
+        /* Skip validation for Solution Microsoft Exchange Security - Exchange On-Premises Solution */
+        if (!filePath.includes('Microsoft Exchange Security - Exchange On-Premises')) 
+        {
+          isValidPermissions(jsonFile.permissions, connectorCategory);
+        }
       }
       else{
         console.warn(`Skipping File as it is of type Events : ${filePath}`)
@@ -173,4 +177,4 @@ let CheckOptions = {
   },
 };
 
-runCheckOverChangedFiles(CheckOptions, fileKinds, fileTypeSuffixes, filePathFolderPrefixes);
+runCheckOverChangedFiles(CheckOptions, fileKinds, fileTypeSuffixes, filePathFolderPrefixes);
diff --git a/.script/getModifiedASimSchemas.ps1 b/.script/getModifiedASimSchemas.ps1
@@ -1,5 +1,5 @@
 function getModifiedAsimSchemas() {
-    $schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent", "ASimAuditEvent", "ASimAuthentication", "ASimFileEvent", "ASimRegistryEvent","ASimUserManagement","ASimDhcpEvent")
+    $schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent", "ASimAuditEvent", "ASimAuthentication", "ASimFileEvent", "ASimRegistryEvent","ASimUserManagement","ASimDhcpEvent","ASimAlertEvent")
     $modifiedSchemas = @()
     foreach ($schema in $schemas) {
         $filesThatWereChanged= Invoke-Expression "git diff origin/master  --name-only -- $($PSScriptRoot)/../Parsers/$($schema)/Parsers"

diff --git a/.script/tests/KqlvalidationsTests/CustomTables/IntegrationTable_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/IntegrationTable_CL.json
@@ -0,0 +1,61 @@
+{
+    "Name": "IntegrationTable_CL",
+    "Properties": [
+        {
+          "name": "TimeGenerated",
+          "type": "datetime"
+        },
+        {
+          "name": "typeName",
+          "type": "string"
+        },
+        {
+          "name": "objectName",
+          "type": "string"
+        },
+        {
+          "name": "networkCommunication",
+          "type": "dynamic"
+        },
+        {
+          "name": "customUuid",
+          "type": "string"
+        },
+        {
+          "name": "objectTypeName",
+          "type": "string"
+        },
+        {
+          "name": "occurTime",
+          "type": "string"
+        },
+        {
+          "name": "displayName",
+          "type": "string"
+        },
+        {
+          "name": "responses",
+          "type": "dynamic"
+        },
+        {
+          "name": "objectHashSha1",
+          "type": "string"
+        },
+        {
+          "name": "severityLevel",
+          "type": "string"
+        },
+        {
+          "name": "category",
+          "type": "string"
+        },
+        {
+          "name": "objectUrl",
+          "type": "string"
+        },
+        {
+          "name": "context",
+          "type": "dynamic"
+        }
+    ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Tenable_VM_Compliance_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Tenable_VM_Compliance_CL.json
@@ -0,0 +1,201 @@
+{
+  "Name":"Tenable_VM_Compliance_CL",
+  "Properties":[
+  {
+    "Name": "TenantId",
+    "Type": "string"
+  },
+  {
+    "Name": "SourceSystem",
+    "Type": "string"
+  },
+  {
+    "Name": "MG",
+    "Type": "string"
+  },
+  {
+    "Name": "ManagementGroupName",
+    "Type": "string"
+  },
+  {
+    "Name": "TimeGenerated",
+    "Type": "datetime"
+  },
+  {
+    "Name": "Computer",
+    "Type": "string"
+  },
+  {
+    "Name": "RawData",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_uuid_g",
+    "Type": "string"
+  },
+  {
+    "Name": "first_seen_t",
+    "Type": "datetime"
+  },
+  {
+    "Name": "last_seen_t",
+    "Type": "datetime"
+  },
+  {
+    "Name": "audit_file_s",
+    "Type": "string"
+  },
+  {
+    "Name": "check_id_s",
+    "Type": "string"
+  },
+  {
+    "Name": "check_name_s",
+    "Type": "string"
+  },
+  {
+    "Name": "check_info_s",
+    "Type": "string"
+  },
+  {
+    "Name": "expected_value_s",
+    "Type": "string"
+  },
+  {
+    "Name": "actual_value_s",
+    "Type": "string"
+  },
+  {
+    "Name": "status_s",
+    "Type": "string"
+  },
+  {
+    "Name": "reference_s",
+    "Type": "string"
+  },
+  {
+    "Name": "see_also_s",
+    "Type": "string"
+  },
+  {
+    "Name": "solution_s",
+    "Type": "string"
+  },
+  {
+    "Name": "plugin_id_d",
+    "Type": "real"
+  },
+  {
+    "Name": "state_s",
+    "Type": "string"
+  },
+  {
+    "Name": "description_s",
+    "Type": "string"
+  },
+  {
+    "Name": "compliance_benchmark_name_s",
+    "Type": "string"
+  },
+  {
+    "Name": "compliance_benchmark_version_s",
+    "Type": "string"
+  },
+  {
+    "Name": "compliance_control_id_s",
+    "Type": "string"
+  },
+  {
+    "Name": "compliance_full_id_s",
+    "Type": "string"
+  },
+  {
+    "Name": "compliance_functional_id_s",
+    "Type": "string"
+  },
+  {
+    "Name": "compliance_informational_id_s",
+    "Type": "string"
+  },
+  {
+    "Name": "synopsis_s",
+    "Type": "string"
+  },
+  {
+    "Name": "last_observed_t",
+    "Type": "datetime"
+  },
+  {
+    "Name": "metadata_id_s",
+    "Type": "string"
+  },
+  {
+    "Name": "uname_output_s",
+    "Type": "string"
+  },
+  {
+    "Name": "indexed_at_t",
+    "Type": "datetime"
+  },
+  {
+    "Name": "plugin_name_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_id_g",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_ipv4_addresses_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_ipv6_addresses_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_fqdns_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_name_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_agent_uuid_g",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_tags_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_mac_addresses_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_operating_systems_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_system_type_s",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_network_id_g",
+    "Type": "string"
+  },
+  {
+    "Name": "asset_agent_name_s",
+    "Type": "string"
+  },
+  {
+    "Name": "Type",
+    "Type": "string"
+  },
+  {
+    "Name": "_ResourceId",
+    "Type": "string"
+  }
+]
+}
diff --git a/.script/tests/KqlvalidationsTests/KqlValidationTests.cs b/.script/tests/KqlvalidationsTests/KqlValidationTests.cs
@@ -314,7 +314,7 @@ public void Validate_CommonFunctions_HaveValidKql(string fileName, string encode
         [ClassData(typeof(SolutionParsersYamlFilesTestData))]
         public void Validate_SolutionParsersFunctions_HaveValidKql(string fileName, string encodedFilePath)
         {
-            if (fileName == "NoFile.yaml")
+            if (fileName == "NoFile.yaml" || fileName == "ASIM_FillNull.yaml")
             {
                 Assert.True(true);
                 return;

diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -2624,6 +2624,16 @@
     "templateName": "InfobloxSOCInsightsDataConnector_API.json",
     "validationFailReason": "The name 'insightId_g' does not refer to any known column, table, variable or function."
   },
+  {
+    "id": "ESI-Opt6ExchangeMessageTrackingLogs",
+    "templateName": "ESI-Opt6ExchangeMessageTrackingLogs.json",
+    "validationFailReason": "This is a Azure Monitor Connector which doesnt requires more permissions. Skipping this ID as a check is failing for required permissions for Data Connector template. "
+  },
+  {
+    "id": "ESI-Opt7ExchangeHTTPProxyLogs",
+    "templateName": "ESI-Opt7ExchangeHTTPProxyLogs.json",
+    "validationFailReason": "This is a Azure Monitor Connector which doesnt requires more permissions. Skipping this ID as a check is failing for required permissions for Data Connector template. "
+  },
   // Temporarily adding Data connector template id's for KQL Validations - End
 
 
@@ -2819,6 +2829,11 @@
     "templateName": "ExchangeConfiguration.yaml",
     "validationFailReason": "Temporarily Added for Parser KQL Queries validation"
   },
+  {
+    "id": "0a0f4ea0-6b94-4420-892e-41ca985f2f01",
+    "templateName": "MESCompareDataOnPMRA.yaml",
+    "validationFailReason": "Temporarily Added for Parser KQL Queries validation"
+  },
   {
     "id": "1acab329-1c11-42a7-b5ea-41264947947a",
     "templateName": "ExchangeEnvironmentList.yaml",

diff --git a/.script/tests/NonAsciiValidationsTests/SkipValidationsTemplates.json b/.script/tests/NonAsciiValidationsTests/SkipValidationsTemplates.json
@@ -28,6 +28,11 @@
     "id": "39f51672-8c63-4600-882a-5db8275f798f",
     "templateName": "Microsoft Exchange Security - MESCompareDataMRA parser",
     "validationFailReason": "Non-ASCII characters are required to test comparison of strings with non-ASCII characters"
+  },
+  {
+    "id": "0a0f4ea0-6b94-4420-892e-41ca985f2f01",
+    "templateName": "Microsoft Exchange Security - MESCompareDataOnPMRA parser",
+    "validationFailReason": "Non-ASCII characters are required to test comparison of strings with non-ASCII characters"
   }
 ]