MS Entra Enhancement (#36915)

* Updated template * Updated ModelingRules * Updated MicrosoftEntraID_schema * Updated ParsingRules * Updated README * Updated README * Updated ReleaseNotes * Updated ReleaseNotes * Updated ModelingRules * Updated ModelingRules * Updated ParsingRules * Updated ModelingRules * Updated ModelingRules * Updated ParsingRules * Updated ModelingRules * Updated MicrosoftEntraID_schema * Updated ParsingRules * Updated ParsingRules * Updated ParsingRules * Updated ParsingRules * Updated ParsingRules * Updated ModelingRules * Updated ParsingRules * Update Packs/MicrosoftEntraID/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/MicrosoftEntraID/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/Office365/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated ModelingRules * Updated MicrosoftEntraID_schema * Updated pack_metadata * Updated ModelingRules * Updated ModelingRules * Updated MicrosoftEntraID_schema * Updated MicrosoftEntraID_schema * Update pack_metadata.json * Updated ParsingRules * Updated ParsingRules * Updated pack_metadata * Updated pack_metadata * Added Imaged for README * Updated README --------- Co-authored-by: ShirleyDenkberg <[email protected]>
demisto · Nov 13, 2024 · cd5de02 · cd5de02
1 parent bd1e1b4
commit cd5de02
Show file tree

Hide file tree

Showing 9 changed files with 447 additions and 13 deletions.
diff --git a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID.xif
diff --git a/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID_schema.json b/Packs/MicrosoftEntraID/ModelingRules/MicrosoftEntraID/MicrosoftEntraID_schema.json
@@ -1,6 +1,18 @@
 {
   "msft_azure_raw": {
-      "callerIpAddress": {
+    "level": {
+        "type": "string",
+        "is_array": false
+    },
+    "identity": {
+        "type": "string",
+        "is_array": false
+    },
+    "resourceId": {
+        "type": "string",
+        "is_array": false
+    },      
+     "callerIpAddress": {
           "type": "string",
           "is_array": false
       },
@@ -44,5 +56,213 @@
           "type": "string",
           "is_array": false
       }
-  }
+  },
+  "msft_azure_ad_raw": {
+    "originalRequestId": {
+        "type": "string",
+        "is_array": false
+    },
+    "ProcessingTimeInMilliseconds": {
+        "type": "string",
+        "is_array": false
+    },
+    "riskLevelDuringSignIn": {
+        "type": "string",
+        "is_array": false
+    },
+    "ipAddress": {
+        "type": "string",
+        "is_array": false
+    },
+    "ipAddressFromResourceProvider": {
+        "type": "string",
+        "is_array": false
+    },
+    "operatingSystem": {
+        "type": "string",
+        "is_array": false
+    },
+    "deviceDetail": {
+        "type": "string",
+        "is_array": false
+    },
+    "conditionalAccessStatus": {
+        "type": "string",
+        "is_array": false
+    },
+    "id": {
+        "type": "string",
+        "is_array": false
+    },
+    "userDisplayName": {
+        "type": "string",
+        "is_array": false
+    },
+    "userPrincipalName": {
+        "type": "string",
+        "is_array": false
+    },
+    "userId": {
+        "type": "string",
+        "is_array": false
+    },
+    "servicePrincipalName": {
+        "type": "string",
+        "is_array": false
+    },
+    "appDisplayName": {
+        "type": "string",
+        "is_array": false
+    },
+    "clientAppUsed": {
+        "type": "string",
+        "is_array": false
+    },
+    "userAgent": {
+        "type": "string",
+        "is_array": false
+    },
+    "correlationId": {
+        "type": "string",
+        "is_array": false
+    },
+    "tokenIssuerType": {
+        "type": "string",
+        "is_array": false
+    },
+    "authenticationProtocol": {
+        "type": "string",
+        "is_array": false
+    },
+    "clientCredentialType": {
+        "type": "string",
+        "is_array": false
+    },
+    "riskDetail": {
+        "type": "string",
+        "is_array": false
+    },
+    "riskLevelAggregated": {
+        "type": "string",
+        "is_array": false
+    },
+    "riskState": {
+        "type": "string",
+        "is_array": false
+    },
+    "riskEventTypes_v2": {
+        "type": "string",
+        "is_array": false
+    },
+    "resourceDisplayName": {
+        "type": "string",
+        "is_array": false
+    },
+    "resourceId": {
+        "type": "string",
+        "is_array": false
+    },
+    "resourceTenantId": {
+        "type": "string",
+        "is_array": false
+    },
+    "homeTenantId": {
+        "type": "string",
+        "is_array": false
+    },
+    "homeTenantName": {
+        "type": "string",
+        "is_array": false
+    },
+    "authenticationMethodsUsed": {
+        "type": "string",
+        "is_array": false
+    },
+    "authenticationRequirement": {
+        "type": "string",
+        "is_array": false
+    },
+    "signInEventTypes": {
+        "type": "string",
+        "is_array": false
+    },
+    "userType": {
+        "type": "string",
+        "is_array": false
+    },
+    "autonomousSystemNumber": {
+        "type": "int",
+        "is_array": false
+    },
+    "status": {
+        "type": "string",
+        "is_array": false
+    },
+    "appliedConditionalAccessPolicies": {
+        "type": "string",
+        "is_array": false
+    },
+    "authenticationProcessingDetails": {
+        "type": "string",
+        "is_array": false
+    },
+    "networkLocationDetails": {
+        "type": "string",
+        "is_array": false
+    },
+    "authenticationDetails": {
+        "type": "string",
+        "is_array": false
+    }      
+},
+"msft_azure_ad_audit_raw": {
+    "additionalDetails": {
+        "type": "string",
+        "is_array": false
+    },
+    "parsed_fields": {
+        "type": "string",
+        "is_array": false
+    },
+    "initiatedBy": {
+        "type": "string",
+        "is_array": false
+    },
+    "id": {
+        "type": "string",
+        "is_array": false
+    },
+    "result": {
+        "type": "string",
+        "is_array": false
+    },
+    "category": {
+        "type": "string",
+        "is_array": false
+    },
+    "resultReason": {
+        "type": "string",
+        "is_array": false
+    },
+    "correlationId": {
+        "type": "string",
+        "is_array": false
+    },
+    "operationType": {
+        "type": "string",
+        "is_array": false
+    },
+    "loggedByService": {
+        "type": "string",
+        "is_array": false
+    },
+    "targetResources": {
+        "type": "string",
+        "is_array": false
+    },
+    "activityDisplayName": {
+        "type": "string",
+        "is_array": false
+    }
+}  
 }
diff --git a/Packs/MicrosoftEntraID/ParsingRules/MicrosoftEntraID/MicrosoftEntraID.xif b/Packs/MicrosoftEntraID/ParsingRules/MicrosoftEntraID/MicrosoftEntraID.xif
@@ -6,4 +6,20 @@ filter category in("AuditLogs", "SignInLogs", "NonInteractiveUserSignInLogs", "S
         tmp_time = arrayindex(regextract(tmp_time, "(\d{4}-\d{2}-\d{2}[T\s]\d{1,2}:\d{1,2}:\d{1,2}\.?\d{0,3})"), 0)
 | alter
         _time = parse_timestamp("%Y-%m-%dT%H:%M:%E*S", tmp_time)
-| fields -tmp_time;
+| fields -tmp_time;
+
+
+[INGEST:vendor="msft", product="Azure AD", target_dataset="msft_azure_ad_raw", no_hit=keep]
+filter to_string(createdDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+| alter
+    _time = createdDateTime;
+
+[INGEST:vendor="msft", product="Azure AD Audit", target_dataset="msft_azure_ad_audit_raw", no_hit=keep]
+filter to_string(activityDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
+| alter 
+    tmp_get_keys = rtrim(arraystring(arraymap(arraymap(to_string(additionalDetails) -> [], "@element" -> key), concat("(?P<", "@element", ">[^|]+)?\|")), ""), "\|"),
+    tmp_get_values = replex(replex(arraystring(arraymap(to_string(additionalDetails) -> [], if("@element" -> value = "" or "@element" -> value = null, "null", "@element" -> value)), "|"), "(?:^|)null(?:\||$)", "|"), "\|$", "")
+| alter
+    parsed_fields = if(tmp_get_values = null or tmp_get_values ~= "^\s*$", null, regexcapture(tmp_get_values, tmp_get_keys)),
+    _time = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", to_string(activityDateTime))
+| fields -tmp_*;
diff --git a/Packs/MicrosoftEntraID/README.md b/Packs/MicrosoftEntraID/README.md
@@ -1,7 +1,10 @@
 <~XSIAM>
 
 ### This pack includes:
-- Log Normalization - XDM mapping for key event types.
+- Log Normalization - XDM mapping for the following datasets:
+  - msft_azure_raw
+  - msft_azure_ad_raw
+  - msft_azure_ad_audit_raw
 
 ### Supported Event Types:
 - AuditLogs
@@ -17,8 +20,9 @@
 - ServicePrincipalRiskEvents
 
 ### Supported Timestamp Formats:
-- YYYY-MM-DDTHH:MM:SS.S* (UTC)
-- YYYY-MM-DDTH:M:S.S* (UTC)
+* For *msft_azure_ad_raw*, timestamp ingestion is according to the **createdDateTime** field in UTC (00:00) time zone.
+* For *msft_azure_ad_audit_raw*, timestamp ingestion is according to the **ActivityDateTime** field in UTC (00:00) time zone.
+* For *msft_azure_raw*, depending on the **category** timestamp, ingestion is according to the **createdDateTime** and **ActivityDateTime** fields in UTC (00:00) time zone.
 
 ***
 
@@ -51,6 +55,23 @@ To connect Cortex XSIAM to the Azure Event Hub, follow the below steps.
 
 More information can be found [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Logs-from-Microsoft-Azure-Event-Hub?tocId=yjPDSlvRYtlNncGBLHOzvw).
 
+![MicrosoftEntraID_Azure_Event_Hub](../../doc_files/MicrosoftEntraID_Azure_Event_Hub.png)
+
+#### Native O365 Collector
+
+To collect logs for the **msft_azure_ad_raw** and **msft_azure_ad_audit_raw** datasets, you will need to create or configure the Office 365 collector.
+Use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Ingest-logs-from-Microsoft-Office-365).
+
+To access the Office 365 Native Collector on your Cortex XSIAM tenant:
+1.  On the left panel, click **Settings** &rarr; **Data Sources**
+2.  At the top-right corner, click **Add Data Source**
+3.  Search for **Office 365** and click **Connect**.
+4.  Input the mandatory and required credentials for **Azure AD** and **Azure AD Audit**:
+    * Mark the **Azure AD Authentication Logs** &rarr; **Collect all sign-in event types** checkbox.
+    * Mark the **Azure AD Audit Logs** checkbox.
+
+![MicrosoftEntraID_Office_365](../../doc_files/MicrosoftEntraID_Office_365.png)
+
 </~XSIAM>
 
 
diff --git a/Packs/MicrosoftEntraID/ReleaseNotes/1_0_1.md b/Packs/MicrosoftEntraID/ReleaseNotes/1_0_1.md
@@ -0,0 +1,17 @@
+
+#### Modeling Rules
+
+##### Microsoft Entra ID Modeling Rule
+
+Updated the Modeling Rules:
+  - Added XDM mapping for Azure AD logs (msft_azure_ad_raw).
+  - Added XDM mapping for Azure AD Audit logs (msft_azure_ad_audit_raw). 
+
+#### Parsing Rules
+
+##### Microsoft Entra ID Parsing Rule
+
+Updated the Parsing Rules:
+  - Added timestamp ingestion for Azure AD logs (msft_azure_ad_raw).
+  - Added timestamp ingestion for Azure AD Audit logs (msft_azure_ad_audit_raw).
+  - Added fields ingestion from the additionalDetails field to a JSON format, Azure AD Audit logs (msft_azure_ad_audit_raw).
diff --git a/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Azure_Event_Hub.png b/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Azure_Event_Hub.png
diff --git a/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Office_365.png b/Packs/MicrosoftEntraID/doc_files/MicrosoftEntraID_Office_365.png
diff --git a/Packs/MicrosoftEntraID/pack_metadata.json b/Packs/MicrosoftEntraID/pack_metadata.json
@@ -1,8 +1,8 @@
 {
-    "name": "Microsoft Entra ID (formerly Azure Active Directory)",
-    "description": "Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management service, that can be used to access both internal and external resources.",
+    "name": "Azure Logs",
+    "description": "This pack use the Azure Event Hub Integration, providing XDM mapping for tenant logs (audit & sign-in), EntraID and a default mapping for resource logs. In addition, the same cover is provided with the equivalent checkboxes under the O365 collector",
     "support": "xsoar",
-    "currentVersion": "1.0.0",
+    "currentVersion": "1.0.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -11,8 +11,14 @@
     ],
     "tags": [],
     "useCases": [],
-    "keywords": ["EntraID", "AAD", "Azure", "Active Directory"],
+    "keywords": [
+        "Entra",
+        "EntraID",
+        "AAD",
+        "Azure",
+        "Active Directory"
+    ],
     "marketplaces": [
         "marketplacev2"
     ]
-}
+}
diff --git a/Packs/Office365/README.md b/Packs/Office365/README.md
@@ -11,10 +11,13 @@ To access the Office 365 Native Collector on your Cortex XSIAM tenant:
 2.  At the top-right corner, click **Add Data Source**
 3.  Search for **Office 365** and click **Connect**.
 
+**Pay Attention**:
+In order to normalize **Azure AD** (msft_azure_ad_raw) and **Azure AD Audit** (msft_azure_ad_audit_raw) logs, install the Microsoft Entra ID pack.
+
 ![Office_365_Collector_Settings](https://raw.githubusercontent.com/demisto/content/cd66df26a298fa4abc7cb2c1a8bbeb12eafaad0b/Packs/Office365/doc_files/Office_365_Collector_Settings.png)
 
-**Pay Attention:**
-Timestamp ingestion for Office 365 logs is currently available for the following datasets:
+**Timestamp Ingestion:**
+Ingestion for Office 365 logs is currently available for the following datasets:
 * General &rarr; `msft_o365_general_raw`
 * Exchange Online &rarr; `msft_o365_exchange_online_raw`
 * SharePoint Online &rarr; `msft_o365_sharepoint_online_raw`