Merge pull request Azure#9587 from CTM360-Integrations/ctm360-HV-CBS-…

…azurefunctionapp

CTM360-hv-cbs-integration-FunctionApp

.script/tests/KqlvalidationsTests/CustomTables/CBSLog_Azure_1_CL.json

@@ -0,0 +1,57 @@
+{
+    "Name": "CBSLog_Azure_1_CL",
+    "Properties": [
+        {
+            "Name": "brand_s",
+            "Type": "String"
+        },
+        {
+            "Name": "TenantId",
+            "Type": "Guid"
+        },
+        {
+            "Name": "class_s",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "Datetime"
+        },
+        {
+            "Name": "coa_s",
+            "Type": "String"
+        },
+        {
+            "Name": "created_date_s",
+            "Type": "String"
+        },
+        {
+            "Name": "id_s",
+            "Type": "String"
+        },
+        {
+            "Name": "remarks_s",
+            "Type": "String"
+        },
+        {
+            "Name": "severity_s",
+            "Type": "String"
+        },
+        {
+            "Name": "status_s",
+            "Type": "String"
+        },
+        {
+            "Name": "subject_s",
+            "Type": "String"
+        },
+        {
+            "Name": "type_s",
+            "Type": "String"
+        },
+        {
+            "Name": "updated_date_s",
+            "Type": "String"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/HackerViewLog_Azure_1_CL.json

@@ -0,0 +1,141 @@
+{
+    "Name": "HackerViewLog_Azure_1_CL",
+    "Properties": [
+        {
+            "Name": "MG",
+            "Type": "String"
+        },
+        {
+            "Name": "ManagementGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "assigned_to_s",
+            "Type": "String"
+        },
+        {
+            "Name": "cwe_s",
+            "Type": "String"
+        },
+        {
+            "Name": "detail_s",
+            "Type": "String"
+        },
+        {
+            "Name": "fixing_effort_s",
+            "Type": "String"
+        },
+        {
+            "Name": "hackerview_link_s",
+            "Type": "String"
+        },
+        {
+            "Name": "issue_category_s",
+            "Type": "String"
+        },
+        {
+            "Name": "issue_name_s",
+            "Type": "String"
+        },
+        {
+            "Name": "issue_type_s",
+            "Type": "String"
+        },
+        {
+            "Name": "_ResourceId",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_asset_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_asset_type_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_brand_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_business_unit_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_discovery_source_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_domain_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_environments_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_first_seen_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_host_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_host_type_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_hosts_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_ip_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_ip_type_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_last_seen_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_resolved_ip_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_technologies_s",
+            "Type": "String"
+        },
+        {
+            "Name": "meta_ticket_id_s",
+            "Type": "String"
+        },
+        {
+            "Name": "potential_attack_type_s",
+            "Type": "String"
+        },
+        {
+            "Name": "potential_impact_s",
+            "Type": "String"
+        },
+        {
+            "Name": "progress_status_s",
+            "Type": "String"
+        },
+        {
+            "Name": "severity_s",
+            "Type": "String"
+        },
+        {
+            "Name": "status_s",
+            "Type": "String"
+        }
+    ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -222,5 +222,8 @@
   "PrancerLogData",
   "MicrosoftDefenderForCloudTenantBased",
   "RidgeBotDataConnector",
-  "ValenceSecurity"
+  "ValenceSecurity",
+  "HVPollingIDAzureFunctions",
+  "CBSPollingIDAzureFunctions"
+
 ]

Sample Data/ctm360CCP-cbs.json

@@ -0,0 +1,28 @@
+[
+        {
+            "id": "COMX411658944654",
+            "subject": "asdasd.exmple.org",
+            "severity": "Low",
+            "type": "Subdomain Infringement",
+            "class": "Domain",
+            "status": "Monitoring",
+            "coa": "Monitoring",
+            "remarks": "New Subdomain Infringement with severity Low found",
+            "created_date": "19-10-2023 01:00:00 PM",
+            "updated_date": "19-10-2023 01:00:00 PM",
+            "brand": "ISS Enterprise"
+        },
+        {
+            "id": "COMX415237121212",
+            "subject": "https://asdasdadsadasd.com",
+            "severity": "High",
+            "type": "Brand Abuse",
+            "class": "URL",
+            "status": "Resolved",
+            "coa": "Takedown",
+            "remarks": "New Brand Abuse with severity High found",
+            "created_date": "19-10-2023 01:00:00 PM",
+            "updated_date": "19-10-2023 02:48:23 PM",
+            "brand": "ISS Enterprise"
+        }
+    ]

Solutions/CTM360/Analytic Rules/AutoGeneratedPage.yaml

@@ -0,0 +1,36 @@
+id: abe1a662-d00d-482e-aa68-9394622ae03e
+name: Auto Generated Page
+description: |
+  'New auto_generated_page with severity Low found'
+severity: Low
+status: Available
+requiredDataConnectors:
+  - connectorId: CBSPollingIDAzureFunctions
+    dataTypes:
+      - CBSLog_Azure_1_CL 
+queryFrequency: 5h
+queryPeriod: 5h
+triggerOperator: gt
+triggerThreshold: 0
+query: CBSLog_Azure_1_CL | where severity_s == "Low" | where type_s == "Auto Generated Page" | where status_s != "Closed" or status_s != "Resolved" | where remarks_s == "New auto_generated_page with severity Low found"
+suppressionEnabled: false
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+- entityType: URL
+  fieldMappings:
+  - identifier: Url
+    columnName: subject_s
+suppressionDuration: 5h
+version: 1.0.0
+kind: Scheduled

Solutions/CTM360/Analytic Rules/BrandAbuse.yaml

@@ -0,0 +1,43 @@
+id: 6e9e1975-6d85-4387-bd30-3881c66e302e
+name: Brand Abuse
+description: |
+  'New Brand Abuse with severity High found'
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: CBSPollingIDAzureFunctions
+    dataTypes:
+      - CBSLog_Azure_1_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+query: |-
+  CBSLog_Azure_1_CL
+  | where severity_s == "High"
+  | where type_s == "Brand Abuse"
+  | where status_s != "Closed" or status_s != "Resolved" 
+  | where remarks_s == "New Brand Abuse with severity High found"
+suppressionEnabled: false
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+- entityType: URL
+  fieldMappings:
+  - identifier: Url
+    columnName: subject_s
+suppressionDuration: 5h
+version: 1.0.0
+kind: Scheduled

Solutions/CTM360/Analytic Rules/BrandImpersonationHIGH.yaml

@@ -0,0 +1,37 @@
+id: bf93bd26-cad8-40a3-bde0-71acb874d595
+name: Brand Impersonation - HIGH
+description: |
+  'New brand_impersonation with severity High found'
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: CBSPollingIDAzureFunctions
+    dataTypes:
+      - CBSLog_Azure_1_CL
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+query: |+
+  CBSLog_Azure_1_CL | where severity_s == "High" | where type_s == "Brand Impersonation" | where status_s != "Closed" or status_s != "Resolved" | where remarks_s == "New brand_impersonation with severity High found"
+suppressionEnabled: false
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+- entityType: URL
+  fieldMappings:
+  - identifier: Url
+    columnName: subject_s
+suppressionDuration: 5h
+version: 1.0.0
+kind: Scheduled