Initial Release of Dragos Sentinel Solution

[dragosinc-sentinel]

Change(s):

• Adding new Dragos Sentinel Solution

Reason for Change(s):

• Initial release of Dragos Sentinel Solution

Version Updated:

• No. Initial release.

Testing Completed:

• Yes. Tested CCP data connector and parsers used to process CEF data sent via AMA

Checked that the validations are passing and have addressed any issues that are present:

• Yes

[dragosinc-sentinel]

@microsoft-github-policy-service agree company="Dragos Inc."

[dragosinc-sentinel]

I seem to be failing some KQL validations, but the error messages are not helpful. I have been unable to figure out what the issue is as the KQL queries validate and run properly when deployed in Sentinel. There is also an issue with the Analytic Rule that may be related to KQL. Appreciate any help you can provide.

[dragosinc-sentinel]

Resolved the KQL issues and also refactored core Sentinel validations code to support SentinelEntities, this enabled automated validations to pass

[dragosinc-sentinel]

@v-prasadboke or @v-shukore could you please provide some feedback on this PR. Its been a few weeks and we are hoping to get this merged soon.

[v-shukore]

Hi @dragosinc-sentinel, sorry for the delay in response. Already working on it. Will update you soon. Thanks!!

[dragosinc-sentinel]

@v-prasadboke and @v-shukore could you please provide and update or an estimated completion date? I need to coordinate with my colleagues as part of the larger release process that involves this PR along with the Microsoft Partner Center.

[v-shukore]

Hi @dragosinc-sentinel, please update the version to 3.0.0 in the data file and also add the release note file to the solution. Thanks!!

[dragosinc-sentinel]

@v-shukore updated the version and added the release notes. Should hopefully be good to go!

[v-prasadboke]

Just asking, Is there any reasons tactics and techniques were not added

[dragosinc-sentinel]

The Mitre Tactics and Techniques are unique to each alert that we produce. Instead of making them static, we set them at run time using the alertDetailsOverride section of the alert.

alertDetailsOverride:
  alertTacticsColumnName: MitreTactics
  alertDynamicProperties:
    - alertProperty: Techniques
      value: MitreTechniques

[v-prasadboke]

If possible can you share test / demo credentials to test the Data connector.
Share it over [email protected]
else you can share working screenshots of Data connector.

Please share working screenshot of parsers.

Thanks,
Prasad

[dragosinc-sentinel]

Here are screenshots showing the working CCP:

Creating the connector:

Connector is active and shows healthy:

Raw data is in the Log Analytics table:

Incidents are being produced with data from the CCP and the Analytic Rule:

[dragosinc-sentinel]

@v-prasadboke are the screenshots sufficient to demonstrate the working CCP? Is there any other screenshots you would like me to grab?

[v-shukore]

Hi @dragosinc-sentinel, could you please provide working screenshot of parsers. Thanks..!!

[dragosinc-sentinel]

@v-shukore Here are the 3 main parser functions. The last function DragosSeverityToSentinelSeverity is a scaler function and is called by the other parsers listed below. I created a simple query to demonstrate how the DragosSeverityToSentinelSeverity fucntion can be called directly as well

DragosPullNotificationsToSentinel

DragosPushNotificationsToSentinel

DragosNotificationsToSentinel

DragosSeverityToSentinelSeverity