Add Vaikora AI Agent Signals to CrowdStrike — Microsoft Sentinel Solution v1.0.0

Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Data/Solution_VaikoraCrowdStrike.json

@@ -0,0 +1,14 @@
+{
+  "Name": "Vaikora-CrowdStrike-AIAgentSecurity",
+  "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/data443_logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (actions with high/critical risk levels or anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.",
+  "Playbooks": [
+    "Playbooks/VaikoraToCrowdStrike_Playbook.json"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-CrowdStrike-AIAgentSecurity",
+  "Version": "3.0.0",
+  "TemplateSpec": true,
+  "Is1Pconnector": false
+}

Solutions/Vaikora-CrowdStrike-ThreatIntelligence/Package/createUiDefinition.json

@@ -0,0 +1,184 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "**Note:** Please refer to the following before installing the solution: \n\n\u2022 Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vaikora-CrowdStrike-AIAgentSecurity/ReleaseNotes.md)\n\n \u2022 There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora CrowdStrike AI Agent Security solution polls Vaikora AI agent signals (high/critical risk actions and anomaly detections) and pushes them as Custom IOCs to CrowdStrike Falcon for detection and prevention.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "vaikora-section",
+            "type": "Microsoft.Common.Section",
+            "label": "Vaikora API Settings",
+            "elements": [
+              {
+                "name": "VaikoraApiKey",
+                "type": "Microsoft.Common.PasswordBox",
+                "label": {
+                  "password": "Vaikora API Key",
+                  "confirmPassword": "Confirm Vaikora API Key"
+                },
+                "toolTip": "Vaikora API key used in the X-API-Key request header",
+                "constraints": {
+                  "required": true
+                },
+                "options": {
+                  "hideConfirmation": false
+                },
+                "visible": true
+              },
+              {
+                "name": "VaikoraAgentId",
+                "type": "Microsoft.Common.TextBox",
+                "label": "Vaikora Agent ID",
+                "defaultValue": "",
+                "toolTip": "The agent_id to poll for AI signal actions from the Vaikora API",
+                "constraints": {
+                  "required": true,
+                  "regex": "^[a-zA-Z0-9_\\-]+$",
+                  "validationMessage": "Agent ID must contain only alphanumeric characters, hyphens, and underscores"
+                },
+                "visible": true
+              }
+            ],
+            "visible": true
+          },
+          {
+            "name": "crowdstrike-section",
+            "type": "Microsoft.Common.Section",
+            "label": "CrowdStrike Falcon API Settings",
+            "elements": [
+              {
+                "name": "CrowdStrike_BaseUrl",
+                "type": "Microsoft.Common.TextBox",
+                "label": "CrowdStrike API Base URL",
+                "defaultValue": "https://api.crowdstrike.com",
+                "toolTip": "CrowdStrike Falcon API base URL. Use https://api.us-2.crowdstrike.com for US-2 cloud or https://api.eu-1.crowdstrike.com for EU-1.",
+                "constraints": {
+                  "required": true,
+                  "regex": "^.+$",
+                  "validationMessage": "This field is required."
+                },
+                "visible": true
+              },
+              {
+                "name": "CrowdStrike_ClientId",
+                "type": "Microsoft.Common.PasswordBox",
+                "label": {
+                  "password": "CrowdStrike Client ID",
+                  "confirmPassword": "Confirm CrowdStrike Client ID"
+                },
+                "toolTip": "CrowdStrike OAuth2 Client ID with Indicators (IOCs) write permission",
+                "constraints": {
+                  "required": true
+                },
+                "options": {
+                  "hideConfirmation": false
+                },
+                "visible": true
+              },
+              {
+                "name": "CrowdStrike_ClientSecret",
+                "type": "Microsoft.Common.PasswordBox",
+                "label": {
+                  "password": "CrowdStrike Client Secret",
+                  "confirmPassword": "Confirm CrowdStrike Client Secret"
+                },
+                "toolTip": "CrowdStrike OAuth2 Client Secret corresponding to the Client ID above",
+                "constraints": {
+                  "required": true
+                },
+                "options": {
+                  "hideConfirmation": false
+                },
+                "visible": true
+              }
+            ],
+            "visible": true
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]",
+      "VaikoraApiKey": "[steps('playbooks').vaikora-section.VaikoraApiKey]",
+      "VaikoraAgentId": "[steps('playbooks').vaikora-section.VaikoraAgentId]",
+      "CrowdStrike_BaseUrl": "[steps('playbooks').crowdstrike-section.CrowdStrike_BaseUrl]",
+      "CrowdStrike_ClientId": "[steps('playbooks').crowdstrike-section.CrowdStrike_ClientId]",
+      "CrowdStrike_ClientSecret": "[steps('playbooks').crowdstrike-section.CrowdStrike_ClientSecret]"
+    }
+  }
+}