Add Vaikora AI Agent Signals to SentinelOne — Microsoft Sentinel Solution v1.0.0

Solutions/Vaikora-SentinelOne-ThreatIntelligence/Data/Solution_VaikoraSentinelOne.json

@@ -0,0 +1,14 @@
+{
+  "Name": "Vaikora-SentinelOne-ThreatIntelligence",
+  "Author": "Data443 Risk Mitigation, Inc. - support@data443.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/data443_logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly actions and pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.",
+  "Playbooks": [
+    "Playbooks/VaikoraToSentinelOne_Playbook.json"
+  ],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Vaikora-SentinelOne-ThreatIntelligence",
+  "Version": "3.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1Pconnector": false
+}

Solutions/Vaikora-SentinelOne-ThreatIntelligence/Package/createUiDefinition.json

@@ -0,0 +1,165 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/data443_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n\u2022 Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vaikora-SentinelOne-ThreatIntelligence/ReleaseNotes.md)\n\n \u2022 There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Vaikora SentinelOne Threat Intelligence solution polls the Vaikora AI Agent Security API for high-severity and anomaly agent actions, then pushes indicators of compromise (IOCs) to SentinelOne's Threat Intelligence API for automated detection and response.\n\n**Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "VaikoraApiKey",
+            "type": "Microsoft.Common.PasswordBox",
+            "label": {
+              "password": "Vaikora API Key",
+              "confirmPassword": "Confirm Vaikora API Key"
+            },
+            "toolTip": "The Vaikora API Key used for X-API-Key authentication when polling agent actions.",
+            "constraints": {
+              "required": true
+            },
+            "options": {
+              "hideConfirmation": false
+            },
+            "visible": true
+          },
+          {
+            "name": "VaikoraAgentId",
+            "type": "Microsoft.Common.TextBox",
+            "label": "Vaikora Agent ID",
+            "defaultValue": "",
+            "toolTip": "The Vaikora Agent ID to poll for security actions.",
+            "constraints": {
+              "required": true,
+              "regex": "^[a-zA-Z0-9_-]+$",
+              "validationMessage": "Agent ID must contain only alphanumeric characters, hyphens, or underscores."
+            },
+            "visible": true
+          },
+          {
+            "name": "SentinelOne_BaseUrl",
+            "type": "Microsoft.Common.TextBox",
+            "label": "SentinelOne Console URL",
+            "defaultValue": "",
+            "toolTip": "Your SentinelOne console URL (e.g. https://usea1-021.sentinelone.net). Log in to SentinelOne and copy the URL from your browser address bar.",
+            "constraints": {
+              "required": true,
+              "regex": "^https://.*sentinelone\\.net$",
+              "validationMessage": "Enter the full SentinelOne console URL (e.g. https://usea1-021.sentinelone.net)."
+            },
+            "visible": true
+          },
+          {
+            "name": "SentinelOne_ApiToken",
+            "type": "Microsoft.Common.PasswordBox",
+            "label": {
+              "password": "SentinelOne API Token",
+              "confirmPassword": "Confirm SentinelOne API Token"
+            },
+            "toolTip": "SentinelOne API Token for authenticating IOC push requests.",
+            "constraints": {
+              "required": true
+            },
+            "options": {
+              "hideConfirmation": false
+            },
+            "visible": true
+          },
+          {
+            "name": "SentinelOne_AccountId",
+            "type": "Microsoft.Common.TextBox",
+            "label": "SentinelOne Account ID",
+            "defaultValue": "",
+            "toolTip": "SentinelOne Account ID. Required for all IOC push requests (filter.accountIds).",
+            "constraints": {
+              "required": true,
+              "regex": "^[0-9]+$",
+              "validationMessage": "Account ID must be numeric."
+            },
+            "visible": true
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]",
+      "VaikoraApiKey": "[steps('playbooks').VaikoraApiKey]",
+      "VaikoraAgentId": "[steps('playbooks').VaikoraAgentId]",
+      "SentinelOne_BaseUrl": "[steps('playbooks').SentinelOne_BaseUrl]",
+      "SentinelOne_ApiToken": "[steps('playbooks').SentinelOne_ApiToken]",
+      "SentinelOne_AccountId": "[steps('playbooks').SentinelOne_AccountId]"
+    }
+  }
+}