Merge pull request #11645 from idoscapa/idoscapa/mdiot_analyticrules_…

…entities Idoscapa/mdiot analyticrules entities
Azure · Jan 9, 2025 · cb54692 · cb54692
2 parents ad992c0 + 5d1d41e
commit cb54692
Show file tree

Hide file tree

Showing 15 changed files with 45 additions and 135 deletions.
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTDenialofService.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTDenialofService.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/...ons/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTExcessiveLoginAttempts.yaml b/...ons/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTExcessiveLoginAttempts.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTFirmwareUpdates.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTFirmwareUpdates.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTHighBandwidth.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTHighBandwidth.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/...s/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTINoSensorTrafficDetected.yaml b/...s/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTINoSensorTrafficDetected.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/...tions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml b/...tions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTIllegalFunctionCodes.yaml
@@ -48,14 +48,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -79,5 +73,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInsecurePLC.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTInternetAccess.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTMalware.yaml
@@ -48,14 +48,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -79,5 +73,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTNetworkScanning.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTNetworkScanning.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTPLCStopCommand.yaml
@@ -48,14 +48,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -79,5 +73,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedDevice.yaml b/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedDevice.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/...hreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedNetworkConfiguration.yaml b/...hreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedNetworkConfiguration.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/...TOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedPLCModifications.yaml b/...TOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedPLCModifications.yaml
@@ -49,14 +49,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -80,5 +74,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/...s/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml b/...s/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTUnauthorizedRemoteAccess.yaml
@@ -47,14 +47,8 @@ query: |
     AlertManagementUri,
     Techniques
 entityMappings:
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: SourceDeviceAddress
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: DestDeviceAddress
+sentinelEntitiesMappings:
+  - columnName: Entities
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 customDetails:
@@ -78,5 +72,5 @@ alertDetailsOverride:
       value: ProductComponentName
     - alertProperty: AlertLink
       value: AlertLink
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled