Updating 'SonicWall Firewall' Solution to version 3.1.0 #9616

Merged
merged 46 commits into from
Mar 29, 2024


jaimeesc
Contributor

Change(s):

  • Updating 'SonicWall Firewall' Solution to version 3.1.0
  • Adding Analytic Rules, a Hunting Query, and a Workbook.

Reason for Change(s):

  • Submitting parsers and other content to the repository.

Version Updated:

  • Yes. Updating to version 3.1.0. Added 2 Analytic Rules, 1 Hunting Query, and 1 Workbook.

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

New content for SonicWall Firewalls.
Updated Solution file for version 3.1.0
Updated package to version 3.1.0.
Made corrections to the maintemplate and verified successful deployment.
@jaimeesc jaimeesc requested review from a team as code owners December 14, 2023 21:03
Updated the Workbook to correct a validation error reported in the PR checks (fromTemplateId).
Updated createUiDefinition.json to correct Azure Sentinel to Microsoft Sentinel.
@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Dec 15, 2023
@v-prasadboke
Contributor

Hello @jaimeesc,

  1. Please resolve validation error for AllowedInboundSSHTelnetRDPConnections.

  2. Please add a custom table at '.script/tests/KqlvalidationsTests/CustomTables' and
    .script/tests/KqlvalidationsTests/CustomFunctions with name as ASimNetworkSessionSonicWallFirewall. You can refer to
    any of the tables from the folder for more clarification.

@jaimeesc
Contributor Author

2. script/tests/KqlvalidationsTests/CustomTables

Thanks for your response! Just one question I haven't found an answer to. Should I get the schema from the parser and include all columns (even default ones), or custom columns? The examples seem to have examples of both.

@jaimeesc
Contributor Author

The validations failed and seem unrelated to the changes since the last validation run. Going to try closing/re-opening the PR to kick off the validations again.

@jaimeesc jaimeesc closed this Dec 15, 2023
@jaimeesc jaimeesc reopened this Dec 15, 2023
@v-prasadboke
Contributor

Hello @jaimeesc, I am seeing this kind of Validation error for the first time. Please lend me some time to examine it.

@v-prasadboke
Contributor

  1. script/tests/KqlvalidationsTests/CustomTables

Thanks for your response! Just one question I haven't found an answer to. Should I get the schema from the parser and include all columns (even default ones), or custom columns? The examples seem to have examples of both.

Yes, columns used in parsers should be added to the table, and the validation errors are visible now.
Please have a look.

@v-prasadboke
Contributor

Hello @jaimeesc, All checks are green. I'll review this PR and get back to you by 26 December, 2023.

@v-prasadboke
Contributor

Hello @jaimeesc, can you share sample data to test the content of the solution?

@v-prasadboke
Contributor

Hello @jaimeesc, please share the sample data and add workbook metadata to this file https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/WorkbooksMetadata.json

@v-prasadboke
Contributor

Hello @jaimeesc, can you please share the sample data and add the workbook metadata to the same?

@jaimeesc
Contributor Author

I replaced the contents of my WorkbooksMetadata.json file with the current master's contents. I then added my changes to the file. There should not be a conflict.

image

@v-prasadboke
Contributor

Hello @jaimeesc,
Thanks for marking this PR as ready for review. We will investigate the PR and get back to you by 14 March, 2024

@v-prasadboke
Contributor

Hello @jaimeesc. Sorry for the inconvenience, but we are facing a react error in the content hub of the Azure portal.
We are working on it and will get back to you.

@v-prasadboke
Contributor

Hello @jaimeesc, we are facing an issue while custom deploying the maintemplate.
Content hub is throwing a react error.

Can you try to deploy the maintemplate from your end and check if it's working?
Thanks.

@jaimeesc
Contributor Author

I was able to deploy it without the createUiDefinition file (custom deployment, pasting in the contents of mainTemplate). I'm looking into the problem with the location when using createUiDefinition.

@v-prasadboke
Contributor

Try to access the solution after deploying.
Go to content hub and click on your solution name.

You will find the manage button in the lower side of the right pane.
Check if you can see the content of the solution.
Also, please share a screenshot of the same.

@jaimeesc
Contributor Author

It deployed successfully (without the createUiDefinition.json file). I can see the solution in content hub.
I'm still trying to work through the issue deploying with createUiDefinition.
image

When I clicked manage, I got this error. Is this caused by the template?
image

I can see the workbook template is there.
image

The hunting query is there.
image

The analytic rules are there.
image

The data connectors are there.
image

@jaimeesc
Contributor Author

I noticed the solution's version number displayed right before the react error is 2.0.6. The current version posted to GitHub is 3.0.0. I double-checked by deploying another Sentinel workspace and checking the content hub. I installed 2.0.6 from the content hub and clicked manage. No react error, but only one connector is installed (as expected for version 2.0.6). The react error seems to occur when I deploy a newer template than 2.0.6, but check content hub and it tries to load version 2.0.6 information. Could the issue be that the content references the solution (which doesn't exist in that version) or the solution references a data connector that was renamed post-2.0.6?

@jaimeesc
Contributor Author

Version 3.0.0 will be published to the Marketplace soon to replace 2.0.6. I think that will address the react error.
I believe I've addressed the issue between the maintemplate and createuidefinition. I can deploy successfully with and without the custom UI.

Corrects deployment issue with custom UI.
@v-prasadboke
Contributor

This issue I'm facing is for v 3.0.0.

If you custom deploy the maintemplate via "deploy a custom template" on the Azure portal and head towards LA with the deployed maintemplate,
you see this error after clicking on the manage button.

@jaimeesc
Contributor Author

3.0.0 (the current version on github) should publish to the content hub soon. If you notice, the version on the content hub is older. The difference between 2.0.6/2.0.7 and 3.0.0 is the change to the data connector for the upcoming Log Analytics agent retirement. Based on what I've seen, it fails to load the data connector info that is expected by version 2.0.6/2.0.7. I suspect that when 3.0.0 publishes, 3.1.0 will not experience this error. Let's please see if that resolves it in the next day or so when it gets published.

@jaimeesc
Contributor Author

3.0.0 is now published in the content hub. Please go ahead and try again. I was able to deploy 3.1.0 from the maintemplate and can manage from the content hub.

image

@v-prasadboke
Contributor

Proceed with the above-mentioned changes and we are good to merge this PR.

@v-dvedak v-dvedak merged commit 786aeb6 into Azure:master Mar 29, 2024
33 checks passed
Labels
Solution Solution specialty review needed
4 participants