|
30 | 30 | }, |
31 | 31 | "workbook1-name": { |
32 | 32 | "type": "string", |
33 | | - "defaultValue": null, |
| 33 | + "defaultValue": "AWS Security Hub Compliance Workbook", |
34 | 34 | "minLength": 1, |
35 | 35 | "metadata": { |
36 | 36 | "description": "Name for the workbook" |
|
58 | 58 | "_solutionVersion": "3.0.3", |
59 | 59 | "solutionId": "azuresentinel.azure-sentinel-solution-awssecurityhub", |
60 | 60 | "_solutionId": "[variables('solutionId')]", |
61 | | - "workbookVersion1": "", |
62 | | - "workbookContentId1": "", |
| 61 | + "workbookVersion1": "1.0.0", |
| 62 | + "workbookContentId1": "AWSSecurityHubComplianceWorkbook", |
63 | 63 | "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", |
64 | 64 | "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", |
65 | 65 | "_workbookContentId1": "[variables('workbookContentId1')]", |
|
144 | 144 | "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d5818873-a2ab-4467-8e97-60fe56ca10cc')))]" |
145 | 145 | }, |
146 | 146 | "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", |
147 | | - "ComplianceControlId": "ComplianceSecurityControlId", |
| 147 | + "ComplianceControlId": "ComplianceSecurityControlId", |
148 | 148 | "_ComplianceControlId": "[variables('ComplianceControlId')]", |
149 | 149 | "FindingId": "AwsSecurityFindingId", |
150 | 150 | "_FindingId": "[variables('FindingId')]" |
|
173 | 173 | "kind": "shared", |
174 | 174 | "apiVersion": "2021-08-01", |
175 | 175 | "metadata": { |
176 | | - "description": "" |
| 176 | + "description": "Gain insights into AWS Security Hub compliance findings imported into Microsoft Sentinel. View compliance trends, severity distribution, top finding types, and audit logs." |
177 | 177 | }, |
178 | 178 | "properties": { |
179 | 179 | "displayName": "[parameters('workbook1-name')]", |
|
188 | 188 | "apiVersion": "2022-01-01-preview", |
189 | 189 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", |
190 | 190 | "properties": { |
191 | | - "description": ".description", |
| 191 | + "description": "@{workbookKey=AWSSecurityHubComplianceWorkbook; logoFileName=Aws.svg; description=Gain insights into AWS Security Hub compliance findings imported into Microsoft Sentinel. View compliance trends, severity distribution, top finding types, and audit logs.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=AWS Security Hub Compliance Workbook; templateRelativePath=AWSSecurityHubComplianceWorkbook.json; subtitle=; provider=AWS Security Hub}.description", |
192 | 192 | "parentId": "[variables('workbookId1')]", |
193 | 193 | "contentId": "[variables('_workbookContentId1')]", |
194 | 194 | "kind": "Workbook", |
|
916 | 916 | } |
917 | 917 | ], |
918 | 918 | "customDetails": { |
919 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
920 | 919 | "Region": "AwsRegion", |
921 | | - "FindingId": "[variables('_FindingId')]" |
| 920 | + "FindingId": "[variables('_FindingId')]", |
| 921 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
922 | 922 | }, |
923 | 923 | "alertDetailsOverride": { |
924 | 924 | "alertDescriptionFormat": "AWS CloudTrail trail ({{TrailId}}) lacks customer-managed KMS encryption for Account {{AwsAccountId}}.", |
|
1046 | 1046 | } |
1047 | 1047 | ], |
1048 | 1048 | "customDetails": { |
1049 | | - "OpenHighRiskPorts": "OpenHighRiskPorts", |
1050 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1051 | 1049 | "Region": "AwsRegion", |
1052 | 1050 | "SecurityGroupId": "SecurityGroupId", |
1053 | | - "FindingId": "[variables('_FindingId')]" |
| 1051 | + "OpenHighRiskPorts": "OpenHighRiskPorts", |
| 1052 | + "FindingId": "[variables('_FindingId')]", |
| 1053 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1054 | 1054 | }, |
1055 | 1055 | "alertDetailsOverride": { |
1056 | 1056 | "alertDescriptionFormat": "EC2 Security group {{SecurityGroupId}} allows unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports: {{OpenHighRiskPorts}}. Restrict or remove the offending rules.", |
|
1171 | 1171 | } |
1172 | 1172 | ], |
1173 | 1173 | "customDetails": { |
1174 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1175 | 1174 | "Region": "AwsRegion", |
1176 | | - "FindingId": "[variables('_FindingId')]" |
| 1175 | + "FindingId": "[variables('_FindingId')]", |
| 1176 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1177 | 1177 | }, |
1178 | 1178 | "alertDetailsOverride": { |
1179 | 1179 | "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.", |
|
1296 | 1296 | } |
1297 | 1297 | ], |
1298 | 1298 | "customDetails": { |
1299 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1300 | 1299 | "Region": "AwsRegion", |
1301 | 1300 | "RootUserARN": "RootUserARN", |
1302 | | - "FindingId": "[variables('_FindingId')]" |
| 1301 | + "FindingId": "[variables('_FindingId')]", |
| 1302 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1303 | 1303 | }, |
1304 | 1304 | "alertDetailsOverride": { |
1305 | 1305 | "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has root user without MFA (Resource: {{RootUserARN}}).", |
|
1422 | 1422 | } |
1423 | 1423 | ], |
1424 | 1424 | "customDetails": { |
1425 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1426 | 1425 | "Region": "AwsRegion", |
1427 | 1426 | "RootUserARN": "RootUserARN", |
1428 | | - "FindingId": "[variables('_FindingId')]" |
| 1427 | + "FindingId": "[variables('_FindingId')]", |
| 1428 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1429 | 1429 | }, |
1430 | 1430 | "alertDetailsOverride": { |
1431 | 1431 | "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has a root user access key (Resource: {{RootUserARN}}).", |
|
1552 | 1552 | } |
1553 | 1553 | ], |
1554 | 1554 | "customDetails": { |
1555 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1556 | 1555 | "Region": "AwsRegion", |
1557 | | - "FindingId": "[variables('_FindingId')]" |
| 1556 | + "FindingId": "[variables('_FindingId')]", |
| 1557 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1558 | 1558 | }, |
1559 | 1559 | "alertDetailsOverride": { |
1560 | 1560 | "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) without server-side encryption enabled. Enable KMS encryption to protect message data at rest.", |
|
1680 | 1680 | } |
1681 | 1681 | ], |
1682 | 1682 | "customDetails": { |
1683 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1684 | 1683 | "Region": "AwsRegion", |
1685 | 1684 | "QueueArn": "QueueArn", |
1686 | | - "FindingId": "[variables('_FindingId')]" |
| 1685 | + "FindingId": "[variables('_FindingId')]", |
| 1686 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1687 | 1687 | }, |
1688 | 1688 | "alertDetailsOverride": { |
1689 | 1689 | "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has an SQS queue ({{QueueArn}}) with a policy permitting public access. Review and restrict the queue access policy.", |
|
1798 | 1798 | } |
1799 | 1799 | ], |
1800 | 1800 | "customDetails": { |
1801 | | - "ComplianceControlId": "[variables('_ComplianceControlId')]", |
1802 | 1801 | "Region": "AwsRegion", |
1803 | | - "FindingId": "[variables('_FindingId')]" |
| 1802 | + "FindingId": "[variables('_FindingId')]", |
| 1803 | + "ComplianceControlId": "[variables('_ComplianceControlId')]" |
1804 | 1804 | }, |
1805 | 1805 | "alertDetailsOverride": { |
1806 | 1806 | "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.", |
|