Dragos 3.1.2 release#14138
Open
dragosinc-sentinel wants to merge 4 commits into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the Dragos Sentinel solution for the 3.1.2 release, focusing on parser/query adjustments to better support multiple Dragos Cloud Sitestores and incident enrichment.
Changes:
- Updated solution and content versions to 3.1.2 / 1.1.x across solution artifacts.
- Enhanced parsers to populate separate Source/Destination IP address fields for incidents.
- Updated release notes to document the 3.1.2 changes.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| Solutions/Dragos/ReleaseNotes.md | Adds 3.1.2 entry to document the release. |
| Solutions/Dragos/Parsers/DragosPushNotificationsToSentinel.yaml | Updates parser version and enriches output with separate source/destination IP arrays. |
| Solutions/Dragos/Parsers/DragosPullNotificationsToSentinel.yaml | Updates parser version and separates IPs by directionality (source/destination/uncategorized). |
| Solutions/Dragos/Parsers/DragosNotificationsToSentinel.yaml | Updates wrapper parser version and de-dupes by keeping latest per id. |
| Solutions/Dragos/Package/mainTemplate.json | Skipped (ignored path per repo instructions). |
| Solutions/Dragos/Package/createUiDefinition.json | Skipped (ignored path per repo instructions). |
| Solutions/Dragos/Data/Solution_Dragos.json | Bumps solution version to 3.1.2. |
| Solutions/Dragos/Data Connectors/DragosSiteStore_CCP/dragosSitestoreDataConnectorDefinition.json | Skipped (ignored path per repo instructions). |
| Solutions/Dragos/Data Connectors/DragosSiteStore_CCP/dcr.json | Skipped (ignored path per repo instructions). |
| Solutions/Dragos/Data Connectors/DragosSiteStore_CCP/dataPoller.json | Skipped (ignored path per repo instructions). |
| Solutions/Dragos/Analytic Rules/DragosNotifiction.yaml | Adds SourceIP/DestinationIP custom details and bumps rule version. |
Contributor
|
Please review the comments above. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor
Author
|
Ack. I think the automatic PR comments have been resolved. Waiting on the PR checks to complete. |
Contributor
Author
|
@v-maheshbh @v-shukore could I please get some help with the failing PR validation checks. From what I can tell there aren't issues directly related to my changes:
|
Contributor
|
The current Content Hub version is 3.0.0; please update the next package version to 3.0.1 for minor changes or 3.1.0 for significant updates. Review the KQL function/query blocks in both YAMLs and update the expressions around the reported lines so they return scalars. The failure is most likely caused by an ID change validation issue on the modified parser: Thanks! |
Contributor
Author
|
@v-maheshbh I think I've addressed everything except for the KQL validations. That change is more complicated as we must re-test and validate the app prior to pushing an update. I'd like to verify we have all other issues resolved before committing time to testing KQL changes |
| | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | ||
| |-------------|--------------------------------|------------------------------------------------| | ||
| | 3.0.0 | 10-01-2025 | Initial solution release. | No newline at end of file | ||
| | 3.1.0 | 05-01-2025 | Support for pulling data from multiple Dragos Cloud Sitestores. Adding additional IP Address Source and Dest fields to Sentinel Incidents, instead of a single IP Address field. | |
Comment on lines
1324
to
1332
| "connectorDefinitionName": { | ||
| "defaultValue": " Dragos Notifications via Cloud Sitestore", | ||
| "type": "string", | ||
| "defaultValue": "Dragos Notifications via Cloud Sitestore", | ||
| "type": "securestring", | ||
| "minLength": 1 | ||
| }, | ||
| "workspace": { | ||
| "defaultValue": "[parameters('workspace')]", | ||
| "type": "string" | ||
| "type": "securestring" | ||
| }, |
| "minLength": 4 | ||
| "guidValue": { | ||
| "defaultValue": "[[newGuid()]", | ||
| "type": "securestring" |
| // Format IP addresses into the proper Sentinel Entity format | ||
| let IpAddresses = CommonSecurityLog | ||
| | where DeviceVendor == 'Dragos' and DeviceProduct == 'Platform' and DeviceVersion == '2' | ||
| | where DeviceVendor == 'Dragos' and DeviceProduct == 'Platform' |
| // Format Hosts into the proper Sentinel format | ||
| let Hosts = CommonSecurityLog | ||
| | where DeviceVendor == 'Dragos' and DeviceProduct == 'Platform' and DeviceVersion == '2' | ||
| | where DeviceVendor == 'Dragos' and DeviceProduct == 'Platform' |
| | summarize SentinelHosts = make_list(SentinelHost, 250), Hosts = make_list(Host, 250) by ExtID; | ||
| CommonSecurityLog | ||
| | where DeviceVendor == 'Dragos' and DeviceProduct == 'Platform' and DeviceVersion == '2' | ||
| | where DeviceVendor == 'Dragos' and DeviceProduct == 'Platform' |
| }, | ||
| { | ||
| "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'dataPoller')]", | ||
| "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'dragosDataPoller', parameters('guidValue'))]", |
| Title: Dragos Pull Notifications Sentinel Incidents | ||
| Version: '1.0.0' | ||
| Version: '1.1.1' | ||
| LastUpdated: '2024-08-25' |
Comment on lines
+12
to
+15
| "Hostname": "[[parameters('dragosSitestoreHostname')]", | ||
| "MinSeverity": "[[parameters('minSeverity')]", | ||
| "MaxSeverity": "[[parameters('maxSeverity')]" | ||
| }, |
Contributor
|
Kindly address the required review comments if required. Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Change(s):
Reason for Change(s):
Version updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: