Azure · skeerthivasan · Oct 15, 2024
@@ -0,0 +1,44 @@
+id: a8130dcc-3617-41c0-a7ac-5f352bcfffaf
+name: External Fabric Module XFM1 is unhealthy
+version: 1.0.0
+kind: NRT
+description: External Fabric Module XFM1 is unhealthy
+severity: High
+tactics:
+- Execution
+relevantTechniques:
+- T0871
+query: |2-
+  Syslog
+  | where SyslogMessage has "purity.alert"
+  | extend Message = replace_string(SyslogMessage, "#012", "\n")
+  | extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
+  | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
+  | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
+  | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
+  | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
+  | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
+  | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
+  | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
+  | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
+  | project  PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
+  | where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)"
+entityMappings:
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: HostIP
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: SingleAlert
@@ -3,15 +3,20 @@
     "Author": "Pure Storage - [email protected]",
     "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/purestorage_logo.svg\" width=\"75px\" height=\"75px\">",
     "Description": "Solution for Microsoft Sentinel to ingest logs from PureStorage arrays",
-    "Parsers": ["Parsers/PureStorageParser.yaml"],
+    "Parsers": [
+      "Parsers/PureStorageFlashArrayParser.yaml",
+      "Parsers/PureStorageFlashBladeParser.yaml"
+    ],
     "Analytic Rules": [
       "Analytic Rules/PureFailedLogin.yaml",
-      "Analytic Rules/PureControllerFailed.yaml"
+      "Analytic Rules/PureControllerFailed.yaml",
+      "Analytic Rules/FB-FabricModuleUnhealthy.yaml"
      ],
     "Playbooks": [
       "Playbooks/Pure-Storage-User-Delete/azuredeploy.json",
       "Playbooks/Pure-Storage-Volumes-Snapshot/azuredeploy.json",
-      "Playbooks/Pure-Storage-Protection-Groups-Snapshot/azuredeploy.json"
+      "Playbooks/Pure-Storage-Protection-Groups-Snapshot/azuredeploy.json",
+      "Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json"
     ],
     "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Pure Storage",
     "Version": "3.0.1",

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/purestorage_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Pure%20Storage/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSolution for Microsoft Sentinel to ingest logs from PureStorage arrays\n\n**Parsers:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/purestorage_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Pure%20Storage/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSolution for Microsoft Sentinel to ingest logs from PureStorage arrays\n\n**Parsers:** 2, **Analytic Rules:** 3, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -104,6 +104,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic3",
+            "type": "Microsoft.Common.Section",
+            "label": "External Fabric Module XFM1 is unhealthy",
+            "elements": [
+              {
+                "name": "analytic3-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "External Fabric Module XFM1 is unhealthy"
+                }
+              }
+            ]
           }
         ]
       },