Merge dev into main: Sentinel Solution packaging, analytics rules, playbooks, and CI improvements #82
…nt, isolate host) Implements RetailShield-Containment playbook — triggered by Sentinel incident, extracts IP/Account/Host entities, blocks IPs in NSG via Managed Identity, disables AAD accounts, and isolates hosts via Defender for Endpoint API. Closes #30
… VirusTotal) Implements RetailShield-ThreatIntelEnrich playbook — checks each IP entity against AbuseIPDB (confidence >= 75) and VirusTotal (malicious engines >= 3), raises incident severity to High on any positive hit, and posts enrichment table as an incident comment. Closes #31
Implements RetailShield-TriageClassify playbook — classifies Sentinel incidents by title pattern (MFA abuse, social engineering, privilege escalation, supplier compromise, POS fraud, gift-card fraud), tags the incident with classification labels, and posts an auto-triage comment. Closes #32
Covers prerequisites, per-playbook deployment commands, post-deployment Managed Identity role assignments, API key setup, and Sentinel automation rule wiring for all three RetailShield playbooks. Closes #33
…detection rules Replace 'Planned' with 'Available (requires configuration)' for the three Logic App playbooks now implemented, and 'Available' for the Sentinel detection rule library. Update the problem statement blurb to accurately describe the playbooks as requiring Azure configuration rather than implying they work out of the box. Closes #34
feat: containment Logic App — block IP, disable account, isolate host
…-app feat: threat-intel enrichment Logic App — AbuseIPDB + VirusTotal
feat: triage-classify Logic App — auto-classify incidents by title pattern
docs: add Logic Apps deployment guide (DEPLOYMENT.md)
fix: update README feature status to match implemented deliverables
…ql (T1110.004, T1078) Closes #40 Adds credential_stuffing.kql (T1110.004 High — 4 signals: DistributedLoginFailure, AccountTakeoverAfterStuffing, StuffingFromBlacklistedIP, RiskySigninAfterStuffing) and after_hours_access.kql (T1078 Medium — 3 signals: AfterHoursInteractiveLogin, AfterHoursPrivilegedOperation, AfterHoursSensitiveDeviceLogon).
Closes #41 Adds data_exfiltration.kql (T1048 Critical — 4 signals: DNSTunneling, LargeOutboundTransfer, IOCMatchedExfilTarget, DataStagingToExfil).
…SE-002) Closes #46 4 signals: MFAPromptFlood, FatigueAcceptance, DistributedMFAFlood, RiskySigninPostMFAFlood. Severity High, PlaybookTrigger block_ip.
…-SSE-003) Closes #47 4 signals: SensitiveRoleAssigned, AfterHoursRoleAddition, RoleAdditionFollowedByMFAChange, SensitiveGroupMemberAdded. Severity High, PlaybookTrigger notify_soc.
…RS-SSE-004) Closes #48 4 signals: ImpossibleTravel (geo_distance_2points), NewCountryForSupplier, HighRiskCountrySignin. Scoped to RetailSupplierAccounts watchlist. Severity Medium, PlaybookTrigger notify_soc.
…d (RS-POS-002) Closes #49 4 signals: AfterHoursVoidRefund, HighVolumeVoidRefund, HighValueVoidNoOverride, TenderMismatchRefund. Table RetailShield_POS_CL. Severity High, PlaybookTrigger notify_soc.
…S-FRD-001) Closes #50 4 signals: HighVelocityGiftCardActivation, StructuredGiftCardPurchase, GiftCardDrainAndReload, GiftCardMultiTerminalUse. Table RetailShield_POS_CL. Severity High, PlaybookTrigger notify_soc.
…ADME Closes #56
- 13 retail-specific rules moved to detection-rules/retail/
- 6 generic SOC rules moved to detection-rules/generic/
- Rewrote detection-rules/README.md with full rule index table (RS- ID, MITRE technique, tactic, severity, playbook trigger)
Reposition README — RetailShield as a Microsoft Sentinel content pack
Add CONTENT_PACK.md — document Sentinel Solution structure
Issue audit — assessment comments added to all 28 open issues
- Replace scripts/deploy_rules.py Quick Start step with manual Sentinel Analytics blade instructions (the script does not exist)
- Update scripts/ folder structure to show actual files present
- Remove broken LICENSE hyperlinks (file does not exist)
- Add sentinel/data-connectors/ to folder structure
- Move pip install step to the Run tests section where it belongs
Closes #64
Fix README references to non-existent files
Add test classes for pos_void_refund, gift_card_fraud, mfa_fatigue, credential_stuffing, after_hours_access, data_exfiltration, supplier_impossible_travel, and privileged_role_addition. Closes #15
Step-by-step walkthrough covering workspace setup, data connectors, custom tables, KQL analytics rules, watchlists, Logic App playbooks, automation rules, and validation testing. Closes #14
… App Triggered on High/Critical Sentinel incidents; calculates 24h CSR Bill and 72h GDPR/ICO deadlines, drafts ICO/NCSC-format report, emails compliance contact. Never auto-files with any government body. Closes #74
… rules Converts every KQL rule in detection-rules/retail/ into a deployable Microsoft Sentinel analytics rule ARM template under sentinel/analytics-rules/. Each template embeds the full KQL query inline and carries MITRE tactics, techniques, entity mappings, and customDetails (PlaybookTrigger, RiskScore). Closes #69
Defines RetailShield_POS_CL and RetailShield_Logs_CL custom Log Analytics table schemas with full column definitions, types, and descriptions. Includes README documenting ingestion endpoints and standard table dependencies. Closes #70
Scripts/validate_field_mapping.py checks every ARM template in sentinel/analytics-rules/ for: required properties, valid severity/duration format, MITRE technique codes, entityMappings structure, required customDetails fields (PlaybookTrigger, RiskScore), and cross-references entity mapping column names against KQL output columns. Adds field-mapping-validation as job 6 in ci.yml and includes it in the ci-success gate. Closes #72
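The checks that commit describes, as an added Python example; this is not the repository's own validate_field_mapping.py. The sample rule properties are constructed, and the KQL output columns are approximated from the query's last `project` clause (an assumption about how the rules are written).

```python
import re

# Sentinel scheduled analytics rules accept exactly these severities.
SEVERITIES = {"Informational", "Low", "Medium", "High"}
# queryFrequency / queryPeriod are ISO 8601 durations such as PT1H, P1D, PT5M.
ISO_DURATION = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?)?$")
MITRE_TECHNIQUE = re.compile(r"^T\d{4}(\.\d{3})?$")
REQUIRED_CUSTOM_DETAILS = {"PlaybookTrigger", "RiskScore"}
REQUIRED_PROPS = ("displayName", "query", "severity", "queryFrequency",
                  "queryPeriod", "entityMappings", "customDetails")


def kql_output_columns(query: str) -> set[str]:
    """Assumption: a rule ends with '| project a, b, Alias = expr' (last clause wins)."""
    projects = re.findall(r"\|\s*project\s+([^|]+)", query)
    if not projects:
        return set()
    return {item.split("=")[0].strip() for item in projects[-1].split(",") if item.strip()}


def validate_rule(props: dict) -> list[str]:
    """Return a list of problems for one rule's 'properties' object; empty means valid."""
    errors = [f"missing property: {k}" for k in REQUIRED_PROPS if k not in props]
    if errors:
        return errors
    if props["severity"] not in SEVERITIES:
        errors.append(f"invalid severity: {props['severity']}")
    for key in ("queryFrequency", "queryPeriod"):
        if not ISO_DURATION.match(props[key]):
            errors.append(f"invalid ISO 8601 duration in {key}: {props[key]}")
    for tech in props.get("techniques", []):
        if not MITRE_TECHNIQUE.match(tech):
            errors.append(f"invalid MITRE technique id: {tech}")
    cols = kql_output_columns(props["query"])
    missing = REQUIRED_CUSTOM_DETAILS - set(props["customDetails"])
    if missing:
        errors.append(f"customDetails missing: {sorted(missing)}")
    # customDetails maps a label to a KQL output column, so the column must exist.
    for label, col in props["customDetails"].items():
        if col not in cols:
            errors.append(f"customDetails {label} -> '{col}' not in KQL output {sorted(cols)}")
    for mapping in props["entityMappings"]:
        if "entityType" not in mapping or not mapping.get("fieldMappings"):
            errors.append("entityMapping needs entityType and a non-empty fieldMappings list")
            continue
        for fm in mapping["fieldMappings"]:
            if fm.get("columnName") not in cols:
                errors.append(f"entity column '{fm.get('columnName')}' not in KQL output {sorted(cols)}")
    return errors


# Constructed sample rule (not one of the repository's templates).
SAMPLE_RULE = {
    "displayName": "Sample: distributed login failures", "severity": "High",
    "queryFrequency": "PT1H", "queryPeriod": "P1D", "techniques": ["T1110.004"],
    "query": ("SigninLogs\n| where ResultType != 0\n"
              "| summarize Failures = count() by IPAddress, UserPrincipalName\n"
              "| extend PlaybookTrigger = 'block_ip', RiskScore = 80\n"
              "| project IPAddress, UserPrincipalName, Failures, PlaybookTrigger, RiskScore"),
    "entityMappings": [{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "IPAddress"}]}],
    "customDetails": {"PlaybookTrigger": "PlaybookTrigger", "RiskScore": "RiskScore"},
}
```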
Restores proper newlines in test_kql_rules.py (was stored as a single line with literal \n sequences). Removes unused `import os` from validate_field_mapping.py (flake8 F401).
The file was stored with literal \n sequences instead of real newlines (MCP push_files encoding bug from previous session), causing syntax errors in pytest and flake8 on every branch forked from dev.
Add UK incident reporting compliance assistant Logic App
Add Sentinel analytics rule ARM templates for all 13 retail detection rules
Add RetailShield custom table schema definitions (data connector ARM template)
Add Sentinel field mapping validator and CI job
* Fix corrupted test file: restore proper newlines in test_kql_rules.py
  The file was stored with literal \n escape sequences instead of real newlines (caused by MCP push_files encoding in the previous session), making it a single-line file that fails syntax parsing and flake8. Restores the 1260-line properly formatted Python source.
* Fix E127 flake8 in test_kql_rules.py (continuation line indent)
…nition)
* Add Sentinel Solution deployment package (mainTemplate, UI definition, README)
  Adds solution/ with a top-level mainTemplate.json that orchestrates deployment of all RetailShield components (custom tables, 13 analytics rules, 5 playbooks) via linked ARM template deployments with conditional flags per component type. createUiDefinition.json provides a guided Azure portal wizard experience with pre-deployment checklist and compliance contact configuration. Closes #71
* Fix corrupted test file: restore proper newlines in test_kql_rules.py
  The file was stored with literal \n sequences instead of real newlines (MCP push_files encoding bug from previous session), causing syntax errors in pytest and flake8 on every branch forked from dev.
* Fix E127 flake8 in test_kql_rules.py (continuation line indent)
* Add capability matrix covering all 13 retail rules, 6 generic rules, and 5 playbooks
  Documents every detection rule and response playbook with MITRE technique, tactic, severity, frequency, data sources, playbook trigger, and honest status labels (Complete vs Placeholder for generic stubs). Includes tactic coverage summary and watchlist/custom table dependency tables. Closes #73
* Fix corrupted test file: restore proper newlines in test_kql_rules.py
  The file was stored with literal \n sequences instead of real newlines (MCP push_files encoding bug from previous session), causing syntax errors in pytest and flake8 on every branch forked from dev.
* Fix E127 flake8 in test_kql_rules.py (continuation line indent)
Syncs all work from `dev` into `main`. Changes included:

- `RetailShield_POS_CL` and `RetailShield_Logs_CL` (closes Build a proper data connector definition for RetailShield log tables #70)
- `mainTemplate.json` + `createUiDefinition.json` (closes Package RetailShield as a Microsoft Sentinel Solution (mainTemplate + createUiDefinition) #71)
- `test_kql_rules.py` (newline encoding bug from MCP push_files)
- `field-mapping-validation`

Generated by Claude Code