Create README.md

dashboards/m-21-31/README.md

@@ -0,0 +1,77 @@
+# M-21-31 Documentation
+
+## 1. To Deploy
+
+Deploying M-21-31 is simple. Follow these steps:
+
+1. Take the dashboard configuration file `m-21-31.conf` and paste it into the account.
+
+<img width="1893" alt="image" src="https://github.com/user-attachments/assets/90feb949-fa97-4469-a26a-ccc66dd330a9" />
+
+
+2. Export the following Google Spreadsheet as a CSV file:
+   - [M-21-31 Mapping Sheet](https://docs.google.com/spreadsheets/d/120NWtQXE-DAgBftd-h6weXnqPqdLBy_reTTNcdMusOE/edit?pli=1&gid=1925210520#gid=1925210520)
+3. Save the exported file as `m2131.csv` and save it to `/datatables/m2131.csv`
+4. Add the following stanza to the alerts (watchlist JSON):
+   - [M-21-31 Alerts File](https://docs.google.com/document/d/1TD2jRa5ypT0yfoTrqS82rXijDS7hPHasF7gO4emIf1Q/edit?tab=t.0)
+
+Once these steps are completed, you will have:
+- A functional dashboard
+- A lookup table (`m2131.csv`) for mappings
+- An alerts file that checks every minute if alerts match the defined mappings
+
+---
+
+## 2. Adding Detections
+
+To add detections:
+
+1. Open the `alerts.json` file.
+2. Add more `query-m21` queries to the alerts file.
+3. Map each `query-m21` to a corresponding requirement in the `m2131.csv` file.
+
+### Example:
+If the `m2131.csv` file contains the following:
+```csv
+1,Identity & Credential Management,Account Creation,0
+```
+
+Then in `alerts.json`, you will map it as:
+```json
+{
+  "requirement": "1",
+  "query-m21": "type_uid = 300101"
+}
+```
+
+Each new detection should follow the same structure, ensuring that queries align with requirement IDs.
+
+---
+
+## 3. Managing Mappings
+
+Mappings between requirements and queries are handled via the `m2131.csv` file and the `alerts.json` file:
+
+- The **primary key** in `m2131.csv` is the **requirement ID**.
+- In `alerts.json`, each query is mapped to a requirement using the requirement ID.
+- Queries in `alerts.json` should reference the correct requirement ID from `m2131.csv`.
+
+### Example Mapping:
+#### `m2131.csv`:
+```csv
+1,Identity & Credential Management,Account Creation,0
+```
+#### `alerts.json`:
+```json
+{
+  "requirement": "1",
+  "query-m21": "type_uid = 300101"
+}
+```
+
+### Managing Mappings Effectively:
+1. Ensure each requirement ID in `m2131.csv` corresponds to an entry in `alerts.json`.
+2. Update `alerts.json` whenever a new detection rule is added.
+3. Regularly validate the mappings to ensure they are still relevant.
+
+By following this structure, M-21-31 remains organized and easy to maintain.

dashboards/m-21-31/m-21-31.conf

@@ -0,0 +1,69 @@
+{
+    parameters: [
+
+
+      { "name": "Category", values: ["Identity & Credential Management", "Privileged Identity & Credential Management", "Email Filtering, Spam, and Phishing ", "Operating Systems - Windows", "Operating Systems- Windows", "Operating Systems - macOS", "Operating Systems - BSD (Linux) ", "Operating Systems - BSD (Linux)", "Network Device Infrastructure (for Devices with Multiple Interfaces)", "Network Device Infratructure ", "Network Device Infrastructure", "Network Device Infrastructure (General Logging)", "Network Device Infrastructure (Multiple Device Interfaces)", "Network Device Infrastructure ", "Network Device Infrastructure (Access, Authorization, and Accounting)", "Cloud Environments (General Logging)", "Amazon Web Services (AWS)", "Cloud Azure", "Microsoft 365", "Google Cloud Platform (GCP)", "System Configuration and Performance", "Authentication and Authorization - Administrative", "Authentication and Authorization - Authorization", "Anti-Virus/Behavioral-Based Malware Protection", "Network Device Infrastructure - Firwewalls", "Network Device Infrastructure - All Devices", "PKI Infrastructure", "Vulnerability Assessments", "Database Level", "Application Level", "Application Level - Web Application & Middleware", "Virtualization on System", "Mobile (Smartphones/Tablets)/MTD Server Logs", "Mobile (Smartphones/Tablets)/MTD Agent Logs", "Container - Supply Chain", "DLP", "Application Level - Commercial Off the Shelf (COTS)", "Application Level - Non-COTS", "Container - Image", "Contaimer - image", "Container - Management/Orchestration", "Container - OS", "Mainframes", "Container - Cluster/Pod Events"], defaultValue: "Network"} 
+    { "name": "Criticality",   defaultValue: "('0', '1', '2', '3')"} 
+
+  ], 
+  graphs: [
+    {
+      title: "Summary",
+      query: "| left join \nreq = (timestamp = *\n| limit 1000\n| group c = running_count() by timestamp\n| let id = format(\"%d\", c)\n| lookup Log, Category, Criticality from m2131.csv by id=id \n| filter  Category  contains (\"#Category#\") Criticality contains #Criticality#\n),\n\nall = (\ntag='alertState' param_requirement = * \n| group triggered = count(status='TRIGGERED'), count = count() by param_description, id = param_requirement, status = 1, param_query-m21\t\n\n)\n\non id\n\n| columns Log, param_query-m21,  log_status = abs(status) > 0 ? 10 : 0, Category, id, triggered, count\n| let status = param_query-m21 = null ? \"Needs Configuration\" : triggered > 0 ? \"Compliant\" : triggered = 0 AND count > 0  ? \"Non Compliant\" : \"Non Compliant\"\n| columns Log, status, id\n",
+      layout: {
+  h: 14,
+  w: 60,
+  x: 0,
+  y: 29
+},
+      graphStyle: "",
+      showBarsColumn: "false"
+    },
+    {
+      graphStyle: "",
+      title: "CISA Requirements (Criticality 0)",
+      query: "timestamp = *\n| limit 1000\n| group c = running_count() by timestamp\n| let id = format(\"%d\", c)\n| lookup Log, Category, Criticality from m2131.csv by id=id\n| columns Criticality, Category, Log, id\n| filter  Category  contains \"#Category#\"\n| columns Criticality, Category, Log\n",
+      showBarsColumn: "false",
+      layout: {
+  h: 14,
+  w: 30,
+  x: 30,
+  y: 15
+}
+    ,
+    },
+    {
+      graphStyle: "honeycomb",
+      honeyCombColor: {
+        hover: "#B9E885",
+        label: "Green",
+        value: "#6DB222"
+      },
+      honeyCombGroupBy: "",
+      honeyCombLinkTo: "/events?startTime=1+hour&view=standard&filter=[query]",
+      honeyCombThresholds: ["0", "1", "9", "10"],
+      layout: {
+  h: 14,
+  w: 30,
+  x: 0,
+  y: 15
+},
+      query: "| left join \nreq = (timestamp = *\n| limit 1000\n| group c = running_count() by timestamp\n| let id = format(\"%d\", c)\n| lookup Log, Category, Criticality from m2131.csv by id=id \n| filter  Category  contains (\"#Category#\") and Criticality contains #Criticality#\n),\n\nall = (\n tag='alertState' param_requirement = * \n| group count = count(), triggered = count(status='TRIGGERED') by param_description, id = param_requirement, status = 1, param_query-m21\t\n\n)\n\non id\n\n| columns Log, param_query-m21 ,   log_status = abs(status) > 0 ? 10 : 1, triggered, count\n| let status = param_query-m21 = null ? 1 : triggered > 0 ? 10 : triggered = 0 AND count > 0  ? 2: 2\n| let query = param_query-m21 = null ? \"needs config\" : triggered > 0 ? param_query-m21 : triggered = 0 AND count > 0  ? param_query-m21: param_query-m21\n| columns Log, query,status",
+      title: "At a Glance (Watchlist)"
+    },
+    {
+      graphStyle: "markdown",
+      markdown: "# M-21-31 Compliance Detections Dashboards\n\nSentinelOne Engineering and Government teams have reviewed each of the requirements of M-21-31 and compiled a list of those requirements. Where possible, we've mapped these requirements to a search to aid in compliance verification.\n\n## How to Use\n\nThe dashboard includes three statuses to indicate compliance levels:\n\n1. **Status 1**:  \n   Requires configuration of the bureau.  \n   - This status is for items that are bureau-specific and need additional setup.  \n\n2. **Status 2**:  \n   Non-compliant.  \n   - This status means the search has returned no results within the configured time frame.  \n\n3. **Status 10**:  \n   Compliant.  \n   - This status means the search has successfully found the logs in question.",
+      title: "ReadMe",
+      layout: {
+  h: 15,
+  w: 60,
+  x: 0,
+  y: 0
+}
+    }
+  ],
+  filters: [
+  ],
+  description: ""
+}