solution re-packaged and file moment

v-laanjana 2022-11-25 16:35:14 +05:30
Parent cb63c67d66
Commit 159e218db3
24 changed files: 1901 additions and 1876 deletions

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Email sender IP in TI list
description: |
'Email sender IP in TI list.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
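Review bot: the +/- markers did not survive rendering, so the single line this hunk adds (6 → 7 in the header) is not visibly marked; from the surrounding context it is `status: Available`. The same one-line change appears in all ten rule templates in this commit, which is consistent, but the commit message ("solution re-packaged and file moment") does not mention that every analytic rule template gains a `status` field; please state that in the message so the schema change is discoverable in history.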

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Email sender in TI list
description: |
'Email sender in TI list.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
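Review bot: `requiredDataConnectors` here lists only `ThreatIntelligence` (the same applies to the sender-IP rule above), while every other template in this commit declares `ProofpointPOD`. If the query matches TI indicators against ProofpointPOD message events, the `ProofpointPOD` connector should be listed as well so the template is not offered to workspaces that lack the Proofpoint data; if it genuinely reads TI data alone, the one-line description should say what email data the sender is checked against.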

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Binary file in attachment
description: |
'Detects when email received with binary file as attachment.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Possible data exfiltration to private email
description: |
'Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - High risk message not discarded
description: |
'Detects when email with high risk score was not rejected or discarded by filters.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Multiple archived attachments to the same recipient
description: |
'Detects when multiple emails where sent to the same recipient with large archived attachments.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Multiple large emails to the same recipient
description: |
'Detects when multiple emails with large size where sent to the same recipient.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Multiple protected emails to unknown recipient
description: |
'Detects when multiple protected messages where sent to early not seen recipient.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Suspicious attachment
description: |
'Detects when email contains suspicious attachment (file type).'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -3,6 +3,7 @@ name: ProofpointPOD - Weak ciphers
description: |
'Detects when weak TLS ciphers are used.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:

View file

@ -19,12 +19,10 @@
"Analytic Rules/ProofpointPODWeakCiphers.yaml",
"Analytic Rules/ProofpointPODBinaryInAttachment.yaml",
"Analytic Rules/ProofpointPODDataExfiltrationToPrivateEmail.yaml",
"Analytic Rules/ProofpointPODEmailSenderInTIList.yaml",
"Analytic Rules/ProofpointPODEmailSenderIPinTIList.yaml",
"Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml",
"Analytic Rules/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml"
],
"Analytic Rules": [
"Hunting Queries": [
"Hunting Queries/ProofpointPODLargeOutboundEmails.yaml",
"Hunting Queries/ProofpointPODRecipientsHighNumberDiscardReject.yaml",
"Hunting Queries/ProofpointPODRecipientsLargeNumberOfCorruptedEmails.yaml",
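Review bot: in the visible lines, `],` is immediately followed by `"Analytic Rules": [` and then `"Hunting Queries": [` (header: 12 → 10 lines), which reads as either a second `"Analytic Rules"` key being removed or the array being closed and re-opened; a duplicate key in the Input JSON is accepted silently by most parsers, with the last array winning, so the packaging tool could have been dropping rules without any error. Please confirm that the resulting file has exactly one `"Analytic Rules"` array, that `"Analytic Rules/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml"` (no trailing comma) is its last element, and that the two EmailSender*TIList entries are meant to remain in the package.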
@ -37,7 +35,7 @@
"Hunting Queries/ProofpointPODHighScoreSuspectValue.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\ProofPointPOD",
"Version": "2.0.1",
"Version": "2.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
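Review bot: the bump to `"Version": "2.0.2"` matches the new Package/2.0.2.zip added in this commit. The unchanged `"BasePath": "C:\\GitHub\\Azure-Sentinel\\solutions\\ProofPointPOD"` is a machine-local absolute path; it follows the existing pattern in this file, but it means whoever re-packages next has to edit it first, so it is worth mentioning in the commit message that the package was built from that path.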

Binary data
Solutions/ProofPointPOD/Package/2.0.2.zip Normal file

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ Proofpoint on Demand Email Security](https://www.proofpoint.com/us/products/email-security-and-protection/email-protection) solution for Microsoft Sentinel enables you to ingest Proofpoint on Demand Email Protection data and activity logs for monitoring email activity, events and threats in your organization.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview) \n\n**Data Connectors:** 1, **Parsers:** 1,**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/proofpointlogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Proofpoint on Demand Email Security](https://www.proofpoint.com/us/products/email-security-and-protection/email-protection) solution for Microsoft Sentinel enables you to ingest Proofpoint on Demand Email Protection data and activity logs for monitoring email activity, events and threats in your organization.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\r\n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
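Review bot: the new description still states `**Analytic Rules:** 8`, but this commit touches ten analytic rule templates (including the two TI-list rules that the Input file lists), and the createUiDefinition sections below enumerate only `analytic1` through `analytic8`, with neither TI rule among them. Either the count and the UI sections should cover all ten, or the two TI rules are not shipped and should be removed from the Input list. The rest of the change (the logo `<img>` and spacing fixes such as the missing space after `**Parsers:** 1,`) looks right.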
@ -67,7 +67,7 @@
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ProofpointPOD Kusto Function alias."
"text": "he solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ProofpointPOD Kusto Function alias."
}
},
{
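Review bot: the replacement line drops the first letter of the sentence: `"text": "he solution installs a parser ...` should read `The solution installs a parser that transforms ingested data.` This is a regression introduced by this commit in user-facing text, not a pre-existing typo.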
@ -139,66 +139,10 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Binary file in attachment",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when email received with binary file as attachment."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Possible data exfiltration to private email",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - High risk message not discarded",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when email with high risk score was not rejected or discarded by filters."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Multiple archived attachments to the same recipient",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when multiple emails where sent to the same recipient with large archived attachments."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Multiple large emails to the same recipient",
"elements": [
{
"name": "analytic5-text",
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when multiple emails with large size where sent to the same recipient."
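Review bot: this hunk renumbers the sections so that `analytic1` becomes "Multiple large emails to the same recipient" and the binary-attachment, exfiltration, high-risk and archived-attachment sections move later; labels and text are carried over verbatim. Since these lines are being rewritten anyway, the grammar in the carried-over text should be fixed at the same time: `multiple emails with large size where sent` → `were sent` (the same `where sent` appears in the archived-attachments text).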
@ -207,12 +151,12 @@
]
},
{
"name": "analytic6",
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Multiple protected emails to unknown recipient",
"elements": [
{
"name": "analytic6-text",
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when multiple protected messages where sent to early not seen recipient."
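Review bot: the rename from `analytic6` to `analytic2` is consistent with the new ordering; while the section is being touched, the description `multiple protected messages where sent to early not seen recipient` should read `multiple protected messages were sent to a previously unseen recipient`, since this text is shown to users in the install wizard.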
@ -221,12 +165,12 @@
]
},
{
"name": "analytic7",
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Suspicious attachment",
"elements": [
{
"name": "analytic7-text",
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when email contains suspicious attachment (file type)."
@ -235,15 +179,71 @@
]
},
{
"name": "analytic8",
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Weak ciphers",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when weak TLS ciphers are used."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Binary file in attachment",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when email received with binary file as attachment."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Possible data exfiltration to private email",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - High risk message not discarded",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when email with high risk score was not rejected or discarded by filters."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Multiple archived attachments to the same recipient",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when weak TLS ciphers are used."
"text": "Detects when multiple emails where sent to the same recipient with large archived attachments."
}
}
]
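Review bot: the final pair replaces `Detects when weak TLS ciphers are used.` with the archived-attachments text, which is correct now that `analytic8` is "Multiple archived attachments to the same recipient" and the weak-ciphers text sits under `analytic4`. Because the +/- markers were lost in rendering and the hunk both renames `analytic8` to `analytic4` and adds four sections, please re-check every `label`/`text` pairing in the resulting file once, since a mismatch here would not fail any build step.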
@ -259,7 +259,7 @@
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
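Review bot: the only change in this hunk is a trailing space appended after `in Manage solution view.`; that is a whitespace regression in user-facing text and should be reverted.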
@ -275,80 +275,10 @@
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'adult' filter classifier value",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'adult' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'malware' filter classifier value",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'malware' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'phish' filter classifier value",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'phish' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'spam' filter classifier value",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'spam' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'suspect' filter classifier value",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'suspect' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Large size outbound emails",
"elements": [
{
"name": "huntingquery6-text",
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails which size is 2 times grater than average size of outbound email for user. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
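Review bot: the hunting-query sections are renumbered so that `huntingquery1` is now "Large size outbound emails", with the five classifier-score sections moved later and their text carried over verbatim. While this line is being rewritten, fix the wording of the carried-over description: `emails which size is 2 times grater than average size of outbound email for user` → `emails whose size is 2 times greater than the user's average outbound email size`.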
@ -357,12 +287,12 @@
]
},
{
"name": "huntingquery7",
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Recipients with high number of discarded or rejected emails",
"elements": [
{
"name": "huntingquery7-text",
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for recipients with high number of discarded or rejected emails. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
@ -371,12 +301,12 @@
]
},
{
"name": "huntingquery8",
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Recipients with large number of corrupted emails",
"elements": [
{
"name": "huntingquery8-text",
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for recipients with large number of corrupted emails. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
@ -385,12 +315,12 @@
]
},
{
"name": "huntingquery9",
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Senders with large number of corrupted messages",
"elements": [
{
"name": "huntingquery9-text",
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for senders with large number of corrupted messages. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
@ -399,15 +329,85 @@
]
},
{
"name": "huntingquery10",
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Suspicious file types in attachments",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Hunting for suspicious file types in attachments. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'adult' filter classifier value",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'adult' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'malware' filter classifier value",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'malware' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'phish' filter classifier value",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'phish' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'spam' filter classifier value",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Search for emails with high score of 'spam' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "ProofpointPOD - Emails with high score of 'suspect' filter classifier value",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Hunting for suspicious file types in attachments. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
"text": "Search for emails with high score of 'suspect' filter classifier value. It depends on the ProofpointPOD data connector and ProofpointPOD_message_CL data type and ProofpointPOD parser."
}
}
]
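Review bot: the final text replacement moves the "suspicious file types" sentence to `huntingquery5` and places the 'suspect' classifier text under `huntingquery10`, which matches the new labels in this hunk. After the reorder the ten hunting-query sections agree with the `**Hunting Queries:** 10` count in the description, so no count change is needed here.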

File diffs hidden because one or more lines are too long