Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' into users/v-dvedak/az_cog_search_sol

This commit is contained in:
v-sabiraj 2022-07-01 10:48:51 +05:30
Родитель f913913545 545d4f7346
Коммит 1be5091898
154 изменённых файлов: 62964 добавлений и 498 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
ASIM/dev/ASimTester/ASimDataTester.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

4
DataConnectors/CEF/cef_AMA_troubleshoot.py
Просмотреть файл

@ -709,7 +709,7 @@ def main():
running_in_collect_mode = True
printer.print_notice("Starting to collect data. This may take a couple of seconds")
time.sleep(2)
subprocess.Popen(['rm', COLLECT_OUTPUT_FILE, '2>', '/dev/null'],
subprocess.Popen(['rm', '-f', COLLECT_OUTPUT_FILE],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
system_info = SystemInfo()
system_info.handle_commands()
@ -734,7 +734,7 @@ def main():
(IncomingEventsVerifications(), "Starting validation tests for capturing incoming events")]
printer.print_notice("\nStarting to run the CEF validation script")
time.sleep(1)
subprocess.Popen(['rm', LOG_OUTPUT_FILE, '2>', '/dev/null'],
subprocess.Popen(['rm', '-f', LOG_OUTPUT_FILE],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
printer.print_notice("Please validate you are sending CEF messages to the agent machine")
for class_test in class_tests_array:

Двоичные данные
DataConnectors/CiscoUmbrella/CiscoUmbrellaConn.zip
Просмотреть файл

Двоичный файл не отображается.

2
DataConnectors/CiscoUmbrella/azuredeploy_CiscoUmbrella_API_FunctionApp.json
Просмотреть файл

@ -157,7 +157,7 @@
"AWSAccessKeyId": "[parameters('AWSAccessKeyId')]",
"AWSSecretAccessKey": "[parameters('AWSSecretAccessKey')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CiscoUmbrella/CiscoUmbrellaConn.zip?raw=true"
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp"
}
}
]

61
Detections/AzureDiagnostics/MaliciousWAFSessions.yaml
Просмотреть файл

@ -20,41 +20,46 @@ tactics:
relevantTechniques:
- T1190
query: |
let mode = 'Blocked';
let queryperiod = 1d;
let mode = 'Blocked';
let successCode = dynamic(['200', '101','204', '400','504','304','401','500']);
let minTime = ago(1d);
let maxSessionWindow = 1h;
let sessionBin = maxSessionWindow/2.0;
let sessionBin = 30m;
AzureDiagnostics
| where TimeGenerated > minTime
| where Category == 'ApplicationGatewayFirewallLog'
| where action_s == mode
| where TimeGenerated > ago(queryperiod)
| where Category == 'ApplicationGatewayFirewallLog' and action_s == mode
| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc
| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))
| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted
| extend duration = maxTime - minTime
| extend TimeKey = bin(SessionStarted, sessionBin)
| join kind = inner(
AzureDiagnostics
| where TimeGenerated > minTime
| where Category == 'ApplicationGatewayAccessLog'
| where httpStatus_d in (successCode) or isempty(httpStatus_d)
| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)
| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))
| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted
| extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)
| mv-expand TimeKey to typeof(datetime)
) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey
| where (TimeGenerated - SessionStarted) between (0m .. duration)
| extend originalRequestUriWithArgs_s = column_ifexists("originalRequestUriWithArgs_s", "")
| extend serverStatus_s = column_ifexists("serverStatus_s", "")
| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s
| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s),
SuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount
| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount
| join kind = inner(
AzureDiagnostics
| where TimeGenerated > ago(queryperiod)
| where Category == 'ApplicationGatewayAccessLog' and isempty(httpStatus_d) or httpStatus_d in (successCode)
| extend TimeKey = bin(TimeGenerated, sessionBin)
) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s
| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)
| extend
originalRequestUriWithArgs_s = column_ifexists("originalRequestUriWithArgs_s", ""),
serverStatus_s = column_ifexists("serverStatus_s", "")
| summarize
SuccessfulAccessCount = count(),
UserAgents = make_set(userAgent_s, 250),
RequestURIs = make_set(requestUri_s, 250),
OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),
SuccessCodes = make_set(httpStatus_d, 250),
SuccessCodes_BackendServer = make_set(serverStatus_s, 250),
take_any(SessionBlockedEnded, SessionBlockedCount)
by hostname_s, clientIp_s, SessionBlockedStarted
| where SessionBlockedCount > SuccessfulAccessCount
| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s
| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)
| sort by BlockvsSuccessRatio desc, timestamp asc
| where SessionBlockedCount > SuccessfulAccessLogCount
| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
version: 1.0.1
kind: Scheduled

27
Detections/GitHub/NRT Two Factor Authentication Disabled.yaml Normal file
Просмотреть файл

@ -0,0 +1,27 @@
id: 594c653d-719a-4c23-b028-36e3413e632e
name: NRT GitHub Two Factor Auth Disable
description: |
'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
severity: Medium
requiredDataConnectors: []
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
GitHubAudit
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, IPaddress, Repository
| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: NRT

5
Detections/OfficeActivity/RareOfficeOperations.yaml
Просмотреть файл

@ -22,7 +22,8 @@ query: |
OfficeActivity
| where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
| extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0][0])
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPOnly
entityMappings:
- entityType: Account
@ -33,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
version: 1.0.3
kind: Scheduled

31
Detections/PulseConnectSecure/PulseConnectSecureVPN-CVE_2021_22893_Exploit.yaml Normal file
Просмотреть файл

@ -0,0 +1,31 @@
id: d0c82b7f-40b2-4180-a4d6-7aa0541b7599
name: PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack
description: |
'This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server'
severity: High
requiredDataConnectors:
- connectorId: PulseConnectSecure
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
let threshold = 3;
PulseConnectSecure
| where Messages contains "Unauthenticated request url /dana-na/"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP
| where count_ > threshold
| extend timestamp = StartTime, IPCustomEntity = Source_IP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

5
Detections/readme.md
Просмотреть файл

@ -1,6 +1,8 @@
# About
This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment.
This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.
**Note**: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in [Microsoft Sentinel Content Hub](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-deploy). These are available in this repository under [Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) folder. For e.g. Analytic rules for McAfee solution are at https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/McAfeeePO/Analytic%20Rules.
For general information please start with the [Wiki](https://github.com/Azure/Azure-Sentinel/wiki) pages.
@ -10,6 +12,7 @@ More Specific to Detections:
* These detections are written using [KQL query langauge](https://docs.microsoft.com/azure/kusto/query/index) and will provide you a starting point to protect your environment and get familiar with the different data tables.
* To enable these detections in your environment follow the [out of the box guidance](https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-built-in) (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
* The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the **SecurityAlert** table and in a case in the **Incidents** tab
* If you are contributing analytic rule templates as part of a solution, follow [guidance for solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#step-1--create-your-content) to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.
# Feedback
For questions or feedback, please contact AzureSentinel@microsoft.com

8
MasterPlaybooks/Remediation-IP/azuredeploy.json
Просмотреть файл

@ -124,7 +124,7 @@
"type": "Microsoft.Logic/workflows"
},
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"kind": "V1",
@ -292,12 +292,6 @@
},
"method": "post",
"path": "/entities/ip"
},
"runtimeConfiguration": {
"staticResult": {
"staticResultOptions": "Disabled",
"name": "Entities_-_Get_IPs0"
}
}
},
"Filter_success_status_code": {

2
Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric",
"version": 1
}
}

46
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

18
Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/README.md Normal file
Просмотреть файл

@ -0,0 +1,18 @@
# Fortinet FortiGate ASIM NetworkSession Normalization Parser
ARM template for ASIM NetworkSession schema parser for Fortinet FortiGate.
This ASIM parser supports normalizing Fortinet FortiGate logs to the ASIM Web Session normalized schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionFortinetFortiGate%2FASimNetworkSessionFortinetFortiGate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionFortinetFortiGate%2FASimNetworkSessionFortinetFortiGate.json)

748
Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
Просмотреть файл

@ -21,11 +21,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVectraAI",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -41,211 +41,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty",
"name": "linkedASimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -301,11 +101,391 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVMConnection",
"name": "linkedvimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionFortinetFortiGate",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionFortinetFortiGate",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -361,11 +541,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"name": "linkedvimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -381,11 +561,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"name": "linkedvimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -401,11 +581,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"name": "linkedvimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -421,111 +601,11 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftMD4IoT",
"name": "linkedvimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
@ -557,46 +637,6 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
}
],
"outputs": {}

2
Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
Просмотреть файл

@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser",
"category": "ASIM",
"FunctionAlias": "imNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*', \n disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*'"
}

18
Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/README.md Normal file
Просмотреть файл

@ -0,0 +1,18 @@
# Fortinet FortiGate ASIM NetworkSession Normalization Parser
ARM template for ASIM NetworkSession schema parser for Fortinet FortiGate.
This ASIM parser supports filtering and normalizing Fortinet FortiGate logs produced by the Microsoft Sentinel Fortinet connector to the ASIM Network Session normalized schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionFortinetFortiGate%2FvimNetworkSessionFortinetFortiGate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionFortinetFortiGate%2FvimNetworkSessionFortinetFortiGate.json)

46
Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

107
Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
Просмотреть файл

@ -1,54 +1,55 @@
Parser:
Title: Network Session ASIM parser
Version: '0.5'
LastUpdated: Feb 21, 2021
Product:
Name: Source agnostic
Normalization:
Schema: NetworkSession
Version: '0.2.0'
References:
- Title: ASIM NetworkSession Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema.
ParserName: ASimNetworkSession
EquivalentBuiltInParser: _ASim_NetworkSession
Parsers:
- _Im_NetworkSession_Empty
- _ASim_NetworSession_Microsoft365Defender
- _ASim_NetworkSession_LinuxSysmon
- _ASim_NetworkSession_MD4IoT
- _ASim_NetworkSession_MicrosoftWindowsEventFirewall
- _ASim_NetworkSession_ZscalerZIA
- _ASim_NetworkSession_PaloAltoCEF
- _ASim_NetworkSession_VMConnection
- _ASim_NetworkSession_AWSVPC
- _ASim_NetworkSession_AzureFirewall
- _ASim_NetworkSession_AzureNSG
- _ASim_NetworkSession_VectraAI
- _ASim_NetworkSession_CiscoMeraki
- _ASim_NetworkSession_AppGateSDP
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let NetworkSessionsGeneric=(){
union isfuzzy=true
vimNetworkSessionEmpty
, ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))
, ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))
, ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))
, ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))
, ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))
, ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))
, ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))
, ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))
, ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))
, ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))
, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))
};
Parser:
Title: Network Session ASIM parser
Version: '0.5'
LastUpdated: Feb 21, 2021
Product:
Name: Source agnostic
Normalization:
Schema: NetworkSession
Version: '0.2.0'
References:
- Title: ASIM NetworkSession Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema.
ParserName: ASimNetworkSession
EquivalentBuiltInParser: _ASim_NetworkSession
Parsers:
- _Im_NetworkSession_Empty
- _ASim_NetworSession_Microsoft365Defender
- _ASim_NetworkSession_LinuxSysmon
- _ASim_NetworkSession_MD4IoT
- _ASim_NetworkSession_MicrosoftWindowsEventFirewall
- _ASim_NetworkSession_ZscalerZIA
- _ASim_NetworkSession_PaloAltoCEF
- _ASim_NetworkSession_VMConnection
- _ASim_NetworkSession_AWSVPC
- _ASim_NetworkSession_AzureFirewall
- _ASim_NetworkSession_AzureNSG
- _ASim_NetworkSession_VectraAI
- _ASim_NetworkSession_CiscoMeraki
- _ASim_NetworkSession_AppGateSDP
- _ASim_NetworkSession_FortinetFortiGate
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let NetworkSessionsGeneric=(){
union isfuzzy=true
vimNetworkSessionEmpty
, ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))
, ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))
, ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))
, ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))
, ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))
, ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))
, ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))
, ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))
, ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))
, ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))
, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))
, ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))
};
NetworkSessionsGeneric

240
Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionFortinetFortiGate.yaml Normal file
Просмотреть файл

@ -0,0 +1,240 @@
Parser:
Title: Network Session ASIM parser for Fortinet FortiGate
Version: '0.2'
LastUpdated: June 24, 2022
Product:
Name: Fortinet FortiGate
Normalization:
Schema: NetworkSession
Version: '0.2.3'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing Fortinet FortiGate logs to the ASIM Web Session normalized schema.
ParserName: ASimNetworkSessionFortinetFortiGate
EquivalentBuiltInParser: _ASim_NetworkSession_FortinetFortiGate
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)
[
"accept","Allow","Success",""
, "client-rst","Reset Source","Failure",""
, "close","","Success",""
, "deny","Deny","Failure",""
, "ip-conn","","Failure","IP connection error"
, "server-rst","Reset Destination","Failure",""
, "timeout","","Failure",""
];
let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)
[
"0","HOPOPT"
, "1","ICMP"
, "2","IGMP"
, "3","GGP"
, "4","IPv4"
, "5","ST"
, "6","TCP"
, "7","CBT"
, "8","EGP"
, "9","IGP"
, "10","BBN-RCC-MON"
, "11","NVP-II"
, "12","PUP"
, "13","ARGUS (deprecated)"
, "14","EMCON"
, "15","XNET"
, "16","CHAOS"
, "17","UDP"
, "18","MUX"
, "19","DCN-MEAS"
, "20","HMP"
, "21","PRM"
, "22","XNS-IDP"
, "23","TRUNK-1"
, "24","TRUNK-2"
, "25","LEAF-1"
, "26","LEAF-2"
, "27","RDP"
, "28","IRTP"
, "29","ISO-TP4"
, "30","NETBLT"
, "31","MFE-NSP"
, "32","MERIT-INP"
, "33","DCCP"
, "34","3PC"
, "35","IDPR"
, "36","XTP"
, "37","DDP"
, "38","IDPR-CMTP"
, "39","TP++"
, "40","IL"
, "41","IPv6"
, "42","SDRP"
, "43","IPv6-Route"
, "44","IPv6-Frag"
, "45","IDRP"
, "46","RSVP"
, "47","GRE"
, "48","DSR"
, "49","BNA"
, "50","ESP"
, "51","AH"
, "52","I-NLSP"
, "53","SWIPE (deprecated)"
, "54","NARP"
, "55","MOBILE"
, "56","TLSP"
, "57","SKIP"
, "58","IPv6-ICMP"
, "59","IPv6-NoNxt"
, "60","IPv6-Opts"
, "61",""
, "62","CFTP"
, "63",""
, "64","SAT-EXPAK"
, "65","KRYPTOLAN"
, "66","RVD"
, "67","IPPC"
, "68",""
, "69","SAT-MON"
, "70","VISA"
, "71","IPCV"
, "72","CPNX"
, "73","CPHB"
, "74","WSN"
, "75","PVP"
, "76","BR-SAT-MON"
, "77","SUN-ND"
, "78","WB-MON"
, "79","WB-EXPAK"
, "80","ISO-IP"
, "81","VMTP"
, "82","SECURE-VMTP"
, "83","VINES"
, "84","TTP"
, "84","IPTM"
, "85","NSFNET-IGP"
, "86","DGP"
, "87","TCF"
, "88","EIGRP"
, "89","OSPFIGP"
, "90","Sprite-RPC"
, "91","LARP"
, "92","MTP"
, "93","AX.25"
, "94","IPIP"
, "95","MICP (deprecated)"
, "96","SCC-SP"
, "97","ETHERIP"
, "98","ENCAP"
, "99",""
, "100","GMTP"
, "101","IFMP"
, "102","PNNI"
, "103","PIM"
, "104","ARIS"
, "105","SCPS"
, "106","QNX"
, "107","A/N"
, "108","IPComp"
, "109","SNP"
, "110","Compaq-Peer"
, "111","IPX-in-IP"
, "112","VRRP"
, "113","PGM"
, "114",""
, "115","L2TP"
, "116","DDX"
, "117","IATP"
, "118","STP"
, "119","SRP"
, "120","UTI"
, "121","SMP"
, "122","SM (deprecated)"
, "123","PTP"
, "124","ISIS over IPv4"
, "125","FIRE"
, "126","CRTP"
, "127","CRUDP"
, "128","SSCOPMCE"
, "129","IPLT"
, "130","SPS"
, "131","PIPE"
, "132","SCTP"
, "133","FC"
, "134","RSVP-E2E-IGNORE"
, "135","Mobility Header"
, "136","UDPLite"
, "137","MPLS-in-IP"
, "138","manet"
, "139","HIP"
, "140","Shim6"
, "141","WESP"
, "142","ROHC"
, "143","Ethernet"
, "253",""
, "254",""
, "255","Reserved"];
let Parser=(disabled:bool=false){
CommonSecurityLog
| where not(disabled)
| where DeviceVendor == "Fortinet" and DeviceProduct startswith "FortiGate" and AdditionalExtensions has "cat=traffic"
| where DeviceAction != "dns"
| project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceName,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated
| project-rename DstBytes = ReceivedBytes
, DstInterfaceName = DeviceOutboundInterface
, DstIpAddr = DestinationIP
, DstPortNumber = DestinationPort
, Dvc = DeviceName
, EventEndTime = TimeGenerated
, EventMessage = Activity
, EventOriginalSeverity = LogSeverity
, EventProduct = DeviceProduct
, EventProductVersion = DeviceVersion
, SrcBytes = SentBytes
, SrcInterfaceName = DeviceInboundInterface
, SrcIpAddr = SourceIP
, SrcPortNumber = SourcePort
| lookup EventLookup on DeviceAction
| lookup ProtocolLookup on Protocol
| project-rename DvcOriginalAction = DeviceAction
| parse AdditionalExtensions with "start=" EventStartTime
";" * "srcintfrole=" SrcZone
";" * "dstintfrole=" DstZone
";" * "externalID=" NetworkSessionId
";" * "policyid=" NetworkRuleNumber:int
";" * "dstcountry=" DstGeoCountry
";" * "srccountry=" SrcGeoCountry
";" *
| parse AdditionalExtensions with * "crscore=" ThreatRiskLevel:int
";" *
| parse AdditionalExtensions with * "duration=" NetworkDuration
";" * "sentpkt=" SrcPackets:int
";" * "rcvdpkt=" DstPackets:int
";" *
| extend EventCount = int(1)
, EventSchema = "NetworkSession"
, EventSchemaVersion = "0.2.3"
, EventSeverity = iif(EventOriginalSeverity == 5, "Informational", "")
, EventType = "NetworkSession"
, EventVendor = "Fortinet"
, NetworkBytes = DstBytes + SrcBytes
, NetworkProtocolVersion = case(DstIpAddr contains ".", "IPv4"
, DstIpAddr contains ":", "IPv6"
, "")
, NetworkPackets = DstPackets + SrcPackets
| extend
Src = SrcIpAddr,
Dst = DstIpAddr,
SessionId = NetworkSessionId,
IpAddr = SrcIpAddr,
Rule = NetworkRuleNumber
| project-away Protocol
};
Parser (disabled=disabled)

15
Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
Просмотреть файл

@ -31,6 +31,7 @@ Parsers:
- _Im_NetworkSession_VectraAI
- _Im_NetworkSession_CiscoMeraki
- _Im_NetworkSession_AppGateSDP
- _Im_NetworkSession_FortinetFortiGate
ParserParams:
- Name: starttime
Type: datetime
@ -63,7 +64,17 @@ ParserParams:
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)
let NetworkSessionsGeneric=(
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
srcipaddr_has_any_prefix:dynamic=dynamic([]),
dstipaddr_has_any_prefix:dynamic=dynamic([]),
ipaddr_has_any_prefix:dynamic=dynamic([]),
dstportnumber:int=int(null),
hostname_has_any:dynamic=dynamic([]),
dvcaction:dynamic=dynamic([]),
eventresult:string='*',
disabled:bool=false)
{
union isfuzzy=true
vimNetworkSessionEmpty
@ -80,4 +91,4 @@ ParserQuery: |
, vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) ))
};
NetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)
NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult)

290
Parsers/ASimNetworkSession/Parsers/vimNetworkSessionFortinetFortiGate.yaml Normal file
Просмотреть файл

@ -0,0 +1,290 @@
Parser:
Title: Network Session ASIM filtering parser for Fortinet FortiGate
Version: '0.2'
LastUpdated: June 26, 2022
Product:
Name: Fortinet FortiGate
Normalization:
Schema: NetworkSession
Version: '0.2.3'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: traffic log fields
Link: https://docs.fortinet.com/document/fortigate/7.2.0/fortios-log-message-reference/949981/traffic-log-support-for-cef
- Title: Fortinet FortiGate CEF setup
Link: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Integrate-FortiGate-with-Microsoft-Sentinel/ta-p/199709
- Title: Fortinet FortiGate syslogd documentation
Link: https://docs.fortinet.com/document/fortigate/7.2.0/cli-reference/450620/config-log-syslogd-setting
Description: |
This ASIM parser supports filtering and normalizing Fortinet FortiGate logs produced by the Microsoft Sentinel Fortinet connector to the ASIM Network Session normalized schema.
ParserName: vimNetworkSessionFortinetFortiGate
EquivalentBuiltInParser: _Im_NetworkSession_FortinetFortiGate
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: ipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstportnumber
Type: int
Default: int(null)
- Name: hostname_has_any
Type: dynamic
Default: dynamic([])
- Name: dvcaction
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: '*'
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)
[
"accept","Allow","Success",""
, "client-rst","Reset Source","Failure",""
, "close","","Success",""
, "deny","Deny","Failure",""
, "ip-conn","","Failure","IP connection error"
, "server-rst","Reset Destination","Failure",""
, "timeout","","Failure",""
];
let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)
[
"0","HOPOPT"
, "1","ICMP"
, "2","IGMP"
, "3","GGP"
, "4","IPv4"
, "5","ST"
, "6","TCP"
, "7","CBT"
, "8","EGP"
, "9","IGP"
, "10","BBN-RCC-MON"
, "11","NVP-II"
, "12","PUP"
, "13","ARGUS (deprecated)"
, "14","EMCON"
, "15","XNET"
, "16","CHAOS"
, "17","UDP"
, "18","MUX"
, "19","DCN-MEAS"
, "20","HMP"
, "21","PRM"
, "22","XNS-IDP"
, "23","TRUNK-1"
, "24","TRUNK-2"
, "25","LEAF-1"
, "26","LEAF-2"
, "27","RDP"
, "28","IRTP"
, "29","ISO-TP4"
, "30","NETBLT"
, "31","MFE-NSP"
, "32","MERIT-INP"
, "33","DCCP"
, "34","3PC"
, "35","IDPR"
, "36","XTP"
, "37","DDP"
, "38","IDPR-CMTP"
, "39","TP++"
, "40","IL"
, "41","IPv6"
, "42","SDRP"
, "43","IPv6-Route"
, "44","IPv6-Frag"
, "45","IDRP"
, "46","RSVP"
, "47","GRE"
, "48","DSR"
, "49","BNA"
, "50","ESP"
, "51","AH"
, "52","I-NLSP"
, "53","SWIPE (deprecated)"
, "54","NARP"
, "55","MOBILE"
, "56","TLSP"
, "57","SKIP"
, "58","IPv6-ICMP"
, "59","IPv6-NoNxt"
, "60","IPv6-Opts"
, "61",""
, "62","CFTP"
, "63",""
, "64","SAT-EXPAK"
, "65","KRYPTOLAN"
, "66","RVD"
, "67","IPPC"
, "68",""
, "69","SAT-MON"
, "70","VISA"
, "71","IPCV"
, "72","CPNX"
, "73","CPHB"
, "74","WSN"
, "75","PVP"
, "76","BR-SAT-MON"
, "77","SUN-ND"
, "78","WB-MON"
, "79","WB-EXPAK"
, "80","ISO-IP"
, "81","VMTP"
, "82","SECURE-VMTP"
, "83","VINES"
, "84","TTP"
, "84","IPTM"
, "85","NSFNET-IGP"
, "86","DGP"
, "87","TCF"
, "88","EIGRP"
, "89","OSPFIGP"
, "90","Sprite-RPC"
, "91","LARP"
, "92","MTP"
, "93","AX.25"
, "94","IPIP"
, "95","MICP (deprecated)"
, "96","SCC-SP"
, "97","ETHERIP"
, "98","ENCAP"
, "99",""
, "100","GMTP"
, "101","IFMP"
, "102","PNNI"
, "103","PIM"
, "104","ARIS"
, "105","SCPS"
, "106","QNX"
, "107","A/N"
, "108","IPComp"
, "109","SNP"
, "110","Compaq-Peer"
, "111","IPX-in-IP"
, "112","VRRP"
, "113","PGM"
, "114",""
, "115","L2TP"
, "116","DDX"
, "117","IATP"
, "118","STP"
, "119","SRP"
, "120","UTI"
, "121","SMP"
, "122","SM (deprecated)"
, "123","PTP"
, "124","ISIS over IPv4"
, "125","FIRE"
, "126","CRTP"
, "127","CRUDP"
, "128","SSCOPMCE"
, "129","IPLT"
, "130","SPS"
, "131","PIPE"
, "132","SCTP"
, "133","FC"
, "134","RSVP-E2E-IGNORE"
, "135","Mobility Header"
, "136","UDPLite"
, "137","MPLS-in-IP"
, "138","manet"
, "139","HIP"
, "140","Shim6"
, "141","WESP"
, "142","ROHC"
, "143","Ethernet"
, "253",""
, "254",""
, "255","Reserved"];
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){
CommonSecurityLog
| where not(disabled)
| where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)
| where DeviceVendor == "Fortinet" and DeviceProduct startswith "FortiGate" and AdditionalExtensions has "cat=traffic"
| where DeviceAction != "dns"
| where (isnull(dstportnumber) or DestinationPort==dstportnumber)
| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)
, temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)
| extend ASimMatchingIpAddr=case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,"-",
temp_SrcMatch and temp_DstMatch, "Both",
temp_SrcMatch, "SrcIpAddr",
temp_DstMatch, "DstIpAddr",
"No match"
)
| where ASimMatchingIpAddr != "No match"
| project-away temp_*
| project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceName,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated
| lookup EventLookup on DeviceAction
| where (array_length(hostname_has_any)==0) and (eventresult=="*" or (DvcAction=="Allow" and eventresult=="Success") or (eventresult=="Failure"))
| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))
| project-rename DstBytes = ReceivedBytes
, DstInterfaceName = DeviceOutboundInterface
, DstIpAddr = DestinationIP
, DstPortNumber = DestinationPort
, Dvc = DeviceName
, EventEndTime = TimeGenerated
, EventMessage = Activity
, EventOriginalSeverity = LogSeverity
, EventProduct = DeviceProduct
, EventProductVersion = DeviceVersion
, SrcBytes = SentBytes
, SrcInterfaceName = DeviceInboundInterface
, SrcIpAddr = SourceIP
, SrcPortNumber = SourcePort
| lookup ProtocolLookup on Protocol
| project-rename DvcOriginalAction = DeviceAction
| parse AdditionalExtensions with "start=" EventStartTime
";" * "srcintfrole=" SrcZone
";" * "dstintfrole=" DstZone
";" * "externalID=" NetworkSessionId
";" * "policyid=" NetworkRuleNumber:int
";" * "dstcountry=" DstGeoCountry
";" * "srccountry=" SrcGeoCountry
";" *
| parse AdditionalExtensions with * "crscore=" ThreatRiskLevel:int
";" *
| parse AdditionalExtensions with * "duration=" NetworkDuration
";" * "sentpkt=" SrcPackets:int
";" * "rcvdpkt=" DstPackets:int
";" *
| extend EventCount = int(1)
, EventSchema = "NetworkSession"
, EventSchemaVersion = "0.2.3"
, EventSeverity = iif(EventOriginalSeverity == 5, "Informational", "")
, EventType = "NetworkSession"
, EventVendor = "Fortinet"
, NetworkBytes = DstBytes + SrcBytes
, NetworkProtocolVersion = case(DstIpAddr contains ".", "IPv4"
, DstIpAddr contains ":", "IPv6"
, "")
, NetworkPackets = DstPackets + SrcPackets
| extend
Src = SrcIpAddr,
Dst = DstIpAddr,
SessionId = NetworkSessionId,
IpAddr = SrcIpAddr,
Rule = NetworkRuleNumber
| project-away Protocol
};
Parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)

29398
Sample Data/CEF/FortinetFortiGate.csv Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

6
Sample Data/Vcenter_RawLogs.txt Normal file
Просмотреть файл

@ -0,0 +1,6 @@
2018-04-30 14:14:08.143 samplehostname vcenter-server: User VSPHERE.LOCAL\Administrator@10.0.0.1 logged out(Login time: Monday, 30 APril, 2018 14:14:07, number of API invocations: 2, user agent: JAX-WS RI 2.2.9-b130926.1035 svn-revision#5f6196f2b90e30e065b24)]
2018-04-30 14:14:08.642 samplehostname1 vcenter-server: User VSPHERE.LOCAL\Administrator@10.0.0.1 logged in as JAX-WS RI 2.2.9-b130926.1035 svn-revisions#5f6196f2b90e30e065b24
2018-04-30 14:14:08.234 samplehostname2 vcenter-server: Role modified Previous name: oldcryptorole, new name newcryptorole Added privileges: Network.assign, Network.config Removed privileges: Network.Remove
2018-04-30 14:14:08.2341234+00:00 samplehostname2 vcenter-server: New role oldcrypticrole removed
2018-04-30 14:14:08.234 samplehostname2 vcenter-server: New role newAdminRole created

17
Solutions/Alibaba Cloud/Data/Solution_Alibaba Cloud.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"Name": "Alibaba Cloud",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Alibaba Cloud](https://www.alibabacloud.com/product/log-service) solution provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). \n \n **Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"Parsers": [
"Parsers/AliCloud.txt"
],
"Data Connectors": [
"DataConnectors/AliCloud_API_FunctionApp.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alibaba Cloud",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}

0
Solutions/AliCloud/DataConnectors/AliCloudConn.zip → Solutions/Alibaba Cloud/DataConnectors/AliCloudConn.zip
Просмотреть файл

0
Solutions/AliCloud/DataConnectors/AliCloudSentinelConnector/__init__.py → Solutions/Alibaba Cloud/DataConnectors/AliCloudSentinelConnector/__init__.py
Просмотреть файл

0
Solutions/AliCloud/DataConnectors/AliCloudSentinelConnector/function.json → Solutions/Alibaba Cloud/DataConnectors/AliCloudSentinelConnector/function.json
Просмотреть файл

0
Solutions/AliCloud/DataConnectors/AliCloudSentinelConnector/state_manager.py → Solutions/Alibaba Cloud/DataConnectors/AliCloudSentinelConnector/state_manager.py
Просмотреть файл

2
Solutions/AliCloud/DataConnectors/AliCloud_API_FunctionApp.json → Solutions/Alibaba Cloud/DataConnectors/AliCloud_API_FunctionApp.json
Просмотреть файл

@ -29,7 +29,7 @@
],
"availability": {
"status": 1,
"isPreview": true
"isPreview": false
},
"permissions": {
"resourceProvider": [{

0
Solutions/AliCloud/DataConnectors/azuredeploy_Connector_AliCloud_API_AzureFunction.json → Solutions/Alibaba Cloud/DataConnectors/azuredeploy_Connector_AliCloud_API_AzureFunction.json
Просмотреть файл

0
Solutions/AliCloud/DataConnectors/host.json → Solutions/Alibaba Cloud/DataConnectors/host.json
Просмотреть файл

0
Solutions/AliCloud/DataConnectors/proxies.json → Solutions/Alibaba Cloud/DataConnectors/proxies.json
Просмотреть файл

0
Solutions/AliCloud/DataConnectors/requirements.txt → Solutions/Alibaba Cloud/DataConnectors/requirements.txt
Просмотреть файл

Двоичные данные
Solutions/Alibaba Cloud/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

92
Solutions/Alibaba Cloud/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,92 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\"> \n\n **Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Alibaba Cloud](https://www.alibabacloud.com/product/log-service) solution provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). \n \n **Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the AliCloud Kusto Function alias."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

611
Solutions/Alibaba Cloud/Package/mainTemplate.json Normal file
Просмотреть файл

@ -0,0 +1,611 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Alibaba Cloud"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-alibabacloud",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"parserVersion1": "1.0.0",
"parserContentId1": "AliCloud-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "AliCloud",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "AliCloud",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "AliCloud",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "AliCloud Data Parser with template",
"displayName": "AliCloud Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "AliCloud Data Parser with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "AliCloud",
"category": "Samples",
"functionAlias": "AliCloud",
"query": "\nAliCloud_CL\r\n| extend EventVendor = 'Alibaba Cloud',\r\n EventProduct = 'Alibaba Cloud',\r\n EventCount = 1,\r\n CreatedAt = unixtime_seconds_todatetime(timestamp_d)\r\n| extend d=parse_json(contents_event_s)\r\n| evaluate bag_unpack(d)\r\n| extend ContentTopic = contents___topic___s,\r\n SourceName = source_s,\r\n ContentTagPackId = contents___tag_____pack_id___s\r\n|project-away timestamp_d,\r\n contents_event_s,\r\n contents___topic___s,\r\n source_s,\r\n contents___tag_____pack_id___s",
"version": 1,
"tags": [
{
"name": "description",
"value": "AliCloud"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"name": "Alibaba Cloud",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "AliCloud",
"category": "Samples",
"functionAlias": "AliCloud",
"query": "\nAliCloud_CL\r\n| extend EventVendor = 'Alibaba Cloud',\r\n EventProduct = 'Alibaba Cloud',\r\n EventCount = 1,\r\n CreatedAt = unixtime_seconds_todatetime(timestamp_d)\r\n| extend d=parse_json(contents_event_s)\r\n| evaluate bag_unpack(d)\r\n| extend ContentTopic = contents___topic___s,\r\n SourceName = source_s,\r\n ContentTagPackId = contents___tag_____pack_id___s\r\n|project-away timestamp_d,\r\n contents_event_s,\r\n contents___topic___s,\r\n source_s,\r\n contents___tag_____pack_id___s",
"version": 1
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Alibaba Cloud data connector with template",
"displayName": "Alibaba Cloud template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Alibaba Cloud data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "AliCloud (using Azure Function)",
"publisher": "AliCloud",
"descriptionMarkdown": "The [AliCloud](https://www.alibabacloud.com/product/log-service) data connector provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AliCloud_CL",
"baseQuery": "AliCloud_CL"
}
],
"sampleQueries": [
{
"description": "AliCloud Events - All Activities.",
"query": "AliCloud\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "AliCloud_CL",
"lastDataReceivedQuery": "AliCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AliCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**AliCloudAccessKeyId** and **AliCloudAccessKey** are required for making API calls."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Configuration steps for the AliCloud API**\n\n Follow the instructions to obtain the credentials.\n\n1. Obtain the **AliCloudAccessKeyId** and **AliCloudAccessKey**: log in the account, click on AccessKey Management then click View Secret.\n2. Save credentials for using in the data connector."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the AliCloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the AliCloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-AliCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AliCloudEnvId**, **AliCloudAppName**, **AliCloudUsername** and **AliCloudPassword** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the AliCloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-AliCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AliCloudXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAliCloudAccessKeyId\n\t\tAliCloudAccessKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n\t\tAliCloudProjects (optional)\n\t\tAliCloudWorkers (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
],
"metadata": {
"id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Microsoft"
},
"support": {
"tier": "community",
"name": "Microsoft",
"link": "https://github.com/Azure/Azure-Sentinel/issues"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "AliCloud (using Azure Function)",
"publisher": "AliCloud",
"descriptionMarkdown": "The [AliCloud](https://www.alibabacloud.com/product/log-service) data connector provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AliCloud_CL",
"baseQuery": "AliCloud_CL"
}
],
"dataTypes": [
{
"name": "AliCloud_CL",
"lastDataReceivedQuery": "AliCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AliCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "AliCloud Events - All Activities.",
"query": "AliCloud\n | sort by TimeGenerated desc"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**AliCloudAccessKeyId** and **AliCloudAccessKey** are required for making API calls."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Configuration steps for the AliCloud API**\n\n Follow the instructions to obtain the credentials.\n\n1. Obtain the **AliCloudAccessKeyId** and **AliCloudAccessKey**: log in the account, click on AccessKey Management then click View Secret.\n2. Save credentials for using in the data connector."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the AliCloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the AliCloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-AliCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AliCloudEnvId**, **AliCloudAppName**, **AliCloudUsername** and **AliCloudPassword** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the AliCloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-AliCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AliCloudXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAliCloudAccessKeyId\n\t\tAliCloudAccessKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n\t\tAliCloudProjects (optional)\n\t\tAliCloudWorkers (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
],
"id": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_uiConfigId1'))]",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
]
},
"firstPublishDate": "2022-06-27",
"providers": [
"AliCloud"
],
"categories": {
"domains": [
"Cloud Provider"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}

2
Solutions/AliCloud/Parsers/AliCloud.txt → Solutions/Alibaba Cloud/Parsers/AliCloud.txt
Просмотреть файл

@ -1,6 +1,6 @@
// Usage Instructions:
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as AliCloud and specifying Legacy Category.
// This function maps Alibaba Cloud events to Azure Sentinel Information Model (ASIM) (https://docs.microsoft.com/azure/sentinel/normalization).
// This function maps Alibaba Cloud events to Microsoft Sentinel Information Model (ASIM) (https://docs.microsoft.com/azure/sentinel/normalization).
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. AliCloud | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
AliCloud_CL

15
Solutions/Alibaba Cloud/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-alibabacloud",
"firstPublishDate": "2022-06-27",
"providers": ["AliCloud"],
"categories": {
"domains" : ["Cloud Provider"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

5
Solutions/Azure Batch Account/Data Connectors/AzureBatchAccount_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.BATCH\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

5
Solutions/Azure Cognitive Search/Data Connectors/AzureCognitiveSearch_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.SEARCH\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

5
Solutions/Azure Data Lake Storage Gen1/Data Connectors/AzureDataLakeStorageGen1_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.DATALAKESTORE\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

5
Solutions/Azure Event Hub/Data Connectors/AzureEventHub_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.EVENTHUB\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

5
Solutions/Azure Logic Apps/Data Connectors/AzureLogicApps_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.LOGIC\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

5
Solutions/Azure Service Bus/Data Connectors/AzureServiceBus_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.SERVICEBUS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

5
Solutions/Azure Stream Analytics/Data Connectors/AzureStreamAnalytics_CCP.JSON
Просмотреть файл

@ -22,7 +22,10 @@
],
"connectivityCriterias": [
{
"type": "IsPolicyConnected"
"type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [

1
Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - Brute-force Attempts
description: |
'This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_ExternalUser.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - External User Added to GitLab
description: |
'This queries GitLab Application logs to list external user accounts (i.e.: account not in allow-listed domains) which have been added to GitLab users.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
Просмотреть файл

@ -4,6 +4,7 @@ description: |
'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or
repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - Local Auth - No MFA
description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_MaliciousIP.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - TI - Connection from Malicious IP
description: |
'This query correlates Threat Intelligence data from Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
Просмотреть файл

@ -5,6 +5,7 @@ description: |
This hunting queries allows you to track the personal access tokens creation for each of your repositories.
The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - Repository visibility to Public
description: |
'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - Abnormal number of repositories deleted
description: |
'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Syslog
dataTypes:

1
Solutions/GitLab/Analytic Rules/GitLab_SignInBurst.yaml
Просмотреть файл

@ -3,6 +3,7 @@ name: GitLab - SSO - Sign-Ins Burst
description: |
'This query relies on Azure Active Directory sign-in activity when Azure AD is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:

6
Solutions/GitLab/Data Connectors/Connector_Syslog_GitLab.json
Просмотреть файл

@ -3,7 +3,7 @@
"title": "GitLab",
"publisher": "Microsoft",
"descriptionMarkdown": "The GitLab connector allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.",
"additionalRequirementBanner": "This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAccess), [**GitLab Audit Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAudit) and [**GitLab Application Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabApp) which are deployed with the Azure Sentinel Solution.",
"additionalRequirementBanner": "This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.",
"graphQueries": [
{
"metricName": "Total data received",
@ -49,7 +49,7 @@
],
"availability": {
"status": 1,
"isPreview": true
"isPreview": false
},
"permissions": {
"resourceProvider": [
@ -68,7 +68,7 @@
"instructionSteps": [
{
"title": "Configuration",
"description": ">This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAccess), [**GitLab Audit Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAudit) and [**GitLab Application Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabApp) which are deployed with the Azure Sentinel Solution.",
"description": ">This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.",
"instructions": [
]
},

30
Solutions/GitLab/Data/Solution_Gitlab.json Normal file
Просмотреть файл

@ -0,0 +1,30 @@
{
"Name": "GitLab",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines. .\r\n \r\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \r\n \r\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
"Data Connectors": [
"Data Connectors/Connector_Syslog_GitLab.json"
],
"Parsers": [
"Parsers/GitLabAccess",
"Parsers/GitLabApp",
"Parsers/GitLabAudit"
],
"Analytic Rules": [
"Analytic Rules/GitLab_BruteForce.yaml",
"Analytic Rules/GitLab_ExternalUser.yaml",
"Analytic Rules/GitLab_Impersonation.yaml",
"Analytic Rules/GitLab_LocalAuthNoMFA.yaml",
"Analytic Rules/GitLab_MaliciousIP.yaml",
"Analytic Rules/GitLab_PAT_Repo.yaml",
"Analytic Rules/GitLab_RepoVisibilityChange.yaml",
"Analytic Rules/GitLab_Repo_Deletion.yaml",
"Analytic Rules/GitLab_SignInBurst.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitLab",
"Version": "2.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}

Двоичные данные
Solutions/GitLab/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

246
Solutions/GitLab/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,246 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines. .\r\n \r\n\r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \r\n \r\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 3, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector that allows to connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the GitLab Kusto Function alias."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "GitLab - Brute-force Attempts",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "GitLab - External User Added to GitLab",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This queries GitLab Application logs to list external user accounts (i.e.: account not in allow-listed domains) which have been added to GitLab users."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "GitLab - User Impersonation",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or\nrepository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "GitLab - Local Auth - No MFA",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "GitLab - TI - Connection from Malicious IP",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query correlates Threat Intelligence data from Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "GitLab - Personal Access Tokens creation over time",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. \nThis hunting queries allows you to track the personal access tokens creation for each of your repositories. \nThe visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "GitLab - Repository visibility to Public",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "GitLab - Abnormal number of repositories deleted",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "GitLab - SSO - Sign-Ins Burst",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query relies on Azure Active Directory sign-in activity when Azure AD is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

2070
Solutions/GitLab/Package/mainTemplate.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

41
Solutions/GitLab/SolutionMetadata.json
Просмотреть файл

@ -1,35 +1,16 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-gitlab",
"version": "1.0.0",
"dependencies": {
"criteria": [
{ "kind": "AnalyticsRule", "contentId": "2238d13a-cf05-4973-a83f-d12a25dbb153", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "c1544d8f-cbbd-4e35-8d32-5b9312279833", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "0f4f16a2-b464-4c10-9a42-993da3e15a40", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "e0b45487-5c79-482d-8ac0-695de8c031af", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "7241740a-5280-4b74-820a-862312d721a8", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "4d6d8b0e-6d9a-4857-a141-f5d89393cddb", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "8b291c3d-90ba-4ebf-af2c-0283192d430e", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "3efd09bd-a582-4410-b7ec-5ff21cfad7bd", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "57b1634b-531d-4eab-a456-8b855887428f", "version": "1.0.0" },
{ "kind": "DataConnector", "contentId": "GitLab", "version": "1.0.0" },
{ "kind": "Parser", "contentId": "GitLabAccess", "version": "1.0.0" },
{ "kind": "Parser", "contentId": "GitLabAudit", "version": "1.0.0" },
{ "kind": "Parser", "contentId": "GitLabApp", "version": "1.0.0" }
]
"firstPublishDate": "2022-04-27",
"lastPublishDate": "2022-06-27",
"providers": ["GitLab"],
"categories": {
"domains": ["DevOps"]
},
"firstPublishDate": "2022-03-13",
"lastPublishDate": "2022-03-13",
"providers": ["Cisco"],
"categories": {
"verticals": [],
"domains": ["Security - Others"]
},
"support": {
"tier": "Microsoft",
"email": "support@microsoft.com",
"name": "Azure Sentinel, Microsoft Corporation",
"link": "https://support.microsoft.com/"
}
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

Двоичные данные
Solutions/PCI DSS Compliance/Workbooks/Images/Preview/PCIDSSComplianceBlack01.PNG Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 186 KiB

Двоичные данные
Solutions/PCI DSS Compliance/Workbooks/Images/Preview/PCIDSSComplianceBlack02.PNG Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 176 KiB

Двоичные данные
Solutions/PCI DSS Compliance/Workbooks/Images/Preview/PCIDSSComplianceWhite01.PNG Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 191 KiB

Двоичные данные
Solutions/PCI DSS Compliance/Workbooks/Images/Preview/PCIDSSComplianceWhite02.PNG Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 152 KiB

849
Solutions/PCI DSS Compliance/Workbooks/PCIDSSCompliance.json Normal file
Просмотреть файл

@ -0,0 +1,849 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## PCI-DSS Compliance Reporting and Analysis"
},
"name": "text - 1",
"styleSettings": {
"margin": "0"
}
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "3f9981ce-9bb6-4645-aad3-d400f17d898e",
"version": "KqlParameterItem/1.0",
"name": "SubscriptionToken",
"label": "Subscription",
"type": 6,
"description": "Choose your subscription in which PCI assets are deployed",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "ca9065a5-b239-43ca-913a-e300bc5e174f",
"version": "KqlParameterItem/1.0",
"name": "WorkspaceToken",
"label": "Workspace",
"type": 5,
"description": "Choose Workspace where PCI assets reports logs",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "70c7dce2-4f4a-4fe2-a0c7-e632a5fd97d7",
"version": "KqlParameterItem/1.0",
"name": "TimeToken",
"label": "Time",
"type": 4,
"description": "Choose the time range apporpriate for your analysis",
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 259200000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "4d1f108b-c166-44fb-af69-77838051c673",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Getting Started",
"subTarget": "Getting Started",
"style": "link"
},
{
"id": "8895f25c-1d00-49b9-97fb-322a528d35a1",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "dc7ceb39-fd9c-4f61-be4b-f13d0966b6f8",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Audit Trail Reporting",
"subTarget": "Audit Trail Reporting",
"style": "link"
},
{
"id": "942892a0-c339-459f-97f9-efdd82153262",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Further Analysis",
"subTarget": "Further Analysis",
"style": "link"
}
]
},
"name": "linktab"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "The Microsoft Sentinel Solution for PCI Compliance provides real-time insights into activity and potential threats in your cardholder data environment. This solution is designed for Compliance Teams, Architects, Analysts, and Consultants to define and monitor their PCI assets, as well as identify and investigate compliance issues. This Solution is presented in two parts, as a Workbook and a Watchlist, with the ability to export data from pre-written queries for further exploration. \r\n<br>\r\nThe Microsoft Sentinel team welcomes your feedback on this PCI-DSS Solution, and how we can expand our compliance content to better meet your organizations needs. Please share any feedback with us [Here](https://forms.office.com/r/ChitppJ5T8). ",
"style": "info"
},
"name": "text - 0"
},
{
"type": 1,
"content": {
"json": "### Getting Started \r\n\r\nThere are two pre-requisites to getting started with the PCI-DSS Compliance Solution:<br>\r\n1. <u>Connect Data Sources:</u> Users will need to connect applicable data sources to populate the reports. This Solution provides support for the following data sources:\r\n - AzureDaignostics (firewalls and other network devices)\r\n - SecurityEvent (windows VM)\r\n\t- SecurityAlert (For anamolies detection)\r\n\t- Syslog (linux VM)\r\n\t- OracleDatabaseAuditEvent (Oracle Database Audit solution)\r\n2. <u>Define PCI Assets:</u> Users will need to define the PCI Assets within their compliance scope via the PCI Assets Watchlist\r\n - Save the CSV file with all your pci assets name under column \"asset\".\r\n - Open your workspace in sentinel\r\n\t- Go to watchlist under configration tab\r\n\t- Click on Add new \r\n\t- Enter \"pciassets\" in Name field\r\n\t- Enter Description \r\n\t- Enter \"pciassets\" in Alias field\r\n\t- SourceType should be LocalFile\r\n\t- File type CSV\r\n\t- Upload the CSV file here \r\n\t- Enter \"asset\" as search key\r\n\t- click on Review and Create and then Create\r\n<br>\r\n\r\n### Included in the Microsoft Sentinel PCI-DSS Compliance Solution \r\nThis Solution enables Microsoft Sentinel users to harness the power of their SIEM to assist in meeting PCI-DSS 3.2.1 requirements. This Solution comes with pre-defined dashboards, visualizations, and reports, providing users with immediate insights in their PCI environment. \r\n<br>\r\nThe Watchlist included in this Solution allows users to define the PCI Assets included in their organizations compliance scope. The Workbook included in this Solution contains three tabs, with the following information: \r\n\r\n\r\n<u>Overview Tab</u> This Workbook tab provides an overview of recent activity on the PCI Assets you define and trends over time, through the following tables and charts: \r\n1. PCI Asset Status: Online and offline status of PCI assets, including how long a device has been offline \r\n2. PCI Network Asset Status: Online and offline status of network assets in PCI scope, including how long a network device has been offline \r\n3. Anomalous Activity Detected: summary of potentially anomalous activity detected on PCI assets, and correlation to the MITRE ATT&CK framework \r\n4. Network Traffic and Activity Events Over Time: Visualization of data movement over PCI assets \r\n5. Top 10 Activities: Visualization of the top 10 activities occurring on PCI assets \r\n6. Failed vs. Successful Log Ins: summary of login attempts and status on PCI assets \r\n7. Network Data Processed Over Time: Visualization of all network traffic passing through PCI assets, over time \r\n8. Top Actions on Cardholder DB: Visualization of top 10 actions performed on data within the defined cardholder databases\r\n\r\n<u>Audit Trail Reporting Tab</u> This Workbook tab provides a more in-depth look at the data summarized in the Overview, through the following tables and charts: \r\n1. Security Events, Network Traffic Logs, Process Running on PCI Assets: provides an audit trail of activities occurring on PCI assets \r\n2. Login Activities: provides an audit trail of invalid logical access attempts on PCI assets \r\n3. Security Events: provides an audit trail of all actions taken by an individual with root or administrative privileges. This includes use of or changes to identification and authentication mechanisms, creation of new accounts, elevation of privileges, and all changes, additions, deletions to accounts with root or administrative privileges \r\n4. All Activities by User on Cardholder DB: provides audit trail of all events occurring on PCI servers that store cardholder data \r\n\r\n<u>Further Analysis Tab</u> This Workbook tab provides users with the ability to dive deeper into these results, with pre-written queries provided for export and further exploration. \r\n\t",
"style": "upsell"
},
"name": "text - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Getting Started"
},
"name": "SummaryGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nHeartbeat\r\n|where Computer in~ (watchlist)\r\n|extend Lastlog = TimeGenerated\r\n|summarize arg_max(Lastlog, *) by Computer\r\n|extend Current = now()\r\n|extend Offline_past_hours = datetime_diff('hour',now(),Lastlog)\r\n|project Computer,Lastlog,Current,Offline_past_hours",
"size": 1,
"title": "PCI Assets status",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Offline_past_hours",
"formatter": 8,
"formatOptions": {
"min": 10,
"max": 24,
"palette": "red"
}
}
],
"sortBy": [
{
"itemKey": "$gen_heatmap_Offline_past_hours_3",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Offline_past_hours_3",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAzureDiagnostics \r\n|where Resource in~ (watchlist)\r\n|extend Lastlog = TimeGenerated\r\n|summarize arg_max(Lastlog, *) by Resource\r\n|extend Current = now()\r\n|extend Offline_past_hour = datetime_diff('hour',now(),Lastlog)\r\n|project Resource,Lastlog,Current,Offline_past_hour",
"size": 1,
"title": "PCI Network assets status",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Offline_past_hour",
"formatter": 8,
"formatOptions": {
"min": 2,
"max": 10,
"palette": "red"
}
}
]
}
},
"customWidth": "50",
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAnomalies\r\n|where Entities has_any (watchlist) or AnomalyReasons has_any (watchlist)\r\n|summarize count() by RuleName, UserName,Tactics,Techniques, tostring(AnomalyReasons) ",
"size": 0,
"title": "Anomalous Activity Detected",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Tactics",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Techniques",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "16ch"
}
},
{
"columnMatch": "AnomalyReasons",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"min": 0,
"max": 10,
"palette": "turquoise"
}
}
]
}
},
"name": "query - 7",
"styleSettings": {
"margin": "0px",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAzureDiagnostics \r\n|where Resource in~ (watchlist)\r\n|make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeToken:start} to {TimeToken:end} step {TimeToken:grain};",
"size": 1,
"title": "Network traffic events over time",
"color": "lightBlue",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "unstackedbar"
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nunion Event,Syslog\r\n|where Computer in~ (watchlist)\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeToken:start} to {TimeToken:end} step {TimeToken:grain};",
"size": 1,
"title": "Activity Events over time",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n|summarize count() by Activity,Computer\r\n|sort by count_\r\n|take 10",
"size": 2,
"title": "Top 10 activities",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Activity",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Activity",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"yAxis": [
"count_"
],
"group": "Activity",
"createOtherGroup": 10
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n|where Activity has_any (\"An account failed to log on\",\"An account was successfully logged on\")\r\n|where SubjectUserName !has (\"$\")\r\n|summarize count() by Activity",
"size": 2,
"title": "Failed Vs Successful login",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureMetrics \r\n|where MetricName == \"DataProcessed\"\r\n|project TimeGenerated ,Resource , Average\r\n|extend Average = log10(Average) \r\n",
"size": 0,
"title": "Network Data Processed over time",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "areachart",
"chartSettings": {
"xAxis": "TimeGenerated",
"yAxis": [
"Average"
],
"group": "Resource",
"createOtherGroup": 10,
"seriesLabelSettings": [
{
"seriesName": "PCIFIREWALL",
"color": "orange"
}
],
"ySettings": {
"min": 4,
"max": 10
}
}
},
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nOracleDatabaseAuditEvent\r\n|where SrcDvcHostname has_any (watchlist)\r\n| where isnotempty(DbAction)\r\n| summarize TotalEvents = count() by DbAction",
"size": 2,
"title": "Top actions on card holder DB",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 8"
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "OverviewGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAzureDiagnostics\r\n| where Resource in~ (watchlist)\r\n|summarize count() by msg_s,Resource\r\n|project-away count_ ",
"size": 0,
"title": "Network Traffic logs",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "msg_s",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "93ch"
}
},
{
"columnMatch": "Resource",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "16ch"
}
}
]
}
},
"customWidth": "50",
"name": "query - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nunion SecurityEvent,Syslog \r\n|where Computer in (watchlist)\r\n|where Process != \"\"\r\n|extend Process = coalesce(Process,ProcessName)\r\n|summarize count() by Process,Computer\r\n|project-away count_",
"size": 0,
"title": "Process running on PCI assets",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
]
},
"customWidth": "50",
"name": "query - 1",
"styleSettings": {
"padding": "15px",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n| summarize count() by Account , AccountType ,Computer , Activity ,ParentProcessName",
"size": 0,
"title": "Security Events",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "80ch"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"min": 100,
"max": 3000,
"palette": "pink"
}
}
]
}
},
"name": "query - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n|where Activity has_any (\"An account failed to log on\",\"An account was successfully logged on\")\r\n|where SubjectUserName !has (\"$\")\r\n|summarize count() by Account, AccountType,Computer , Activity ,WorkstationName",
"size": 0,
"title": "Login Activities",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Account",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "35ch"
}
},
{
"columnMatch": "AccountType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "55ch"
}
},
{
"columnMatch": "WorkstationName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26ch"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"min": 2,
"max": 10,
"palette": "magenta",
"customColumnWidthSetting": "12ch"
}
}
]
}
},
"name": "query - 3",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer has_any (watchlist)\r\n|project TimeGenerated , Account , Activity , Process\r\n|where Activity has \"privileged\"\r\n|distinct *\r\n|sort by TimeGenerated",
"size": 0,
"title": "All actions taken by any individual with root or administrative privileges ",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
]
},
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nHeartbeat\r\n|where Computer in~ (watchlist) \r\n|project Computer ,ComputerIP,Category,OSType,OSName,tostring(ComputerPrivateIPs)\r\n|distinct *",
"size": 0,
"title": "Assets information",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "ComputerIP",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "OSType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "OSName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "35ch"
}
},
{
"columnMatch": "ComputerPrivateIPs",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26ch"
}
}
]
}
},
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nOracleDatabaseAuditEvent\r\n|where SrcDvcHostname has_any (watchlist)",
"size": 0,
"title": "All activities by user on card holder DB",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
]
},
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Audit Trail Reporting"
},
"name": "ReportingGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## For complete analaysis, We are providing the analytic KQL queries through which more in depth detailed can be extracted .",
"style": "info"
},
"name": "text - 0"
},
{
"type": 1,
"content": {
"json": "### Steps on how to run the query :\r\n\r\n1> Search and Select microsoft sentinel on azure portal </br>\r\n2> choose the correct workspace </br>\r\n3> choose logs and then paste the query </br>\r\n4> Run it for suitable time range </br>",
"style": "info"
},
"name": "text - 1"
},
{
"type": 1,
"content": {
"json": "## Query for extracting the failed and succesfull login attempts </br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset); </br>\r\nSecurityEvent </br>\r\n|where Computer in~ (watchlist) </br>\r\n|where Activity has_any (\"An account failed to log on\",\"An account was successfully logged on\")</br> \r\n|where SubjectUserName !has (\"$\")</br>\r\n</br>\r\n</br>\r\n## Query for fetching the traffic logs </br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset); </br>\r\nAzureDiagnostics </br>\r\n|where Resource in~ (watchlist) </br>\r\n|summarize count() by msg_s, Resource</br>\r\n|project-away count_ </br>\r\n</br>\r\n</br>\r\n## Query for getting the details of process running on PCI servers</br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nSecurityEvent </br>\r\n|where Computer in (watchlist)</br>\r\n|where Process != \"\"</br>\r\n|summarize count() by Process,Computer</br>\r\n</br>\r\n</br>\r\n## Query for checking the activities on PCI servers </br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nSecurityEvent </br>\r\n|where Computer in~ (watchlist)</br>\r\n|summarize count() by Activity,Computer</br>\r\n</br>\r\n</br>\r\n## Query for checking the status of PCI assets</br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nHeartbeat</br>\r\n|where Computer in~ (watchlist)</br>\r\n|extend Lastlog = TimeGenerated</br>\r\n|summarize arg_max(Lastlog, *) by Computer</br>\r\n|extend Current = now()</br>\r\n|extend Diffrence = datetime_diff('minute',now(),Lastlog)</br>\r\n|project Computer,Lastlog,Current,Diffrence</br>\r\n</br>\r\n</br>\r\n## Query for fetching the activities performed by user</br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nSecurityEvent </br>\r\n|where Computer in~ (watchlist)</br>\r\n|where SubjectUserName !has (\"$\")</br>\r\n|where SubjectUserName != \"\"</br>\r\n|project SubjectUserName , Activity, Process , ProcessName</br>\r\n|distinct *</br>\r\n<br>\r\n<br>\r\n## All actions taken by any individual with root or administrative privileges<br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);<br>\r\nSecurityEvent <br>\r\n|where Computer has_any (watchlist)<br>\r\n|where Activity has \"privileged\"<br>\r\n|distinct *<br>\r\n|sort by TimeGenerated<br>\r\n<br>\r\n<br>\r\n## All activities by user on card holder DB<br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);<br>\r\nOracleDatabaseAuditEvent<br>\r\n|where SrcDvcHostname has_any (watchlist)<br>\r\n\r\n\r\n\r\n",
"style": "upsell"
},
"name": "text - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Further Analysis"
},
"name": "AnalysisGroup"
}
],
"fromTemplateId": "sentinel-PCIDSSCompliance",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

135
Solutions/Palo Alto - XDR (Cortex)/Data Connectors/Connector_PaloAlto_XDR_CEF.json Normal file
Просмотреть файл

@ -0,0 +1,135 @@
{
"id": "PaloAltoNetworksCortex",
"title": "Palo Alto Networks Cortex XDR",
"publisher": "Palo Alto Networks",
"descriptionMarkdown": "The Palo Alto Networks Cortex XDR connector gives you an easy way to connect to your Cortex XDR logs with Microsoft Sentinel. This increases the visibility of your endpoint security. It will give you better ability to monitor your resources by creating custom Workbooks, analytics rules, Incident investigation, and evidence gathering.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "PaloAltoNetworksCortex",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\""
}
],
"sampleQueries": [
{
"description" : "All logs",
"query": "\nCommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n | where DeviceProduct == \"Cortex XDR\"\n | sort by TimeGenerated"
},
{
"description" : "Alert By Severity",
"query": "\nCommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n | where DeviceProduct == \"Cortex XDR\"\n | where DeviceAction == \"Prevented (Blocked)\"\n | where LogSeverity =~ \"6\"\n | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n | sort by TimeGenerated"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (PaloAltoNetworksCortex)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "1. Linux Syslog agent configuration",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
]
},
{
"title": "2. Forward Palo Alto Networks (Cortex) logs to Syslog agent",
"description": "\n\n> 1. Go to [Cortex Settings and Configurations](https://inspira.xdr.in.paloaltonetworks.com/configuration/external-alerting) and Click to add New Server under External Applications.\n\n> 2. Then specify the name and Give public IP of your syslog server in Destination. \n\n> 3. Give Port number as 514 and from Facility field select FAC_SYSLOG from dropdown. \n\n> 4. Select Protocol as UDP and hit Create."
},
{
"title": "3. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
]
},
{
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
],
"metadata": {
"id": "32512c5f-aa20-4d6b-a9e5-f21958cefa63",
"version": "V2.0",
"kind": "dataConnector",
"source": {
"kind": "solution",
"name": "PaloAltoXDR"
},
"author": {
"name": "Vikas Chaturvedi"
},
"support": {
"tier": "community",
"name": "Microsoft",
"email": "v-chaturvedi01@outlook.com"
}
}
}

46
Solutions/Palo Alto - XDR (Cortex)/Detection Queries/High Severity Cortex Incidents. yaml Normal file
Просмотреть файл

@ -0,0 +1,46 @@
id: be8325a4-530c-484d-b301-e01be23395e2
name: Palo Alto XDR High Severity Incidents
description: |
'The query checks for all High Log Severity Alerts and fire incidents in Cortex to return information of the entities.'
severity: High
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
dataTypes:
- PaloAltoNetworksCortex
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where LogSeverity has_any (2,3,4,5,6)
| sort by TimeGenerated
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: SourceUserName
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- entityType: File
fieldMappings:
- identifier: Name
columnName: FilePath
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RequestURL
version: 1.0.0
kind: Scheduled

52
Solutions/Palo Alto - XDR (Cortex)/Detection Queries/Preventive Alerts.yaml Normal file
Просмотреть файл

@ -0,0 +1,52 @@
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
name: Palo Alto Prevention alert
description: |
'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
dataTypes:
- PaloAltoNetworksCortex
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: SourceUserName
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
- entityType: File hash
fieldMappings:
- identifier: Value
columnName: FileHash
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- entityType: File
fieldMappings:
- identifier: Name
columnName: FilePath
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RequestURL
version: 1.0.0
kind: Scheduled

36
Solutions/Palo Alto - XDR (Cortex)/Detection Queries/WildFire Malware Detection.yaml Normal file
Просмотреть файл

@ -0,0 +1,36 @@
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
name: Palo Alto WildFire Malware Detection
description: |
'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
severity: High
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
dataTypes:
- PaloAltoNetworksCortex
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: SourceUserName
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
version: 1.0.0
kind: Scheduled

17
Solutions/Palo Alto - XDR (Cortex)/PaloAltoXDRMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"publisherId": "",
"offerId": "",
"firstPublishDate": "2022-05-16",
"lastPublishDate": "2022-05-16",
"providers": "Palo Alto",
"categories": {
"domains" : "Security",
"verticals": "XDR"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

61
Solutions/Palo Alto - XDR (Cortex)/Playbook/README.md Normal file
Просмотреть файл

@ -0,0 +1,61 @@
# Palo Alto Cortx XDR Logic App and Playbook Template
## Table of Contents
1. [Overview](#overview)
1. [Prerequisites](#prerequisites)
1. [Deploy Palo Alot XDR playbook](#deployall)
1. [Deployment Instructions](#instructions)
1. [Post-Deployment Instructions](#postdeployment)
1. [References](#references)
<a name="overview">
# Overview
Palo Alto XDR playbook is used in Alert triaging and executing the automated response towards issue, and it also helps in evidence collection.
<a name="prerequisites">
# Prerequisites
- This playbook uses Microsoft Teams connector and VirusTotal connector to enrich the investigation, so you should set up your account if not already to use the Microsoft ID to authorize the teams connector and you will also have to visit this VirusTotal site create your free account, After successful account creation you shall get a standard free public API Key. This key will be required to authorize the VT connector. Reference link - https://www.virustotal.com/
This Video demonstarte on how to obtain the API Key https://youtu.be/9ftKViq71eQ.
<a name="deployall">
# Deploy the Playbook
- You may copy the JSON file and deploy the custom template in azure with variables of own choice or do single click deploy from below tab.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPalo%2520Alto%2520-%2520XDR%2520(Cortex)%2FPlaybook%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPalo%2520Alto%2520-%2520XDR%2520(Cortex)%2FPlaybook%2Fazuredeploy.json)
<a name="instructions">
# Deployment Instructions
- Deploy the Palo Alto XDR Playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters and then proceed with review and create.
<a name="postdeployment">
# Post Deployment Instructions
## Authorize Connections
* Once deployment is complete, you will need to authorize each connection.
- Click the Teams connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections as well.
* In Logic App designer authorize Teams channel connection as well, for playbooks posting adaptive cards.
* For VirusTotal connector please enter the valid API key to activate the connector.
* For Log analytics workspace action you will have to provide the Resouirce group name where your deployment is done, specify the resource name, resource type will be Log Analytics Workspace, your Subscription detail, time range can be like Last 12 hours, and then configure the desired query which your analysts should receive prior to their investigation as a kick starter.
<a name="references">
# References
https://docs.microsoft.com/power-automate/create-adaptive-cards-teams

480
Solutions/Palo Alto - XDR (Cortex)/Playbook/azuredeploy.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

653
Solutions/Palo Alto - XDR (Cortex)/Workbook/PaloAltoXDR.json Normal file
Просмотреть файл

@ -0,0 +1,653 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "<div style=\"font-size: 200%;\">Palo Alto Networks Cortex XDR overview</div>"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "851602d3-cd7f-4cbb-909e-93ac064917ef",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isGlobal": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "86d6172c-9273-425e-8802-fbbf553762ee",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"includeAll": false,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"value": [
"/subscriptions/{SubscriptionID}"
]
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\" \r\n| summarize count() by Activity",
"size": 0,
"title": "Attack Activity View",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "Activity",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "Activity",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 80,
"colorSettings": {
"nodeColorField": "Activity",
"type": 1,
"colorPalette": "default",
"emptyValueColor": "green"
},
"hivesMargin": 10
}
},
"customWidth": "30",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceAction",
"size": 0,
"title": "Palo Alto Incidents coverage",
"noDataMessage": "Please customize the time range to view beter results.",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "30",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceEventClassID",
"size": 0,
"title": "Device Event Class IDs",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| where Activity == \"WildFire Malware\"",
"size": 0,
"title": "WILDFIRE Alerts",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "TenantId",
"formatter": 1
},
"centerContent": {
"columnMatch": "SourceHostName",
"formatter": 8,
"formatOptions": {
"palette": "categorical"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"nodeIdField": "SourceHostName",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "SourceHostName",
"type": 4,
"heatmapPalette": "categorical",
"heatmapMin": null,
"heatmapMax": null
},
"hivesMargin": 5
}
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n | where LogSeverity has_any (6,7,8,9)",
"size": 0,
"title": "Alerts by Log Severity 6, 7, 8, 9 ",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "SourceHostName",
"formatter": 8,
"formatOptions": {
"palette": "redGreen"
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"nodeIdField": "SourceHostName",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 80,
"colorSettings": {
"nodeColorField": "LogSeverity",
"type": 4,
"heatmapPalette": "redGreen",
"heatmapMin": null,
"heatmapMax": null
},
"hivesMargin": 10
}
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by SourceHostName, LogSeverity, DeviceCustomString6",
"size": 0,
"title": "Alerts by Source Vendor",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "AdditionalExtensions",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "AdditionalExtensions",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "30",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by SourceHostName, LogSeverity, DeviceCustomString6",
"size": 0,
"title": "Source Host, Log Severity and Vendor signature",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar",
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "SourceHostName",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "SourceHostName",
"formatter": 11
},
"nodeIdField": "SourceHostName",
"sourceIdField": "DeviceCustomString6",
"targetIdField": "LogSeverity",
"graphOrientation": 2,
"showOrientationToggles": false,
"edgeSize": "DeviceCustomString6",
"edgeLabel": "SourceHostName",
"nodeSize": {
"sizeField": "LogSeverity",
"minSize": 10,
"maxSize": 100
},
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "SourceHostName",
"type": 2,
"emptyValueColor": "orange"
},
"hivesMargin": 5
}
},
"customWidth": "70",
"name": "query - 8",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by TimeGenerated, DeviceVendor, SourceHostName, DeviceAction, Activity, LogSeverity, DeviceEventClassID",
"size": 0,
"title": "Devices list by Alert generated",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceHostName",
"formatter": 8,
"formatOptions": {
"palette": "categorical"
}
},
{
"columnMatch": "DeviceAction",
"formatter": 8,
"formatOptions": {
"palette": "green"
}
},
{
"columnMatch": "Activity",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "LogSeverity",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
]
},
"sortBy": []
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceCustomString3",
"size": 0,
"title": "Singatures provided by",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DeviceCustomString3",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "DeviceCustomString3",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "DeviceCustomString3",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "DeviceCustomString3",
"type": 4,
"heatmapPalette": "categorical",
"heatmapMin": null,
"heatmapMax": null
},
"hivesMargin": 5
}
},
"customWidth": "30",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by SourceHostName",
"size": 0,
"title": "Hosts by Attacked frequency",
"timeContext": {
"durationMs": 8899200000,
"endTime": "2022-05-15T15:59:00.000Z"
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"customWidth": "30",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceVendor",
"size": 0,
"title": "Device Networking",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 3"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-PaloAltoXDR",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

2
Solutions/PostgreSQL/Data Connectors/Connector_PostgreSQL.json
Просмотреть файл

@ -33,7 +33,7 @@
],
"availability": {
"status": 1,
"isPreview": true
"isPreview": false
},
"permissions": {
"resourceProvider": [

17
Solutions/PostgreSQL/Data/Solution_PostgresSQL.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"Name": "PostgreSQL",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The PostgreSQL solution provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [ Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\r\n\n",
"Parsers": [
"Parsers/PostgreSQLEvent.txt"
],
"Data Connectors": [
"Data Connectors/Connector_PostgreSQL.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\PostgreSQL",
"Version": "2.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}

Двоичные данные
Solutions/PostgreSQL/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

92
Solutions/PostgreSQL/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,92 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe PostgreSQL solution provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [ Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector provides the capability to ingest PostgreSQL events into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the PostgreSQLEvent Kusto Function alias."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

697
Solutions/PostgreSQL/Package/mainTemplate.json Normal file
Просмотреть файл

@ -0,0 +1,697 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for PostgreSQL"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-postgresql",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"parserVersion1": "1.0.0",
"parserContentId1": "PostgreSQLEvent-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "PostgreSQLEvent",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "PostgreSQL",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "PostgreSQL",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "PostgreSQLEvent Data Parser with template",
"displayName": "PostgreSQLEvent Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "PostgreSQLEvent Data Parser with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "PostgreSQLEvent",
"category": "Samples",
"functionAlias": "PostgreSQLEvent",
"query": "\nPostgreSQL_CL\r\n| extend EventVendor = 'PostgreSQL'\r\n , EventProduct = 'PostgreSQL'\r\n , EventCount = int(1)\r\n , EventEndTime = todatetime(extract(@'\\A(\\d{4}-\\d{2}-\\d{2}\\s[0-9:]{8}.\\d{3}\\s\\w+)\\s\\[\\d+\\]', 1, RawData))\r\n , ProcessId = toreal(extract(@'\\[(\\d+)\\]', 1, RawData))\r\n , EventSeverity = tostring(extract(@'\\[\\d+\\]\\s([A-Z]+):', 1, RawData))\r\n , EventMessage = tostring(extract(@'\\[\\d+\\]\\s[A-Z]+:\\s(.*)', 1, RawData))\r\n , QueryDuration = toreal(extract(@'duration:\\s([0-9.]+)\\s\\w+', 1, RawData))\r\n , AdditionalData = extract_all(@\"(?P<key>[a-zA-Z0-9-]+=[a-zA-Z0-9-_:/@.#{}''\\[\\]]+)\", tostring(RawData))\r\n| project-away RawData",
"version": 1,
"tags": [
{
"name": "description",
"value": "PostgreSQLEvent"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"name": "PostgreSQL",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "PostgreSQLEvent",
"category": "Samples",
"functionAlias": "PostgreSQLEvent",
"query": "\nPostgreSQL_CL\r\n| extend EventVendor = 'PostgreSQL'\r\n , EventProduct = 'PostgreSQL'\r\n , EventCount = int(1)\r\n , EventEndTime = todatetime(extract(@'\\A(\\d{4}-\\d{2}-\\d{2}\\s[0-9:]{8}.\\d{3}\\s\\w+)\\s\\[\\d+\\]', 1, RawData))\r\n , ProcessId = toreal(extract(@'\\[(\\d+)\\]', 1, RawData))\r\n , EventSeverity = tostring(extract(@'\\[\\d+\\]\\s([A-Z]+):', 1, RawData))\r\n , EventMessage = tostring(extract(@'\\[\\d+\\]\\s[A-Z]+:\\s(.*)', 1, RawData))\r\n , QueryDuration = toreal(extract(@'duration:\\s([0-9.]+)\\s\\w+', 1, RawData))\r\n , AdditionalData = extract_all(@\"(?P<key>[a-zA-Z0-9-]+=[a-zA-Z0-9-_:/@.#{}''\\[\\]]+)\", tostring(RawData))\r\n| project-away RawData",
"version": 1
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"kind": "Solution",
"name": "PostgreSQL",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "PostgreSQL data connector with template",
"displayName": "PostgreSQL template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "PostgreSQL data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "PostgreSQL Events",
"publisher": "PostgreSQL",
"descriptionMarkdown": "PostgreSQL data connector provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **PostgreSQLEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-postgresql-parser)",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "PostgreSQL_CL",
"baseQuery": "PostgreSQLEvent"
}
],
"sampleQueries": [
{
"description": "PostgreSQL errors",
"query": "PostgreSQLEvent\n | where EventSeverity in~ ('ERROR', 'FATAL')\n | sort by EventEndTime"
}
],
"dataTypes": [
{
"name": "PostgreSQL_CL",
"lastDataReceivedQuery": "PostgreSQLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"PostgreSQLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-postgresql-parser) to create the Kusto Functions alias, **PostgreSQLEvent**"
},
{
"description": "Install the agent on the Tomcat Server where the logs are generated.\n\n> Logs from PostgreSQL Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux or Windows"
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "1. Edit postgresql.conf file to write logs to files:\n\n>**log_destination** = 'stderr'\n\n>**logging_collector** = on\n\nSet the following parameters: **log_directory** and **log_filename**. Refer to the [PostgreSQL documentation for more details](https://www.postgresql.org/docs/current/runtime-config-logging.html)",
"title": "2. Configure PostgreSQL to write logs to files"
},
{
"description": "Configure the custom log directory to be collected",
"instructions": [
{
"parameters": {
"linkType": "OpenCustomLogsSettings"
},
"type": "InstallAgent"
}
],
"title": "3. Configure the logs to be collected"
},
{
"description": "1. Select the link above to open your workspace advanced settings \n2. From the left pane, select **Settings**, select **Custom Logs** and click **+Add custom log**\n3. Click **Browse** to upload a sample of a PostgreSQL log file. Then, click **Next >**\n4. Select **Timestamp** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to PostgreSQL logs based on your configuration(e.g. for some Linux distros the default path is /var/log/postgresql/) \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **PostgreSQL** as the custom log Name (the '_CL' suffix will be added automatically) and click **Done**."
},
{
"description": "It may take upwards of 20 minutes until your logs start to appear in Microsoft Sentinel.",
"title": "Validate connectivity"
}
],
"metadata": {
"id": "046d5618-89c8-4441-a680-0e839970dcd2",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "PostgreSQL"
},
"support": {
"name": "PostgreSQL",
"link": "https://www.postgresql.org/support/",
"tier": "developer"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "PostgreSQL",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "PostgreSQL",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "PostgreSQL Events",
"publisher": "PostgreSQL",
"descriptionMarkdown": "PostgreSQL data connector provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "PostgreSQL_CL",
"baseQuery": "PostgreSQLEvent"
}
],
"dataTypes": [
{
"name": "PostgreSQL_CL",
"lastDataReceivedQuery": "PostgreSQLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"PostgreSQLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "PostgreSQL errors",
"query": "PostgreSQLEvent\n | where EventSeverity in~ ('ERROR', 'FATAL')\n | sort by EventEndTime"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-postgresql-parser) to create the Kusto Functions alias, **PostgreSQLEvent**"
},
{
"description": "Install the agent on the Tomcat Server where the logs are generated.\n\n> Logs from PostgreSQL Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux or Windows"
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "1. Edit postgresql.conf file to write logs to files:\n\n>**log_destination** = 'stderr'\n\n>**logging_collector** = on\n\nSet the following parameters: **log_directory** and **log_filename**. Refer to the [PostgreSQL documentation for more details](https://www.postgresql.org/docs/current/runtime-config-logging.html)",
"title": "2. Configure PostgreSQL to write logs to files"
},
{
"description": "Configure the custom log directory to be collected",
"instructions": [
{
"parameters": {
"linkType": "OpenCustomLogsSettings"
},
"type": "InstallAgent"
}
],
"title": "3. Configure the logs to be collected"
},
{
"description": "1. Select the link above to open your workspace advanced settings \n2. From the left pane, select **Settings**, select **Custom Logs** and click **+Add custom log**\n3. Click **Browse** to upload a sample of a PostgreSQL log file. Then, click **Next >**\n4. Select **Timestamp** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to PostgreSQL logs based on your configuration(e.g. for some Linux distros the default path is /var/log/postgresql/) \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **PostgreSQL** as the custom log Name (the '_CL' suffix will be added automatically) and click **Done**."
},
{
"description": "It may take upwards of 20 minutes until your logs start to appear in Microsoft Sentinel.",
"title": "Validate connectivity"
}
],
"id": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_uiConfigId1'))]",
"additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected. Follow the steps to use this Kusto Function alias **PostgreSQLEvent** in queries and workbooks. [Follow steps to get this Kusto Function>](https://aka.ms/sentinel-postgresql-parser)"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "PostgreSQL",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
]
},
"firstPublishDate": "2022-06-27",
"providers": [
"PostgreSQL"
],
"categories": {
"domains": [
"Application"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}

15
Solutions/PostgreSQL/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-postgresql",
"firstPublishDate": "2022-06-27",
"providers": ["PostgreSQL"],
"categories": {
"domains": ["Application"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

92
Solutions/Symantec Integrated Cyber Defense/Data Connectors/SymantecICDX.JSON Normal file
Просмотреть файл

@ -0,0 +1,92 @@
{
"id": "Symantec",
"title": "Symantec Integrated Cyber Defense Exchange",
"publisher": "Symantec",
"descriptionMarkdown": "Symantec ICDx connector allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities.",
"logo": "SymantecLogo.svg",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecICDx",
"baseQuery": "SymantecICDx_CL"
}
],
"sampleQueries": [
{
"description": "Summarize by connection source ip",
"query": "SymantecICDx_CL\n | summarize count() by connection_src_ip_s"
},
{
"description": "Summarize by threat id",
"query": "SymantecICDx_CL\n | summarize count() by threat_id_d"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SymantecICDx_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [
{
"name": "SymantecICDx_CL",
"lastDataReceivedQuery": "SymantecICDx_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "Configure and connect Symantec ICDx",
"description": "1. On the ICDx navigation bar, click **Configuration**.\n2. At the top of the **Configuration** screen, click **Forwarders**, and next to Microsoft Sentinel (Log Analytics), click **Add**.\n3. In the Microsoft Sentinel (Log Analytics) window that opens, click **Show Advanced**. [See the documentation to set advanced features](https://aka.ms/SymantecICDX-learn-more).\n4. Make sure that you set a name for the forwarder and under Azure Destination, set these required fields:\n - Workspace ID: Paste the Workspace ID from the Microsoft Sentinel portal connector page.\n - Primary Key: Paste the Primary Key from the Microsoft Sentinel portal connector page.\n - Custom Log Name: Type the custom log name in the Microsoft Azure portal Log Analytics workspace to which you are going to forward events. The default is SymantecICDx.\n5. Click Save and to start the forwarder, go to Options > More and click **Start**.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}

14
Solutions/Symantec Integrated Cyber Defense/Data/Solution_Symantec.json Normal file
Просмотреть файл

@ -0,0 +1,14 @@
{
"Name": "Symantec Integrated Cyber Defense",
"Author": "Symantec",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/symantec_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Symantec Integrated Cyber Defense Exchange](https://www.broadcom.com/products/cyber-security/integrated-cyber-defense/integrated-cyber-defense-exchange) (ICDx) solution allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
"Data Connectors": [
"Data Connectors/SymantecICDX.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Symantec Integrated Cyber Defense",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}

Двоичные данные
Solutions/Symantec Integrated Cyber Defense/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

85
Solutions/Symantec Integrated Cyber Defense/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,85 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/symantec_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Symantec Integrated Cyber Defense Exchange](https://www.broadcom.com/products/cyber-security/integrated-cyber-defense/integrated-cyber-defense-exchange) (ICDx) solution allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Symantec Integrated Cyber Defense Exchange data into your Microsoft Sentinel Workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

387
Solutions/Symantec Integrated Cyber Defense/Package/mainTemplate.json Normal file
Просмотреть файл

@ -0,0 +1,387 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Symantec",
"comments": "Solution template for Symantec Integrated Cyber Defense"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.symantec_icdx_mss",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "Symantec",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "Symantec",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Symantec Integrated Cyber Defense data connector with template",
"displayName": "Symantec Integrated Cyber Defense template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Symantec Integrated Cyber Defense data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Symantec Integrated Cyber Defense Exchange",
"publisher": "Symantec",
"descriptionMarkdown": "Symantec ICDx connector allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities.",
"logo": "SymantecLogo.svg",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecICDx",
"baseQuery": "SymantecICDx_CL"
}
],
"sampleQueries": [
{
"description": "Summarize by connection source ip",
"query": "SymantecICDx_CL\n | summarize count() by connection_src_ip_s"
},
{
"description": "Summarize by threat id",
"query": "SymantecICDx_CL\n | summarize count() by threat_id_d"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SymantecICDx_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"dataTypes": [
{
"name": "SymantecICDx_CL",
"lastDataReceivedQuery": "SymantecICDx_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "1. On the ICDx navigation bar, click **Configuration**.\n2. At the top of the **Configuration** screen, click **Forwarders**, and next to Microsoft Sentinel (Log Analytics), click **Add**.\n3. In the Microsoft Sentinel (Log Analytics) window that opens, click **Show Advanced**. [See the documentation to set advanced features](https://aka.ms/SymantecICDX-learn-more).\n4. Make sure that you set a name for the forwarder and under Azure Destination, set these required fields:\n - Workspace ID: Paste the Workspace ID from the Microsoft Sentinel portal connector page.\n - Primary Key: Paste the Primary Key from the Microsoft Sentinel portal connector page.\n - Custom Log Name: Type the custom log name in the Microsoft Azure portal Log Analytics workspace to which you are going to forward events. The default is SymantecICDx.\n5. Click Save and to start the forwarder, go to Options > More and click **Start**.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
],
"title": "Configure and connect Symantec ICDx"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Symantec Integrated Cyber Defense",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Symantec"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Symantec Integrated Cyber Defense",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Symantec"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Symantec Integrated Cyber Defense Exchange",
"publisher": "Symantec",
"descriptionMarkdown": "Symantec ICDx connector allows you to easily connect your Symantec security solutions logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organizations network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SymantecICDx",
"baseQuery": "SymantecICDx_CL"
}
],
"dataTypes": [
{
"name": "SymantecICDx_CL",
"lastDataReceivedQuery": "SymantecICDx_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"SymantecICDx_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"sampleQueries": [
{
"description": "Summarize by connection source ip",
"query": "SymantecICDx_CL\n | summarize count() by connection_src_ip_s"
},
{
"description": "Summarize by threat id",
"query": "SymantecICDx_CL\n | summarize count() by threat_id_d"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "1. On the ICDx navigation bar, click **Configuration**.\n2. At the top of the **Configuration** screen, click **Forwarders**, and next to Microsoft Sentinel (Log Analytics), click **Add**.\n3. In the Microsoft Sentinel (Log Analytics) window that opens, click **Show Advanced**. [See the documentation to set advanced features](https://aka.ms/SymantecICDX-learn-more).\n4. Make sure that you set a name for the forwarder and under Azure Destination, set these required fields:\n - Workspace ID: Paste the Workspace ID from the Microsoft Sentinel portal connector page.\n - Primary Key: Paste the Primary Key from the Microsoft Sentinel portal connector page.\n - Custom Log Name: Type the custom log name in the Microsoft Azure portal Log Analytics workspace to which you are going to forward events. The default is SymantecICDx.\n5. Click Save and to start the forwarder, go to Options > More and click **Start**.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
],
"title": "Configure and connect Symantec ICDx"
}
],
"id": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_uiConfigId1'))]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Symantec Integrated Cyber Defense",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Symantec"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
]
},
"firstPublishDate": "2022-06-02",
"providers": [
"Symantec"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}

20
Solutions/Symantec Integrated Cyber Defense/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,20 @@
{
"publisherId": "azuresentinel",
"offerId": "symantec_icdx_mss",
"firstPublishDate": "2022-06-02",
"providers": ["Symantec"],
"categories": {
"domains" : ["Security - Threat Protection"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

1
Solutions/UEBA Essentials/Hunting Queries/anomaliesOnVIPUsers.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: 028ac38c-f5a4-483b-a58a-aa83d500bf27
name: Anomalies on users tagged as VIP
description: |
'Shows all users tagged as VIP in the VIP users watchlist that had anomalies with a score greater than 0.'

1
Solutions/UEBA Essentials/Hunting Queries/anomalousActionInTenant.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: 9ba2b304-7767-4d54-b03c-b0161ae87cc7
name: Anomalous action performed in tenant by privileged user
description: |
'Shows activties that have never been executed in the tenant, performed by a user with high privileges.'

1
Solutions/UEBA Essentials/Hunting Queries/dormantAccountActivityFromUncommonCountry.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: 7c303408-f913-42f8-8d7b-9eb64a229c4d
name: Dormant account activity from uncommon country
description: |
'Shows dormant accounts (not active in last 180 days), that connect from a country for the first time and the country is uncommon in the tenant or is the first time the ISP is used.'

1
Solutions/UEBA Essentials/Hunting Queries/firstConnectionFromGroup.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: 741fdf32-e002-4577-ac9b-839fb49f128e
name: Anomalous connection from highly privileged user
description: |
'Shows all users from a given department, which have high impact on the organization, who connected to a resource for the first time, and none of their peers accessed it'

1
Solutions/UEBA Essentials/Hunting Queries/loginActivityFromBotnet.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: c3b09dd3-ee50-41ae-b863-8603620e5f48
name: Anomalous login activity originated from Botnet, Tor proxy or C2
description: |
'Shows login activity (successful or failed) originated from botnet, Tor proxy or C2, with at least one 'True' activity insight.'

1
Solutions/UEBA Essentials/Hunting Queries/newAccountAddedToAdminGroup.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: 8a255821-844a-4b6a-a529-0fdaff23219b
name: New account added to admin group
description: |
'Account created in the last 7 days that is added to administrators group'

3
Solutions/UEBA Essentials/Hunting Queries/terminatedEmployeeAccessHVA.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: f0ad3b3f-72ac-48b1-9f01-ad408b3af88e
name: Terminated employee accessing High Value Asset
description: |
'Shows all users tagged as terminated employees in the Terminated Employees watchlist that had activities after their termination date.'
@ -8,7 +9,7 @@ requiredDataConnectors:
tactics:
relevantTechniques:
query: |
_GetWatchlist('HighValueAssets1')
_GetWatchlist('HighValueAssets')
| join ( BehaviorAnalytics
| where ActionType contains "ResourceAccess")
on $left.['Asset Name'] == $right.DestinationDevice

1
Solutions/UEBA Essentials/Hunting Queries/terminatedEmployeeActivity.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: e091e85d-4376-48cd-9bff-4beaa2ed4280
name: Activity from terminated employees after their termination date
description: |
'Shows all users tagged as terminated employees in the Terminated Employees watchlist that had activities after their termination date.'

1
Solutions/UEBA Essentials/Hunting Queries/updateKeyVaultActivity.yaml
Просмотреть файл

@ -1,3 +1,4 @@
id: 202ee40b-e6d8-4968-9a79-cf24c5c09db9
name: Anomalous update Key Vault activity by high blast radius user
description: |
'Shows all update Key Vault activities done by a user with a High blast radius. If the activity is performed for the first time (by the user or in the tenant) or if the activity originated in a never seen before country'

367
Solutions/URLhaus/Playbooks/URLhaus-CheckHashAndEnrichIncident/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,367 @@
{
"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"PlaybookName":{
"defaultValue":"URLhaus-CheckHashAndEnrichIncident",
"type":"String"
}
},
"variables":{
"AzureSentinelConnectionName":"[concat('azuresentinel-', parameters('PlaybookName'))]",
"URLhausAPIConnectionName":"[concat('urlhaus-connection-', parameters('PlaybookName'))]",
"customApis_URLhaus":"URLhausAPI"
},
"resources":[
{
"type":"Microsoft.Web/connections",
"apiVersion":"2016-06-01",
"name":"[variables('AzureSentinelConnectionName')]",
"location":"[resourceGroup().location]",
"properties":{
"displayName":"[variables('AzureSentinelConnectionName')]",
"customParameterValues":{
},
"api":{
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type":"Microsoft.Web/connections",
"apiVersion":"2016-06-01",
"name":"[variables('URLhausAPIConnectionName')]",
"location":"[resourceGroup().location]",
"kind":"V1",
"properties":{
"displayName":"[variables('URLhausAPIConnectionName')]",
"customParameterValues":{
},
"api":{
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_URLhaus'))]"
}
}
},
{
"type":"Microsoft.Logic/workflows",
"apiVersion":"2017-07-01",
"name":"[parameters('PlaybookName')]",
"location":"[resourceGroup().location]",
"dependsOn":[
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('URLhausAPIConnectionName'))]"
],
"properties":{
"state":"Enabled",
"definition":{
"$schema":"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"$connections":{
"defaultValue":{
},
"type":"Object"
}
},
"triggers":{
"Microsoft_Sentinel_incident":{
"type":"ApiConnectionWebhook",
"inputs":{
"body":{
"callback_url":"@{listCallbackUrl()}"
},
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path":"/incident-creation"
}
}
},
"actions":{
"Check_Results_Length":{
"actions":{
"Add_comment_to_incident_(V3)":{
"runAfter":{
"Compose":[
"Succeeded"
]
},
"type":"ApiConnection",
"inputs":{
"body":{
"incidentArmId":"@triggerBody()?['object']?['id']",
"message":"<p><span style=\"font-size: 14px\"><strong>URLhaus Hash Checking Results:<br>\n</strong></span><span style=\"font-size: 14px\"><strong>@{outputs('Compose')}</strong></span><span style=\"font-size: 14px\"><strong></strong></span></p>"
},
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method":"post",
"path":"/Incidents/Comment"
}
},
"Compose":{
"runAfter":{
"Create_HTML_table":[
"Succeeded"
]
},
"type":"Compose",
"inputs":"@body('Create_HTML_table')"
},
"Create_HTML_table":{
"runAfter":{
},
"type":"Table",
"inputs":{
"format":"HTML",
"from":"@variables('Result List')"
}
}
},
"runAfter":{
"Check_each_md5_hash_in_URLhaus":[
"Succeeded"
],
"Check_each_sha256_hash_in_URLhaus":[
"Succeeded"
]
},
"expression":{
"and":[
{
"greater":[
"@length(variables('Result List'))",
0
]
}
]
},
"type":"If"
},
"Check_each_md5_hash_in_URLhaus":{
"foreach":"@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions":{
"Check_Query_Status(md5_hash)":{
"actions":{
"Append_to_array_variable(md5_hash)":{
"runAfter":{
},
"type":"AppendToArrayVariable",
"inputs":{
"name":"Result List",
"value":{
"file_size":"@body('Query_payload_information(md5_hash)')?['file_size']",
"file_type":"@body('Query_payload_information(md5_hash)')?['file_type']",
"firstseen":"@body('Query_payload_information(md5_hash)')?['firstseen']",
"imphash":"@body('Query_payload_information(md5_hash)')?['imphash']",
"lastseen":"@body('Query_payload_information(md5_hash)')?['lastseen']",
"md5_hash":"@body('Query_payload_information(md5_hash)')?['md5_hash']",
"sha256_hash":"@body('Query_payload_information(md5_hash)')?['sha256_hash']",
"signature":"@body('Query_payload_information(md5_hash)')?['signature']",
"ssdeep":"@body('Query_payload_information(md5_hash)')?['ssdeep']",
"tlsh":"@body('Query_payload_information(md5_hash)')?['tlsh']",
"url_count":"@body('Query_payload_information(md5_hash)')?['url_count']",
"urlhaus_download":"@body('Query_payload_information(md5_hash)')?['urlhaus_download']",
"virustotal":"@body('Query_payload_information(md5_hash)')?['virustotal']"
}
}
}
},
"runAfter":{
"Query_payload_information(md5_hash)":[
"Succeeded"
]
},
"expression":{
"and":[
{
"equals":[
"@body('Query_payload_information(md5_hash)')?['query_status']",
"ok"
]
}
]
},
"type":"If"
},
"Query_payload_information(md5_hash)":{
"runAfter":{
},
"type":"ApiConnection",
"inputs":{
"body":{
"$content-type":"multipart/form-data",
"$multipart":[
{
"body":"@items('Check_each_md5_hash_in_URLhaus')?['Value']",
"headers":{
"Content-Disposition":"form-data; name=\"md5_hash\""
}
}
]
},
"host":{
"connection":{
"name":"@parameters('$connections')['URLhausAPI']['connectionId']"
}
},
"method":"post",
"path":"/payload/"
}
}
},
"runAfter":{
"Initialize_Results_List":[
"Succeeded"
]
},
"type":"Foreach"
},
"Check_each_sha256_hash_in_URLhaus":{
"foreach":"@body('Entities_-_Get_FileHashes')?['Filehashes']",
"actions":{
"Check_Query_Status(sha256_hash)":{
"actions":{
"Append_to_array_variable(sha256_hash)":{
"runAfter":{
},
"type":"AppendToArrayVariable",
"inputs":{
"name":"Result List",
"value":{
"file_size":"@body('Query_payload_information(sha256_hash)')?['file_size']",
"file_type":"@body('Query_payload_information(sha256_hash)')?['file_type']",
"firstseen":"@body('Query_payload_information(sha256_hash)')?['firstseen']",
"imphash":"@body('Query_payload_information(sha256_hash)')?['imphash']",
"lastseen":"@body('Query_payload_information(sha256_hash)')?['lastseen']",
"md5_hash":"@body('Query_payload_information(sha256_hash)')?['md5_hash']",
"sha256_hash":"@body('Query_payload_information(sha256_hash)')?['sha256_hash']",
"signature":"@body('Query_payload_information(sha256_hash)')?['signature']",
"ssdeep":"@body('Query_payload_information(sha256_hash)')?['ssdeep']",
"tlsh":"@body('Query_payload_information(sha256_hash)')?['tlsh']",
"url_count":"@body('Query_payload_information(sha256_hash)')?['url_count']",
"urlhaus_download":"@body('Query_payload_information(sha256_hash)')?['urlhaus_download']",
"virustotal":"@body('Query_payload_information(sha256_hash)')?['virustotal']"
}
}
}
},
"runAfter":{
"Query_payload_information(sha256_hash)":[
"Succeeded"
]
},
"expression":{
"and":[
{
"equals":[
"@body('Query_payload_information(sha256_hash)')?['query_status']",
"ok"
]
}
]
},
"type":"If"
},
"Query_payload_information(sha256_hash)":{
"runAfter":{
},
"type":"ApiConnection",
"inputs":{
"body":{
"$content-type":"multipart/form-data",
"$multipart":[
{
"body":"@items('Check_each_sha256_hash_in_URLhaus')?['Value']",
"headers":{
"Content-Disposition":"form-data; name=\"sha256_hash\""
}
}
]
},
"host":{
"connection":{
"name":"@parameters('$connections')['URLhausAPI']['connectionId']"
}
},
"method":"post",
"path":"/payload/"
}
}
},
"runAfter":{
"Initialize_Results_List":[
"Succeeded"
]
},
"type":"Foreach"
},
"Entities_-_Get_FileHashes":{
"runAfter":{
},
"type":"ApiConnection",
"inputs":{
"body":"@triggerBody()?['object']?['properties']?['relatedEntities']",
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method":"post",
"path":"/entities/filehash"
}
},
"Initialize_Results_List":{
"runAfter":{
"Entities_-_Get_FileHashes":[
"Succeeded"
]
},
"type":"InitializeVariable",
"inputs":{
"variables":[
{
"name":"Result List",
"type":"array"
}
]
}
}
},
"outputs":{
}
},
"parameters":{
"$connections":{
"value":{
"azuresentinel":{
"connectionName":"[variables('AzureSentinelConnectionName')]",
"connectionId":"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"id":"[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
},
"URLhausAPI":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('URLhausAPIConnectionName'))]",
"connectionName":"[variables('URLhausAPIConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_URLhaus'))]"
}
}
}
}
}
}
]
}

Двоичные данные
Solutions/URLhaus/Playbooks/URLhaus-CheckHashAndEnrichIncident/playbook_screenshot.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 208 KiB

35
Solutions/URLhaus/Playbooks/URLhaus-CheckHashAndEnrichIncident/readme.md Normal file
Просмотреть файл

@ -0,0 +1,35 @@
# URLhaus-CheckHashAndEnrichIncident
## Summary
Once a new sentinal incident is created, this playbook gets triggered and performs the following actions:
1. [Gets Information](https://urlhaus-api.abuse.ch/#payloadinfo) from URLhaus by hashes, provided in the alert custom entities.
2. Enriches the incident with the obtained info.
<img src="./playbook_screenshot.png" width="80%"/><br>
### Prerequisites
1. URLhausAPI Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Faverbn%2FAzure-Sentinel%2FURLhaus-Connector-and-Playbooks%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHashAndEnrichIncident%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHashAndEnrichIncident%2Fazuredeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Faverbn%2FAzure-Sentinel%2FURLhaus-Connector-and-Playbooks%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHashAndEnrichIncident%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHashAndEnrichIncident%2Fazuredeploy.json)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection.
1. Open playbook which has been deployed
2. Click API connection on left side blade
3. Click the Azure Sentinel connection resource
4. Click edit API connection
5. Click Authorize
6. Sign in
7. Click Save
8. Repeat steps for URLhausAPI connector API Connection
#### b. Configurations in Sentinel
1. In Azure sentinel, analytical rules should be configured to trigger an incident.
2. Configure the automation rules to trigger the playbook.

275
Solutions/URLhaus/Playbooks/URLhaus-CheckHostAndEnrichIncident/azuredeploy.json Normal file
Просмотреть файл

@ -0,0 +1,275 @@
{
"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"PlaybookName":{
"defaultValue":"URLhaus-CheckHostAndEnrichIncident",
"type":"String"
}
},
"variables":{
"AzureSentinelConnectionName":"[concat('azuresentinel-', parameters('PlaybookName'))]",
"URLhausAPIConnectionName":"[concat('urlhaus-connection-', parameters('PlaybookName'))]",
"customApis_URLhaus":"URLhausAPI"
},
"resources":[
{
"type":"Microsoft.Web/connections",
"apiVersion":"2016-06-01",
"name":"[variables('AzureSentinelConnectionName')]",
"location":"[resourceGroup().location]",
"properties":{
"displayName":"[variables('AzureSentinelConnectionName')]",
"customParameterValues":{
},
"api":{
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type":"Microsoft.Web/connections",
"apiVersion":"2016-06-01",
"name":"[variables('URLhausAPIConnectionName')]",
"location":"[resourceGroup().location]",
"kind":"V1",
"properties":{
"displayName":"[variables('URLhausAPIConnectionName')]",
"customParameterValues":{
},
"api":{
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_URLhaus'))]"
}
}
},
{
"type":"Microsoft.Logic/workflows",
"apiVersion":"2017-07-01",
"name":"[parameters('PlaybookName')]",
"location":"[resourceGroup().location]",
"dependsOn":[
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"[resourceId('Microsoft.Web/connections', variables('URLhausAPIConnectionName'))]"
],
"properties":{
"state":"Enabled",
"definition":{
"$schema":"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"$connections":{
"defaultValue":{
},
"type":"Object"
}
},
"triggers":{
"Microsoft_Sentinel_incident":{
"type":"ApiConnectionWebhook",
"inputs":{
"body":{
"callback_url":"@{listCallbackUrl()}"
},
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path":"/incident-creation"
}
}
},
"actions":{
"Check_Results_Length":{
"actions":{
"Add_comment_to_incident_(V3)":{
"runAfter":{
"Compose":[
"Succeeded"
]
},
"type":"ApiConnection",
"inputs":{
"body":{
"incidentArmId":"@triggerBody()?['object']?['id']",
"message":"<p><span style=\"font-size: 14px\"><strong>URLhaus URL Checking Results:</strong></span><br>\n@{outputs('Compose')}</p>"
},
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method":"post",
"path":"/Incidents/Comment"
}
},
"Compose":{
"runAfter":{
"Create_HTML_table":[
"Succeeded"
]
},
"type":"Compose",
"inputs":"@body('Create_HTML_table')"
},
"Create_HTML_table":{
"runAfter":{
},
"type":"Table",
"inputs":{
"format":"HTML",
"from":"@variables('Result List')"
}
}
},
"runAfter":{
"Check_each_Host_in_URLhaus":[
"Succeeded"
]
},
"expression":{
"and":[
{
"greater":[
"@length(variables('Result List'))",
0
]
}
]
},
"type":"If"
},
"Check_each_Host_in_URLhaus":{
"foreach":"@body('Entities_-_Get_Hosts')?['Hosts']",
"actions":{
"Condition":{
"actions":{
"Append_to_array_variable":{
"runAfter":{
},
"type":"AppendToArrayVariable",
"inputs":{
"name":"Result List",
"value":{
"blacklists":"@replace(replace(replace(string(body('Query_host_information')?['blacklists']),'{',''),'}',''),'\"','')",
"firstseen":"@body('Query_host_information')?['firstseen']",
"host":"@body('Query_host_information')?['host']",
"url_count":"@body('Query_host_information')?['url_count']",
"urlhaus_reference":"@body('Query_host_information')?['urlhaus_reference']"
}
}
}
},
"runAfter":{
"Query_host_information":[
"Succeeded"
]
},
"expression":{
"and":[
{
"equals":[
"@body('Query_host_information')?['query_status']",
"ok"
]
}
]
},
"type":"If"
},
"Query_host_information":{
"runAfter":{
},
"type":"ApiConnection",
"inputs":{
"body":{
"$content-type":"multipart/form-data",
"$multipart":[
{
"body":"@items('Check_each_Host_in_URLhaus')?['HostName']",
"headers":{
"Content-Disposition":"form-data; name=\"host\""
}
}
]
},
"host":{
"connection":{
"name":"@parameters('$connections')['URLhausAPI']['connectionId']"
}
},
"method":"post",
"path":"/host/"
}
}
},
"runAfter":{
"Initialize_Results_List":[
"Succeeded"
]
},
"type":"Foreach"
},
"Entities_-_Get_Hosts":{
"runAfter":{
},
"type":"ApiConnection",
"inputs":{
"body":"@triggerBody()?['object']?['properties']?['relatedEntities']",
"host":{
"connection":{
"name":"@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method":"post",
"path":"/entities/host"
}
},
"Initialize_Results_List":{
"runAfter":{
"Entities_-_Get_Hosts":[
"Succeeded"
]
},
"type":"InitializeVariable",
"inputs":{
"variables":[
{
"name":"Result List",
"type":"array"
}
]
}
}
},
"outputs":{
}
},
"parameters":{
"$connections":{
"value":{
"azuresentinel":{
"connectionName":"[variables('AzureSentinelConnectionName')]",
"connectionId":"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"id":"[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/azuresentinel')]"
},
"URLhausAPI":{
"connectionId":"[resourceId('Microsoft.Web/connections', variables('URLhausAPIConnectionName'))]",
"connectionName":"[variables('URLhausAPIConnectionName')]",
"id":"[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', variables('customApis_URLhaus'))]"
}
}
}
}
}
}
]
}

Двоичные данные
Solutions/URLhaus/Playbooks/URLhaus-CheckHostAndEnrichIncident/playbook_screenshot.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 172 KiB

35
Solutions/URLhaus/Playbooks/URLhaus-CheckHostAndEnrichIncident/readme.md Normal file
Просмотреть файл

@ -0,0 +1,35 @@
# URLhaus-CheckHostAndEnrichIncident
## Summary
Once a new sentinal incident is created, this playbook gets triggered and performs the following actions:
1. [Gets Information](https://urlhaus-api.abuse.ch/#hostinfo) from URLhaus by hosts, provided in the alert custom entities.
2. Enriches the incident with the obtained info.
<img src="./playbook_screenshot.png" width="80%"/><br>
### Prerequisites
1. URLhausAPI Custom Connector has to be deployed prior to the deployment of this playbook under the same subscription.
### Deployment instructions
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required paramteres:
* Playbook Name: Enter the playbook name here
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Faverbn%2FAzure-Sentinel%2FURLhaus-Connector-and-Playbooks%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHostAndEnrichIncident%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHostAndEnrichIncident%2Fazuredeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Faverbn%2FAzure-Sentinel%2FURLhaus-Connector-and-Playbooks%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHostAndEnrichIncident%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FURLhaus%2FPlaybooks%2FURLhaus-CheckHostAndEnrichIncident%2Fazuredeploy.json)
### Post-Deployment instructions
#### a. Authorize connections
Once deployment is complete, authorize each connection.
1. Open playbook which has been deployed
2. Click API connection on left side blade
3. Click the Azure Sentinel connection resource
4. Click edit API connection
5. Click Authorize
6. Sign in
7. Click Save
8. Repeat steps for URLhausAPI connector API Connection
#### b. Configurations in Sentinel
1. In Azure sentinel, analytical rules should be configured to trigger an incident.
2. Configure the automation rules to trigger the playbook.

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше