Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Orca SEcurity REST API connector (#721) 

Co-authored-by: Alon Lavian <alon@orca.security>
This commit is contained in:
Alon Lavian 2020-06-20 00:03:45 +03:00 коммит произвёл GitHub
Родитель 1ccee11bfc
Коммит 22a7521bfb
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 513 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

81
DataConnectors/OrcaSecurityAlerts.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"id": "OrcaSecurityAlerts",
"title": "Orca Security Alerts",
"publisher": "Orca Security",
"descriptionMarkdown": "The Orca Security Alerts connector allows you to easily export Alerts logs to Azure Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "OrcaAlerts_CL",
"baseQuery": "OrcaAlerts_CL"
}
],
"sampleQueries": [
{
"description" : "Fetch all service vulnerabilities on running asset",
"query": "OrcaAlerts_CL | where alert_type_s == \"service_vulnerability\" | where asset_state_s == \"running\" | sort by TimeGenerated "
},
{
"description" : "Fetch all alerts with \"remote_code_execution\" label",
"query": "OrcaAlerts_CL | where split(alert_labels_s, \",\") contains(\"remote_code_execution\") | sort by TimeGenerated "
}
],
"dataTypes": [
{
"name": "OrcaAlerts_CL",
"lastDataReceivedQuery": "OrcaAlerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"OrcaAlerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description":"Follow [guidance](https://orcasecurity.zendesk.com/hc/en-us/articles/360043941992-Azure-Sentinel-configuration) for integrating Orca Security Alerts logs with Azure Sentinel.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}

1
Logos/OrcaSecurity.svg Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 28 KiB

431
Sample Data/Custom/OrcaAlerts_CL.json Normal file
Просмотреть файл

@ -0,0 +1,431 @@
[
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T18:32:22.221Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 380102283719,
"asset_unique_id_s": "vm_380102283719_i-06e71a2b20333b35e",
"asset_name_s": "scan_me_3_vip_vuln_new",
"asset_type_s": "vm",
"cluster_name_s": "scan_me_3_vip_vuln_new",
"cluster_type_s": "vm",
"vm_id_s": "i-06e71a2b20333b35e",
"asset_state_s": "stopped",
"alert_id_s": "orca-9423",
"score_d": 2,
"description_s": "Malware found on asset",
"details_s": "We have detected infected files on the asset.",
"recommendation_s": "Remediate the host and attend additional alerts on the host to close the infection path.",
"source_s": "eicarcom2.zip",
"alert_type_s": "malware",
"alert_labels_s": "malware_found",
"time_t": "2020-05-06T16:51:31.05Z",
"findings_s": {
"malware": {
"sha1": "bec1b52d350d721c7e22a6d4bb0a92909893a3ae",
"has_macro": false,
"file": "/usr/local/bin/eicarcom2.zip",
"sha256": "e1105070ba828007508566e28a2b8d4c65d192e9eaf3b7868382b7cae747b397",
"virus_names": [
"EICAR-Test-File"
],
"type": "malware",
"modification_time": "2019-07-09T21:16:26+00:00",
"md5": "e4968ef99266df7c9a1f0637d2389dab",
"labels": [
"malware_found"
]
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T11:31:37.792Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "vm_506464807365_i-05684cbf5c348a706",
"asset_name_s": "BASTION",
"asset_type_s": "vm",
"cluster_name_s": "BASTION",
"cluster_type_s": "vm",
"vm_id_s": "i-05684cbf5c348a706",
"asset_state_s": "running",
"alert_id_s": "orca-9217",
"score_d": 2,
"description_s": "The following vulnerabilities were found on service: kernel 4.4.0",
"details_s": "We have found vulnerabilities on service: kernel 4.4.0",
"recommendation_s": "Patch the listed packages",
"source_s": "kernel",
"alert_type_s": "service_vulnerability",
"alert_labels_s": "remote_code_execution,gain_privilege,denial_of_service",
"time_t": "2020-03-15T22:27:54.684Z",
"findings_s": {
"cve": {
"summary": "An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.",
"score": 3,
"cve_id": "CVE-2017-18509",
"published": "2019-08-13T14:15:00+00:00",
"type": "cve",
"cvss3_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"affected_packages": [
"linux-image-4.4.0-1018-aws"
],
"cvss3_score": 7.2,
"source_link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18509",
"labels": [
"remote_code_execution"
]
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T12:11:46.964Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 172455144344,
"asset_unique_id_s": "vm_172455144344_i-0e32473dda7273c81",
"asset_name_s": "scan_me_3_vip_vuln_new",
"asset_type_s": "vm",
"cluster_name_s": "scan_me_3_vip_vuln_new",
"cluster_type_s": "vm",
"vm_id_s": "i-0e32473dda7273c81",
"asset_state_s": "stopped",
"alert_id_s": "orca-8842",
"score_d": 2,
"description_s": "The operating system's host can be accessed using weak login passwords",
"details_s": "Weak passwords were found on the operating system's user accounts. Weak passwords are very common and can be used in order to penetrate the system.",
"recommendation_s": "We recommend changing the passwords of these users",
"source_s": "N/A",
"alert_type_s": "weak_password_os",
"alert_labels_s": "internet_facing_service,weak_password",
"time_t": "2020-05-18T21:24:55Z",
"findings_s": {
"weak_password_os": {
"password": "qw*****",
"type": "weak_password_os",
"labels": [
"weak_password"
],
"username": "myuser1"
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T14:28:25.402Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 380102283719,
"asset_unique_id_s": "s3bucket_380102283719_scan-me-s3-bucket-6lug4",
"asset_name_s": "scan-me-s3-bucket-6lug4",
"asset_type_s": "s3bucket",
"cluster_name_s": "scan-me-s3-bucket-6lug4",
"cluster_type_s": "s3bucket",
"vm_id_s": "",
"asset_state_s": "enabled",
"alert_id_s": "orca-9375",
"score_d": 1,
"description_s": "Malware found on asset",
"details_s": "We have detected infected files on the asset.",
"recommendation_s": "Remediate the host and attend additional alerts on the host to close the infection path.",
"source_s": "test_eicar_file",
"alert_type_s": "malware",
"alert_labels_s": "malware_found",
"time_t": "2020-05-06T16:47:54.508Z",
"findings_s": {
"malware": {
"sha1": "3395856ce81f2b7382dee72602f798b642f14140",
"has_macro": false,
"file": "/test_eicar_file",
"sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
"virus_names": [
"EICAR-Test-File"
],
"type": "malware",
"modification_time": "2019-12-01T11:23:47+00:00",
"md5": "44d88612fea8a8f36de82e1278abb02f",
"labels": [
"malware_found"
]
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T21:15:51.198Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "vm_506464807365_i-0415c6bbba7c49bb3",
"asset_name_s": "Ubuntu_1204-ami-a10651cb",
"asset_type_s": "vm",
"cluster_name_s": "Ubuntu_1204-ami-a10651cb",
"cluster_type_s": "vm",
"vm_id_s": "i-0415c6bbba7c49bb3",
"asset_state_s": "running",
"alert_id_s": "orca-986",
"score_d": 3,
"description_s": "Host OS has reached end of support and does not get security patches",
"details_s": "The Installed operating system Ubuntu 12.04 has reached end of support since 2017-04-28 and does not get security patches. This leaves the system vulnerable to many security issues that can be exploited.",
"recommendation_s": "Please visit the vendor web site https://ubuntu.com/ and update the system to the latest version as soon as possible",
"source_s": "N/A",
"alert_type_s": "os_end_of_support",
"alert_labels_s": "",
"time_t": "2020-06-01T21:06:47Z",
"findings_s": {
"os_end_of_support": {
"type": "os_end_of_support",
"distro": "ubuntu",
"release": "12.04",
"distro_nice": "ubuntu",
"release_nice": "12.04",
"end_support": "28.04.2017"
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T21:15:51.198Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "iam_policy_506464807365_IAM_Policy",
"asset_name_s": "IAM_Policy",
"asset_type_s": "iam_policy",
"cluster_name_s": "IAM_Policy",
"cluster_type_s": "iam_policy",
"vm_id_s": "",
"asset_state_s": "enabled",
"alert_id_s": "orca-6345",
"score_d": 3,
"description_s": "MFA disabled for root user in AWS account acme-production",
"details_s": "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password.With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. The root account in the AWS account acme-production is configured with MFA disabled",
"recommendation_s": "It is recommended that MFA be enabled for the 'root' account.",
"source_s": "AWS Root account with MFA disabled",
"alert_type_s": "account_iam_policy",
"alert_labels_s": "",
"time_t": "2020-06-01T21:06:48Z",
"findings_s": {
"account_iam_policy": {
"type": "account_iam_policy",
"user": "<root_account>",
"arn": "arn:aws:iam::506464807365:root",
"mfa_active": false
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T21:15:51.198Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "iam_policy_506464807365_IAM_Policy",
"asset_name_s": "IAM_Policy",
"asset_type_s": "iam_policy",
"cluster_name_s": "IAM_Policy",
"cluster_type_s": "iam_policy",
"vm_id_s": "",
"asset_state_s": "enabled",
"alert_id_s": "orca-6343",
"score_d": 3,
"description_s": "Avoid the use of the \"root\" account",
"details_s": "The AWS root account has unlimited privileges within the AWS account, as such it is highly recommended to avoid its usage and refrain from sharing its credentials. For IAM best practices please see https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
"recommendation_s": "Avoid using the AWS root account, consider using IAM roles or per service IAM users",
"source_s": "AWS Root account recently used",
"alert_type_s": "account_iam_policy",
"alert_labels_s": "cis,cis_aws",
"time_t": "2020-06-01T21:06:48Z",
"findings_s": {
"account_iam_policy": {
"type": "account_iam_policy",
"cis_aws_version": "v1.2 05-23-2018",
"cis_aws_control": "1.1",
"user": "<root_account>",
"arn": "arn:aws:iam::506464807365:root",
"user_creation_time": "2019-06-23T10:57:24+00:00",
"password_last_used": "2020-05-12T05:38:31+00:00",
"cloudtrail_event_id": "b1353f9a-ab3f-45c4-a31b-0cad47849829",
"cloudtrail_event_source": "signin.amazonaws.com",
"cloudtrail_event_time": "2020-05-12T05:38:30+00:00",
"cloudtrail_source_ip": "89.139.126.35",
"cloudtrail_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36",
"cloudtrail_user_type": "Root"
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T21:15:51.198Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "s3bucket_506464807365_orca-demo-bucket-db",
"asset_name_s": "orca-demo-bucket-db",
"asset_type_s": "s3bucket",
"cluster_name_s": "orca-demo-bucket-db",
"cluster_type_s": "s3bucket",
"vm_id_s": "",
"asset_state_s": "enabled",
"alert_id_s": "orca-8790",
"score_d": 3,
"description_s": "Bucket is publicly accessible",
"details_s": "We have found that the bucket is publicly accessible and is not configured as a website",
"recommendation_s": "Block public access",
"source_s": "orca-demo-bucket-db",
"alert_type_s": "public_storage_bucket",
"alert_labels_s": "",
"time_t": "2020-06-01T21:07:01Z",
"findings_s": {
"acl": {
"type": "acl",
"description": "We found acl configuration on this bucket that grants public access to the bucket",
"details": "All Users found in ACL grantee.",
"public_acl": [
"{\"Grantee\": {\"Type\": \"Group\", \"URI\": \"http://acs.amazonaws.com/groups/global/AllUsers\"}, \"Permission\": \"READ\"}",
"{\"Grantee\": {\"Type\": \"Group\", \"URI\": \"http://acs.amazonaws.com/groups/global/AllUsers\"}, \"Permission\": \"READ_ACP\"}"
]
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T21:15:51.198Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "vm_506464807365_i-0fd34bb1230e101c1",
"asset_name_s": "DEV-RND",
"asset_type_s": "vm",
"cluster_name_s": "DEV-RND",
"cluster_type_s": "vm",
"vm_id_s": "i-0fd34bb1230e101c1",
"asset_state_s": "running",
"alert_id_s": "orca-873",
"score_d": 3,
"description_s": "Host OS has reached end of support and does not get security patches",
"details_s": "The Installed operating system Ubuntu 14.04 has reached end of support since 2019-04-30 and does not get security patches. This leaves the system vulnerable to many security issues that can be exploited. For more information please visit https://ubuntu.com/about/release-cycle",
"recommendation_s": "Please visit the vendor web site https://ubuntu.com/ and update the system to the latest version as soon as possible",
"source_s": "N/A",
"alert_type_s": "os_end_of_support",
"alert_labels_s": "",
"time_t": "2020-06-01T21:08:31Z",
"findings_s": {
"os_end_of_support": {
"type": "os_end_of_support",
"distro": "ubuntu",
"release": "14.04",
"distro_nice": "ubuntu",
"release_nice": "14.04",
"end_support": "30.04.2019"
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
},
{
"TenantId": "496cbb5d-087e-4281-8f48-d91e3fcbc23a",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2020-06-01T21:15:51.198Z",
"Computer": "",
"RawData": "",
"cloud_provider_id_s": 506464807365,
"asset_unique_id_s": "vm_506464807365_i-0fd34bb1230e101c1",
"asset_name_s": "DEV-RND",
"asset_type_s": "vm",
"cluster_name_s": "DEV-RND",
"cluster_type_s": "vm",
"vm_id_s": "i-0fd34bb1230e101c1",
"asset_state_s": "running",
"alert_id_s": "orca-780",
"score_d": 3,
"description_s": "Non corporate ssh keys were found",
"details_s": "The ssh authorized keys file contains the following non-corporate account keys: 'willy@yahoo.com', 'john@gmail.com'",
"recommendation_s": "Remove the non-corporate users from the asset",
"source_s": "N/A",
"alert_type_s": "non_corporate_auth_key",
"alert_labels_s": "internet_facing_service",
"time_t": "2020-06-01T21:08:31Z",
"findings_s": {
"non_corporate_auth_key": {
"type": "non_corporate_auth_key",
"file": "/home/ubuntu/.ssh/authorized_keys",
"keys": [
"willy@yahoo.com",
"john@gmail.com"
],
"description": "The ssh authorized keys file contains the following non-corporate account keys: 'willy@yahoo.com', 'john@gmail.com'"
}
},
"asset_name_g": "",
"vm_id_g": "",
"Type": "OrcaAlerts_CL",
"_ResourceId": ""
}
]