v-sabiraj 2023-11-08 14:53:35 +05:30
Родитель 534e84026c
Коммит 2daba6b949
7 изменённых файлов: 108 добавлений и 755 удалений

Solutions/GitHub/Package/3.0.2.zip



@ -225,13 +225,13 @@
"parserContentId3": "GitHubDependabotData-Parser",
"_parserContentId3": "[variables('parserContentId3')]",
"_parsercontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId3'),'-', variables('parserVersion3'))))]",
"parserName4": "GithubSecretScanningData",
"parserName4": "GitHubSecretScanningData",
"_parserName4": "[concat(parameters('workspace'),'/',variables('parserName4'))]",
"parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName4'))]",
"_parserId4": "[variables('parserId4')]",
"parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId4'))))]",
"parserVersion4": "1.0.0",
"parserContentId4": "GithubSecretScanningData-Parser",
"parserContentId4": "GitHubSecretScanningData-Parser",
"_parserContentId4": "[variables('parserContentId4')]",
"_parsercontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId4'),'-', variables('parserVersion4'))))]",
"uiConfigId1": "GitHubEcAuditLogPolling",
@ -475,13 +475,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -572,13 +572,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -669,13 +669,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -766,13 +766,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -863,13 +863,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -960,13 +960,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1057,13 +1057,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1154,13 +1154,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1251,13 +1251,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1348,13 +1348,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1445,13 +1445,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1542,13 +1542,13 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
}
]
}
@ -1635,22 +1635,22 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
@ -2480,16 +2480,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GitHubAuditData",
"category": "Samples",
"displayName": "Parser for GitHubAuditData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubAuditData",
"query": "\n\r\n\r\nGitHubAuditLogPolling_CL\r\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\r\n Organization=columnifexists('org_s', \"\"),\r\n Action=action_s,\r\n Repository=columnifexists('repo_s',\"\"),\r\n Actor=columnifexists('actor_s', \"\"),\r\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\r\n ImpactedUser=columnifexists('user_s', \"\"),\r\n InvitedUserPermission=columnifexists('permission_s', \"\"),\r\n Visibility=columnifexists('visibility_s', \"\"),\r\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\r\n CurrentPermission=columnifexists('permission_s', \"\"),\r\n PreviousPermission=columnifexists('old_permission_s', \"\"),\r\n TeamName=columnifexists('team_s', \"\"),\r\n BlockedUser=columnifexists('blocked_user_s', \"\")\r\n\r\n\r\n\r\n",
"query": "GitHubAuditLogPolling_CL\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\n Organization=columnifexists('org_s', \"\"),\n Action=action_s,\n Repository=columnifexists('repo_s',\"\"),\n Actor=columnifexists('actor_s', \"\"),\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\n ImpactedUser=columnifexists('user_s', \"\"),\n InvitedUserPermission=columnifexists('permission_s', \"\"),\n Visibility=columnifexists('visibility_s', \"\"),\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\n CurrentPermission=columnifexists('permission_s', \"\"),\n PreviousPermission=columnifexists('old_permission_s', \"\"),\n TeamName=columnifexists('team_s', \"\"),\n BlockedUser=columnifexists('blocked_user_s', \"\")\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GitHubAuditData"
"value": ""
}
]
}
@ -2532,7 +2532,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_parserContentId1')]",
"contentKind": "Parser",
"displayName": "GitHubAuditData",
"displayName": "Parser for GitHubAuditData",
"contentProductId": "[variables('_parsercontentProductId1')]",
"id": "[variables('_parsercontentProductId1')]",
"version": "[variables('parserVersion1')]"
@ -2545,16 +2545,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GitHubAuditData",
"category": "Samples",
"displayName": "Parser for GitHubAuditData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubAuditData",
"query": "\n\r\n\r\nGitHubAuditLogPolling_CL\r\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\r\n Organization=columnifexists('org_s', \"\"),\r\n Action=action_s,\r\n Repository=columnifexists('repo_s',\"\"),\r\n Actor=columnifexists('actor_s', \"\"),\r\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\r\n ImpactedUser=columnifexists('user_s', \"\"),\r\n InvitedUserPermission=columnifexists('permission_s', \"\"),\r\n Visibility=columnifexists('visibility_s', \"\"),\r\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\r\n CurrentPermission=columnifexists('permission_s', \"\"),\r\n PreviousPermission=columnifexists('old_permission_s', \"\"),\r\n TeamName=columnifexists('team_s', \"\"),\r\n BlockedUser=columnifexists('blocked_user_s', \"\")\r\n\r\n\r\n\r\n",
"query": "GitHubAuditLogPolling_CL\n| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\n Organization=columnifexists('org_s', \"\"),\n Action=action_s,\n Repository=columnifexists('repo_s',\"\"),\n Actor=columnifexists('actor_s', \"\"),\n\tCountry=columnifexists('actor_location_country_code_s', \"\"),\n ImpactedUser=columnifexists('user_s', \"\"),\n InvitedUserPermission=columnifexists('permission_s', \"\"),\n Visibility=columnifexists('visibility_s', \"\"),\n PreviousVisibility=columnifexists('previous_visibility_s', \"\"),\n CurrentPermission=columnifexists('permission_s', \"\"),\n PreviousPermission=columnifexists('old_permission_s', \"\"),\n TeamName=columnifexists('team_s', \"\"),\n BlockedUser=columnifexists('blocked_user_s', \"\")\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GitHubAuditData"
"value": ""
}
]
}
@ -2612,16 +2612,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GitHubCodeScanningData",
"category": "Samples",
"displayName": "Parser for GitHubCodeScanningData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubCodeScanningData",
"query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\r\n| extend EventType='CodeScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\r\n alertdescription = alert.rule.description,\r\n toolname = alert.tool.name,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url,\r\n orglogin = organization.login,\r\n orgurl = organization.url,\r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertdescription,\r\n alertcreatedate,\r\n commit_oid,\r\n toolname,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n orglogin,\r\n orgurl,\r\n senderlogin,\r\n sendertype \r\n",
"query": "githubscanaudit_CL \n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\n| extend EventType='CodeScanningAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\n alertdescription = alert.rule.description,\n toolname = alert.tool.name,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url,\n orglogin = organization.login,\n orgurl = organization.url,\n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertdescription,\n alertcreatedate,\n commit_oid,\n toolname,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n orglogin,\n orgurl,\n senderlogin,\n sendertype\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GitHubCodeScanningData"
"value": ""
}
]
}
@ -2664,7 +2664,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_parserContentId2')]",
"contentKind": "Parser",
"displayName": "GitHubCodeScanningData",
"displayName": "Parser for GitHubCodeScanningData",
"contentProductId": "[variables('_parsercontentProductId2')]",
"id": "[variables('_parsercontentProductId2')]",
"version": "[variables('parserVersion2')]"
@ -2677,16 +2677,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GitHubCodeScanningData",
"category": "Samples",
"displayName": "Parser for GitHubCodeScanningData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubCodeScanningData",
"query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\r\n| extend EventType='CodeScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\r\n alertdescription = alert.rule.description,\r\n toolname = alert.tool.name,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url,\r\n orglogin = organization.login,\r\n orgurl = organization.url,\r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertdescription,\r\n alertcreatedate,\r\n commit_oid,\r\n toolname,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n orglogin,\r\n orgurl,\r\n senderlogin,\r\n sendertype \r\n",
"query": "githubscanaudit_CL \n| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)\n| extend EventType='CodeScanningAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,\n alertdescription = alert.rule.description,\n toolname = alert.tool.name,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url,\n orglogin = organization.login,\n orgurl = organization.url,\n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertdescription,\n alertcreatedate,\n commit_oid,\n toolname,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n orglogin,\n orgurl,\n senderlogin,\n sendertype\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GitHubCodeScanningData"
"value": ""
}
]
}
@ -2744,16 +2744,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GitHubDependabotData",
"category": "Samples",
"displayName": "Parser for GitHubDependabotData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubDependabotData",
"query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('create', 'dismiss', 'resolve')\r\n| extend EventType='RepositoryVulnerabilityAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \r\n alertexternalidentifier= alert.external_identifier, \r\n alertghsaid = alert.ghsa_id,\r\n alertseverity = alert.severity,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertexternalidentifier)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertexternalidentifier,\r\n alertghsaid,\r\n alertcreatedate,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n",
"query": "githubscanaudit_CL \n| where action_s in ('create', 'dismiss', 'resolve')\n| extend EventType='RepositoryVulnerabilityAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \n alertexternalidentifier= alert.external_identifier, \n alertghsaid = alert.ghsa_id,\n alertseverity = alert.severity,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url, \n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| where isnotempty(alertexternalidentifier)\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertexternalidentifier,\n alertghsaid,\n alertcreatedate,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n senderlogin,\n sendertype\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GitHubDependabotData"
"value": ""
}
]
}
@ -2796,7 +2796,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_parserContentId3')]",
"contentKind": "Parser",
"displayName": "GitHubDependabotData",
"displayName": "Parser for GitHubDependabotData",
"contentProductId": "[variables('_parsercontentProductId3')]",
"id": "[variables('_parsercontentProductId3')]",
"version": "[variables('parserVersion3')]"
@ -2809,16 +2809,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GitHubDependabotData",
"category": "Samples",
"displayName": "Parser for GitHubDependabotData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubDependabotData",
"query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('create', 'dismiss', 'resolve')\r\n| extend EventType='RepositoryVulnerabilityAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \r\n alertexternalidentifier= alert.external_identifier, \r\n alertghsaid = alert.ghsa_id,\r\n alertseverity = alert.severity,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertexternalidentifier)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertexternalidentifier,\r\n alertghsaid,\r\n alertcreatedate,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n",
"query": "githubscanaudit_CL \n| where action_s in ('create', 'dismiss', 'resolve')\n| extend EventType='RepositoryVulnerabilityAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range, \n alertexternalidentifier= alert.external_identifier, \n alertghsaid = alert.ghsa_id,\n alertseverity = alert.severity,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url, \n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| where isnotempty(alertexternalidentifier)\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertexternalidentifier,\n alertghsaid,\n alertcreatedate,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n senderlogin,\n sendertype\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GitHubDependabotData"
"value": ""
}
]
}
@ -2876,16 +2876,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GithubSecretScanningData",
"category": "Samples",
"functionAlias": "GithubSecretScanningData",
"query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'resolved', 'reopened')\r\n| extend EventType='SecretScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend \r\n alertSecretType = alert.secret_type,\r\n alertnumber = alert.number,\r\n alertresolution = alert.resolution,\r\n alertresolvedby = alert.resolved_by,\r\n alertresolvedat = alert.resolved_at,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertSecretType)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertSecretType,\r\n alertnumber,\r\n alertresolution,\r\n alertresolvedby,\r\n alertresolvedat,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"displayName": "Parser for GitHubSecretScanningData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubSecretScanningData",
"query": "githubscanaudit_CL \n| where action_s in ('created', 'resolved', 'reopened')\n| extend EventType='SecretScanningAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend \n alertSecretType = alert.secret_type,\n alertnumber = alert.number,\n alertresolution = alert.resolution,\n alertresolvedby = alert.resolved_by,\n alertresolvedat = alert.resolved_at,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url, \n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| where isnotempty(alertSecretType)\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertSecretType,\n alertnumber,\n alertresolution,\n alertresolvedby,\n alertresolvedat,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n senderlogin,\n sendertype\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GithubSecretScanningData"
"value": ""
}
]
}
@ -2928,7 +2928,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_parserContentId4')]",
"contentKind": "Parser",
"displayName": "GithubSecretScanningData",
"displayName": "Parser for GitHubSecretScanningData",
"contentProductId": "[variables('_parsercontentProductId4')]",
"id": "[variables('_parsercontentProductId4')]",
"version": "[variables('parserVersion4')]"
@ -2941,16 +2941,16 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "GithubSecretScanningData",
"category": "Samples",
"functionAlias": "GithubSecretScanningData",
"query": "\n\r\ngithubscanaudit_CL \r\n| where action_s in ('created', 'resolved', 'reopened')\r\n| extend EventType='SecretScanningAlert'\r\n| extend alert = todynamic(alert_s),\r\n organization = todynamic(organization_s),\r\n repository = todynamic(repository_s),\r\n sender = todynamic(sender_s) \r\n| extend \r\n alertSecretType = alert.secret_type,\r\n alertnumber = alert.number,\r\n alertresolution = alert.resolution,\r\n alertresolvedby = alert.resolved_by,\r\n alertresolvedat = alert.resolved_at,\r\n repositoryfullname = repository.full_name,\r\n repositoryOwnerlogin = repository.owner.login,\r\n repositoryurl = repository.url, \r\n senderlogin = sender.login,\r\n sendertype = sender.type,\r\n action=action_s\r\n| where isnotempty(alertSecretType)\r\n| project-keep\r\n TimeGenerated,\r\n EventType,\r\n action,\r\n alertSecretType,\r\n alertnumber,\r\n alertresolution,\r\n alertresolvedby,\r\n alertresolvedat,\r\n repositoryfullname,\r\n repositoryOwnerlogin,\r\n repositoryurl,\r\n senderlogin,\r\n sendertype \r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"displayName": "Parser for GitHubSecretScanningData",
"category": "Microsoft Sentinel Parser",
"functionAlias": "GitHubSecretScanningData",
"query": "githubscanaudit_CL \n| where action_s in ('created', 'resolved', 'reopened')\n| extend EventType='SecretScanningAlert'\n| extend alert = todynamic(alert_s),\n organization = todynamic(organization_s),\n repository = todynamic(repository_s),\n sender = todynamic(sender_s) \n| extend \n alertSecretType = alert.secret_type,\n alertnumber = alert.number,\n alertresolution = alert.resolution,\n alertresolvedby = alert.resolved_by,\n alertresolvedat = alert.resolved_at,\n repositoryfullname = repository.full_name,\n repositoryOwnerlogin = repository.owner.login,\n repositoryurl = repository.url, \n senderlogin = sender.login,\n sendertype = sender.type,\n action=action_s\n| where isnotempty(alertSecretType)\n| project-keep\n TimeGenerated,\n EventType,\n action,\n alertSecretType,\n alertnumber,\n alertresolution,\n alertresolvedby,\n alertresolvedat,\n repositoryfullname,\n repositoryOwnerlogin,\n repositoryurl,\n senderlogin,\n sendertype\n",
"functionParameters": "",
"version": 1,
"version": 2,
"tags": [
{
"name": "description",
"value": "GithubSecretScanningData"
"value": ""
}
]
}
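Review bot: Every parser resource in the hunks from `@ -2480` onward sets the `description` tag to `"value": ""`, so the deployed functions lose the only human-readable description they carried; keep a short one such as `"value": "Parser for GitHubAuditData"` (matching the new displayName) rather than an empty string. In the `@ -2876` and `@ -2941` hunks the secret-scanning alias is renamed from `GithubSecretScanningData` to `GitHubSecretScanningData` and `parserContentId4` changes accordingly in the variables hunk, yet `parserVersion4` stays `"1.0.0"` while the function's `version` property goes from 1 to 2; the content metadata version should probably be bumped as well so the change is reflected in the derived `_parsercontentProductId4`. If anything outside this template still references the old alias `GithubSecretScanningData`, it will no longer resolve after this rename — worth confirming against the other artifacts in the solution before release.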


@ -1,27 +0,0 @@
// GitHub Enterprise Audit Entry Data Parser
// Last Updated Date: Feb 16, 2022
//
//This parser parses GitHub Enterprise Audit and extract the infromation from their various components. It is assumed that you are using officially supported Github connector (installed from Content hub)
//
// Parser Notes:
// 1. This parser assumes logs are collected into a custom log table entitled GitHubAuditLogPolling_CL
GitHubAuditLogPolling_CL
| project TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),
Organization=columnifexists('org_s', ""),
Action=action_s,
Repository=columnifexists('repo_s',""),
Actor=columnifexists('actor_s', ""),
Country=columnifexists('actor_location_country_code_s', ""),
ImpactedUser=columnifexists('user_s', ""),
InvitedUserPermission=columnifexists('permission_s', ""),
Visibility=columnifexists('visibility_s', ""),
PreviousVisibility=columnifexists('previous_visibility_s', ""),
CurrentPermission=columnifexists('permission_s', ""),
PreviousPermission=columnifexists('old_permission_s', ""),
TeamName=columnifexists('team_s', ""),
BlockedUser=columnifexists('blocked_user_s', "")


@ -1,221 +0,0 @@
// Title: Github Code Scanning alerts
// Author: Prathibha Tadikamalla
// Version: 1.0
// Last Updated: 23/06/2022
// Comment: Initial Release
//
// DESCRIPTION:
//This parser receives the code scanning alerts from github webhook connector and parses these alters into a normalized schema. It is assumed that you are using officially supported Github webhook connector (installed from Content hub)
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
// It is recommended to name the Function Alias, as GithubCodeScanEvents
// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// LOG SAMPLES:
// This parser assumes the raw log are formatted as follows:
// {
// "action": "reopened",
// "alert": {
// "number": 10,
// "created_at": "2020-07-22T14:06:31Z",
// "updated_at": "2020-07-22T14:06:31Z",
// "url": "https://api.github.com/repos/Codertocat/Hello-World/code-scanning/alerts/10",
// "html_url": "https://github.com/Codertocat/Hello-World/security/code-scanning/10",
// "instances": [
// {
// "ref": "refs/heads/main",
// "analysis_key": ".github/workflows/workflow.yml:upload",
// "environment": "{}",
// "state": "open"
// }
// ],
// "state": "open",
// "fixed_at": null,
// "dismissed_by": null,
// "dismissed_at": null,
// "dismissed_reason": null,
// "rule": {
// "id": "Style/FrozenStringLiteralComment",
// "severity": "note",
// "description": "Add the frozen_string_literal comment to the top of files to help transition to frozen string literals by default.",
// "full_description": "Add the frozen_string_literal comment to the top of files to help transition to frozen string literals by default.",
// "tags": [
// "style"
// ],
// "help": "Enabled by default | Safe `never`\n\n"
// },
// "tool": {
// "name": "Rubocop",
// "version": null
// }
// },
// "ref": "refs/heads/main",
// "commit_oid": "d6e4c75c141dbacecc279b721b8b9393d5405795",
// "repository": {
// "id": 186853002,
// "node_id": "MDEwOlJlcG9zaXRvcnkxODY4NTMwMDI=",
// "name": "Hello-World",
// "full_name": "Codertocat/Hello-World",
// "private": false,
// "owner": {
// "login": "Codertocat",
// "id": 21031067,
// "node_id": "MDQ6VXNlcjIxMDMxMDY3",
// "avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/Codertocat",
// "html_url": "https://github.com/Codertocat",
// "followers_url": "https://api.github.com/users/Codertocat/followers",
// "following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
// "gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
// "organizations_url": "https://api.github.com/users/Codertocat/orgs",
// "repos_url": "https://api.github.com/users/Codertocat/repos",
// "events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
// "received_events_url": "https://api.github.com/users/Codertocat/received_events",
// "type": "User",
// "site_admin": false
// },
// "html_url": "https://github.com/Codertocat/Hello-World",
// "description": null,
// "fork": false,
// "url": "https://api.github.com/repos/Codertocat/Hello-World",
// "forks_url": "https://api.github.com/repos/Codertocat/Hello-World/forks",
// "keys_url": "https://api.github.com/repos/Codertocat/Hello-World/keys{/key_id}",
// "collaborators_url": "https://api.github.com/repos/Codertocat/Hello-World/collaborators{/collaborator}",
// "teams_url": "https://api.github.com/repos/Codertocat/Hello-World/teams",
// "hooks_url": "https://api.github.com/repos/Codertocat/Hello-World/hooks",
// "issue_events_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/events{/number}",
// "events_url": "https://api.github.com/repos/Codertocat/Hello-World/events",
// "assignees_url": "https://api.github.com/repos/Codertocat/Hello-World/assignees{/user}",
// "branches_url": "https://api.github.com/repos/Codertocat/Hello-World/branches{/branch}",
// "tags_url": "https://api.github.com/repos/Codertocat/Hello-World/tags",
// "blobs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/blobs{/sha}",
// "git_tags_url": "https://api.github.com/repos/Codertocat/Hello-World/git/tags{/sha}",
// "git_refs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/refs{/sha}",
// "trees_url": "https://api.github.com/repos/Codertocat/Hello-World/git/trees{/sha}",
// "statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/{sha}",
// "languages_url": "https://api.github.com/repos/Codertocat/Hello-World/languages",
// "stargazers_url": "https://api.github.com/repos/Codertocat/Hello-World/stargazers",
// "contributors_url": "https://api.github.com/repos/Codertocat/Hello-World/contributors",
// "subscribers_url": "https://api.github.com/repos/Codertocat/Hello-World/subscribers",
// "subscription_url": "https://api.github.com/repos/Codertocat/Hello-World/subscription",
// "commits_url": "https://api.github.com/repos/Codertocat/Hello-World/commits{/sha}",
// "git_commits_url": "https://api.github.com/repos/Codertocat/Hello-World/git/commits{/sha}",
// "comments_url": "https://api.github.com/repos/Codertocat/Hello-World/comments{/number}",
// "issue_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/comments{/number}",
// "contents_url": "https://api.github.com/repos/Codertocat/Hello-World/contents/{+path}",
// "compare_url": "https://api.github.com/repos/Codertocat/Hello-World/compare/{base}...{head}",
// "merges_url": "https://api.github.com/repos/Codertocat/Hello-World/merges",
// "archive_url": "https://api.github.com/repos/Codertocat/Hello-World/{archive_format}{/ref}",
// "downloads_url": "https://api.github.com/repos/Codertocat/Hello-World/downloads",
// "issues_url": "https://api.github.com/repos/Codertocat/Hello-World/issues{/number}",
// "pulls_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls{/number}",
// "milestones_url": "https://api.github.com/repos/Codertocat/Hello-World/milestones{/number}",
// "notifications_url": "https://api.github.com/repos/Codertocat/Hello-World/notifications{?since,all,participating}",
// "labels_url": "https://api.github.com/repos/Codertocat/Hello-World/labels{/name}",
// "releases_url": "https://api.github.com/repos/Codertocat/Hello-World/releases{/id}",
// "deployments_url": "https://api.github.com/repos/Codertocat/Hello-World/deployments",
// "created_at": "2019-05-15T15:19:25Z",
// "updated_at": "2019-05-15T15:19:27Z",
// "pushed_at": "2019-05-15T15:20:32Z",
// "git_url": "git://github.com/Codertocat/Hello-World.git",
// "ssh_url": "git@github.com:Codertocat/Hello-World.git",
// "clone_url": "https://github.com/Codertocat/Hello-World.git",
// "svn_url": "https://github.com/Codertocat/Hello-World",
// "homepage": null,
// "size": 0,
// "stargazers_count": 0,
// "watchers_count": 0,
// "language": null,
// "has_issues": true,
// "has_projects": true,
// "has_downloads": true,
// "has_wiki": true,
// "has_pages": true,
// "forks_count": 0,
// "mirror_url": null,
// "archived": false,
// "disabled": false,
// "open_issues_count": 2,
// "license": null,
// "forks": 0,
// "open_issues": 2,
// "watchers": 0,
// "default_branch": "main"
// },
// "organization": {
// "login": "Octocoders",
// "id": 6,
// "node_id": "MDEyOk9yZ2FuaXphdGlvbjY=",
// "url": "https://api.github.com/orgs/Octocoders",
// "repos_url": "https://api.github.com/orgs/Octocoders/repos",
// "events_url": "https://api.github.com/orgs/Octocoders/events",
// "hooks_url": "https://api.github.com/orgs/Octocoders/hooks",
// "issues_url": "https://api.github.com/orgs/Octocoders/issues",
// "members_url": "https://api.github.com/orgs/Octocoders/members{/member}",
// "public_members_url": "https://api.github.com/orgs/Octocoders/public_members{/member}",
// "avatar_url": "https://avatars0.githubusercontent.com/u/6?",
// "description": ""
// },
// "sender": {
// "login": "github",
// "id": 9919,
// "node_id": "MDEyOk9yZ2FuaXphdGlvbjk5MTk=",
// "avatar_url": "https://avatars.githubusercontent.com/u/9919?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/github",
// "html_url": "https://github.com/github",
// "followers_url": "https://api.github.com/users/github/followers",
// "following_url": "https://api.github.com/users/github/following{/other_user}",
// "gists_url": "https://api.github.com/users/github/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/github/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/github/subscriptions",
// "organizations_url": "https://api.github.com/users/github/orgs",
// "repos_url": "https://api.github.com/users/github/repos",
// "events_url": "https://api.github.com/users/github/events{/privacy}",
// "received_events_url": "https://api.github.com/users/github/received_events",
// "type": "Organization",
// "site_admin": false
// }
// }
githubscanaudit_CL
| where action_s in ('created', 'reopened_by_user', 'closed_by_user', 'fixed', 'appeared_in_branch', 'reopened') and isnotempty(commit_oid_s)
| extend EventType='CodeScanningAlert'
| extend alert = todynamic(alert_s),
organization = todynamic(organization_s),
repository = todynamic(repository_s),
sender = todynamic(sender_s)
| extend alertcreatedate = alert.created_at, url = alert.url, commit_oid = commit_oid_s,
alertdescription = alert.rule.description,
toolname = alert.tool.name,
repositoryfullname = repository.full_name,
repositoryOwnerlogin = repository.owner.login,
repositoryurl = repository.url,
orglogin = organization.login,
orgurl = organization.url,
senderlogin = sender.login,
sendertype = sender.type,
action=action_s
| project-keep
TimeGenerated,
EventType,
action,
alertdescription,
alertcreatedate,
commit_oid,
toolname,
repositoryfullname,
repositoryOwnerlogin,
repositoryurl,
orglogin,
orgurl,
senderlogin,
sendertype


@ -1,179 +0,0 @@
// Title: Github Repository vulnerability alerts
// Author: Prathibha Tadikamalla
// Version: 1.0
// Last Updated: 23/06/2022
// Comment: Initial Release
//
// DESCRIPTION:
//This parser receives the repository vulnerability scanning alerts from github webhook connector and parses these alters into a normalized schema. It is assumed that you are using officially supported Github webhook connector (installed from Content hub)
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
// It is recommended to name the Function Alias, as GithubRepoVulnerabilityEvents
// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// LOG SAMPLES:
// This parser assumes the raw log are formatted as follows:
// {
// "action": "create",
// "alert": {
// "id": 91095730,
// "affected_range": ">= 2.0.4, < 2.0.6",
// "affected_package_name": "rack",
// "fixed_in": "2.0.6",
// "external_reference": "https://nvd.nist.gov/vuln/detail/CVE-2018-16470",
// "external_identifier": "CVE-2018-16470",
// "severity": "moderate",
// "ghsa_id": "GHSA-hg78-4f6x-99wq",
// "created_at": "2021-03-01T01:23:45Z"
// },
// "repository": {
// "id": 186853002,
// "node_id": "MDEwOlJlcG9zaXRvcnkxODY4NTMwMDI=",
// "name": "Hello-World",
// "full_name": "Codertocat/Hello-World",
// "private": false,
// "owner": {
// "login": "Codertocat",
// "id": 21031067,
// "node_id": "MDQ6VXNlcjIxMDMxMDY3",
// "avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/Codertocat",
// "html_url": "https://github.com/Codertocat",
// "followers_url": "https://api.github.com/users/Codertocat/followers",
// "following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
// "gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
// "organizations_url": "https://api.github.com/users/Codertocat/orgs",
// "repos_url": "https://api.github.com/users/Codertocat/repos",
// "events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
// "received_events_url": "https://api.github.com/users/Codertocat/received_events",
// "type": "User",
// "site_admin": false
// },
// "html_url": "https://github.com/Codertocat/Hello-World",
// "description": null,
// "fork": false,
// "url": "https://api.github.com/repos/Codertocat/Hello-World",
// "forks_url": "https://api.github.com/repos/Codertocat/Hello-World/forks",
// "keys_url": "https://api.github.com/repos/Codertocat/Hello-World/keys{/key_id}",
// "collaborators_url": "https://api.github.com/repos/Codertocat/Hello-World/collaborators{/collaborator}",
// "teams_url": "https://api.github.com/repos/Codertocat/Hello-World/teams",
// "hooks_url": "https://api.github.com/repos/Codertocat/Hello-World/hooks",
// "issue_events_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/events{/number}",
// "events_url": "https://api.github.com/repos/Codertocat/Hello-World/events",
// "assignees_url": "https://api.github.com/repos/Codertocat/Hello-World/assignees{/user}",
// "branches_url": "https://api.github.com/repos/Codertocat/Hello-World/branches{/branch}",
// "tags_url": "https://api.github.com/repos/Codertocat/Hello-World/tags",
// "blobs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/blobs{/sha}",
// "git_tags_url": "https://api.github.com/repos/Codertocat/Hello-World/git/tags{/sha}",
// "git_refs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/refs{/sha}",
// "trees_url": "https://api.github.com/repos/Codertocat/Hello-World/git/trees{/sha}",
// "statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/{sha}",
// "languages_url": "https://api.github.com/repos/Codertocat/Hello-World/languages",
// "stargazers_url": "https://api.github.com/repos/Codertocat/Hello-World/stargazers",
// "contributors_url": "https://api.github.com/repos/Codertocat/Hello-World/contributors",
// "subscribers_url": "https://api.github.com/repos/Codertocat/Hello-World/subscribers",
// "subscription_url": "https://api.github.com/repos/Codertocat/Hello-World/subscription",
// "commits_url": "https://api.github.com/repos/Codertocat/Hello-World/commits{/sha}",
// "git_commits_url": "https://api.github.com/repos/Codertocat/Hello-World/git/commits{/sha}",
// "comments_url": "https://api.github.com/repos/Codertocat/Hello-World/comments{/number}",
// "issue_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/comments{/number}",
// "contents_url": "https://api.github.com/repos/Codertocat/Hello-World/contents/{+path}",
// "compare_url": "https://api.github.com/repos/Codertocat/Hello-World/compare/{base}...{head}",
// "merges_url": "https://api.github.com/repos/Codertocat/Hello-World/merges",
// "archive_url": "https://api.github.com/repos/Codertocat/Hello-World/{archive_format}{/ref}",
// "downloads_url": "https://api.github.com/repos/Codertocat/Hello-World/downloads",
// "issues_url": "https://api.github.com/repos/Codertocat/Hello-World/issues{/number}",
// "pulls_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls{/number}",
// "milestones_url": "https://api.github.com/repos/Codertocat/Hello-World/milestones{/number}",
// "notifications_url": "https://api.github.com/repos/Codertocat/Hello-World/notifications{?since,all,participating}",
// "labels_url": "https://api.github.com/repos/Codertocat/Hello-World/labels{/name}",
// "releases_url": "https://api.github.com/repos/Codertocat/Hello-World/releases{/id}",
// "deployments_url": "https://api.github.com/repos/Codertocat/Hello-World/deployments",
// "created_at": "2019-05-15T15:19:25Z",
// "updated_at": "2019-05-15T15:19:27Z",
// "pushed_at": "2019-05-15T15:20:32Z",
// "git_url": "git://github.com/Codertocat/Hello-World.git",
// "ssh_url": "git@github.com:Codertocat/Hello-World.git",
// "clone_url": "https://github.com/Codertocat/Hello-World.git",
// "svn_url": "https://github.com/Codertocat/Hello-World",
// "homepage": null,
// "size": 0,
// "stargazers_count": 0,
// "watchers_count": 0,
// "language": null,
// "has_issues": true,
// "has_projects": true,
// "has_downloads": true,
// "has_wiki": true,
// "has_pages": true,
// "forks_count": 0,
// "mirror_url": null,
// "archived": false,
// "disabled": false,
// "open_issues_count": 2,
// "license": null,
// "forks": 0,
// "open_issues": 2,
// "watchers": 0,
// "default_branch": "master"
// },
// "sender": {
// "login": "github",
// "id": 9919,
// "node_id": "MDEyOk9yZ2FuaXphdGlvbjk5MTk=",
// "avatar_url": "https://avatars1.githubusercontent.com/u/9919?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/github",
// "html_url": "https://github.com/github",
// "followers_url": "https://api.github.com/users/github/followers",
// "following_url": "https://api.github.com/users/github/following{/other_user}",
// "gists_url": "https://api.github.com/users/github/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/github/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/github/subscriptions",
// "organizations_url": "https://api.github.com/users/github/orgs",
// "repos_url": "https://api.github.com/users/github/repos",
// "events_url": "https://api.github.com/users/github/events{/privacy}",
// "received_events_url": "https://api.github.com/users/github/received_events",
// "type": "Organization",
// "site_admin": false
// }
githubscanaudit_CL
| where action_s in ('create', 'dismiss', 'resolve')
| extend EventType='RepositoryVulnerabilityAlert'
| extend alert = todynamic(alert_s),
organization = todynamic(organization_s),
repository = todynamic(repository_s),
sender = todynamic(sender_s)
| extend alertcreatedate = alert.created_at, alertaffectedrange = alert.affected_range,
alertexternalidentifier= alert.external_identifier,
alertghsaid = alert.ghsa_id,
alertseverity = alert.severity,
repositoryfullname = repository.full_name,
repositoryOwnerlogin = repository.owner.login,
repositoryurl = repository.url,
senderlogin = sender.login,
sendertype = sender.type,
action=action_s
| where isnotempty(alertexternalidentifier)
| project-keep
TimeGenerated,
EventType,
action,
alertexternalidentifier,
alertghsaid,
alertcreatedate,
repositoryfullname,
repositoryOwnerlogin,
repositoryurl,
senderlogin,
sendertype


@ -1,220 +0,0 @@
// Title: Github Secret Scanning alerts
// Author: Prathibha Tadikamalla
// Version: 1.0
// Last Updated: 23/06/2022
// Comment: Initial Release
//
// DESCRIPTION:
//This parser receives the secret scanning alerts from github webhook connector and parses these alters into a normalized schema. It is assumed that you are using officially supported Github webhook connector (installed from Content hub)
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter a Function Name.
// It is recommended to name the Function Alias, as GithubSecretScanEvents
// 3. Kusto Functions can typically take up to 15 minutes to activate. You can then use Function Alias for other queries.
//
// REFERENCES:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// LOG SAMPLES:
// This parser assumes the raw log are formatted as follows:
// {
// "action": "reopened",
// "alert": {
// "number": 191,
// "secret_type": "adafruit_io_key",
// "resolution": null,
// "resolved_by": null,
// "resolved_at": null,
// "push_protection_bypassed": true,
// "push_protection_bypassed_by": {
// "login": "octocat",
// "id": 81782111,
// "node_id": "MDQ6VXNlcjgxNgyMTEx",
// "avatar_url": "https://avatars.githubusercontent.com/u/583231?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/octocat",
// "html_url": "https://github.com/octocat",
// "followers_url": "https://api.github.com/users/octocat/followers",
// "following_url": "https://api.github.com/users/octocat/following{/other_user}",
// "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
// "organizations_url": "https://api.github.com/users/octocat/orgs",
// "repos_url": "https://api.github.com/users/octocat/repos",
// "events_url": "https://api.github.com/users/octocat/events{/privacy}",
// "received_events_url": "https://api.github.com/users/octocat/received_events",
// "type": "User",
// "site_admin": true
// },
// "push_protection_bypassed_at": "2022-04-25T23:10:19Z"
// },
// "repository": {
// "id": 257423561,
// "node_id": "MDEwOlJlcG9zaXRvcnkyNTc0MjM1NjE=",
// "name": "Hello-World",
// "full_name": "Codertocat/Hello-World",
// "private": true,
// "owner": {
// "login": "Codertocat",
// "id": 30846345,
// "node_id": "MDEyOk9yZ2FuaXphdGlvbjMwODQ2MzQ1",
// "avatar_url": "https://avatars0.githubusercontent.com/u/30846345?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/Codertocat",
// "html_url": "https://github.com/Codertocat",
// "followers_url": "https://api.github.com/users/Codertocat/followers",
// "following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
// "gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
// "organizations_url": "https://api.github.com/users/Codertocat/orgs",
// "repos_url": "https://api.github.com/users/Codertocat/repos",
// "events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
// "received_events_url": "https://api.github.com/users/Codertocat/received_events",
// "type": "Organization",
// "site_admin": false
// },
// "html_url": "https://github.com/Codertocat/Hello-World",
// "description": null,
// "fork": false,
// "url": "https://api.github.com/repos/Codertocat/Hello-World",
// "forks_url": "https://api.github.com/repos/Codertocat/Hello-World/forks",
// "keys_url": "https://api.github.com/repos/Codertocat/Hello-World/keys{/key_id}",
// "collaborators_url": "https://api.github.com/repos/Codertocat/Hello-World/collaborators{/collaborator}",
// "teams_url": "https://api.github.com/repos/Codertocat/Hello-World/teams",
// "hooks_url": "https://api.github.com/repos/Codertocat/Hello-World/hooks",
// "issue_events_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/events{/number}",
// "events_url": "https://api.github.com/repos/Codertocat/Hello-World/events",
// "assignees_url": "https://api.github.com/repos/Codertocat/Hello-World/assignees{/user}",
// "branches_url": "https://api.github.com/repos/Codertocat/Hello-World/branches{/branch}",
// "tags_url": "https://api.github.com/repos/Codertocat/Hello-World/tags",
// "blobs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/blobs{/sha}",
// "git_tags_url": "https://api.github.com/repos/Codertocat/Hello-World/git/tags{/sha}",
// "git_refs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/refs{/sha}",
// "trees_url": "https://api.github.com/repos/Codertocat/Hello-World/git/trees{/sha}",
// "statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/{sha}",
// "languages_url": "https://api.github.com/repos/Codertocat/Hello-World/languages",
// "stargazers_url": "https://api.github.com/repos/Codertocat/Hello-World/stargazers",
// "contributors_url": "https://api.github.com/repos/Codertocat/Hello-World/contributors",
// "subscribers_url": "https://api.github.com/repos/Codertocat/Hello-World/subscribers",
// "subscription_url": "https://api.github.com/repos/Codertocat/Hello-World/subscription",
// "commits_url": "https://api.github.com/repos/Codertocat/Hello-World/commits{/sha}",
// "git_commits_url": "https://api.github.com/repos/Codertocat/Hello-World/git/commits{/sha}",
// "comments_url": "https://api.github.com/repos/Codertocat/Hello-World/comments{/number}",
// "issue_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/comments{/number}",
// "contents_url": "https://api.github.com/repos/Codertocat/Hello-World/contents/{+path}",
// "compare_url": "https://api.github.com/repos/Codertocat/Hello-World/compare/{base}...{head}",
// "merges_url": "https://api.github.com/repos/Codertocat/Hello-World/merges",
// "archive_url": "https://api.github.com/repos/Codertocat/Hello-World/{archive_format}{/ref}",
// "downloads_url": "https://api.github.com/repos/Codertocat/Hello-World/downloads",
// "issues_url": "https://api.github.com/repos/Codertocat/Hello-World/issues{/number}",
// "pulls_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls{/number}",
// "milestones_url": "https://api.github.com/repos/Codertocat/Hello-World/milestones{/number}",
// "notifications_url": "https://api.github.com/repos/Codertocat/Hello-World/notifications{?since,all,participating}",
// "labels_url": "https://api.github.com/repos/Codertocat/Hello-World/labels{/name}",
// "releases_url": "https://api.github.com/repos/Codertocat/Hello-World/releases{/id}",
// "deployments_url": "https://api.github.com/repos/Codertocat/Hello-World/deployments",
// "created_at": "2020-04-20T22:59:11Z",
// "updated_at": "2020-11-24T01:37:33Z",
// "pushed_at": "2020-11-24T01:37:31Z",
// "git_url": "git://github.com/Codertocat/Hello-World.git",
// "ssh_url": "git@github.com:Codertocat/Hello-World.git",
// "clone_url": "https://github.com/Codertocat/Hello-World.git",
// "svn_url": "https://github.com/Codertocat/Hello-World",
// "homepage": null,
// "size": 1156,
// "stargazers_count": 0,
// "watchers_count": 0,
// "language": "JavaScript",
// "has_issues": false,
// "has_projects": false,
// "has_downloads": true,
// "has_wiki": false,
// "has_pages": true,
// "forks_count": 0,
// "mirror_url": null,
// "archived": false,
// "disabled": false,
// "open_issues_count": 3,
// "license": null,
// "forks": 0,
// "open_issues": 3,
// "watchers": 0,
// "default_branch": "master"
// },
// "organization": {
// "login": "Codertocat",
// "id": 30846345,
// "node_id": "MDEyOk9yZ2FuaXphdGlvbjMwODQ2MzQ1",
// "url": "https://api.github.com/orgs/Codertocat",
// "repos_url": "https://api.github.com/orgs/Codertocat/repos",
// "events_url": "https://api.github.com/orgs/Codertocat/events",
// "hooks_url": "https://api.github.com/orgs/Codertocat/hooks",
// "issues_url": "https://api.github.com/orgs/Codertocat/issues",
// "members_url": "https://api.github.com/orgs/Codertocat/members{/member}",
// "public_members_url": "https://api.github.com/orgs/Codertocat/public_members{/member}",
// "avatar_url": "https://avatars0.githubusercontent.com/u/30846345?v=4",
// "description": "Demos and testing of GitHub security products"
// },
// "sender": {
// "login": "Codertocat",
// "id": 10136561,
// "node_id": "MDQ6VXNlcjEwMTM2NTYx",
// "avatar_url": "https://avatars1.githubusercontent.com/u/10136561?v=4",
// "gravatar_id": "",
// "url": "https://api.github.com/users/Codertocat",
// "html_url": "https://github.com/Codertocat",
// "followers_url": "https://api.github.com/users/Codertocat/followers",
// "following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
// "gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
// "starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
// "subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
// "organizations_url": "https://api.github.com/users/Codertocat/orgs",
// "repos_url": "https://api.github.com/users/Codertocat/repos",
// "events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
// "received_events_url": "https://api.github.com/users/Codertocat/received_events",
// "type": "User",
// "site_admin": true
// }
githubscanaudit_CL
| where action_s in ('created', 'resolved', 'reopened')
| extend EventType='SecretScanningAlert'
| extend alert = todynamic(alert_s),
organization = todynamic(organization_s),
repository = todynamic(repository_s),
sender = todynamic(sender_s)
| extend
alertSecretType = alert.secret_type,
alertnumber = alert.number,
alertresolution = alert.resolution,
alertresolvedby = alert.resolved_by,
alertresolvedat = alert.resolved_at,
repositoryfullname = repository.full_name,
repositoryOwnerlogin = repository.owner.login,
repositoryurl = repository.url,
senderlogin = sender.login,
sendertype = sender.type,
action=action_s
| where isnotempty(alertSecretType)
| project-keep
TimeGenerated,
EventType,
action,
alertSecretType,
alertnumber,
alertresolution,
alertresolvedby,
alertresolvedat,
repositoryfullname,
repositoryOwnerlogin,
repositoryurl,
senderlogin,
sendertype


@ -34,10 +34,10 @@
"Hunting Queries/User Grant Access and Grants Other Access.yaml"
],
"Parsers": [
"Parsers/GitHubAuditData.txt",
"Parsers/GitHubCodeScanningData.txt",
"Parsers/GitHubDependabotData.txt",
"Parsers/GithubSecretScanningData.txt"
"Parsers/GitHubAuditData.yaml",
"Parsers/GitHubCodeScanningData.yaml",
"Parsers/GitHubDependabotData.yaml",
"Parsers/GithubSecretScanningData.yaml"
],
"Data Connectors": [
"Data Connectors/azuredeploy_GitHub_native_poller_connector.json",