Merge branch 'master' into dev/normalization/proxy-parsers

This commit is contained in:
Ofer Shezaf 2021-12-07 09:19:15 +02:00
Родитель 9db1ff6462 f867c9859b
Коммит 37b3ade013
55 изменённых файлов: 10443 добавлений и 374 удалений


@ -7,6 +7,6 @@ jobs:
displayName: "npm install"
inputs:
verbose: false
command: "install"
command: "install -g npm@6.14.15"
- script: "npm run tsc && node .script/sampleDataValidator.js"
displayName: "sample Data Validator"
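Review bot: The new `command: "install -g npm@6.14.15"` is passed to a task input that, judging by the `inputs:`/`verbose:` shape, belongs to the Npm task, whose `command` input accepts a fixed set of values such as `install`, `publish` and `custom`; an argument string in that field may be rejected or ignored rather than executed. If the intent is to pin the npm version, the usual form is `command: custom` together with `customCommand: install -g npm@6.14.15`. With the replacement this step also no longer runs the plain `npm install` of the project's dependencies that the following `npm run tsc` line presumably relies on, unless another step outside this hunk does it. The task line itself is outside the hunk, so this is inferred from the displayed inputs.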


@ -0,0 +1,349 @@
{
"Name": "CiscoSecureEndpoint_CL",
"Properties": [
{
"Name": "audit_log_id_g",
"Type": "String"
},
{
"Name": "audit_log_id_s",
"Type": "String"
},
{
"Name": "audit_log_type_s",
"Type": "String"
},
{
"Name": "audit_log_user_s",
"Type": "String"
},
{
"Name": "bp_data_package_manager_pending_version_d",
"Type": "Real"
},
{
"Name": "bp_data_package_manager_serial_number_d",
"Type": "Real"
},
{
"Name": "bp_data_sts_d",
"Type": "Real"
},
{
"Name": "cloud_ioc_description_s",
"Type": "String"
},
{
"Name": "cloud_ioc_short_description_s",
"Type": "String"
},
{
"Name": "command_line_arguments_s",
"Type": "String"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "computer_active_b",
"Type": "Boolean"
},
{
"Name": "computer_connector_guid_g",
"Type": "String"
},
{
"Name": "computer_external_ip_s",
"Type": "String"
},
{
"Name": "computer_hostname_s",
"Type": "String"
},
{
"Name": "computer_links_computer_s",
"Type": "String"
},
{
"Name": "computer_links_group_s",
"Type": "String"
},
{
"Name": "computer_links_trajectory_s",
"Type": "String"
},
{
"Name": "computer_network_addresses_s",
"Type": "String"
},
{
"Name": "computer_user_s",
"Type": "String"
},
{
"Name": "connector_guid_g",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "date_t",
"Type": "DateTime"
},
{
"Name": "detection_id_s",
"Type": "String"
},
{
"Name": "detection_s",
"Type": "String"
},
{
"Name": "error_description_s",
"Type": "String"
},
{
"Name": "error_error_code_d",
"Type": "Real"
},
{
"Name": "event_s",
"Type": "String"
},
{
"Name": "event_type_id_d",
"Type": "Real"
},
{
"Name": "event_type_s",
"Type": "String"
},
{
"Name": "file_attack_details_application_s",
"Type": "String"
},
{
"Name": "file_attack_details_attacked_module_s",
"Type": "String"
},
{
"Name": "file_attack_details_base_address_s",
"Type": "String"
},
{
"Name": "file_attack_details_suspicious_files_s",
"Type": "String"
},
{
"Name": "file_disposition_s",
"Type": "String"
},
{
"Name": "file_file_name_s",
"Type": "String"
},
{
"Name": "file_file_path_s",
"Type": "String"
},
{
"Name": "file_identity_md5_g",
"Type": "String"
},
{
"Name": "file_identity_sha1_s",
"Type": "String"
},
{
"Name": "file_identity_sha256_s",
"Type": "String"
},
{
"Name": "file_parent_disposition_s",
"Type": "String"
},
{
"Name": "file_parent_file_name_s",
"Type": "String"
},
{
"Name": "file_parent_identity_md5_g",
"Type": "String"
},
{
"Name": "file_parent_identity_sha1_s",
"Type": "String"
},
{
"Name": "file_parent_identity_sha256_s",
"Type": "String"
},
{
"Name": "file_parent_process_id_d",
"Type": "Real"
},
{
"Name": "file_parent_process_id_s",
"Type": "String"
},
{
"Name": "group_guids_s",
"Type": "String"
},
{
"Name": "hostname_s",
"Type": "String"
},
{
"Name": "id_d",
"Type": "Real"
},
{
"Name": "new_attributes_connector_guid_g",
"Type": "String"
},
{
"Name": "new_attributes_group_id_d",
"Type": "Real"
},
{
"Name": "new_attributes_hostname_s",
"Type": "String"
},
{
"Name": "new_attributes_ip_external_s",
"Type": "String"
},
{
"Name": "new_attributes_name_s",
"Type": "String"
},
{
"Name": "new_attributes_operating_system_id_d",
"Type": "Real"
},
{
"Name": "new_attributes_policy_id_d",
"Type": "Real"
},
{
"Name": "new_attributes_product_version_id_d",
"Type": "Real"
},
{
"Name": "new_attributes_status_s",
"Type": "String"
},
{
"Name": "old_attributes_hostname_s",
"Type": "String"
},
{
"Name": "old_attributes_ip_external_s",
"Type": "String"
},
{
"Name": "old_attributes_name_s",
"Type": "String"
},
{
"Name": "old_attributes_operating_system_id_d",
"Type": "Real"
},
{
"Name": "old_attributes_product_version_id_d",
"Type": "Real"
},
{
"Name": "old_attributes_status_s",
"Type": "String"
},
{
"Name": "orbital_old_version_s",
"Type": "String"
},
{
"Name": "orbital_version_s",
"Type": "String"
},
{
"Name": "RawData",
"Type": "String"
},
{
"Name": "scan_clean_b",
"Type": "Boolean"
},
{
"Name": "scan_description_s",
"Type": "String"
},
{
"Name": "scan_malicious_detections_d",
"Type": "Real"
},
{
"Name": "scan_scanned_files_d",
"Type": "Real"
},
{
"Name": "scan_scanned_paths_d",
"Type": "Real"
},
{
"Name": "scan_scanned_processes_d",
"Type": "Real"
},
{
"Name": "severity_s",
"Type": "String"
},
{
"Name": "start_date_t",
"Type": "DateTime"
},
{
"Name": "start_timestamp_d",
"Type": "Real"
},
{
"Name": "tactics_s",
"Type": "String"
},
{
"Name": "techniques_s",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "timestamp_d",
"Type": "Real"
},
{
"Name": "timestamp_nanoseconds_d",
"Type": "Real"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "vulnerabilities_s",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
},
{
"Name": "_SubscriptionId",
"Type": "String"
}
]
}
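Review bot: Several fields in this schema appear twice under different type suffixes — `audit_log_id_g`/`audit_log_id_s` and `file_parent_process_id_d`/`file_parent_process_id_s` — which typically indicates the same source field was ingested with differing value formats, so any parser or detection built on `CiscoSecureEndpoint_CL` has to coalesce both columns or it will miss part of the events. `file_identity_md5_g` and `file_parent_identity_md5_g` likewise land in GUID-suffixed columns rather than `_s`, so hash matching against these fields should be checked against real data to confirm the stored form compares to a plain 32-hex MD5. Strict JSON leaves no room for a comment here, so documenting the duplicate-column pairs in the connector's README or its parser would help consumers.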


@ -88,5 +88,35 @@
"id": "87210ca1-49a4-4a7d-bb4a-4988752f978c",
"templateName": "AzurePortalSigninfromanotherAzureTenant.yaml",
"validationFailReason": "ipv4_lookup not recognized as a function."
},
{
"id": "9122a9cb-916b-4d98-a199-1b7b0af8d598",
"templateName": "NICKELIOCsNov2021.yaml",
"validationFailReason": "The name 'imDns' does not refer to any known function."
},
{
"id": "42436753-9944-4d70-801c-daaa4d19ddd2",
"templateName": "UnusualUAPowershell.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
},
{
"id": "8cbc3215-fa58-4bd6-aaaa-f0029c351730",
"templateName": "UnusualUACryptoMiners.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
},
{
"id": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
"templateName": "PotentiallyHarmfulFileTypes.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
},
{
"id": "4902eddb-34f7-44a8-ac94-8486366e9494",
"templateName": "ExcessiveDenyFromSource.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
},
{
"id": "3f0c20d5-6228-48ef-92f3-9ff7822c1954",
"templateName": "UnusualUAHackTool.yaml",
"validationFailReason": "The name 'imWebSession' does not refer to any known function"
}
]
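Review bot: The six new entries exempt templates from KQL validation because the validator does not recognize the ASIM functions `imDns` and `imWebSession`, which means syntax errors in those queries (including spacing slips like the `imDns (` one corrected elsewhere in this merge) will no longer be caught by CI. If the validator supports a list of known functions, registering `imDns`/`imWebSession` there would keep these templates validated; if not, the exemption is reasonable but should be revisited once the functions are known to the tool. As a style point the `validationFailReason` strings are inconsistent about the trailing period (`...known function.` vs `...known function`); one phrasing for the five identical reasons would read better.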


@ -37,6 +37,7 @@
"CiscoFirepowerEStreamer",
"CiscoISE",
"CiscoMeraki",
"CiscoSecureEndpoint",
"CiscoUCS",
"CiscoUmbrellaDataConnector",
"Citrix",


@ -52,7 +52,7 @@ query: |
| where DNSName has_any (DomainNames)
| extend IPAddress = ClientIP
),
( imDns (domain_has_any=DomainNames)
( imDns(domain_has_any=DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
@ -74,7 +74,10 @@ query: |
| extend Account = UserName
),
(SecurityAlert
| where Entities has_any (SigNames)
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
),
(AzureDiagnostics
@ -109,5 +112,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.3.0
version: 1.4.0
kind: Scheduled
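Review bot: `| extend Computer = tostring(parse_json(Entities)[0].HostName)` on the new line takes the first element of `Entities` regardless of its kind; `Entities` holds a mix of entity types (host, account, file, process), so whenever a host is not first, `Computer` comes out empty and the Host entity mapping for that alert is lost. A more robust form expands the array and picks the host entity, e.g. `| mv-apply E = todynamic(Entities) on (where E.Type == "host" | summarize Computer = take_any(tostring(E.HostName)))` (the `Type` value as it appears in your alerts), or at least selects the first element whose `HostName` is non-empty. The same construct is introduced in the other two SecurityAlert hunks of this merge — the new NICKEL IOC rule and the second rule bumped from 1.3.0 to 1.4.0. The enclosing union starts and ends outside the hunk.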


@ -0,0 +1,217 @@
id: 9122a9cb-916b-4d98-a199-1b7b0af8d598
name: Known NICKEL domains and hashes
description: |
'IOC domains and hash values for tools and malware used by NICKEL.
Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.'
severity: High
tags:
- Schema: ASIMDns
SchemaVersion: 0.1.1
requiredDataConnectors:
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
relevantTechniques:
- T1071
query: |
let DomainNames = dynamic(["beesweiserdog.com",
"bluehostfit.com",
"business-toys.com",
"cleanskycloud.com",
"cumberbat.com",
"czreadsecurity.com",
"dgtresorgouv.com",
"dimediamikedask.com",
"diresitioscon.com",
"elcolectador.com",
"elperuanos.org",
"eprotectioneu.com",
"fheacor.com",
"followthewaterdata.com",
"francevrteepress.com",
"futtuhy.com",
"gardienweb.com",
"heimflugaustr.com",
"ivpsers.com",
"jkeducation.org",
"micrlmb.com",
"muthesck.com",
"netscalertech.com",
"newgoldbalmap.com",
"news-laestrella.com",
"noticialif.com",
"opentanzanfoundation.com",
"optonlinepress.com",
"palazzochigi.com",
"pandemicacre.com",
"papa-ser.com",
"pekematclouds.com",
"pipcake.com",
"popularservicenter.com",
"projectsyndic.com",
"qsadtv.com",
"sankreal.com",
"scielope.com",
"seoamdcopywriting.com",
"slidenshare.com",
"somoswake.com",
"squarespacenow.com",
"subapostilla.com",
"suzukicycles.net",
"tatanotakeeps.com",
"tijuanazxc.com",
"transactioninfo.net",
"eurolabspro.com",
"adelluminate.com",
"headhunterblue.com",
"primenuesty.com"
]);
let SHA256Hashes = dynamic (["02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2",
"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c",
"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c",
"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95",
"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21",
"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49",
"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844",
"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef",
"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822",
"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2",
"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838",
"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65",
"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6",
"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1",
"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90",
"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b",
"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce",
"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0",
"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c",
"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a",
"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b",
"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a",
"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124",
"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa",
"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda",
"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94",
"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6",
"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce",
"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6",
"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba"
]);
let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
(union isfuzzy=true
(CommonSecurityLog
| parse Message with * '(' DNSName ')' *
| where isnotempty(FileHash)
| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)
| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP
),
(DnsEvents
| extend DNSName = Name
| where isnotempty(DNSName)
| where DNSName has_any (DomainNames)
| extend IPAddress = ClientIP
),
(imDns(domain_has_any = DomainNames)
| extend DNSName = DnsQuery
| extend IPAddress = SrcIpAddr
),
(VMConnection
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where isnotempty(DNSName)
| where DNSName in~ (DomainNames)
| extend IPAddress = RemoteIp
),
(Event
//This query uses sysmon data depending on table name used this may need updataing
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where isnotempty(Hashes)
| where Hashes in (SHA256Hashes)
| extend Account = UserName
),
(DeviceFileEvents
| where SHA256 in~ (SHA256Hashes)
| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(imFileEvent
| where TargetFileSHA256 in~ (SHA256Hashes)
| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256
| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash
),
(DeviceNetworkEvents
| where RemoteUrl in~ (DomainNames)
| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration
| where Request_Name has_any (DomainNames)
| extend DNSName = Request_Name
| extend IPAddress = ClientIP
),
(AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action
| where isnotempty(DestinationHost)
| where DestinationHost has_any (DomainNames)
| extend DNSName = DestinationHost
| extend IPAddress = SourceHost
)
)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
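Review bot: In the Sysmon `Event` branch, `| parse Hashes with * 'SHA256=' SHA256 ',' *` extracts the hash into `SHA256`, but the following `| where Hashes in (SHA256Hashes)` compares the whole `Hashes` string (the comma-separated `MD5=...,SHA256=...` list) against bare hashes, so this branch can never match; it should read `| where SHA256 in~ (SHA256Hashes)`, and the parse pattern assumes a `,` always follows the SHA256 value, which depends on the Sysmon hash-algorithm order. In the `CommonSecurityLog` branch `| where isnotempty(FileHash)` runs before `| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)`, so rows that match only on domain are discarded before the `or` is evaluated; move the emptiness test into the hash side of the condition, e.g. `| where (isnotempty(FileHash) and FileHash in~ (SHA256Hashes)) or DNSName in~ (DomainNames)`. As a style point, `MicrosoftThreatProtection` is listed twice under `requiredDataConnectors`; a single entry with both data types is the usual form.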


@ -104,7 +104,10 @@ query: |
| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl
),
(SecurityAlert
| where Entities has_any (SigNames)
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| where ThreatName has_any (SigNames)
| extend Computer = tostring(parse_json(Entities)[0].HostName)
| project Type, TimeGenerated, Computer
),
@ -151,5 +154,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.3.0
version: 1.4.0
kind: Scheduled


@ -0,0 +1,62 @@
id: bb30abbc-9af6-4a37-9536-e9207e023989
name: NICKEL Command Line Activity November 2021
description: |
'This hunting query looks for process command line activity related to data collection and staging observed by NICKEL.
It hunts for use of tools such as xcopy and renamed archiving tools for data collection and staging purposes on the hosts with signatures observed related to NICKEL actor.'
requiredDataConnectors:
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- SecurityAlert (MDATP)
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
tactics:
- Collection
relevantTechniques:
- T1074.001
query: |
let xcopy_tokens = dynamic(["xcopy", "\\windows\\temp\\wmi", "/S/Y/C"]);
let archive_tokens = dynamic(["\\windows\\temp\\wmi", ".rar", ".7zip"]);
let SigNames = dynamic(["Backdoor:Win32/Leeson", "Trojan:Win32/Kechang", "Backdoor:Win32/Nightimp!dha", "Trojan:Win32/QuarkBandit.A!dha", "TrojanSpy:Win32/KeyLogger"]);
(union isfuzzy=true
(DeviceProcessEvents
| where ProcessCommandLine has_all(xcopy_tokens) or (ProcessCommandLine has_all (archive_tokens))
| join kind=leftouter (
SecurityAlert
| where ProductName == "Microsoft Defender Advanced Threat Protection"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| where isnotempty(ThreatName)
| extend AlertRiskScore =iif(ThreatName has_any (SigNames), 1.0, 0.5)) on DeviceId
| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0 , AlertRiskScore)
| project-reorder TimeGenerated, DeviceName, DeviceId, ProcessCommandLine, AccountName
| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName
),
(imProcessCreate
| where (CommandLine has_all (xcopy_tokens)) or (CommandLine has_all (archive_tokens))
| extend timestamp = TimeGenerated, HostCustomEntity = DvcHostname , AccountCustomEntity = ActorUsername, ProcessCustomEntity = TargetProcessFilePath
),
(SecurityEvent
| where EventID == '4688'
| where (CommandLine has_all (xcopy_tokens)) or (CommandLine has_all (archive_tokens))
| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine
| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName
)
)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ProcessCustomEntity
- identifier: CommandLine
columnName: CommandLineCustomEntity
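Review bot: The `Process` entity mapping at the end references `CommandLineCustomEntity`, but no branch of the query defines that column — the `DeviceProcessEvents`, `imProcessCreate` and `SecurityEvent` branches each extend only `ProcessCustomEntity` — so the mapping is dangling; add `CommandLineCustomEntity = ProcessCommandLine` (first branch) and `CommandLineCustomEntity = CommandLine` (the other two) to the respective `extend` lines. The same mapping binds identifier `ProcessId` to `ProcessCustomEntity`, which holds a file name or path (`InitiatingProcessFileName`, `TargetProcessFilePath`, `NewProcessName`) rather than a process id; the `SecurityEvent` branch already projects `NewProcessId`, which would fit that identifier. The `join kind=leftouter ... on DeviceId` assumes `SecurityAlert` exposes a `DeviceId` column; nothing in the visible subquery derives one from `Entities` or `ExtendedProperties`, so confirm the key exists or extract it there. `EventID == '4688'` compares against a string where the registry rule in this merge uses numeric `EventID == 4657`; the numeric form is the consistent one.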


@ -0,0 +1,64 @@
id: f090f8f4a-b986-42d2-b536-e0795c723e25
name: Known NICKEL Registry modifications patterns
description: |
'This query identifies instances where malware intentionally configures the browser settings for its use by modifying the following registry entries by NICKEL threat actor.'
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceRegistryEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1546.012
query: |
let reg_paths = dynamic(["HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Recovery",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap"
]);
let reg_keys = dynamic(["Start Page", "DisableFirstRunCustomize", "RunOnceComplete", "RunOnceHasShown", "Check_Associations", "AutoRecover", "ClearBrowsingHistoryOnExit", "Completed", "IEHarden"]);
(union isfuzzy=true
(
SecurityEvent
| where EventID == 4657
| where ObjectName has_any (reg_paths) and ObjectValueName has_any (reg_keys)
| summarize Count=count() by Computer, Account, ObjectName
| extend AccountCustomEntity = Account, HostCustomEntity = Computer
),
(
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID in (12, 13)
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| where TargetObject has_any (reg_paths) and TargetObject has_any (reg_keys)
| summarize Count=count() by Computer, UserName, tostring(TargetObject)
| extend AccountCustomEntity = UserName, HostCustomEntity = Computer
),
(
imRegistry
| where RegistryKey has_any (reg_paths) and RegistryValue has_any (reg_keys)
| summarize Count=count() by Dvc, Username, RegistryKey
| extend AccountCustomEntity = Username, HostCustomEntity = Dvc
)
)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
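Review bot: `id: f090f8f4a-b986-42d2-b536-e0795c723e25` is not a valid GUID — the first group has nine hex digits instead of eight — which template validation or deployment will likely reject; regenerate the id. The `reg_paths` values use the `HKEY_CURRENT_USER\...` spelling, while the 4657 `ObjectName` in `SecurityEvent` and Sysmon's `TargetObject` generally carry the hive as `\REGISTRY\USER\<SID>\...` and `HKU\<SID>\...` respectively, so the `has_any (reg_paths)` filters in those two branches may never match; matching on the hive-independent suffix (e.g. `\Software\Microsoft\Internet Explorer\Main`) would cover all three sources. The file also declares `severity`, `queryFrequency` and `triggerThreshold` but, unlike the other scheduled rules in this merge, ends without `version:` and `kind: Scheduled` lines.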


@ -1,5 +1,5 @@
Parser:
Title: Generic DnsEvents
Title: DNS activity ASIM parser
Version: '0.2'
LastUpdated: Oct 13th 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
ASIM Source Agnostic DNS Parser
This ASIM parser supports normalizing DNS activity logs from all supported sources to the ASIM DNS activity normalized schema.
ParserName: ASimDns
EquivalentBuiltInParser: _ASim_Dns
Parsers:


@ -1,5 +1,5 @@
Parser:
Title: Azure Firewall DNS parser
Title: DNS activity ASIM parser for Azure Firewall
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map Azure Firewall DNS Events to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Azure Firewall logs to the ASIM DNS activity normalized schema.
ParserName: ASimDnsAzureFirewall
EquivalentBuiltInParser: _ASim_Dns_AzureFirewall
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Cisco Umbrella DNS Events
Title: DNS activity ASIM parser for Cisco Umbrella
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map Cisco Umbrella DNS Events (Cisco_Umbrella_dns_CL) to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Cisco Umbrella DNS logs to the ASIM DNS activity normalized schema.
ParserName: ASimDnsCiscoUmbrella
EquivalentBuiltInParser: _ASim_Dns_CiscoUmbrella
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Corelight Zeek DNS Query Parser
Title: DNS activity ASIM parser for Corelight Zeek
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This Parser normalizes Corelight DNS query events to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Corelight Zeek DNS logs to the ASIM DNS activity normalized schema.
ParserName: ASimDnsCorelightZeek
EquivalentBuiltInParser: _ASim_Dns_CorelightZeek
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: GCP DNS Query Parser
Title: DNS activity ASIM parser for GCP
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This Parser that normalizes GCP DNS query events to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Google Cloud Platform (GCP) DNS logs to the ASIM DNS activity normalized schema.
ParserName: ASimDnsGcp
EquivalentBuiltInParser: _ASim_Dns_Gcp
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: InfoBlox
Title: DNS activity ASIM parser for Infoblox NIOS
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map Infoblox NIOS DNS Events (Syslog) to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Infoblox NIOS DNS logs to the ASIM DNS activity normalized schema.
ParserName: ASimDnsInfobloxNIOS
EquivalentBuiltInParser: _ASim_Dns_InfobloxNIOS
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Microsoft DNS events collected by NXlog
Title: DNS activity ASIM parser for Microsoft DNS logs collected using NXlog
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map MS DNS (DnsEvents) collected using NXLog to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Windows DNS logs collected using NXlog to the ASIM DNS activity normalized schema.
ParserName: ASimDnsMicrosoftNXlog
EquivalentBuiltInParser: _ASim_Dns_MicrosoftNXlog
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Microsoft DNS
Title: DNS activity ASIM parser for Windows DNS Log collected using the Log Analytics Agent
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map MS DNS (DnsEvents) to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing Windows DNS Log collected using the Log Analytics Agent to the ASIM DNS activity normalized schema.
ParserName: ASimDnsMicrosoftOMS
EquivalentBuiltInParser: _ASim_Dns_MicrosoftOMS
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: ASIM Sysmon DNS Parser
Title: DNS activity ASIM parser for Sysmon for Windows
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,10 +9,10 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https:/aka.ms/AzSentinelNormalization
Description: ASIM Sysmon DNS Parser (event number 22) from "Event" and "WindowsEvent" tables.
Link: https://aka.ms/AboutASIM
Description: This ASIM parser supports normalizing Sysmon for Windows DNS events (event number 22) collected using the Log Analytic Agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables.
ParserName: ASimDnsMicrosoftSysmon
EquivalentBuiltInParser: _ASim_Dns_MicrosoftSysmon
ParserParams:
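Review bot: The new `Description:` line says "collected using the Log Analytic Agent"; the agent name is "Log Analytics Agent", as the Windows DNS (OMS) parser's description in this same merge spells it. Suggested wording: `Description: This ASIM parser supports normalizing Sysmon for Windows DNS events (event number 22) collected using the Log Analytics Agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables.`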


@ -1,5 +1,5 @@
Parser:
Title: zScaler ZIA DNS
Title: DNS activity ASIM parser for zScaler ZIA
Version: '0.3'
LastUpdated: Nov 23 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map zScaler ZIA DNS events to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports normalizing zScaler ZIA DNS logs to the ASIM DNS activity normalized schema.
ParserName: ASimDnszScalerZIA
EquivalentBuiltInParser: _ASim_Dns_zScalerZIA
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Empty DNS Events Table
Title: DNS activity ASIM schema function
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
The purpose of this function is to generate and guarentee the schema columns
This function returns an empty ASIM DNS activity schema
ParserName: vimDnsEmpty
EquivalentBuiltInParser: _Im_Dns_Empty
ParserQuery: |


@ -1,5 +1,5 @@
Parser:
Title: GCP DNS Query Parameterized Parser
Title: DNS activity ASIM filtering parser for GCP
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This Parser normalizes GCP DNS query events to the Advanced SIEM Information Model DNS schema and accepted filtering parameters.
This ASIM parser supports filtering and normalizing Google Cloud Platform (GCP) DNS logs to the ASIM DNS activity normalized schema.
ParserName: vimDnsGcp
EquivalentBuiltInParser: _Im_Dns_Gcp
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Generic DnsEvents
Title: DNS activity ASIM filtering parser
Version: '0.2'
LastUpdated: Oct 19 2021
Product:
@ -9,9 +9,9 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
ASIM Source Agnostic DNS Parser
ParserName: imDns
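Review bot: The `Description:` of this `imDns` parser is left as `ASIM Source Agnostic DNS Parser` (the hunk's 9/9 counts show only the two links changed), while the sibling `ASimDns` file in this merge rewrites its description to the new house style. For consistency with the other filtering parsers updated here, suggest `This ASIM parser supports filtering and normalizing DNS activity logs from all supported sources to the ASIM DNS activity normalized schema.`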


@ -1,5 +1,5 @@
Parser:
Title: Azure Firewall DNS parser
Title: DNS activity ASIM filtering parser for Azure Firewall
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map Azure Firewall DNS Events to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports filtering and normalizing Azure Firewall logs to the ASIM DNS activity normalized schema.
ParserName: vimDnsAzureFirewall
EquivalentBuiltInParser: _Im_Dns_AzureFirewall
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Cisco Umbrella DNS Events
Title: DNS activity ASIM filtering parser for Cisco Umbrella
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map Cisco Umrella DNS Events (Cisco_Umbrella_dns_CL) to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports filtering and normalizing Cisco Umbrella DNS logs to the ASIM DNS activity normalized schema.
ParserName: vimDnsCiscoUmbrella
EquivalentBuiltInParser: _Im_Dns_CiscoUmbrella
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Corelight Zeek DNS Parametrized Parser
Title: DNS activity ASIM filtering parser for Corelight Zeek
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This Parser normalizes Corelight DNS query events to the Advanced SIEM Information Model DNS schema and accepted filtering parameters.
This ASIM parser supports filtering and normalizing Corelight Zeek DNS logs to the ASIM DNS activity normalized schema.
ParserName: vimDnsCorelightZeek
EquivalentBuiltInParser: _Im_Dns_CorelightZeek
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: InfoBlox
Title: DNS activity ASIM filtering parser for Infoblox NIOS
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map Infoblox NIOS DNS Events (Syslog) to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports filtering and normalizing Infoblox NIOS DNS logs to the ASIM DNS activity normalized schema.
ParserName: vimDnsInfobloxNIOS
EquivalentBuiltInParser: _Im_Dns_InfobloxNIOS
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Microsoft DNS events collected by NXlog
Title: DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map MS DNS (DnsEvents) collected using NXLog to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports filtering and normalizing Windows DNS logs collected using NXlog to the ASIM DNS activity normalized schema.
ParserName: vimDnsMicrosoftNXlog
EquivalentBuiltInParser: _Im_Dns_MicrosoftNXlog
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: Microsoft DNS
Title: DNS activity ASIM filtering parser for Windows DNS Log collected using the Log Analytics Agent
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map MS DNS (DnsEvents) to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports filtering and normalizing Windows DNS Log collected using the Log Analytics Agent to the ASIM DNS activity normalized schema.
ParserName: vimDnsMicrosoftOMS
EquivalentBuiltInParser: _Im_Dns_MicrosoftOMS
ParserParams:


@ -1,5 +1,5 @@
Parser:
Title: ASIM Sysmon DNS Parametrized Parser
Title: DNS activity ASIM filtering parser for Sysmon for Windows
Version: '0.2'
LastUpdated: Nov 11 2021
Product:
@ -9,10 +9,10 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https:/aka.ms/AzSentinelNormalization
Description: ASIM Sysmon DNS Parametrized Parser (event number 22) from "Event" and "WindowsEvent" tables.
Link: https://aka.ms/AboutASIM
Description: This ASIM parser supports filtering and normalizing Sysmon for Windows DNS events (event number 22) collected using the Log Analytic Agent to the ASIM DNS activity normalized schema. The parser supports events collected to both the Event and WindowsEvent tables.
ParserName: vimDnsMicrosoftSysmon
EquivalentBuiltInParser: _Im_Dns_MicrosoftSysmon
ParserParams:
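Review bot: The new Description line for the Sysmon parser says "collected using the Log Analytic Agent", while the sibling Windows DNS parser description in this same commit says "Log Analytics Agent"; the product name should be spelled consistently across the parser set, since these descriptions are surfaced to users. Suggested wording: `collected using the Log Analytics Agent to the ASIM DNS activity normalized schema`. The rest of the parser definition (ParserParams and the KQL body) continues outside this hunk.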


@ -1,5 +1,5 @@
Parser:
Title: zScaler ZIA DNS
Title: DNS activity ASIM filtering parser for zScaler ZIA
Version: '0.1'
LastUpdated: Nov 24 2021
Product:
@ -9,11 +9,11 @@ Normalization:
Version: '0.1.3'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/AzSentinelDnsDoc
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Link: https://aka.ms/AboutASIM
Description: |
This is a Query Parser that is used to map zScaler ZIA DNS events to the Advanced SIEM Information Model DNS schema.
This ASIM parser supports filtering and normalizing zScaler ZIA DNS logs to the ASIM DNS activity normalized schema.
ParserName: vimDnszScalerZIA
EquivalentBuiltInParser: _Im_Dns_zScalerZIA
ParserParams:


@ -0,0 +1,902 @@
[
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "bda3f258-ec72-44ac-8526-8fe3cef62c3f",
"date_create_d": 1637753737,
"action_s": "file_shared",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "F02NGM3LZGB",
"entity_file_name_s": "test",
"entity_file_filetype_s": "application/vnd.google-apps.document",
"entity_file_title_s": "test",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 2353217475334,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "b9457f56-6109-45ba-b58d-d5d4ddde98e5",
"date_create_d": 1637753736,
"action_s": "file_uploaded",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "F02NGM3LZGB",
"entity_file_name_s": "test",
"entity_file_filetype_s": "",
"entity_file_title_s": "test",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 2353217475334,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "a8170df3-f0b5-44c3-9ba2-b7d81b456c90",
"date_create_d": 1637753710,
"action_s": "file_shared",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "test",
"entity_file_name_s": "slack_image__2021-11-23_17-57-52_.jpg",
"entity_file_filetype_s": "image/jpeg",
"entity_file_title_s": "Slack Image (2021-11-23_17-57-52).jpg",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Mozilla/5.0 (Windows NT 10.0.19043; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.22.0 Chrome/94.0.4606.81 Electron/15.3.0 Safari/537.36 OS_Product/Workstation Servicing_Channel/SAC Sonic Slack_SSB/4.22.0",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 1639277775665,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "3265fb41-d3c9-4667-98c9-664d8d4d94fe",
"date_create_d": 1637753708,
"action_s": "file_shared",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "test",
"entity_file_name_s": "image.png",
"entity_file_filetype_s": "image/png",
"entity_file_title_s": "image.png",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.22.0 Chrome/94.0.4606.81 Electron/15.3.0 Safari/537.36 Sonic Slack_SSB/4.22.0",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 971594246096,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "0cd5db48-c90a-453d-89d5-76146eff9004",
"date_create_d": 1637753707,
"action_s": "file_uploaded",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "test",
"entity_file_name_s": "image.png",
"entity_file_filetype_s": "",
"entity_file_title_s": "image.png",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": "",
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "3d8637ba-329d-446c-a2a2-6641ab59a5e9",
"date_create_d": 1637753688,
"action_s": "file_downloaded",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "F02NT6XRV6D",
"entity_file_name_s": "slack_image__2021-11-23_17-57-52_.jpg",
"entity_file_filetype_s": "image/jpeg",
"entity_file_title_s": "Slack Image (2021-11-23_17-57-52).jpg",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Slack/21.11.20 (iPhone; iOS 14.8.1; Scale/3.00)",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 1517175686928,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "2b716055-3efd-418c-bb9a-b645c28353d9",
"date_create_d": 1637753569,
"action_s": "file_downloaded",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "F02NT6XRV6D",
"entity_file_name_s": "slack_image__2021-11-23_17-57-52_.jpg",
"entity_file_filetype_s": "image/jpeg",
"entity_file_title_s": "Slack Image (2021-11-23_17-57-52).jpg",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Mozilla/5.0 (Windows NT 10.0.19043; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.22.0 Chrome/94.0.4606.81 Electron/15.3.0 Safari/537.36 OS_Product/Workstation Servicing_Channel/SAC Sonic Slack_SSB/4.22.0",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 1639277775665,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "807ed8aa-2758-4a0b-bf22-2f9cf03381bd",
"date_create_d": 1637753931,
"action_s": "file_downloaded",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "F02NJ2HKJ8L",
"entity_file_name_s": "audio_clip__2021-11-24_08_51_50_.m4a",
"entity_file_filetype_s": "audio/mp4",
"entity_file_title_s": "Audio Clip (2021-11-24 08:51:50)",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.22.1 Chrome/94.0.4606.81 Electron/15.3.0 Safari/537.36 MacAppStore/21.1.0 Sonic Slack_SSB/4.22.1",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 1642319554900,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "f48ce188-8b75-4d8d-85e4-d7f84ffa0c70",
"date_create_d": 1637753859,
"action_s": "file_downloaded",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "test",
"entity_file_name_s": "image.png",
"entity_file_filetype_s": "image/png",
"entity_file_title_s": "image.png",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.22.0 Chrome/94.0.4606.81 Electron/15.3.0 Safari/537.36 Sonic Slack_SSB/4.22.0",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 1378563859536,
"action_description_s": ""
},
{
"RawData": "",
"details_name_s": "",
"details_disconnecting_team_s": "",
"entity_workspace_id_s": "",
"entity_workspace_name_s": "",
"entity_workspace_domain_s": "",
"details_new_value_type_s": "",
"details_new_value_user_s": "",
"details_new_value_subteam_s": "",
"details_previous_value_type_s": "",
"details_new_value_s": "",
"details_previous_value_s": "",
"details_is_token_rotation_enabled_app_b": "",
"entity_huddle_id_s": "",
"entity_huddle_date_start_d": "",
"entity_huddle_date_end_d": "",
"entity_huddle_participants_s": "",
"entity_channel_teams_shared_with_s": "",
"details_origin_team_s": "",
"details_target_team_s": "",
"details_approver_id_s": "",
"details_approval_type_s": "",
"details_mobile_only_b": "",
"details_web_only_b": "",
"details_kicker_id_s": "",
"details_kicker_name_s": "",
"details_kicker_email_s": "",
"details_kicker_team_s": "",
"details_app_owner_id_s": "",
"details_granular_bot_token_b": "",
"details_new_scopes_s": "",
"details_previous_scopes_s": "",
"entity_usergroup_id_s": "",
"entity_usergroup_name_s": "",
"details_kicker_type_s": "",
"details_kicker_user_id_s": "",
"details_kicker_user_name_s": "",
"details_kicker_user_email_s": "",
"details_kicker_user_team_s": "",
"details_inviter_id_s": "",
"details_inviter_name_s": "",
"details_inviter_email_s": "",
"details_inviter_team_s": "",
"details_inviter_type_s": "",
"details_inviter_user_id_s": "",
"details_inviter_user_name_s": "",
"details_inviter_user_email_s": "",
"details_inviter_user_team_s": "",
"details_is_workflow_b": "",
"entity_app_id_s": "",
"entity_app_name_s": "",
"entity_app_is_distributed_b": "",
"entity_app_is_directory_approved_b": "",
"entity_app_is_workflow_app_b": "",
"entity_app_scopes_s": "",
"details_is_internal_integration_b": "",
"details_bot_scopes_s": "",
"entity_channel_id_s": "",
"entity_channel_privacy_s": "",
"entity_channel_name_s": "",
"entity_channel_is_shared_b": "",
"entity_channel_is_org_shared_b": "",
"details_type_s": "",
"entity_user_id_s": "",
"entity_user_name_s": "",
"entity_user_email_s": "",
"entity_user_team_s": "",
"id_g": "eebad56a-b0e1-4813-b0a4-b924fcd2dbb3",
"date_create_d": 1637753854,
"action_s": "file_shared",
"actor_type_s": "user",
"actor_user_id_s": "test",
"actor_user_name_s": "test",
"actor_user_email_s": "sanitized@sanitized.com",
"actor_user_team_s": "test",
"entity_type_s": "file",
"entity_file_id_s": "F02NGLGS0KC",
"entity_file_name_s": "image.png",
"entity_file_filetype_s": "image/png",
"entity_file_title_s": "image.png",
"context_location_type_s": "workspace",
"context_location_id_s": "test",
"context_location_name_s": "test",
"context_location_domain_s": "test",
"context_ua_s": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Slack/4.22.0 Chrome/94.0.4606.81 Electron/15.3.0 Safari/537.36 Sonic Slack_SSB/4.22.0",
"context_ip_address_s": "10.10.10.10",
"context_session_id_d": 971594246096,
"action_description_s": ""
}
]
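Review bot: The sample records are not type-consistent with the Log Analytics suffix convention their field names declare: `context_session_id_d` is a number in most records but `""` in the record with id `0cd5db48-…`, and every `_d`/`_b` field that is unused (`entity_huddle_date_start_d`, `details_mobile_only_b`, `details_granular_bot_token_b`, …) holds `""` rather than a number, boolean or `null`. If the sample-data validator or a downstream parser test checks value types against the table schema, these rows will not look like real ingested events; presumably the absent fields should be omitted or set to `null`, and `context_session_id_d` should be numeric or `null` in every record. Sanitization is also uneven — several `entity_file_id_s` values are `"test"` while others carry what look like real Slack file IDs (`F02NGM3LZGB`, `F02NT6XRV6D`, `F02NJ2HKJ8L`, `F02NGLGS0KC`) and unsanitized `context_session_id_d` values; worth normalizing to placeholders before this ships as public sample data.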


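--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,38 @@
+id: 4683ebce-07ad-4089-89e3-39d8fe83c011
+name: Cisco SE High Events Last Hour
+description: |
+'Find events from Cisco Secure Endpoint that are of High severity in the last hour.'
+severity: High
+requiredDataConnectors:
+- connectorId: CiscoSecureEndpoint
+dataTypes:
+- CiscoSecureEndpoint_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- Execution
+- InitialAccess
+query: |
+let endtime = 1h;
+CiscoSecureEndpoint_CL
+| where TimeGenerated >= ago(endtime)
+| where severity_s == "High"
+| project NetworkAddresses = parse_json(computer_network_addresses_s), computer_hostname_s, date_t, event_type_s, computer_links_trajectory_s
+| summarize CountInLastHour = count() by computer_hostname_s, date_t, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s
+entityMappings:
+- entityType: IP
+fieldMappings:
+- identifier: Address
+columnName: NetworkAddresses_ip
+- entityType: Host
+fieldMappings:
+- identifier: HostName
+columnName: computer_hostname_s
+- entityType: URL
+fieldMappings:
+- identifier: Url
+columnName: computer_links_trajectory_s
+version: 1.0.0
+kind: Scheduled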
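Review bot: The `summarize` at the end of `query` groups by `date_t`, the per-event timestamp, so `CountInLastHour` will almost always be 1 and the rule effectively fires once per event instead of counting high-severity activity per host; keeping the time as an aggregate, e.g. `| summarize CountInLastHour = count(), LastSeen = max(date_t) by computer_hostname_s, event_type_s, tostring(NetworkAddresses.ip), computer_links_trajectory_s`, gives the threshold something to compare against. The IP entity mapping relies on Kusto auto-naming `tostring(NetworkAddresses.ip)` as `NetworkAddresses_ip`; an explicit alias such as `IpAddress = tostring(NetworkAddresses.ip)` with `columnName: IpAddress` makes that contract visible rather than implicit. If `computer_network_addresses_s` carries an array of address objects rather than a single object, `NetworkAddresses.ip` resolves to empty and the IP entity is never populated, in which case an `mv-expand` before the `project` is needed — this cannot be confirmed from the sample data shown here. The `endtime` binding is actually the lookback window, so `lookback` would be a clearer name.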


@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 10, **Playbooks:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -64,7 +64,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"text": "This Microsoft Sentinel Solution installs the CMMC Workbook. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
@ -112,7 +112,7 @@
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for CybersecurityMaturityModelCertification(CMMC) that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"text": "This Microsoft Sentinel Solution installs analytic rules for CybersecurityMaturityModelCertification(CMMC) that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@ -274,7 +274,7 @@
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Microsoft Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
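Review bot: The new `description` string in the `basics` block still reads `Department of Defense (DoD stakeholders` — the closing parenthesis after `DoD` is missing and the text should be `Department of Defense (DoD) stakeholders`. The same sentence appears unchanged in the overview paragraph of the CMMC README touched by this commit, so both copies need the fix. The remaining hunks in this file are the Azure → Microsoft Sentinel rename and read consistently.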


@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"author": "TJ Banasik - thomas.banasik@microsoft.com",
"comments": "Solution template for CybersecurityMaturityModelCertification(CMMC)"
},
"parameters": {


@ -1,21 +1,30 @@
# Overview
---
## What is the Cybersecurity Maturity Model Certification?
The Cybersecurity Maturity Model Certification (CMMC) model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD stakeholders. The CMMC model specifies 5 levels of maturity measurement from Maturity Level 1 (Basic Cyber Hygiene) to Maturity Level 5 (Proactive & Advanced Cyber Practice). For more information, see the Office of the Under Secretary of Defense for Acquisition & Sustainment 💡[CMMC Model](https://www.acq.osd.mil/cmmc/draft.html).
## Disclaimer
The Azure Sentinel CMMC Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All accreditation requirements and decisions are governed by the 💡 [CMMC Accreditation Body](https://www.cmmcab.org/c3pao-lp). This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.
## Try on Portal
You can deploy the solution by clicking on the buttons below:
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCybersecurityMaturityModelCertification(CMMC)%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazurebutton"/></a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FCybersecurityMaturityModelCertification(CMMC)%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazuregovbutton"/></a>
![Workbook Overview](./CybersecurityMaturityModelCertification(CMMC)Workbook.png)
# Getting Started
This Solution is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and maturity level. This offering telemetry from 50+ Microsoft Security products, while only Azure Sentinel/Azure Security Center are required to get started, each offering provides additional enrichment for aligning with control requirements. Each CMMC control includes a Control Card detailing an overiew of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
This Solution is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. This workbook leverages Azure Policy, Azure Resource Graph, and Azure Log Analytics to align with Cybersecurity Maturity Model Certification control requirements. A filter set is available for custom reporting by guides, subscriptions, workspaces, time-filtering, control family, and maturity level. This offering telemetry from 50+ Microsoft Security products, while only Microsoft Sentinel/Azure Security Center are required to get started, each offering provides additional enrichment for aligning with control requirements. Each CMMC control includes a Control Card detailing an overview of requirements, primary/secondary controls, deep-links to referenced product pages/portals, recommendations, implementation guides, compliance cross-walks and tooling telemetry for building situational awareness of cloud workloads.
💡 [Deploy Azure CMMC Blueprint](https://docs.microsoft.com/azure/governance/blueprints/samples/cmmc-l3)<br>
💡 [Onboard Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)<br>
💡 [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)<br>
💡 [Onboard Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-get-started)<br>
💡 [Add the Azure Security Center: CMMC Assessment to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)<br>
💡 [Continuously Export Security Center Data to Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/continuous-export)<br>
💡 [Extend Azure Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)<br>
💡 [Extend Microsoft Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)<br>
# Workbook
The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to CMMC controls across the Microsoft portfolio including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices.
The Microsoft Sentinel CMMC Workbook provides a mechanism for viewing log queries, azure resource graph, and policies aligned to CMMC controls across the Microsoft portfolio including Microsoft security offerings, Office 365, Teams, and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices.
# Analytics
The Azure Sentinel CMMC Analytics rules include 10 Alerts designed to monitor CMMC compliance posture. The Alerts are organized by CMMC Control Family and leverage the Azure Security Center: SecurityRecommendation data source. Organziations can customize these alerts for time, subscription, workspace, maturity level, and compliance thresholds. These analytics allow security practictioners to actively monitor/alert on changes to CMMC compliance posture.
The Microsoft Sentinel CMMC Analytics Rules include 10 Alerts designed to monitor CMMC compliance posture. The Alerts are organized by CMMC Control Family and leverage the Azure Security Center: SecurityRecommendation data source. Organizations can customize these alerts for time, subscription, workspace, maturity level, and compliance thresholds. These analytics allow security practitioners to actively monitor/alert on changes to CMMC compliance posture.
# Playbook
This solution includes the Notify-Governance Compliance Team playbook. Playbooks are a Security Orchestration, Automation, & Response (SOAR) capability to automate manual tasks. This playbook should be configured as an automation action with the CMMC Analytics Rules. Upon triggering an Analytic Rule, this playbook captures respective details and both emails and posts a message in a Teams chat to the governance team. This automation increases response times while reducing the need to return to the workbook for monitoring.


@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThere has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 14, **Playbooks:** 3\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThere has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Microsoft Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Microsoft Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Workbooks:** 1, **Analytic Rules:** 14, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -64,7 +64,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
@ -109,7 +109,7 @@
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for IoTOTThreatMonitoringwithDefenderforIoT that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"text": "This Microsoft Sentinel Solution installs analytic rules for IoTOTThreatMonitoringwithDefenderforIoT that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@ -327,7 +327,7 @@
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Microsoft Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"



@ -166,7 +166,7 @@
"value": "Yes"
},
"customWidth": "20",
"name": "Azure Defender for IoT Logo"
"name": "Microsoft Defender for IoT Logo"
},
{
"type": 11,
@ -1239,7 +1239,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let sensorengine_ = dynamic('{_sensorengine}');\r\nSecurityAlert \r\n| where ProductName == \"Azure Security Center for IoT\" \r\n| extend Category_ = tostring(parse_json(ExtendedProperties).Category)\r\n| extend DeviceId_ = tostring(parse_json(ExtendedProperties).DeviceId)\r\n| extend SensorId_ = tostring(parse_json(ExtendedProperties).SensorId)\r\n| extend Address_ = tostring(parse_json(Entities)[0].Address)\r\n| extend Type1_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceId_ = tostring(parse_json(Entities)[0].DeviceId)\r\n| extend Type2_ = tostring(parse_json(tostring(parse_json(Entities)[0].IoTHub)).Type)\r\n| extend Type3_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceType_ = tostring(parse_json(Entities)[0].DeviceType)\r\n| extend Vendor_ = tostring(parse_json(Entities)[0].Vendor)\r\n| where DeviceType_ <> \"\"\r\n| summarize count() by DeviceType_\r\n| sort by count_ desc",
"query": "let sensorengine_ = dynamic('{_sensorengine}');\r\nSecurityAlert \r\n| where ProductName == \"Azure Security Center for IoT for IoT\" \r\n| extend Category_ = tostring(parse_json(ExtendedProperties).Category)\r\n| extend DeviceId_ = tostring(parse_json(ExtendedProperties).DeviceId)\r\n| extend SensorId_ = tostring(parse_json(ExtendedProperties).SensorId)\r\n| extend Address_ = tostring(parse_json(Entities)[0].Address)\r\n| extend Type1_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceId_ = tostring(parse_json(Entities)[0].DeviceId)\r\n| extend Type2_ = tostring(parse_json(tostring(parse_json(Entities)[0].IoTHub)).Type)\r\n| extend Type3_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceType_ = tostring(parse_json(Entities)[0].DeviceType)\r\n| extend Vendor_ = tostring(parse_json(Entities)[0].Vendor)\r\n| where DeviceType_ <> \"\"\r\n| summarize count() by DeviceType_\r\n| sort by count_ desc",
"size": 0,
"showAnalytics": true,
"title": "DEVICE_TYPE",
@ -1288,7 +1288,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let sensorengine_ = dynamic('{_sensorengine}');\r\nSecurityAlert \r\n| where ProductName == \"Azure Security Center for IoT\" \r\n| extend Category_ = tostring(parse_json(ExtendedProperties).Category)\r\n| extend DeviceId_ = tostring(parse_json(ExtendedProperties).DeviceId)\r\n| extend SensorId_ = tostring(parse_json(ExtendedProperties).SensorId)\r\n| extend Address_ = tostring(parse_json(Entities)[0].Address)\r\n| extend Type1_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceId_ = tostring(parse_json(Entities)[0].DeviceId)\r\n| extend Type2_ = tostring(parse_json(tostring(parse_json(Entities)[0].IoTHub)).Type)\r\n| extend Type3_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceType_ = tostring(parse_json(Entities)[0].DeviceType)\r\n| extend Vendor_ = tostring(parse_json(Entities)[0].Vendor)\r\n| where Vendor_ <> \"\"\r\n| summarize count() by Vendor_\r\n| sort by count_ desc",
"query": "let sensorengine_ = dynamic('{_sensorengine}');\r\nSecurityAlert \r\n| where ProductName == \"Azure Security Center for IoT for IoT\" \r\n| extend Category_ = tostring(parse_json(ExtendedProperties).Category)\r\n| extend DeviceId_ = tostring(parse_json(ExtendedProperties).DeviceId)\r\n| extend SensorId_ = tostring(parse_json(ExtendedProperties).SensorId)\r\n| extend Address_ = tostring(parse_json(Entities)[0].Address)\r\n| extend Type1_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceId_ = tostring(parse_json(Entities)[0].DeviceId)\r\n| extend Type2_ = tostring(parse_json(tostring(parse_json(Entities)[0].IoTHub)).Type)\r\n| extend Type3_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceType_ = tostring(parse_json(Entities)[0].DeviceType)\r\n| extend Vendor_ = tostring(parse_json(Entities)[0].Vendor)\r\n| where Vendor_ <> \"\"\r\n| summarize count() by Vendor_\r\n| sort by count_ desc",
"size": 0,
"showAnalytics": true,
"title": "VENDOR",
@ -1352,7 +1352,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let sensorengine_ = dynamic('{_sensorengine}');\r\nSecurityAlert \r\n| where ProductName == \"Azure Security Center for IoT\" \r\n| extend Category_ = tostring(parse_json(ExtendedProperties).Category)\r\n| extend DeviceId_ = tostring(parse_json(ExtendedProperties).DeviceId)\r\n| extend SensorId_ = tostring(parse_json(ExtendedProperties).SensorId)\r\n| extend Address_ = tostring(parse_json(Entities)[0].Address)\r\n| extend Type1_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceId_ = tostring(parse_json(Entities)[0].DeviceId)\r\n| extend Type2_ = tostring(parse_json(tostring(parse_json(Entities)[0].IoTHub)).Type)\r\n| extend Type3_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceType_ = tostring(parse_json(Entities)[0].DeviceType)\r\n| extend Vendor_ = tostring(parse_json(Entities)[0].Vendor)\r\n| where Address_ <> \"\"\r\n| summarize count() by Address_\r\n| sort by count_ desc",
"query": "let sensorengine_ = dynamic('{_sensorengine}');\r\nSecurityAlert \r\n| where ProductName == \"Azure Security Center for IoT for IoT\" \r\n| extend Category_ = tostring(parse_json(ExtendedProperties).Category)\r\n| extend DeviceId_ = tostring(parse_json(ExtendedProperties).DeviceId)\r\n| extend SensorId_ = tostring(parse_json(ExtendedProperties).SensorId)\r\n| extend Address_ = tostring(parse_json(Entities)[0].Address)\r\n| extend Type1_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceId_ = tostring(parse_json(Entities)[0].DeviceId)\r\n| extend Type2_ = tostring(parse_json(tostring(parse_json(Entities)[0].IoTHub)).Type)\r\n| extend Type3_ = tostring(parse_json(Entities)[0].Type)\r\n| extend DeviceType_ = tostring(parse_json(Entities)[0].DeviceType)\r\n| extend Vendor_ = tostring(parse_json(Entities)[0].Vendor)\r\n| where Address_ <> \"\"\r\n| summarize count() by Address_\r\n| sort by count_ desc",
"size": 0,
"showAnalytics": true,
"title": "IP_ADDRESS",
@ -2062,7 +2062,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityAlert\n| where AlertName in ('Suspicion of Malicious Activity (Stuxnet)', 'Suspicion of Malicious Activity (Poison Ivy)', 'Suspicion of Malicious Activity (Regin)', 'Suspicion of Malicious Activity (WannaCry)', 'Suspicion of NotPetya Malware - Illegal SMB Parameters Detected', 'Suspicion of Remote Code Execution with PsExec', 'Unauthorized Windows Service', 'Unexpected message length', 'Azure Security Center for IoT', 'Suspicion of Remote Windows Service Management', 'Unauthorized HTTP Activity', 'Unauthorized HTTP Server', 'Unauthorized Internet Connectivity Detected', 'Unauthorized SMB Login', 'Unauthorized SSH Access', 'Suspicion of Conficker Malware', 'Abnormal usage of MAC Addresses', 'Phish delivered due to an ETR override', 'User restricted from sending email', 'Email messages containing malicious URL removed after delivery', 'Anomalous email access detected', 'Phishing document leading to credential access, lateral movement and ADFS private key theft', 'Malicious link in email')\n| summarize count()\n\n\n",
"query": "SecurityAlert\n| where AlertName in ('Suspicion of Malicious Activity (Stuxnet)', 'Suspicion of Malicious Activity (Poison Ivy)', 'Suspicion of Malicious Activity (Regin)', 'Suspicion of Malicious Activity (WannaCry)', 'Suspicion of NotPetya Malware - Illegal SMB Parameters Detected', 'Suspicion of Remote Code Execution with PsExec', 'Unauthorized Windows Service', 'Unexpected message length', 'Azure Security Center for IoT for IoT', 'Suspicion of Remote Windows Service Management', 'Unauthorized HTTP Activity', 'Unauthorized HTTP Server', 'Unauthorized Internet Connectivity Detected', 'Unauthorized SMB Login', 'Unauthorized SSH Access', 'Suspicion of Conficker Malware', 'Abnormal usage of MAC Addresses', 'Phish delivered due to an ETR override', 'User restricted from sending email', 'Email messages containing malicious URL removed after delivery', 'Anomalous email access detected', 'Phishing document leading to credential access, lateral movement and ADFS private key theft', 'Malicious link in email')\n| summarize count()\n\n\n",
"size": 4,
"showAnalytics": true,
"title": "Initial Access",
@ -10652,7 +10652,7 @@
"size": 0,
"showAnalytics": true,
"title": "🟦 OT Asset Inventory",
"noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening • Controls: Confirm Licensing, Availability, and Health of Respective Offerings • Logging: Confirm Log Source is Onboarded to Azure Sentinel Workspace • Time: Adjust the Time Parameter for a Larger Data-Set ",
"noDataMessage": "An Empty Panel Provides Opportunity To Explore Further and Implement Hardening • Controls: Confirm Licensing, Availability, and Health of Respective Offerings • Logging: Confirm Log Source is Onboarded to Microsoft Sentinel Workspace • Time: Adjust the Time Parameter for a Larger Data-Set ",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",


@ -1,13 +1,22 @@
# Overview
There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Azure Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Azure Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.<br>
There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Microsoft Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Microsoft Sentinel (IT) alerting. This solution includes Workbooks, Analytics rules, and Playbooks providing a guide OT detection, Analysis, and Response.<br>
## Try on Portal
You can deploy the solution by clicking on the buttons below:
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FIoTOTThreatMonitoringwithDefenderforIoT%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazurebutton"/></a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FIoTOTThreatMonitoringwithDefenderforIoT%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazuregovbutton"/></a>
![Workbook Overview](./IoTOTThreatMonitoringwithDefenderforIoTBlack.png)
# Getting Started
1) [Onboard Microsoft Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub)<br>
2) [Onboard Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)<br>
3) [Enable Microsoft Defender for IoT Connector to Azure Sentinel](https://docs.microsoft.com/azure/defender-for-iot/organizations/how-to-configure-with-sentinel)<br>
4) View the Workbook: Navigate to Azure Sentinel > Workbooks > My Workbooks > IoT/OT Threat Monitoring with Defender for IoT > View<br>
5) View the Analytics Rules: Navigate to Azure Sentinel > Analytics > Search "IOT"<br>
6) View the Playbooks: Navigate to Azure Sentinel> Automation > Playbooks > Search "IOT"<br>
2) [Onboard Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)<br>
3) [Enable Microsoft Defender for IoT Connector to Microsoft Sentinel](https://docs.microsoft.com/azure/defender-for-iot/organizations/how-to-configure-with-sentinel)<br>
4) View the Workbook: Navigate to Microsoft Sentinel > Workbooks > My Workbooks > IoT/OT Threat Monitoring with Defender for IoT > View<br>
5) View the Analytics Rules: Navigate to Microsoft Sentinel > Analytics > Search "IOT"<br>
6) View the Playbooks: Navigate to Microsoft Sentinel> Automation > Playbooks > Search "IOT"<br>
# Workbook
The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, and Asset Inventory. The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture.<br>
@ -50,4 +59,4 @@ The following playbook will send mail to notify specific stake holders. One exam
## 3) New Asset ServiceNow Ticket
Normally, the authorized entity to program a PLC is the Engineering Workstation, to program a PLC attackers might create a new Engineering Workstation to create malicious programing. The following playbook will open a ticket in ServiceNow each time a new Engineering Workstation is detected. This playbook parses explicitly the IoT device entity fields. For more information, see [AD4IoT-NewAssetServiceNowTicket](https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/AD4IoT-NewAssetServiceNowTicket/readme.md)<br>
## 4) Get OT Device CVEs
This playbook will get device CVEs from Defender for IoT. The CVEs will be written to a JSON blob in Azure Storage and a link will be added to the Azure Sentinel Incident comments. For more information, see [Get-AD4IoTDeviceCVEs](https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-AD4IoTDeviceCVEs/readme.md)<br>
This playbook will get device CVEs from Defender for IoT. The CVEs will be written to a JSON blob in Azure Storage and a link will be added to the Microsoft Sentinel Incident comments. For more information, see [Get-AD4IoTDeviceCVEs](https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-AD4IoTDeviceCVEs/readme.md)<br>


@ -1,7 +1,7 @@
id: b81ed294-28cf-48c3-bac8-ac60dcef293b
name: (Preview) Insider Risk - Sensitive Data Access Outside Organziational Geolocations
name: (Preview) Insider Risk - Sensitive Data Access Outside Organizational Geo-location
description: |
'This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geolocation. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geolocations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Azure Sentinel watchlists. Accessing sensitive data from a new or unauthorized geolocation warrants further review. For more information see [Sign-in logs in Azure Active Directory: Location Filtering](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)'
'This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geo-locations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Azure Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review. For more information see [Sign-in logs in Azure Active Directory: Location Filtering](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)'
severity: High
requiredDataConnectors:
- connectorId: AzureInformationProtection
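Review bot: The new description on the `description:` line still says "correlations against Azure Sentinel watchlists" while the rest of this commit rebrands that phrase to Microsoft Sentinel, so the rule text now drifts from the same rule's blurb in the solution's createUiDefinition, which reads `Microsoft Sentinel watchlists`. The two copies also now disagree on spelling: the rule says "geo-location" and the UI definition keeps "geolocation". Suggest `There is an option for configuration of correlations against Microsoft Sentinel watchlists.` here and picking one spelling for both files so the gallery and the installer describe the rule identically.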


@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft 365 Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (5) Analytics Rules, (1) Playbook automation and the Microsoft 365 Insider Risk Management connector. 
While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:\n\n- [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview?view=o365-worldwide)\n- [Microsoft 365 Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-worldwide)\n- [Microsoft 365 Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery?view=o365-worldwide)\n- [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender?rtc=1)\n- [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection?view=o365-worldwide)\n- [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\n- [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks) [(Bring Your Own Machine Learning)](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml)\n- [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1)\n- [Microsoft Defender for Identity](https://www.microsoft.com/security/business/threat-protection/identity-defender?rtc=1)\n- [Microsoft Defender for Cloud Apps](https://www.microsoft.com/security/business/cloud-apps-defender?rtc=1)\n- [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender?rtc=1)\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about 
Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft 365 Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (5) Analytics Rules, (1) Playbook automation and the Microsoft 365 Insider Risk Management connector. 
While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:\n\n- [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview?view=o365-worldwide)\n- [Microsoft 365 Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-worldwide)\n- [Microsoft 365 Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery?view=o365-worldwide)\n- [Microsoft 365 Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender?rtc=1)\n- [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection?view=o365-worldwide)\n- [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\n- [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks) [(Bring Your Own Machine Learning)](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml)\n- [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1)\n- [Microsoft Defender for Identity](https://www.microsoft.com/security/business/threat-protection/identity-defender?rtc=1)\n- [Microsoft Defender for Cloud Apps](https://www.microsoft.com/security/business/cloud-apps-defender?rtc=1)\n- [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender?rtc=1)\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about 
Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -64,7 +64,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
@ -80,7 +80,7 @@
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Azure Sentinel: Insider Risk Management Workbook demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest."
"text": "The Microsoft Sentinel: Insider Risk Management Workbook demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Microsoft Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Microsoft Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest."
}
},
{
@ -112,7 +112,7 @@
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for MicrosoftInsiderRiskManagement that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"text": "This Microsoft Sentinel Solution installs analytic rules for MicrosoftInsiderRiskManagement that you can enable for custom alert generation in Microsoft Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
@ -128,7 +128,7 @@
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins SecurityAlerts from Microsoft Products with SecurityIncidents from Azure Sentinel and Microsoft 365 Defender. This join allows for identifying patterns in user principal names associated with respective security alerts. A machine learning function (Basket) is leveraged with a .001 threshold. Baset finds all frequent patterns of discrete attributes (dimensions) in the data. It returns the frequent patterns passed the frequency threshold. This query evaluates UserPrincipalName for patterns in SecurityAlerts and Reporting Security Tools. This query can be further tuned/configured for higher confidence percentages, security products, or alert severities pending the needs of the organization. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information on the basket plugin, see [basket plugin](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin)"
"text": "This alert joins SecurityAlerts from Microsoft Products with SecurityIncidents from Microsoft Sentinel and Microsoft 365 Defender. This join allows for identifying patterns in user principal names associated with respective security alerts. A machine learning function (Basket) is leveraged with a .001 threshold. Baset finds all frequent patterns of discrete attributes (dimensions) in the data. It returns the frequent patterns passed the frequency threshold. This query evaluates UserPrincipalName for patterns in SecurityAlerts and Reporting Security Tools. This query can be further tuned/configured for higher confidence percentages, security products, or alert severities pending the needs of the organization. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information on the basket plugin, see [basket plugin](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin)"
}
}
]
@ -142,7 +142,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products (MCAS, MDE, ASC, etc.) with Microsoft Incident Generating Products (Azure Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Investigate incidents with Azure Sentinel]( https://docs.microsoft.com/azure/sentinel/investigate-cases)."
"text": "This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products (MCAS, MDE, ASC, etc.) with Microsoft Incident Generating Products (Microsoft Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Investigate incidents with Microsoft Sentinel]( https://docs.microsoft.com/azure/sentinel/investigate-cases)."
}
}
]
@ -156,7 +156,7 @@
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert is triggered when a Microsoft 365 Insider Risk Management alert is recieved in Azure Sentinel via the Microsoft 365 Insider Risk Management Connector. The alert extracts usernames from security alerts to provide UserPrincipalName, Alert Name, Reporting Product Name, Status, Alert Link, Previous Alerts Links, Time Generated. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Learn about insider risk management in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management)"
"text": "This alert is triggered when a Microsoft 365 Insider Risk Management alert is recieved in Microsoft Sentinel via the Microsoft 365 Insider Risk Management Connector. The alert extracts usernames from security alerts to provide UserPrincipalName, Alert Name, Reporting Product Name, Status, Alert Link, Previous Alerts Links, Time Generated. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Learn about insider risk management in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management)"
}
}
]
@ -170,7 +170,7 @@
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geolocation. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geolocations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Azure Sentinel watchlists. Accessing sensitive data from a new or unauthorized geolocation warrants further review. For more information see [Sign-in logs in Azure Active Directory: Location Filtering](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)"
"text": "This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geolocation. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geolocations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geolocation warrants further review. For more information see [Sign-in logs in Azure Active Directory: Location Filtering](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins)"
}
}
]
@ -184,7 +184,7 @@
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This alert evaluates Azure Active Directory Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Azure Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)"
"text": "This alert evaluates Azure Active Directory Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)"
}
}
]
@ -200,7 +200,7 @@
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for MicrosoftInsiderRiskManagement that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"text": "This Microsoft Sentinel Solution installs hunting queries for MicrosoftInsiderRiskManagement that you can run in Microsoft Sentinel. These hunting queries will be deployed in the Hunting gallery of your Microsoft Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
@ -216,7 +216,7 @@
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query joins Azure Sentinel UEBA with Microsoft 365 Insider Risk Management Alerts. There is also an option for configuration of correlations against watchlists. For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the BehaviorAnalytics OfficeATP data connector and BehaviorAnalytics SecurityAlert (Office 365) data type and BehaviorAnalytics OfficeATP parser."
"text": "This query joins Microsoft Sentinel UEBA with Microsoft 365 Insider Risk Management Alerts. There is also an option for configuration of correlations against watchlists. For more information, see https://docs.microsoft.com/azure/sentinel/watchlists It depends on the BehaviorAnalytics OfficeATP data connector and BehaviorAnalytics SecurityAlert (Office 365) data type and BehaviorAnalytics OfficeATP parser."
}
}
]
@ -292,7 +292,7 @@
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Microsoft Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Microsoft Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
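Review bot: The new `description` value in the basics hunk appears to break across physical lines after "connector. " and after "Learn more about " — if those are literal line breaks inside the JSON string rather than a rendering wrap, a strict parser will reject the file, since RFC 8259 does not allow unescaped control characters in strings; please confirm and encode them as `\n` like the rest of the string does. The rebrand also carries a few text defects forward on the new side: `Baset finds all frequent patterns` in analytic1-text should read `Basket finds all frequent patterns`, `recieved` in analytic3-text should be `received`, and the link in analytic2-text, `[Investigate incidents with Microsoft Sentinel]( https://docs.microsoft.com/azure/sentinel/investigate-cases)`, has a leading space inside the parentheses that some markdown renderers will not treat as a link target. These are installer-facing strings, so the typos show up in the portal for every customer who deploys the solution.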



@ -169,7 +169,7 @@
"value": "Yes"
},
"customWidth": "21",
"name": "Azure Sentinel Logo"
"name": "Microsoft Sentinel Logo"
},
{
"type": 12,
@ -238,7 +238,7 @@
{
"type": 1,
"content": {
"json": "# ✳️ [Getting Started](https://docs.microsoft.com/azure/sentinel/prerequisites)\n---\n\nThis workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. All panels use dynamic display, meaning they only display if data/results are available. Recommended onboarding steps are included below, note user experience will vary by workload. <br>\n<br>\n1⃣ Onboard 💡[Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard) and 💡[Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)<br>\n2⃣ Enable the 💡[Microsoft 365 Insider Risk Management Export Alerts (Preview) Feature](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings#export-alerts-preview)<br>\n3⃣ Enable the Azure Sentinel Insider Risk Management Connector Preview via [Feature Flag](https://aka.ms/OfficeIRM)<br>\n4⃣ Configure the Azure Sentinel IRM Connector. Open IRM Connector Page > Connect<br>\n5⃣ Enable 💡[Azure Sentinel User Entity Behavior Analytics](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)<br>\n6⃣ Configure an 💡[Azure Sentinel Watchlist via SearchKey Columns](https://docs.microsoft.com/azure/sentinel/watchlists)<br>\n\n\n\n"
"json": "# ✳️ [Getting Started](https://docs.microsoft.com/azure/sentinel/prerequisites)\n---\n\nThis workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. All panels use dynamic display, meaning they only display if data/results are available. Recommended onboarding steps are included below, note user experience will vary by workload. <br>\n<br>\n1⃣ Onboard 💡[Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard) and 💡[Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)<br>\n2⃣ Enable the 💡[Microsoft 365 Insider Risk Management Export Alerts (Preview) Feature](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings#export-alerts-preview)<br>\n3⃣ Enable the Microsoft Sentinel Insider Risk Management Connector Preview via [Feature Flag](https://aka.ms/OfficeIRM)<br>\n4⃣ Configure the Microsoft Sentinel IRM Connector. Open IRM Connector Page > Connect<br>\n5⃣ Enable 💡[Microsoft Sentinel User Entity Behavior Analytics](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)<br>\n6⃣ Configure an 💡[Microsoft Sentinel Watchlist via SearchKey Columns](https://docs.microsoft.com/azure/sentinel/watchlists)<br>\n\n\n\n"
},
"customWidth": "45",
"name": "text - 2",
@ -257,7 +257,7 @@
{
"type": 1,
"content": {
"json": "# ✳️ [Recommended Enrichments](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\n---\nThis workbook leverages 25+ Microsoft Security products. While only Azure Sentinel is mandatory for this solution, the following offerings provide enrichments:<br>\n\n✳ [Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview)<br>\n✳ [Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)<br>\n✳ [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection)<br>\n✳ [Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery)<br>\n✳ [Azure Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks)<br>\n✳ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)<br>\n✳ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)<br>\n✳ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)<br>\n✳ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) <br>\n✳ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)<br>\n✳ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)<br>\n\n\n"
"json": "# ✳️ [Recommended Enrichments](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\n---\nThis workbook leverages 25+ Microsoft Security products. While only Microsoft Sentinel is mandatory for this solution, the following offerings provide enrichments:<br>\n\n✳ [Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview)<br>\n✳ [Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)<br>\n✳ [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection)<br>\n✳ [Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery)<br>\n✳ [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks)<br>\n✳ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)<br>\n✳ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)<br>\n✳ [Microsoft Defender for Cloud Apps](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)<br>\n✳ [Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender) <br>\n✳ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)<br>\n✳ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)<br>\n\n\n"
},
"customWidth": "45",
"name": "text - 11",
@ -378,7 +378,7 @@
{
"type": 1,
"content": {
"json": "# ✳️[Insider Risk](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-solution-overview)\n---\n\nThis section is designed to aggregate signal, telemetry, and alerting from 25+ Microsoft products. Looking across all data collected by Azure Sentinel provides a starting point to identity risk. Capabilities in this section are organized by tabs below and include Microft 365 Insider Risk Management Alerts, User & Entity Behavior Analytics, Artificial Intelligence & Machine Learning, Sensitive Data Leaks, and Security Violations. <br>\n\n\n\n"
"json": "# ✳️[Insider Risk](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-solution-overview)\n---\n\nThis section is designed to aggregate signal, telemetry, and alerting from 25+ Microsoft products. Looking across all data collected by Microsoft Sentinel provides a starting point to identity risk. Capabilities in this section are organized by tabs below and include Microft 365 Insider Risk Management Alerts, User & Entity Behavior Analytics, Artificial Intelligence & Machine Learning, Sensitive Data Leaks, and Security Violations. <br>\n\n\n\n"
},
"customWidth": "50",
"name": "text - 2",
@ -518,7 +518,7 @@
"size": 0,
"showAnalytics": true,
"title": "Microsoft 365: Insider Risk Management Alerts by User",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -739,7 +739,7 @@
"size": 0,
"showAnalytics": true,
"title": "Microsoft 365: Insider Risk Management Alerts over Time",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -960,7 +960,7 @@
"size": 0,
"showAnalytics": true,
"title": "Microsoft 365: Insider Risk Management Alert Details",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -1490,7 +1490,7 @@
"size": 0,
"showAnalytics": true,
"title": "Entity Behavior Analytics Alerts",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -1625,7 +1625,7 @@
"size": 0,
"showAnalytics": true,
"title": "User Anomalies",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -1788,7 +1788,7 @@
"size": 3,
"showAnalytics": true,
"title": "Anomalous Activity by Geolocation",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -1938,7 +1938,7 @@
"size": 0,
"showAnalytics": true,
"title": "Anomalous Activity by User & GeoLocation",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -2795,7 +2795,7 @@
{
"type": 1,
"content": {
"json": "# ✴️[Artificial Intelligence & Machine Learning (AI/ML)](https://docs.microsoft.com/azure/sentinel/work-with-anomaly-rules)\r\n---\r\nMachine Learning (ML) is one of the major underpinnings of Azure Sentinel, and one of the main attributes that set it apart. Azure Sentinel offers ML in several experiences: built-in to the 💡 [Fusion](https://docs.microsoft.com/azure/sentinel/fusion) correlation engine and Jupyter notebooks, and the newly available Build-Your-Own ML (BYOML) platform. ML detection models can adapt to individual environments and to changes in user behavior, to reduce 💡[false positives](https://docs.microsoft.com/azure/sentinel/false-positives) and identify threats that wouldn't be found with a traditional approach. Many security organizations understand the value of ML for security, though not many of them have the luxury of professionals who have expertise in both security and ML. We designed the framework presented here for security organizations and professionals to grow with us in their ML journey. Organizations new to ML, or without the necessary expertise, can get significant protection value out of Azure Sentinel's built-in ML capabilities. 
There are several layers and components of Microsoft's AI/ML offerings for security detections which include, but are not limited to:<br>\r\n<br>\r\n1⃣ KQL Query: 💡[Autocluster](https://docs.microsoft.com/azure/data-explorer/kusto/query/autoclusterplugin), 💡[Basket](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin), & 💡[DiffPatterns](https://docs.microsoft.com/azure/data-explorer/kusto/query/diffpatternsplugin)<br> 2⃣ Built-in Tooling Algorithms: 💡[Detect Threats Out-Of-The-Box](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in), 💡[Optical Character Recognition](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-feature-reference#optical-character-recognition-ocr), & 💡[Trainable Classifiers](https://docs.microsoft.com/microsoft-365/compliance/classifier-get-started-with)<br>\r\n3⃣ User and Entity Behavior Analytics: 💡[Azure Sentinel UEBA](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics), 💡[M365 Insider Risk Management UEBA](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-cases), & 💡[Microsoft Cloud App Security UEBA](https://docs.microsoft.com/cloud-app-security/tutorial-suspicious-activity)<br>\r\n5⃣ Advanced Multistage Attack Detection: 💡[Fusion Rules](https://docs.microsoft.com/azure/sentinel/fusion#enable-fusion-rule), & 💡[SOC-ML Anomaly Rules](https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies) <br>\r\n6⃣ Bring Your Own Machine Learning & Trainable Algorithms: 💡[Azure Sentinel BYOML](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml), 💡[Azure Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks), & 💡[Machine Learning Studio](https://docs.microsoft.com/azure/machine-learning/overview-what-is-machine-learning-studio)\r\n\r\n\r\n\r\n"
"json": "# ✴️[Artificial Intelligence & Machine Learning (AI/ML)](https://docs.microsoft.com/azure/sentinel/work-with-anomaly-rules)\r\n---\r\nMachine Learning (ML) is one of the major underpinnings of Microsoft Sentinel, and one of the main attributes that set it apart. Microsoft Sentinel offers ML in several experiences: built-in to the 💡 [Fusion](https://docs.microsoft.com/azure/sentinel/fusion) correlation engine and Jupyter notebooks, and the newly available Build-Your-Own ML (BYOML) platform. ML detection models can adapt to individual environments and to changes in user behavior, to reduce 💡[false positives](https://docs.microsoft.com/azure/sentinel/false-positives) and identify threats that wouldn't be found with a traditional approach. Many security organizations understand the value of ML for security, though not many of them have the luxury of professionals who have expertise in both security and ML. We designed the framework presented here for security organizations and professionals to grow with us in their ML journey. Organizations new to ML, or without the necessary expertise, can get significant protection value out of Microsoft Sentinel's built-in ML capabilities. 
There are several layers and components of Microsoft's AI/ML offerings for security detections which include, but are not limited to:<br>\r\n<br>\r\n1⃣ KQL Query: 💡[Autocluster](https://docs.microsoft.com/azure/data-explorer/kusto/query/autoclusterplugin), 💡[Basket](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin), & 💡[DiffPatterns](https://docs.microsoft.com/azure/data-explorer/kusto/query/diffpatternsplugin)<br> 2⃣ Built-in Tooling Algorithms: 💡[Detect Threats Out-Of-The-Box](https://docs.microsoft.com/azure/sentinel/detect-threats-built-in), 💡[Optical Character Recognition](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-feature-reference#optical-character-recognition-ocr), & 💡[Trainable Classifiers](https://docs.microsoft.com/microsoft-365/compliance/classifier-get-started-with)<br>\r\n3⃣ User and Entity Behavior Analytics: 💡[Microsoft Sentinel UEBA](https://docs.microsoft.com/azure/sentinel/identify-threats-with-entity-behavior-analytics), 💡[M365 Insider Risk Management UEBA](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-cases), & 💡[Microsoft Defender for Cloud Apps UEBA](https://docs.microsoft.com/cloud-app-security/tutorial-suspicious-activity)<br>\r\n5⃣ Advanced Multistage Attack Detection: 💡[Fusion Rules](https://docs.microsoft.com/azure/sentinel/fusion#enable-fusion-rule), & 💡[SOC-ML Anomaly Rules](https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies) <br>\r\n6⃣ Bring Your Own Machine Learning & Trainable Algorithms: 💡[Microsoft Sentinel BYOML](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml), 💡[Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks), & 💡[Machine Learning Studio](https://docs.microsoft.com/azure/machine-learning/overview-what-is-machine-learning-studio)\r\n\r\n\r\n\r\n"
},
"customWidth": "50",
"name": "text - 179"
@ -2816,7 +2816,7 @@
"size": 0,
"showAnalytics": true,
"title": "Fusion Alerts",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Advanced multistage attack detection in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/fusion)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Advanced multistage attack detection in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/fusion)",
"timeContext": {
"durationMs": 7776000000
},
@ -3037,7 +3037,7 @@
"size": 0,
"showAnalytics": true,
"title": "Fusion Alerts over Time",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Advanced multistage attack detection in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/fusion)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Advanced multistage attack detection in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/fusion)",
"timeContext": {
"durationMs": 7776000000
},
@ -3255,7 +3255,7 @@
"size": 0,
"showAnalytics": true,
"title": "Anomaly Alerts",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -3476,7 +3476,7 @@
"size": 0,
"showAnalytics": true,
"title": "Anomaly Alerts",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -3697,7 +3697,7 @@
"size": 0,
"showAnalytics": true,
"title": "Creation of An Anomalous Number of Resources (Outliers) by UserName",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -3922,7 +3922,7 @@
"size": 0,
"showAnalytics": true,
"title": "Deletion of An Anomalous Number of Resources (Outliers) by UserName",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -4144,7 +4144,7 @@
"size": 0,
"showAnalytics": true,
"title": "Security Alert Frequency by Basket",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -4375,7 +4375,7 @@
"size": 0,
"showAnalytics": true,
"title": "Security Alert Autocluster (Tool Efficiency Tuning)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -4606,7 +4606,7 @@
"size": 0,
"showAnalytics": true,
"title": "Risky Application Access (Basket)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Azure Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Use SOC-ML anomalies to detect threats in Microsoft Sentinel (https://docs.microsoft.com/azure/sentinel/soc-ml-anomalies)",
"timeContext": {
"durationMs": 7776000000
},
@ -5020,7 +5020,7 @@
"size": 3,
"showAnalytics": true,
"title": "Sensitive Data Access by Geolocation",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -5170,7 +5170,7 @@
"size": 0,
"showAnalytics": true,
"title": "Sensitive Data Access by Geolocation Details",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -5386,7 +5386,7 @@
"query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct AlertName, ProductName, Status, AlertLink, UserPrincipalName, Tactics, TimeGenerated\r\n| where AlertName contains \"sensitive\" or AlertName contains \"data\" or AlertName contains \"leak\" or Tactics contains \"exfil\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by AlertName\r\n| render timechart",
"size": 0,
"title": "Sensitive Data Leaks over Time",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -5605,7 +5605,7 @@
"query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\r\n| where AlertName contains \"sensitive\" or AlertName contains \"data\" or AlertName contains \"leak\" or Tactics contains \"exfil\" or AlertName contains \"theft\" or AlertName contains \"steal\" or AlertName contains \"PII\" or AlertName contains \"intellectual\" or AlertName contains \"confidential\" or AlertName contains \"spill\"\r\n| sort by TimeGenerated desc\r\n| limit 250",
"size": 0,
"title": "Sensitive Data Leaks Alert Details",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -5839,7 +5839,7 @@
"query": "InformationProtectionLogs_CL\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by LabelName_s, ApplicationName_s\r\n| render timechart ",
"size": 0,
"title": "Microsoft Information Protection Document Access by Labels",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -6059,7 +6059,7 @@
"query": "InformationProtectionLogs_CL\r\n| summarize count() by LabelName_s\r\n| render piechart",
"size": 0,
"title": "Microsoft Information Protection Access by Label",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -6280,7 +6280,7 @@
"size": 0,
"showAnalytics": true,
"title": "Microsoft Information Protection Details",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -6562,7 +6562,7 @@
{
"type": 1,
"content": {
"json": "# ✴️[Security Alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\n---\n\nAlerts triggered in Microsoft security solutions that are connected to Azure Sentinel, such as Microsoft Cloud App Security and Microsoft Defender for Identity (formerly Azure ATP), do not automatically create incidents in Azure Sentinel. By default, when you connect a Microsoft solution to Azure Sentinel, any alert generated in that service will be stored as raw data in Azure Sentinel, in the Security Alert table in your Azure Sentinel workspace. You can then use that data like any other raw data you connect into Azure Sentinel.\n\n\n\n\n"
"json": "# ✴️[Security Alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\n---\n\nAlerts triggered in Microsoft security solutions that are connected to Microsoft Sentinel, such as Microsoft Defender for Cloud Apps and Microsoft Defender for Identity (formerly Azure ATP), do not automatically create incidents in Microsoft Sentinel. By default, when you connect a Microsoft solution to Microsoft Sentinel, any alert generated in that service will be stored as raw data in Microsoft Sentinel, in the Security Alert table in your Microsoft Sentinel workspace. You can then use that data like any other raw data you connect into Microsoft Sentinel.\n\n\n\n\n"
},
"customWidth": "50",
"name": "text - 2",
@ -6578,7 +6578,7 @@
"size": 3,
"showAnalytics": true,
"title": "Security Alerts by Geolocation",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -6723,7 +6723,7 @@
"size": 0,
"showAnalytics": true,
"title": "Security Alerts by Geolocation Details",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). See Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)",
"timeContext": {
"durationMs": 7776000000
},
@ -6934,7 +6934,7 @@
"query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| where UserPrincipalName <> \"\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by AlertName\r\n| render timechart",
"size": 0,
"title": "Security Alerts over Time",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -7153,7 +7153,7 @@
"query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| where UserPrincipalName !contains \"[\"\r\n| where UserPrincipalName <> \"\"\r\n| summarize count() by UserPrincipalName\r\n| sort by count_ desc\r\n| limit 250",
"size": 0,
"title": "Security Alerts by User",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -7388,7 +7388,7 @@
"query": "SecurityAlert\r\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\r\n | mv-expand todynamic(Entities)\r\n | where Entities[\"Type\"] =~ \"account\"\r\n | extend Name = tostring(tolower(Entities[\"Name\"])), NTDomain = tostring(Entities[\"NTDomain\"]), UPNSuffix = tostring(Entities[\"UPNSuffix\"]), AadUserId = tostring(Entities[\"AadUserId\"]), AadTenantId = tostring(Entities[\"AadTenantId\"]), \r\n Sid = tostring(Entities[\"Sid\"]), IsDomainJoined = tobool(Entities[\"IsDomainJoined\"]), Host = tostring(Entities[\"Host\"])\r\n | extend UPN = iff(Name != \"\" and UPNSuffix != \"\", strcat(Name, \"@\", UPNSuffix), \"\")\r\n| extend Href_ = tostring(parse_json(ExtendedLinks)[0].Href)\r\n| extend UserPrincipalName = UPN\r\n| distinct UserPrincipalName, AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\r\n| where UserPrincipalName <> \"\"\r\n| where UserPrincipalName !contains \"[\"\r\n| sort by TimeGenerated desc\r\n| limit 250",
"size": 0,
"title": "Security Alert Details",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Azure Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"noDataMessage": "There are no results within the selected thresholds (time, workspace, subscription). Confirm Security Alerts are onboarded to Microsoft Sentinel and see Getting Started with Insider Risk Management for respective IRM configurations (https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)",
"timeContext": {
"durationMs": 7776000000
},
@ -7642,7 +7642,7 @@
{
"type": 1,
"content": {
"json": "# ✳️ [Watchlists](https://docs.microsoft.com/azure/sentinel/watchlists)\n---\n\nAzure Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Azure Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. This section's panels require Azure Sentinel Watchlists. Your available Watchlists are displayed in the first panel below, if this panel is blank, configure watchlists as needed. This section requires that Watchlists are configured with use of the SearchKey column which groups queries to UserPrincipalName, AADEmail, Caller and respective user identifier fields. For more information, see 💡[Use Watchlists in Queries](https://docs.microsoft.com/azure/sentinel/watchlists#use-watchlists-in-queries). \n\n\n\n"
"json": "# ✳️ [Watchlists](https://docs.microsoft.com/azure/sentinel/watchlists)\n---\n\nMicrosoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. This section's panels require Microsoft Sentinel Watchlists. Your available Watchlists are displayed in the first panel below, if this panel is blank, configure watchlists as needed. This section requires that Watchlists are configured with use of the SearchKey column which groups queries to UserPrincipalName, AADEmail, Caller and respective user identifier fields. For more information, see 💡[Use Watchlists in Queries](https://docs.microsoft.com/azure/sentinel/watchlists#use-watchlists-in-queries). \n\n\n\n"
},
"customWidth": "50",
"name": "text - 2",
@ -11926,7 +11926,7 @@
{
"type": 1,
"content": {
"json": "# ✴️ [Security Alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\n---\n\nAlerts triggered in Microsoft security solutions that are connected to Azure Sentinel, such as Microsoft Cloud App Security and Microsoft Defender for Identity (formerly Azure ATP), do not automatically create incidents in Azure Sentinel. By default, when you connect a Microsoft solution to Azure Sentinel, any alert generated in that service will be stored as raw data in Azure Sentinel, in the Security Alert table in your Azure Sentinel workspace. You can then use that data like any other raw data you connect into Azure Sentinel. You can easily configure Azure Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution.\n\n\n\n"
"json": "# ✴️ [Security Alerts](https://docs.microsoft.com/azure/sentinel/create-incidents-from-alerts)\n---\n\nAlerts triggered in Microsoft security solutions that are connected to Microsoft Sentinel, such as Microsoft Defender for Cloud Apps and Microsoft Defender for Identity (formerly Azure ATP), do not automatically create incidents in Microsoft Sentinel. By default, when you connect a Microsoft solution to Microsoft Sentinel, any alert generated in that service will be stored as raw data in Microsoft Sentinel, in the Security Alert table in your Microsoft Sentinel workspace. You can then use that data like any other raw data you connect into Microsoft Sentinel. You can easily configure Microsoft Sentinel to automatically create incidents every time an alert is triggered in a connected Microsoft security solution.\n\n\n\n"
},
"customWidth": "45",
"name": "text - 2",
@ -17541,7 +17541,7 @@
"version": "KqlParameterItem/1.0",
"name": "Results67",
"type": 1,
"query": "let opValues = dynamic([\"microsoft.insights/workbooks/write\", \"microsoft.insights/workbooks/delete\"]);\r\n// Azure Sentinel Workbook Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
"query": "let opValues = dynamic([\"microsoft.insights/workbooks/write\", \"microsoft.insights/workbooks/delete\"]);\r\n// Microsoft Sentinel Workbook Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
"crossComponentResources": [
"{Workspace}"
],
@ -17615,7 +17615,7 @@
"version": "KqlParameterItem/1.0",
"name": "Results69",
"type": 1,
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/alertRules/write\", \"Microsoft.SecurityInsights/alertRules/delete\"]);\r\n// Azure Sentinel Analytics - Rule Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/alertRules/write\", \"Microsoft.SecurityInsights/alertRules/delete\"]);\r\n// Microsoft Sentinel Analytics - Rule Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
"crossComponentResources": [
"{Workspace}"
],
@ -17726,7 +17726,7 @@
"version": "KqlParameterItem/1.0",
"name": "Results72",
"type": 1,
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/dataConnectors/write\", \"Microsoft.SecurityInsights/dataConnectors/delete\"]);\r\n// Azure Sentinel Data Connectors Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/dataConnectors/write\", \"Microsoft.SecurityInsights/dataConnectors/delete\"]);\r\n// Microsoft Sentinel Data Connectors Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| limit 1\r\n| summarize count()\r\n| extend Results = iff(count_ ==0, \"No\", \"Yes\")\r\n| project Results",
"crossComponentResources": [
"{Workspace}"
],
@ -18459,10 +18459,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let opValues = dynamic([\"microsoft.insights/workbooks/write\", \"microsoft.insights/workbooks/delete\"]);\r\n// Azure Sentinel Workbook Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| summarize count() by Caller, ResourceId\r\n| limit 250\r\n| sort by count_ desc\r\n\r\n\r\n",
"query": "let opValues = dynamic([\"microsoft.insights/workbooks/write\", \"microsoft.insights/workbooks/delete\"]);\r\n// Microsoft Sentinel Workbook Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| summarize count() by Caller, ResourceId\r\n| limit 250\r\n| sort by count_ desc\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Azure Sentinel Workbooks Administrative Operations",
"title": "Microsoft Sentinel Workbooks Administrative Operations",
"timeContext": {
"durationMs": 7776000000
},
@ -18707,10 +18707,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/alertRules/write\", \"Microsoft.SecurityInsights/alertRules/delete\"]);\r\n// Azure Sentinel Analytics - Rule Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| summarize count() by Caller\r\n| sort by count_ desc\r\n\r\n\r\n",
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/alertRules/write\", \"Microsoft.SecurityInsights/alertRules/delete\"]);\r\n// Microsoft Sentinel Analytics - Rule Create / Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| summarize count() by Caller\r\n| sort by count_ desc\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Azure Sentinel Analytics Rules Administrative Operations",
"title": "Microsoft Sentinel Analytics Rules Administrative Operations",
"timeContext": {
"durationMs": 7776000000
},
@ -19084,10 +19084,10 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/dataConnectors/write\", \"Microsoft.SecurityInsights/dataConnectors/delete\"]);\r\n// Azure Sentinel Data Connectors Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| summarize count() by Caller, ResourceId\r\n| limit 250\r\n| sort by count_ desc\r\n\r\n\r\n",
"query": "let opValues = dynamic([\"Microsoft.SecurityInsights/dataConnectors/write\", \"Microsoft.SecurityInsights/dataConnectors/delete\"]);\r\n// Microsoft Sentinel Data Connectors Update / Delete\r\nAzureActivity\r\n| where Caller in ({UserPrincipalName})\r\n| where Category == \"Administrative\"\r\n| where OperationNameValue in (opValues)\r\n| where ActivitySubstatusValue in (\"Created\", \"OK\")\r\n| sort by TimeGenerated desc\r\n| where Caller in ({UserPrincipalName})\r\n| summarize count() by Caller, ResourceId\r\n| limit 250\r\n| sort by count_ desc\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Azure Sentinel Connectors Administrative Operations",
"title": "Microsoft Sentinel Connectors Administrative Operations",
"timeContext": {
"durationMs": 7776000000
},
@ -20606,7 +20606,7 @@
{
"type": 1,
"content": {
"json": "# ✴️ [Office Activity](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)\n---\n\nAzure Sentinel's Microsoft 365 Defender (M365D) connector with incident integration allows you to stream all M365D incidents and alerts into Azure Sentinel, and keeps the incidents synchronized between both portals. M365D incidents include all their alerts, entities, and other relevant information, and they are enriched by and group together alerts from M365D's component services Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Cloud App Security.\n\n\n\n"
"json": "# ✴️ [Office Activity](https://docs.microsoft.com/azure/sentinel/connect-microsoft-365-defender)\n---\n\nMicrosoft Sentinel's Microsoft 365 Defender (M365D) connector with incident integration allows you to stream all M365D incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. M365D incidents include all their alerts, entities, and other relevant information, and they are enriched by and group together alerts from M365D's component services Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps.\n\n\n\n"
},
"customWidth": "45",
"name": "text - 2",


@ -1,22 +1,50 @@
# Overview
The Azure Sentinel: Insider Risk Management Workbook demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Azure Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.
The Microsoft Sentinel: Insider Risk Management Solution demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Microsoft Sentinel. The solution includes (1) Workbook, (5) Hunting Queries, (5) Analytics Rules, (1) Playbook, and (1) Data Connector. Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and act on cases including the ability to escalate cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional).This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings. This solution is enhanced when integrated with complimentary Microsoft Offerings such as💡 [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview), 💡 [Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview), 💡 [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection), 💡 [Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery), and 💡 [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks). This workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for insider risk management, UEBA, device indicators, physical access, and HR signals. 
This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. For more information, see 💡 [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview).
Disclaimer: The Microsoft 365 insider risk management workbook provides a tenant level option to help customers facilitate internal governance at the user level. Tenant level administrators can set up permissions to provide access to this solution for members of your organization and set up data connectors in the Microsoft 365 compliance center to import relevant data to support user level identification of potentially risky activity. Customers acknowledge insights related to the individual user's behavior, character, or performance materially related to employment can be calculated by the administrator and made available to others in the organization. In addition, customers acknowledge that they must conduct their own full investigation related to the individual user's behavior, character, or performance materially related to employment, and not just rely on insights from the insider risk management service. Customers are solely responsible for using the Microsoft 365 insider risk management service, and any associated feature or service in compliance with all applicable laws, including laws relating to individual user identification and any remediation actions. This workbook provides visibility and situational awareness for insider risk management delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation.
## Try on Portal
You can deploy the solution by clicking on the buttons below:
# Basics
Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and act on cases including the ability to escalate cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms including both witting (intentional) and unwitting (unintentional).This workbook provides an automated visualization of Insider risk behavior cross walked to Microsoft security offerings.
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMicrosoftInsiderRiskManagement%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazurebutton"/></a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMicrosoftInsiderRiskManagement%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazuregovbutton"/></a>
This solution is enhanced when integrated with complimentary Microsoft Offerings such as💡 [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview), 💡 [Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview), 💡 [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection), 💡 [Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery), and 💡 [Azure Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks). This workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for insider risk management, UEBA, device indicators, physical access, and HR signals. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. For more information, see 💡 [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview).
![Workbook Overview](./InsiderRiskManagementBlack1.png)
# Workbooks
## Preview Pre-Requisites & Requirements
1) Onboard [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard) and [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)
# Getting Started
1) Onboard [Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard) and [Microsoft 365 Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-configure)
2) Enable the [Microsoft 365 Insider Risk Management Export alerts feature](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings#export-alerts-preview)
3) Enable the Azure Sentinel IRM Connector Preview via [feature flag](https://aka.ms/OfficeIRM)
4) Enable the Azure Sentinel IRM Connector
• Navigate to Azure Sentinel > Connectors > Microsoft 365 Insider Risk Management (Preview) > Open Connector Page > Connect
5) Enable [Azure Sentinel UEBA](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
6) Configure an [Azure Sentinel Watchlist via SearchKey Columns](https://docs.microsoft.com/azure/sentinel/watchlists)
7) This workbook leverages 25+ Microsoft Security products. Only Azure Sentinel and Microsoft 365 Insider Risk Management are mandatory for this content, but Microsoft 365 Communications Compliance, Advanced eDiscovery, Microsoft Infromation Protection, Azure Security Center, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft 365 Defender, Microsoft Defender for Office, Azure Lighthouse, Azure Active Directory and many more offerings enhance this workbook with alignment to insider risk management.
3) Enable the Microsoft Sentinel IRM Connector Preview via [feature flag](https://aka.ms/OfficeIRM)
4) Enable the Microsoft Sentinel IRM Connector
• Navigate to Microsoft Sentinel > Connectors > Microsoft 365 Insider Risk Management (Preview) > Open Connector Page > Connect
5) Enable [Microsoft Sentinel UEBA](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
6) Configure an [Microsoft Sentinel Watchlist via SearchKey Columns](https://docs.microsoft.com/azure/sentinel/watchlists)
7) This workbook leverages 25+ Microsoft Security products. Only Microsoft Sentinel and Microsoft 365 Insider Risk Management are mandatory for this content, but Microsoft 365 Communications Compliance, Advanced eDiscovery, Microsoft Information Protection, Azure Security Center, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft 365 Defender, Microsoft Defender for Office, Azure Lighthouse, Azure Active Directory and many more offerings enhance this workbook with alignment to insider risk management.
# Workbook
The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Microsoft Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.
# Analytics Rules
## 1) High User Security Alert Correlations
This alert joins SecurityAlerts from Microsoft Products with SecurityIncidents from Microsoft Sentinel and Microsoft 365 Defender. This join allows for identifying patterns in user principal names associated with respective security alerts. A machine learning function (Basket) is leveraged with a .001 threshold. Baset finds all frequent patterns of discrete attributes (dimensions) in the data. It returns the frequent patterns passed the frequency threshold. This query evaluates UserPrincipalName for patterns in SecurityAlerts and Reporting Security Tools. This query can be further tuned/configured for higher confidence percentages, security products, or alert severities pending the needs of the organization. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information on the basket plugin, see [basket plugin](https://docs.microsoft.com/azure/data-explorer/kusto/query/basketplugin).<br>
## 2) High User Security Incidents Correlations
This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products (MCAS, MDE, ASC, etc.) with Microsoft Incident Generating Products (Microsoft Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Investigate incidents with Microsoft Sentinel]( https://docs.microsoft.com/azure/sentinel/investigate-cases).<br>
## 3) Microsoft 365 Insider Risk Management Alert Observed
This alert is triggered when a Microsoft 365 Insider Risk Management alert is recieved in Microsoft Sentinel via the Microsoft 365 Insider Risk Management Connector. The alert extracts usernames from security alerts to provide UserPrincipalName, Alert Name, Reporting Product Name, Status, Alert Link, Previous Alerts Links, Time Generated. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Learn about insider risk management in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management).<br>
## 4) Sensitive Data Access Outside Organizational Geo-location
This alert joins Azure Information Protection Logs (InformationProtectionLogs_CL) with Azure Active Directory Sign in Logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. Recommended configuration is to include (or exclude) Sign in geo-locations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review. For more information see [Sign-in logs in Azure Active Directory: Location Filtering](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins).<br>
## 5) Risky User Access By Application
This alert evaluates Azure Active Directory Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa).<br>
# Hunting Queries
## 1) Entity Anomaly Followed by IRM Alert
This query joins Microsoft Sentinel UEBA with Microsoft 365 Insider Risk Management Alerts. There is also an option for configuration of correlations against watchlists. For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.<br>
## 2) Internet Service Provider Anomaly followed by Data Exfiltration
This query joins UEBA to Security Alerts from Microsoft products for a correlation of Internet Service Provider anomalies to data exfiltration (watchlist options). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.<br>
## 3) Multiple Entity-Based Anomalies
This query returns entity counts by anomaly and user principal name including ranges for start/end time observed (watchlists configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.<br>
## 4) Possible Sabotage
This query correlates users with entity anomalies, security alerts, and delete/remove actions for identification of possible sabotage activities (watchlists configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.<br>
## 5) Sign In Risk Followed By Sensitive Data Access
This query correlates a risky user sign ins with access to sensitive data classified by data loss prevention capabilities (watchlist configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.<br>
# Playbook
This solution includes the Notify-Insider Risk Management Team playbook. Playbooks are a Security Orchestration, Automation, & Response (SOAR) capability to automate manual tasks. This playbook should be configured as an automation action with the Insider Risk Management Analytics Rules. Upon triggering an Analytic Rule, this playbook captures respective details and both emails and posts a message in a Teams chat to the Insider Risk Management team. This automation increases response times while reducing the need to return to the workbook for monitoring.


@ -0,0 +1,143 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logAnalyticsWorkspaceName": {
"defaultValue": "<Enter Log Analytics Workspace name>",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"connectorResourceName": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "Resource name for connector"
}
}
},
"functions": [],
"variables": {},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"name": "[concat(parameters('logAnalyticsWorkspaceName'),'/Microsoft.SecurityInsights/', parameters('connectorResourceName'))]",
"apiVersion": "2021-03-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [],
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
"id": "SlackAudit",
"title": "Slack",
"publisher": "Slack",
"descriptionMarkdown": "The [Slack](https://slack.com) data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. This data connector uses Microsoft Sentinel native polling capability.",
"graphQueriesTableName": "SlackAuditNativePoller_CL",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Slack audit events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "All Slack audit events",
"query": "{{graphQueriesTableName}}\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "SentinelKindsV2",
"value": []
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Slack API credentials",
"description": "**SlackAPIBearerToken** is required for REST API. [See the documentation to learn more about API](https://api.slack.com/web#authentication). Check all [requirements and follow the instructions](https://api.slack.com/web#authentication) for obtaining credentials."
}
]
},
"instructionSteps": [
{
"title": "Connect Slack to Microsoft Sentinel",
"description": "Enable Slack audit Logs.",
"instructions": [
{
"parameters": {
"enable": "true"
},
"type": "APIKey"
}
]
}
]
},
"pollingConfig": {
"auth": {
"authType": "APIKey",
"APIKeyName": "Authorization",
"APIKeyIdentifier": "Bearer"
},
"request": {
"apiEndpoint": "https://api.slack.com/audit/v1/logs",
"httpMethod": "Get",
"queryTimeFormat": "UnixTimestamp",
"startTimeAttributeName": "oldest",
"endTimeAttributeName": "latest",
"queryWindowInMin": 5,
"queryParameters": {
"limit": 1000
}
},
"paging": {
"pagingType": "PageToken",
"nextPageParaName": "cursor",
"nextPageTokenJsonPath": "..response_metadata.next_cursor"
},
"response": {
"eventsJsonPaths": [
"$..entries"
]
}
}
}
}
],
"outputs": {}
}
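Review bot: The paging token path on the `nextPageTokenJsonPath` line, `..response_metadata.next_cursor`, has no `$` root, unlike `eventsJsonPaths` in the same block, which uses `$..entries`; a path evaluator that requires the root selector would never resolve the cursor, and the poller would then stop after the first page of 1000 entries with no error. The minimal fix is `"nextPageTokenJsonPath": "$..response_metadata.next_cursor"` (presumably `$.response_metadata.next_cursor` is equivalent if the cursor is at the top level of the Slack response, as the existing path implies). Separately, the workspace entry in `requiredPermissions` declares `"delete": true` while `permissionsDisplayText` tells the user only "read and write permissions are required"; either drop `"delete": true` or state it in the text so the permission the deployment asks for matches what the user is told.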


@ -6,7 +6,7 @@
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
//
let SlackAudit_view = view () {
SlackAudit_CL
union isfuzzy=true SlackAudit_CL, SlackAuditNativePoller_CL
| extend
EventVendor="Slack",
EventProduct="Slack Audit Logs",
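Review bot: The new `union isfuzzy=true` line carries no comment explaining why fuzzy matching is needed, and the parser body that follows (outside the hunk) was written against the `SlackAudit_CL` columns; if the native-poller table `SlackAuditNativePoller_CL` exposes differently named or typed columns, the later `extend`/`project` will silently yield empty fields for those rows rather than fail. Suggest confirming the two schemas line up and adding above the union `// isfuzzy=true: either table may be absent in a workspace that uses only one ingestion path`. `SlackAudit_view` continues outside the hunk.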


@ -1,14 +1,28 @@
# ✳️ [Getting Started](https://docs.microsoft.com/azure/sentinel/prerequisites)
# Overview
---
This solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. This solution is designed to augment staffing through automation, artificial intelligence, machine learning, alert generation, and visualizations. Threat modeling is an advanced cybersecurity discipline requiring detailed knowledge of identifying and acting on the attacker based on observation of indicators in various stages of the attack cycle. This offering provides granular situational awareness across the MITRE ATT&CK® for Cloud Matrix including 75+ Tactic/Technique cards demonstrating a red versus blue approach to threat modeling. This offering augments the advanced cybersecurity skillsets required for threat modeling and provides actionable insights across 25+ Microsoft products.
ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The ATT&CK Cloud Matrix provides tactics and techniques representing the ATT&CK Matrix for Enterprise covering cloud-based techniques. The Matrix contains information for the following platforms: Azure AD, Office 365, Google Workspace, SaaS, IaaS. For more information, see the 💡 [ATT&CK: Cloud Matrix](https://attack.mitre.org/matrices/enterprise/cloud/).
<br>
This solution enables SecOps Analysts, Threat Intelligence Professional, and Threat Hunters to gain situational awareness for threats in cloud environment. The Solution includes (2) Workbooks and (1) Notebook for comprehensive threat hunting. Threat modeling is an advanced discipline requiring a detailed understanding of adversary actions. Threat analysis provides an understanding of where the attacker is in the cycle which often drives both a historic lens of where the threat may have progressed, but also predictive analytics on the threats objectives. This approach is adversarial as understanding of the threats attack cycle drives defense actions in a red versus blue model. The Threat Analysis & Response Solution augments the customer burden of building threat hunting programs. Microsoft Sentinel Hunting maps MITRE ATT&CK® Tactics/Techniques to Hunting Queries. This Sentinel Solution includes (2) Workbooks and a Notebook which provides the foundation to build a threat hunting program across cloud and hybrid computing environments. <br>
<br>
1⃣ Onboard 💡[Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)<br>
2⃣ Deploy 💡[Azure Sentinel: Threat Analysis & Response Solution](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-mitreattck)<br>
## Try on Portal
You can deploy the solution by clicking on the buttons below:
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FThreatAnalysis%2526ResponsewithMITREATT%2526CK%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazurebutton"/></a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FThreatAnalysis%2526ResponsewithMITREATT%2526CK%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazuregovbutton"/></a>
![Workbook Overview](./ThreatAnalysis&ResponseForCloudBlack.png)
# Getting Started
1⃣ Onboard 💡[Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)<br>
2⃣ Deploy 💡[Microsoft Sentinel: Threat Analysis & Response Solution](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-mitreattck)<br>
3⃣ Access Threat Analysis & Response Workbook for Analytics/Hunting Configuration Guidance<br>
4⃣ Leverage the Threat Analysis & Response Notebook for custom Heat Mapping of MITRE ATT&CK Tactics & Techniques<br>
5⃣ Leverage the Threat Analysis & Response: Cloud Matrix for a Red (Attack) versus Blue (Defense) perspective for threat detection and mitigation<br>
# Workbooks
## 1) Threat Analysis & Response Workbook
This workbook provides the foundation for building a threat hunting program including references for analytics and hunting query repositories. There are data source statistics to baseline available data sets which is helpful in planning selection of analytics rules. There is a breakdown of ATT&CK tactics to understand focus areas for greater analysis. There is an assessment of detection platform services to understand which capabilities and workloads are being employed. <br>
## 2) Threat Analysis & Response for Cloud Workbook
This workbook is designed for response to threat tactics. It enables SecOps Analysts, Threat Intelligence Professionals, and Threat Hunters to gain situational awareness for threats in cloud environment. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. Threat modeling is an advanced cybersecurity discipline requiring detailed knowledge of identifying and acting on the attacker based on observation of indicators in various stages of the attack cycle. This offering provides granular situational awareness across the ATT&CK for Cloud Matrix including 75+ Tactic/Technique cards demonstrating a red versus blue approach to threat modeling. This offering augments the advanced cybersecurity skillsets required for threat modeling and provides actionable insights across 25+ Microsoft products.<br>
# Notebook
The Threat Analysis & Response Notebook This notebook builds upon the ATT&CK workbooks to analyze and model threat behavior across the ATT&CK enterprise matrix. This includes custom heat mapping for exportable reports. It also provides a posture assessment to determine areas of coverage and highlights areas for further analysis/remediations.


@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"author": "TJ Banasik - thomas.banasik@microsoft.com",
"comments": "Solution template for MITREATT&CK"
},
"parameters": {


@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"author": "TJ Banasik - thomas.banasik@microsoft.com",
"comments": "Solution template for ZeroTrust(TIC3.0)"
},
"parameters": {



@ -1,22 +1,23 @@
# Overview
---
The Microsoft Sentinel Zero Trust (TIC3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft portfolio. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC3.0) requirements across 25+ Microsoft products. The solution includes the new Zero Trust (TIC3.0) Workbook, (11) Analytics Rules, and (1) Playbook. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings. This Solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.
## What is Zero Trust?
Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify”. Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time. Zero Trust principles include verify explicitly, use least privileged access, and assume breach. Zero Trust pillars include identities, endpoints, data, apps, infrastructure, and network. For more information, see the 💡 [Microsoft Zero Trust Model](https://www.microsoft.com/en-us/security/business/zero-trust).
## Try on Portal
You can deploy the solution by clicking on the buttons below:
## What is Trusted Internet Connections (TIC 3.0)?
The Trusted Internet Connections (TIC) initiative, since its establishment in 2007, has moved the government from a period of uncontrolled and unmonitored internet connections to a controlled state, reducing the .GOVs attack surface. In accordance with the Office of Management and Budget (OMB) Memorandum (M) 19-26: Update to the TIC Initiative, TIC 3.0 expands on the original initiative to drive security standards and leverage advances in technology to secure a wide spectrum of agency network architectures. This new version of TIC is highly iterative, which means the guidance will better reflect modern processes and technological innovations compared to previous iterations of the program. TIC 3.0 recognizes shifts in modern cybersecurity and pushes agencies toward adoption, while recognizing their challenges and constraints in modernizing IT infrastructure. For more information, see the CISA: Trusted Internet Connections 💡 [Core Guidance Documents](https://www.cisa.gov/trusted-internet-connections).
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroTrust(TIC3.0)%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazurebutton"/></a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FZeroTrust(TIC3.0)%2FPackage%2FmainTemplate.json" target="_blank"><img src="https://aka.ms/deploytoazuregovbutton"/></a>
# Basics
The Azure Sentinel Zero Trust (TIC3.0) Workbook provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft portfolio including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.
![Workbook Overview](./ZeroTrust(TIC3.0)Black1.PNG)
# Workbooks
The Azure Sentinel Zero Trust (TIC3.0) Workbook provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft portfolio including Microsoft security offerings, Office 365, Teams, Intune, Windows Virtual Desktop and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.
The Microsoft Sentinel Zero Trust (TIC3.0) Workbook provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft portfolio including Microsoft security offerings, Office 365 and many more. This workbook enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.
# Analytics Rules
The Azure Sentinel Zero Trust (TIC3.0) Analytics rules leverage Azure Security Center Regulatory Compliance mappings (Derived from NIST SP 800-53 and Azure Security Benchmark Baselines) to measure Zero Trust posture alignment across (11) TIC3.0 control families. The default configuration is set for scheduled rules running every 7 days to reduce alert overload. The default configuration is to alert when posture compliance is below 70% and this number is configurable per organizational requirements.
The Microsoft Sentinel Zero Trust (TIC3.0) Analytics rules leverage Azure Security Center Regulatory Compliance mappings (Derived from NIST SP 800-53 and Azure Security Benchmark Baselines) to measure Zero Trust posture alignment across (11) TIC3.0 control families. The default configuration is set for scheduled rules running every 7 days to reduce alert overload. The default configuration is to alert when posture compliance is below 70% and this number is configurable per organizational requirements.
# Playbooks
The Azure Sentinel Zero Trust (TIC3.0) Solution includes a Playbook Automation for Security Orchestration Automation & Response (SOAR). This playbook is triggered when an Azure Sentinel incident is generated, resulting in an email and Teams chat to the Security Governance Team including respective details of the event and remediation options. Note, this automation requires configuration for Security Governance Team group email address and Teams channel. There is also a requirement to configure this automation rule to trigger for each Zero Trust (TIC3.0) Analytics Rule to ensure the governance team is notified for remediation accordingly.
The Microsoft Sentinel Zero Trust (TIC3.0) Solution includes a Playbook Automation for Security Orchestration Automation & Response (SOAR). This playbook is triggered when an Microsoft Sentinel incident is generated, resulting in an email and Teams chat to the Security Governance Team including respective details of the event and remediation options. Note, this automation requires configuration for Security Governance Team group email address and Teams channel. There is also a requirement to configure this automation rule to trigger for each Zero Trust (TIC3.0) Analytics Rule to ensure the governance team is notified for remediation accordingly.
## Disclaimer
The Azure Sentinel Zero Trust (TIC 3.0) Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the 💡 [Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/trusted-internet-connections). This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.
The Microsoft Sentinel Zero Trust (TIC 3.0) Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the 💡 [Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/trusted-internet-connections). This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.

8183
Workbooks/AdvancedKQL.json Normal file


Workbooks/Images/Preview/AdvancedKQLBlack.png Normal file


Workbooks/Images/Preview/AdvancedKQLWhite.png Normal file



@ -1455,5 +1455,18 @@
"templateRelativePath": "ProofPointThreatDashboard.json",
"subtitle": "",
"provider": "Azure Sentinel Community"
},
{
"workbookKey": "AdvancedKQL",
"logoFileName": "Azure_Sentinel.svg",
"description": "This interactive Workbook is designed to improve your KQL proficiency by using a use-case driven approach.",
"dataTypesDependencies": [],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "AdvancedKQLWhite.png", "AdvancedKQLBlack.png"],
"version": "1.0",
"title": "Advanced KQL for Microsoft Sentinel",
"templateRelativePath": "AdvancedKQL.json",
"subtitle": "",
"provider": "Azure Sentinel Community"
}
]
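Review bot: The `previewImagesFileNames` array in the new entry is written with a space after the opening bracket, `[ "AdvancedKQLWhite.png", "AdvancedKQLBlack.png"]`, while the other arrays in the same entry use tight brackets; `"previewImagesFileNames": ["AdvancedKQLWhite.png", "AdvancedKQLBlack.png"],` matches the rest of the file. The template this entry points to, `AdvancedKQL.json`, is hidden in this rendered diff because of line length, so the workbook itself could not be reviewed here; the metadata does appear consistent with the two preview images added in the same commit (`AdvancedKQLBlack.png`, `AdvancedKQLWhite.png`).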