Merge pull request #10580 from Azure/WebSession/NetworkSession-DomainSoln

Repackaged - Web Session Essentials
This commit is contained in:
v-atulyadav 2024-06-07 17:57:10 +05:30 committed by GitHub
Parent 8125304c2d 374857e8fc
Commit 3bd428e8a1
No key found matching this signature
GPG key ID: B5690EEEBB952194
21 changed files: 1111 additions and 970 deletions

Binary file not shown.


@ -384,7 +384,7 @@
"name": "watchlist1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "[parameters('watchlistdescription')]"
"text": "Watchlist provide lookup for IOC of different sources."
}
}
]
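Review bot: the new text block value "Watchlist provide lookup for IOC of different sources." has grammar errors and replaces the parameterised description [parameters('watchlistdescription')] with a hard-coded string. Suggest "text": "Watchlists provide lookups for IOCs from different sources." and, if watchlistdescription is no longer referenced anywhere else in this createUiDefinition, remove the parameter as well so it does not linger as dead input.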


@ -2474,6 +2474,62 @@
"kind": "Watchlist",
"contentId": "[variables('_Campaign')]",
"version": "3.0.4"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azurewebapplicationfirewal"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-office365"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-dns"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-ciscoasa"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivity"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices"
},
{
"kind": "Solution",
"contentId": "sentinel4azurefirewall.sentinel4azurefirewall"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-squidproxy"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-zscalerprivateaccess"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-syslog"
},
{
"kind": "Solution",
"contentId": "checkpoint.checkpoint-sentinel-solutions"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender"
}
]
},
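Review bot: the fifteen added "kind": "Solution" dependency entries carry no "version" field, unlike the Watchlist entry immediately above them ("version": "3.0.4"), so any installed version of each dependency will satisfy them. Confirm that is intended, and check the enclosing "criteria" (not in this hunk): if it is AllOf, every one of these data-source solutions (Office 365, DNS, Cisco ASA, Palo Alto PAN-OS, AWS, Zscaler, Check Point, Microsoft 365 Defender and the rest) becomes a hard install-time requirement, which is unusual for a domain solution that most customers will only partially light up.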


@ -36,7 +36,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Business Email Compromise - Financial Fraud",
"Version": "3.0.8",
"Version": "3.0.9",
"TemplateSpec": true,
"Is1PConnector": true
}
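Review bot: this hunk bumps the "Business Email Compromise - Financial Fraud" solution from 3.0.8 to 3.0.9, but the PR title and commit message ("Repackaged - Web Session Essentials") mention only Web Session Essentials; the commit message should name both solutions so the change history stays searchable. Minor, pre-existing: BasePath is an absolute Windows path (C:\\GitHub\\Azure-Sentinel\\Solutions\\...), which ties the packaging tool to one developer's checkout.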

Binary file not shown.


@ -142,7 +142,7 @@
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers"
"text": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\nThe query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers"
}
}
]
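Review bot: the only change in this text block is a line break after the first sentence; while touching it, fix the comma splices that remain: "This query contains thresholds to reduce the chance of false positives, these can be adjusted..." should read "This query contains thresholds to reduce the chance of false positives; these can be adjusted...", and "...less often than every 14 days, additional exclusions can be added..." should read "...less often than every 14 days; additional exclusions can be added...". The same paragraph is repeated verbatim in the rule's mainTemplate description and in alertDescriptionFormat further down, so apply the wording fix in all three places (and in the AWS S3 variant in the next hunk).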
@ -156,7 +156,7 @@
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities."
"text": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\nThe query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities."
}
}
]


@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Business Email Compromise - Financial Fraud",
"_solutionVersion": "3.0.8",
"_solutionVersion": "3.0.9",
"solutionId": "azuresentinel.azure-sentinel-solution-bec_financialfraud",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@ -58,25 +58,25 @@
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8ac77493-3cae-4840-8634-15fb23f8fb68','-', '1.0.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.0.6",
"analyticRuleVersion4": "1.0.7",
"_analyticRulecontentId4": "0433c8a3-9aa6-4577-beef-2ea23be41137",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0433c8a3-9aa6-4577-beef-2ea23be41137')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0433c8a3-9aa6-4577-beef-2ea23be41137','-', '1.0.6')))]"
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0433c8a3-9aa6-4577-beef-2ea23be41137','-', '1.0.7')))]"
},
"analyticRuleObject5": {
"analyticRuleVersion5": "1.0.3",
"analyticRuleVersion5": "1.0.4",
"_analyticRulecontentId5": "cd8d946d-10a4-40a9-bac1-6d0a6c847d65",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd8d946d-10a4-40a9-bac1-6d0a6c847d65')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd8d946d-10a4-40a9-bac1-6d0a6c847d65')))]",
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd8d946d-10a4-40a9-bac1-6d0a6c847d65','-', '1.0.3')))]"
"_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd8d946d-10a4-40a9-bac1-6d0a6c847d65','-', '1.0.4')))]"
},
"analyticRuleObject6": {
"analyticRuleVersion6": "1.0.3",
"analyticRuleVersion6": "1.0.4",
"_analyticRulecontentId6": "f3e2d35f-1202-4215-995c-4654ef07d1d8",
"analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f3e2d35f-1202-4215-995c-4654ef07d1d8')]",
"analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f3e2d35f-1202-4215-995c-4654ef07d1d8')))]",
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f3e2d35f-1202-4215-995c-4654ef07d1d8','-', '1.0.3')))]"
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f3e2d35f-1202-4215-995c-4654ef07d1d8','-', '1.0.4')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "1.0.4",
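Review bot: the version bumps for rules 4, 5 and 6 (1.0.6 to 1.0.7, 1.0.3 to 1.0.4, 1.0.3 to 1.0.4) are also baked into the _analyticRulecontentProductId expressions, so each bump yields a new content product id. Make sure the source rule templates these were generated from carry the same new versions; otherwise the next repackaging will silently roll the ids back to the old hashes.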
@ -162,7 +162,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AccountElevatedtoNewRole_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "AccountElevatedtoNewRole_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -207,56 +207,56 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "InitiatingUserPrincipalName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "InitiatingAccountName"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "InitiatingAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "InitiatingAadUserId"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "TargetUserPrincipalName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "TargetAccountName"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "TargetAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "InitiatingIPAddress"
}
]
],
"entityType": "IP"
}
]
}
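Review bot: this hunk, and the matching entityMappings hunks for rules 2, 3, 5 and 6 below, only reorder JSON keys ("entityType" moves after "fieldMappings", "identifier" moves before "columnName"); no mapping changes. JSON object key order carries no meaning, so this is packaging-tool churn that inflates the diff and buries the one real mapping fix in rule 4. Suggest making the generator emit keys in a stable order, or at least calling the churn out in the PR description so reviewers know where to look.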
@ -312,7 +312,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AuthenticationMethodChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "AuthenticationMethodChangedforPrivilegedAccount_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -360,65 +360,65 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "TargetUserPrincipalName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "TargetAccountName"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "TargetAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "TargetAadUserId"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "InitiatingUserPrincipalName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "InitiatingAccountName"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "InitiatingAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "InitiatingAadUserId"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "InitiatingIPAddress"
}
]
],
"entityType": "IP"
}
]
}
@ -474,7 +474,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "BEC_MailboxRule_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "BEC_MailboxRule_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -518,30 +518,30 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserId",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "UserId"
},
{
"columnName": "UserName",
"identifier": "Name"
"identifier": "Name",
"columnName": "UserName"
},
{
"columnName": "DomainName",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "DomainName"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ClientIPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "ClientIPAddress"
}
]
],
"entityType": "IP"
}
]
}
@ -597,7 +597,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PrivilegedAccountPermissionsChanged_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "PrivilegedAccountPermissionsChanged_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -648,56 +648,56 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "Name"
"identifier": "FullName",
"columnName": "TargetUserPrincipalName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "TargetAccountName"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "TargetAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "TargetAadUserId"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
"identifier": "FullName",
"columnName": "InitiatingUserPrincipalName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "InitiatingAccountName"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "InitiatingAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "InitiatingAadUserId"
}
]
],
"entityType": "Account"
}
]
}
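Review bot: the substantive fix in this diff is here: in the first Account mapping, TargetUserPrincipalName changes from identifier "Name" to "FullName", and in the third Account mapping the first field changes from InitiatingAccountName/"Name" to InitiatingUserPrincipalName/"FullName". Before, each of those entities mapped the "Name" identifier twice, so one of the two columns could never populate the entity. Confirm the rule's query actually projects InitiatingUserPrincipalName, since the old mapping never referenced that column; if it is absent the entity will be empty with no deployment error. Also note that, unlike rules 1 and 2, this rule maps no IP entity for the initiating address; check whether the query exposes one.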
@ -753,7 +753,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuspiciousAccessOfBECRelatedDocuments_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "SuspiciousAccessOfBECRelatedDocuments_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -767,7 +767,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers",
"description": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\nThe query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers",
"displayName": "Suspicious access of BEC related documents",
"enabled": false,
"query": "let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',\"PO#\",\"Zahlung\",\"Rechnung\",\"Paiement\", \"virement bancaire\",\"Bankuberweisung\",'hacked','phishing']);\n// Adjust this threshold based on your environment\nlet sensitivity = 2.5;\nlet Events = materialize(imFileEvent\n| where TimeGenerated between(startofday(ago(14d))..endofday(ago(0d)))\n| where User !~ \"app@sharepoint\"\n| where EventType =~ \"FileAccessed\"\n| extend OriginalEvent = column_ifexists(\"EventOriginalType\",\"Unknown\")\n| where OriginalEvent !~ \"FileSyncDownloadedFull\"\n| where EventProduct in (\"SharePoint 365\", \"Azure File Storage\", \"OneDrive\" , \"SharePoint\")\n| where FilePath has_any(BEC_Keywords)\n| extend _AuthDetails = column_ifexists(\"AuthorizationDetails\", \"None\")\n| extend SPuser = case(gettype(_AuthDetails) == \"array\", tostring(todynamic(_AuthDetails)[0].principals[0].id), \"Unknown\")\n| extend User = case(isnotempty(User), User, SPuser)\n| where isnotempty(User));\nEvents\n| summarize dcount(FileName) by User, bin(startofday(TimeGenerated), 1d)\n| summarize CountOfDocs = make_list(dcount_FileName, 10000), TimeStamp = make_list(TimeGenerated, 10000) by User\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, 'linefit')\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, User\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, User\n| extend IpAddr = column_ifexists(\"IpAddr\", SrcIpAddr)\n| extend Name = iif(User contains \"@\", split(User, \"@\")[0], split(User, \"\\\\\")[1])\n| extend UPNSuffix = iif(User contains \"@\", split(User, \"@\")[1], \"\")\n| 
extend NTDomain = iif(User contains \"@\", split(User, \"\\\\\")[0], \"\")\n| project-reorder TimeGenerated, User, EventType, EventResult, EventProduct, FilePath, HttpUserAgent, IpAddr, CountOfDocs, Baseline, Score\n",
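Review bot: the NTDomain derivation in the query is inverted. "NTDomain = iif(User contains "@", split(User, "\\")[0], "")" returns the part before the backslash only when User is a UPN, which has no backslash, so split() returns the whole UPN; for DOMAIN\user values, the case it should handle, it returns "". The Name and UPNSuffix lines above it branch the right way, so mirror them: iif(User contains "@", "", split(User, "\\")[0]). As written, the second Account entity (mapped to NTDomain below) receives the full UPN as a domain name.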
@ -787,79 +787,79 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "User",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "User"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "User",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "User"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "NTDomain",
"identifier": "NTDomain"
"identifier": "NTDomain",
"columnName": "NTDomain"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "User",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "User"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "IpAddr"
}
]
],
"entityType": "IP"
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FilePath",
"identifier": "Name"
"identifier": "Name",
"columnName": "FilePath"
}
]
],
"entityType": "File"
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"customDetails": {
"UserAgent": "HttpUserAgent",
"Result": "EventResult",
"Type": "EventType",
"UserAgent": "HttpUserAgent",
"Product": "EventProduct"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}",
"alertDescriptionFormat": "This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\n"
"alertDescriptionFormat": "This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers\n",
"alertDisplayNameFormat": "Suspicious access of {{number_of_files_accessed}} BEC related documents by {{User}}"
}
}
},
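Review bot: alertDisplayNameFormat and alertDescriptionFormat use {{number_of_files_accessed}}, but the query in the previous hunk projects CountOfDocs (the AWS S3 rule below correctly uses {{CountOfDocs}}), so the token will never resolve and alert titles will show it literally; change both to {{CountOfDocs}}. Separately, the third Account mapping feeds the User column into AadUserId while the same column is also mapped to FullName; User normally holds a UPN or DOMAIN\user string and only the SPuser fallback can yield an object id, so AadUserId should be sourced from a dedicated column or dropped.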
@ -914,7 +914,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuspiciousAccessOfBECRelatedDocumentsInAWSS3Buckets_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "SuspiciousAccessOfBECRelatedDocumentsInAWSS3Buckets_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -928,7 +928,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.",
"description": "This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.\nThe query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.",
"displayName": "Suspicious access of BEC related documents in AWS S3 buckets",
"enabled": false,
"query": "let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',\"PO#\",\"Zahlung\",\"Rechnung\",\"Paiement\", \"virement bancaire\",\"Bankuberweisung\",'hacked','phishing']);\n// Adjust this threshold based on your environment\nlet sensitivity = 2.5;\nlet Events = materialize(AWSCloudTrail\n| where TimeGenerated between (ago(14d)..ago(0d))\n| where UserIdentityAccountId != \"anonymous\"\n| where EventSource startswith \"s3.\"\n| where EventName =~ \"GetObject\"\n| extend FilePath = tostring(parse_json(RequestParameters).key)\n| where FilePath has_any(BEC_Keywords)\n);\nEvents\n| summarize dcount(FilePath) by UserIdentityPrincipalid, bin(startofday(TimeGenerated), 1d)\n| summarize CountOfDocs = make_list(dcount_FilePath, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserIdentityPrincipalid\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfDocs, sensitivity, -1, 'linefit')\n| mv-expand CountOfDocs to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double),Score to typeof(double), Baseline to typeof(long)\n| where Anomalies > 0\n| project TimeStamp, CountOfDocs, Baseline, Score, Anomalies, UserIdentityPrincipalid\n| join kind=inner(Events | extend TimeStamp = startofday(TimeGenerated)) on TimeStamp, UserIdentityPrincipalid\n| extend Name = iif(UserIdentityUserName contains \"@\", split(UserIdentityUserName, \"@\")[0], UserIdentityUserName)\n| extend UPNSuffix = iif(UserIdentityUserName contains \"@\", split(UserIdentityUserName, \"@\")[1], \"\")\n| project-reorder TimeGenerated, UserIdentityType, UserIdentityPrincipalid, UserIdentityUserName, FilePath, EventName, UserAgent, SourceIpAddress, CountOfDocs, Baseline, Score\n",
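Review bot: the query aggregates and joins on UserIdentityPrincipalid, but the entity and alert title are built from UserIdentityUserName, which can be empty for assumed-role or federated CloudTrail sessions; UserIdentityPrincipalid appears only in project-reorder, not in the customDetails or entityMappings below, so such alerts would be hard to attribute. Suggest adding it to customDetails (for example "PrincipalId": "UserIdentityPrincipalid"). Also the window "between (ago(14d)..ago(0d))" is not day-aligned, unlike the storage rule's "startofday(ago(14d))..endofday(ago(0d))", so the first and last daily bins are partial days and will skew the series_decompose_anomalies baseline.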
@ -956,39 +956,39 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserIdentityUserName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "UserIdentityUserName"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
]
],
"entityType": "IP"
},
{
"entityType": "File",
"fieldMappings": [
{
"columnName": "FilePath",
"identifier": "Name"
"identifier": "Name",
"columnName": "FilePath"
}
]
],
"entityType": "File"
}
],
"eventGroupingSettings": {
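Review bot: every change in this hunk swaps the order of `columnName`/`identifier` and moves `entityType` below `fieldMappings`; no mapping is added, removed or renamed. That is key-order churn from the packaging tool's serializer, and it buries the real changes in this PR; emitting keys in a fixed order in the packager would make reorder-only hunks disappear from future repackagings.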
@ -996,12 +996,12 @@
},
"customDetails": {
"UserType": "UserIdentityType",
"UserAgent": "UserAgent",
"Event": "EventName"
"Event": "EventName",
"UserAgent": "UserAgent"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Suspicious access of {{CountOfDocs}} BEC related documents in AWS S3 buckets by {{UserIdentityUserName}}",
"alertDescriptionFormat": "This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\n"
"alertDescriptionFormat": "This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. \nThis query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.\n",
"alertDisplayNameFormat": "Suspicious access of {{CountOfDocs}} BEC related documents in AWS S3 buckets by {{UserIdentityUserName}}"
}
}
},
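Review bot: the `alertDescriptionFormat` text is only moved, not edited, so the missing space in `{{CountOfDocs}})that` and the two comma splices (`false positives, these can be adjusted` and `every 14 days, additional exclusions`) ship again. Since the 3.0.9 entry in the release notes table in this PR says the rule description was updated, fix the wording here while the line is being touched.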
@ -1056,7 +1056,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserAddedtoAdminRole_AnalyticalRules Analytics Rule with template version 3.0.8",
"description": "UserAddedtoAdminRole_AnalyticalRules Analytics Rule with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -1101,56 +1101,56 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "TargetUserPrincipalName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "TargetAccountName"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "TargetAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "TargetAadUserId"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "InitiatingUserPrincipalName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
"identifier": "Name",
"columnName": "InitiatingAccountName"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "InitiatingAccountUPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
"identifier": "AadUserId",
"columnName": "InitiatingAadUserId"
}
]
],
"entityType": "Account"
}
]
}
@ -1206,7 +1206,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly_HuntingQueries Hunting Query with template version 3.0.8",
"description": "AWSBucketAPILogs-S3BucketDataTransferTimeSeriesAnomaly_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@ -1291,7 +1291,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP_HuntingQueries Hunting Query with template version 3.0.8",
"description": "AWSBucketAPILogs-SuspiciousDataAccessToS3BucketsfromUnknownIP_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@ -1376,7 +1376,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Emailforwarding_SAPdownload_HuntingQueries Hunting Query with template version 3.0.8",
"description": "Emailforwarding_SAPdownload_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@ -1461,7 +1461,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "LegacyAuthAttempt_HuntingQueries Hunting Query with template version 3.0.8",
"description": "LegacyAuthAttempt_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@ -1546,7 +1546,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "new_locations_azuread_signin_HuntingQueries Hunting Query with template version 3.0.8",
"description": "new_locations_azuread_signin_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@ -1631,7 +1631,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "OfficeMailRuleCreationWithMailMoveActivity_HuntingQueries Hunting Query with template version 3.0.8",
"description": "OfficeMailRuleCreationWithMailMoveActivity_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@ -1716,7 +1716,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "riskSignInWithNewMFAMethod_HuntingQueries Hunting Query with template version 3.0.8",
"description": "riskSignInWithNewMFAMethod_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@ -1801,7 +1801,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SAP_HighdownloadfromPriviledgedaccount_HuntingQueries Hunting Query with template version 3.0.8",
"description": "SAP_HighdownloadfromPriviledgedaccount_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@ -1886,7 +1886,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuccessfulSigninFromNon-CompliantDevice_HuntingQueries Hunting Query with template version 3.0.8",
"description": "SuccessfulSigninFromNon-CompliantDevice_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@ -1971,7 +1971,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserAccounts-NewSingleFactorAuth_HuntingQueries Hunting Query with template version 3.0.8",
"description": "UserAccounts-NewSingleFactorAuth_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@ -2056,7 +2056,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserAccounts-UnusualLogonTimes_HuntingQueries Hunting Query with template version 3.0.8",
"description": "UserAccounts-UnusualLogonTimes_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]",
@ -2141,7 +2141,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserDetectPrivilegeGroup_HuntingQueries Hunting Query with template version 3.0.8",
"description": "UserDetectPrivilegeGroup_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]",
@ -2226,7 +2226,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserLoginIPAddressTeleportation_HuntingQueries Hunting Query with template version 3.0.8",
"description": "UserLoginIPAddressTeleportation_HuntingQueries Hunting Query with template version 3.0.9",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]",
@ -2307,7 +2307,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.8",
"version": "3.0.9",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Business Email Compromise - Financial Fraud",
@ -2335,7 +2335,6 @@
"link": "https://support.microsoft.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "AnalyticsRule",
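Review bot: `"operator": "AND"` is dropped from `dependencies` with no release-note entry explaining it, and this PR also adds five new `Solution` entries to the same `criteria` list. Whether all of those solutions are required or any one suffices is now left to the platform default; keep the operator explicit so the dependency semantics are stated in the template rather than implied.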
@ -2436,6 +2435,26 @@
"kind": "HuntingQuery",
"contentId": "[variables('huntingQueryObject13')._huntingQuerycontentId13]",
"version": "[variables('huntingQueryObject13').huntingQueryVersion13]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-office365"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-okta"
}
]
},
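Review bot: five `Solution` dependencies are added here, but the only rule query visible in this diff for this solution reads `AWSCloudTrail`; the Okta entry (`azuresentinel.azure-sentinel-solution-okta`) in particular should be tied to a rule or hunting query that actually consumes Okta data, otherwise users are asked to install a solution the content never uses. Listing the data sources each dependency serves in the release notes would make that check easy.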

View file

@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------------------------------------|
| 3.0.8 | 04-04-2024 | Updataed Entity Mappings |
| 3.0.9 | 05-06-2024 | Analytical Rule description updated |
| 3.0.8 | 04-04-2024 | Updated Entity Mappings |
| 3.0.7 | 28-02-2024 | Removed usage of BlastRadius from **Hunting Queries** |
| 3.0.6 | 16-02-2024 | Updated the solution to fix **Analytic Rules** deployment issue |
| 3.0.5 | 08-02-2024 | Tagged for dependent solutions for deployment |
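Review bot: the new 3.0.9 row says "Analytical Rule description updated", but every analytic-rule hunk in this diff only reorders keys or bumps the `template version 3.0.x` string in the template `description`; the `alertDescriptionFormat` text and the rule `query` are byte-identical before and after. Either describe the change as a repackaging/version bump or point at the description that actually changed.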
@ -8,4 +9,6 @@
| 3.0.3 | 23-11-2023 | Updated description of **Hunting query** |
| 3.0.2 | 06-11-2023 | Changes for rebranding from Microsoft 365 Defender to Microsoft Defender XDR |
| 3.0.1 | 03-11-2023 | Updated **Analytic Rule** datatype and descriptions for **Hunting queries** |
| 3.0.0 | 07-08-2023 | Initial Solution Release |
| 3.0.0 | 07-08-2023 | Initial Solution Release |
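Review bot: the 3.0.0 row is removed and re-added with no visible text difference, and the hunk header reports one more added line than removed, which points to a line-ending or trailing-newline change rather than content. Normalising line endings in the packaging step keeps this file from churning on every release.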

View file

@ -42,7 +42,7 @@
"azuresentinel.azure-sentinel-solution-windowsforwardedevents"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Endpoint Threat Protection Essentials",
"Version": "3.0.3",
"Version": "3.0.4",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true

Binary data
Solutions/Endpoint Threat Protection Essentials/Package/3.0.4.zip Normal file

Binary file not shown.

Diff not shown because of its size.

View file

@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|------------------------------------------------------------------------------|
| 3.0.3 | 11-03-2024 | Added few **Hunting Queries** to detect Endpoint Threats |
| 3.0.4 | 07-06-2024 | Added entityMappings in **Analytical Rules ** |
| 3.0.3 | 11-03-2024 | Added few **Hunting Queries** to detect Endpoint Threats |
| 3.0.2 | 21-02-2024 | Tagged for dependent solutions for deployment |
| | | Added New rules to detect Suspicious PowerShell Commandlet Exceutions |
| 3.0.1 | 29-01-2024 | Added subTechniques in Template |
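Review bot: `**Analytical Rules **` has a space before the closing asterisks, so Markdown will not render it as bold (the closing `**` must follow a non-space character); write `**Analytical Rules**`. The pre-existing `Exceutions` typo in the 3.0.2 row could be fixed in the same pass.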

View file

@ -23,7 +23,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Multi Cloud Attack Coverage Essentials - Resource Abuse",
"Version": "3.0.2",
"Version": "3.0.3",
"TemplateSpec": true,
"Is1PConnector": false,
"createPackage": false

Binary file not shown.

View file

@ -100,7 +100,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "\nThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\n"
"text": "This detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response."
}
}
]
@ -114,7 +114,7 @@
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "\nThis detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.\n"
"text": "This detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively."
}
}
]
@ -128,7 +128,7 @@
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "\nThis detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.\n"
"text": "This detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring."
}
}
]
@ -170,7 +170,7 @@
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "\nThis detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.\n"
"text": "This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources."
}
}
]
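Review bot: `ditection` in the analytic7 text survives the whitespace trim; since the line is being rewritten anyway, correct it to `detection`. `network IP advisories` also does not name what is correlated; say that the join is on the shared source IP address if that is the key.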

View file

@ -33,7 +33,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"_solutionVersion": "3.0.2",
"_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-multicloudattackcoverage",
"_solutionId": "[variables('solutionId')]",
"analyticRuleObject1": {
@ -44,25 +44,25 @@
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1f40ed57-f54b-462f-906a-ac3a89cc90d4','-', '1.0.1')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.1",
"analyticRuleVersion2": "1.0.2",
"_analyticRulecontentId2": "5c847e47-0a07-4c01-ab99-5817ad6cb11e",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5c847e47-0a07-4c01-ab99-5817ad6cb11e')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5c847e47-0a07-4c01-ab99-5817ad6cb11e')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5c847e47-0a07-4c01-ab99-5817ad6cb11e','-', '1.0.1')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5c847e47-0a07-4c01-ab99-5817ad6cb11e','-', '1.0.2')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.1",
"analyticRuleVersion3": "1.0.2",
"_analyticRulecontentId3": "58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7",
"analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7')]",
"analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7')))]",
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7','-', '1.0.1')))]"
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7','-', '1.0.2')))]"
},
"analyticRuleObject4": {
"analyticRuleVersion4": "1.0.2",
"analyticRuleVersion4": "1.0.3",
"_analyticRulecontentId4": "122fbc6a-57ab-4aa7-b9a9-51ac4970cac1",
"analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '122fbc6a-57ab-4aa7-b9a9-51ac4970cac1')]",
"analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('122fbc6a-57ab-4aa7-b9a9-51ac4970cac1')))]",
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','122fbc6a-57ab-4aa7-b9a9-51ac4970cac1','-', '1.0.2')))]"
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','122fbc6a-57ab-4aa7-b9a9-51ac4970cac1','-', '1.0.3')))]"
},
"analyticRuleObject5": {
"analyticRuleVersion5": "1.0.1",
@ -79,11 +79,11 @@
"_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b51fe620-62ad-4ed2-9d40-5c97c0a8231f','-', '1.0.1')))]"
},
"analyticRuleObject7": {
"analyticRuleVersion7": "1.0.3",
"analyticRuleVersion7": "1.0.4",
"_analyticRulecontentId7": "60f31001-018a-42bf-8045-a92e1f361b7b",
"analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '60f31001-018a-42bf-8045-a92e1f361b7b')]",
"analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('60f31001-018a-42bf-8045-a92e1f361b7b')))]",
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60f31001-018a-42bf-8045-a92e1f361b7b','-', '1.0.3')))]"
"_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60f31001-018a-42bf-8045-a92e1f361b7b','-', '1.0.4')))]"
},
"analyticRuleObject8": {
"analyticRuleVersion8": "1.0.0",
@ -111,7 +111,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -173,16 +173,16 @@
{
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "UserPrincipalName"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
@ -190,8 +190,8 @@
{
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
],
"entityType": "IP"
@ -199,9 +199,9 @@
],
"customDetails": {
"AzureClientAppUsed": "ClientAppUsed",
"UserAgent": "UserAgent",
"AzureUser": "UserPrincipalName",
"AwsUser": "UserIdentityUserName",
"UserAgent": "UserAgent"
"AwsUser": "UserIdentityUserName"
}
}
},
@ -256,7 +256,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Cross-CloudSuspiciousComputeResourcecreationinGCP_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "Cross-CloudSuspiciousComputeResourcecreationinGCP_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -270,7 +270,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "\nThis detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.\n",
"description": "This detection identifies potential suspicious activity across multi-cloud environments by combining AWS GuardDuty findings with GCP Audit Logs. It focuses on AWS activities related to unauthorized access, credential abuse, and unusual behaviors, as well as GCP instances creation with non-Google service account users. The query aims to provide a comprehensive view of cross-cloud security incidents for proactive threat detection and response.",
"displayName": "Cross-Cloud Suspicious Compute resource creation in GCP",
"enabled": false,
"query": "// Materialize AWS GuardDuty findings\nlet AwsAlert = materialize (\n AWSGuardDuty\n // Filter for specific activity types in AWS GuardDuty\n | where ActivityType has_any (\n \"Backdoor:EC2/DenialOfService.UnusualProtocol\",\n \"CredentialAccess:Kubernetes/MaliciousIPCaller\",\n \"CredentialAccess:Kubernetes/SuccessfulAnonymousAccess\",\n \"CredentialAccess:Kubernetes/TorIPCaller\",\n \"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\",\n \"CredentialAccess:RDS/TorIPCaller.FailedLogin\",\n \"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\",\n \"Discovery:Kubernetes/MaliciousIPCaller\",\n \"Recon:IAMUser/MaliciousIPCaller.Custom\",\n \"UnauthorizedAccess:EC2/TorClient\",\n \"UnauthorizedAccess:IAMUser/TorIPCaller\",\n \"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\",\n \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\",\n \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\",\n \"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\"\n )\n // Extract and transform AWS GuardDuty attributes\n | extend\n AWSAlertId = Id, \n AWSAlertTitle = Title,\n AWSAlertDescription = Description,\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\n AWSAlertTime = TimeCreated,\n AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=', Id)),\n Severity = \n case (\n Severity >= 7.0,\n \"High\",\n Severity between (4.0 .. 6.9),\n \"Medium\",\n Severity between (1.0 .. 
3.9),\n \"Low\",\n \"Unknown\"\n)\n // Extract API call details and count\n | mv-apply AIPCall = AWSTargetingService on \n ( \n where AIPCall has \"name\" \n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\"count\"])\n ) \n // Select distinct attributes for further analysis\n | distinct\n AWSAlertTime,\n ActivityType,\n Severity,\n AWSAlertId,\n AWSAlertTitle,\n AWSAlertDescription,\n AWSAlertLink,\n Arn,\n AWSresourceType,\n AWSNetworkEntity,\n AWSAlertUserNameEntity,\n InstanceType,\n APICallName,\n APICallCount \n );\n// Materialize GCP Audit Logs related to VM instance creation\nlet GCPVMActivity= materialize(\n GCPAuditLogs \n // Filter for Compute Engine instances insertions\n | where ServiceName == \"compute.googleapis.com\" and MethodName endswith \"instances.insert\"\n // Extract and transform relevant GCP Audit Log attributes\n | extend\n GCPUserUPN= tostring(parse_json(AuthenticationInfo).principalEmail),\n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n GCPUserUA= tostring(parse_json(RequestMetadata).callerSuppliedUserAgent),\n VMDetails= parse_json(AuthorizationInfo),\n VMStatus = tostring(parse_json(Response).status),\n VMOperation=tostring(parse_json(Response).operationType),\n VMName= tostring(parse_json(Request).name),\n VMDescription= tostring(parse_json(Request).description),\n VMType = tostring(split(parse_json(Request).machineType, \"/\")[-1]),\n Tags= tostring(parse_json(Request).tags),\n RequestJS = parse_json(Request)\n // Filter out service account-related activities and private IP addresses\n | where GCPUserUPN !has \"gserviceaccount.com\"\n | extend Name = tostring(split(GCPUserUPN, \"@\")[0]), UPNSuffix = tostring(split(GCPUserUPN, \"@\")[1])\n | where VMOperation == \"insert\" and isnotempty(GCPUserIp) and GCPUserIp != \"private\"\n // Select relevant attributes for further analysis\n | project\n GCPOperationTime=TimeGenerated,\n VMName,\n VMStatus,\n MethodName,\n GCPUserUPN,\n ProjectId,\n 
GCPUserIp,\n GCPUserUA,\n VMOperation,\n VMType,\n Name,\n UPNSuffix\n );\n// Join AWS and GCP activities based on matching IP addresses\nAwsAlert\n| join kind= inner (GCPVMActivity)\n on\n $left.AWSNetworkEntity == $right.GCPUserIp\n",
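Review bot: the final join in this query (`AwsAlert | join kind=inner (GCPVMActivity) on $left.AWSNetworkEntity == $right.GCPUserIp`) correlates on IP address alone with no time constraint, so a GuardDuty finding and a GCP `instances.insert` event days apart from the same address will still be paired; consider a time-window check after the join (for example `| where abs(datetime_diff('minute', AWSAlertTime, GCPOperationTime)) <= N`, using the rule's lookback) so the correlation reflects co-occurring activity rather than any shared IP.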
@ -318,8 +318,8 @@
{
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
"identifier": "Address",
"columnName": "GCPUserIp"
}
],
"entityType": "IP"
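Review bot: the swap of `identifier` and `columnName` in this fieldMapping is a key-order change only, with no semantic effect on the entity mapping; this pattern repeats through the file, so if the packaging tool can emit keys in a stable order the next repackage will produce a diff that shows only the real changes.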
@ -327,36 +327,38 @@
{
"fieldMappings": [
{
"columnName": "GCPUserUPN",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "GCPUserUPN"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
}
],
"customDetails": {
"GCPVMType": "VMType",
"AWSArn": "Arn",
"AWSAPICallName": "APICallName",
"GCPProjectId": "ProjectId",
"GCPUserAgent": "GCPUserUA",
"AWSAPICallCount": "APICallCount",
"AWSInstanceType": "InstanceType",
"AWSAlertUserName": "AWSAlertUserNameEntity",
"CorrelationWith": "GCPAuditLogs",
"AWSresourceType": "AWSresourceType",
"GCPVMName": "VMName"
"AWSAPICallCount": "APICallCount",
"AWSAlertUserName": "AWSAlertUserNameEntity",
"AWSInstanceType": "InstanceType",
"GCPVMType": "VMType",
"GCPVMName": "VMName",
"AWSAPICallName": "APICallName",
"GCPUserAgent": "GCPUserUA",
"CorrelationWith": "GCPAuditLogs",
"AWSArn": "Arn",
"GCPProjectId": "ProjectId"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
"alertDynamicProperties": [
{
"value": "AWSAlertLink",
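Review bot: the moved `alertDescriptionFormat` text says the detection pinpoints "unauthorized users attempting to access both AWS and Azure resources", but this rule correlates GuardDuty with GCP compute activity (`"CorrelationWith": "GCPAuditLogs"` in the same hunk), so the description should say GCP; while touching it, fix "assocated" and "AWS ALert Link". Moving the two format strings above `alertDynamicProperties` is otherwise a harmless reorder.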
@ -370,9 +372,7 @@
"value": "AWSGuarduty",
"alertProperty": "ProductComponentName"
}
],
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
]
}
}
},
@ -427,7 +427,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CrossCloudSuspiciousUserActivityObservedInGCPEnvourment_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "CrossCloudSuspiciousUserActivityObservedInGCPEnvourment_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -441,7 +441,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "\nThis detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.\n",
"description": "This detection query aims to correlate potentially suspicious user activities logged in Google Cloud Platform (GCP) Audit Logs with security alerts originating from Microsoft Security products. This correlation facilitates the identification of potential cross-cloud security incidents. By summarizing these findings, the query provides valuable insights into cross-cloud identity threats and their associated details, enabling organizations to respond promptly and mitigate potential risks effectively.",
"displayName": "Cross-Cloud Suspicious user activity observed in GCP Envourment",
"enabled": false,
"query": "// Filter GCP Audit Logs to exclude service accounts\nGCPAuditLogs \n| where PrincipalEmail !endswith \"gserviceaccount.com\"\n// Exclude system-related authentication information\n| where AuthenticationInfo !has (\"system:\")\n// Extract GCP request name and relevant attributes\n| extend GCPRequestName= parse_json(Request).name\n| extend\n GCPAccoutType= tostring(split(GCPRequestName, \"/\")[2]),\n GCPUserIdentity = iff(isempty(tostring(split(GCPRequestName, \"/\")[3])), tostring(parse_json(AuthenticationInfo).principalEmail), \"na\"), \n GCPUserIp = tostring(parse_json(RequestMetadata).callerIp),\n GCPCallerUA = tostring(parse_json(RequestMetadata).callerSuppliedUserAgent)\n// Filter out empty or service account identities\n| where isnotempty(GCPUserIdentity) and GCPUserIdentity !endswith \"gserviceaccount.com\"\n// Select relevant attributes for further analysis\n| project\n PrincipalEmail,\n GCPUserIdentity,\n GCPAccoutType,\n GCPRequestName,\n GCPCallerUA,\n Request,\n RequestMetadata,\n GCPUserIp,\n MethodName,\n ServiceName,\n GCPEventTime= TimeGenerated,\n ProjectId\n// Join GCP Audit Logs with SecurityAlert data based on user identity and IP\n| join kind=inner ( \n SecurityAlert \n // Exclude alerts from Azure Sentinel\n | where ProductName !in (\"Azure Sentinel\")\n // Extract IP entities from alert data\n | extend AlertIPEntity= tostring(extract(@\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\", 0, Entities))\n | extend\n AlertUserUPN = tostring(extract(@'\\b[\\w\\.\\-]+@[\\w\\.\\-]+\\b', 0, Entities)),\n AlertTime= TimeGenerated\n // Filter out empty user identities and IP entities\n | where isnotempty(AlertIPEntity) and isnotempty(AlertUserUPN)\n )\n on $left.GCPUserIdentity == $right.AlertUserUPN and $left.GCPUserIp == $right.AlertIPEntity\n// Summarize the data, calculating time differences and aggregating attributes\n| summarize\n FirstAlert=min(AlertTime),\n LastAlert=max(AlertTime),\n TimeDiff=datetime_diff('minute', min(AlertTime), 
min(GCPEventTime)),\n MethodName=make_set(MethodName),\n ServiceName= make_set(ServiceName),\n GCPProjctId=make_set(ProjectId),\n Request=make_set(Request),\n GCPCallerUA=make_set(GCPCallerUA)\n by\n AlertUserUPN,\n AlertIPEntity,\n GCPUserIp,\n GCPUserIdentity,\n AlertSeverity,\n AlertName,\n AlertLink,\n Description,\n Tactics,\n ProductName,\n SystemAlertId,\n GCPAccoutType\n// Extend the data with additional attributes\n| extend\n Name = tostring(split(GCPUserIdentity, \"@\")[0]),\n UPNSuffix = tostring(split(GCPUserIdentity, \"@\")[1])\n",
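Review bot: the `displayName` in this hunk still reads "GCP Envourment" and is user-visible in the Sentinel UI, so it should be corrected to "Environment" in the same description-update pass. In the query, `AlertIPEntity` is pulled by running `extract(@"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", 0, Entities)` over the serialized `Entities` JSON, which returns the first dotted quad anywhere in the blob (not necessarily the IP entity, and it also matches inside version-like strings); expanding `parse_json(Entities)` with `mv-expand` and selecting the entity whose `Type` is `ip` would give a reliable join key. The same applies to `AlertUserUPN`, which is taken from the first e-mail-shaped string in the blob.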
@ -507,8 +507,8 @@
{
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
"identifier": "Address",
"columnName": "GCPUserIp"
}
],
"entityType": "IP"
@ -516,38 +516,40 @@
{
"fieldMappings": [
{
"columnName": "GCPUserIdentity",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "GCPUserIdentity"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
}
],
"customDetails": {
"AlertUserUPN": "AlertUserUPN",
"CorrelationWith": "GCPAuditLogs",
"GCPCallerUA": "GCPCallerUA",
"ServiceName": "ServiceName",
"Tactics": "Tactics",
"FirstAlert": "FirstAlert",
"AlertName": "AlertName",
"LastAlert": "LastAlert",
"TimeDiff": "TimeDiff",
"GCPProjctId": "GCPProjctId",
"MethodName": "MethodName",
"FirstAlert": "FirstAlert",
"AlertUserUPN": "AlertUserUPN",
"ServiceName": "ServiceName",
"GCPProjctId": "GCPProjctId",
"AlertName": "AlertName",
"CorrelationWith": "GCPAuditLogs",
"Request": "Request",
"SystemAlertId": "SystemAlertId",
"Request": "Request"
"TimeDiff": "TimeDiff",
"GCPCallerUA": "GCPCallerUA",
"Tactics": "Tactics"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "AlertSeverity",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description '{{Description}}' observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \n\n Microsoft Security ALert Link : '{{AlertLink}}'",
"alertDisplayNameFormat": "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.",
"alertDynamicProperties": [
{
"value": "AlertLink",
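Review bot: `alertDisplayNameFormat` references `{{GCPUserUPN}}`, but the query for this rule never produces a `GCPUserUPN` column (it projects and summarizes by `GCPUserIdentity`), so the placeholder will not resolve in the incident title; use `{{GCPUserIdentity}}`. The same string has "from, originating from", and the description has "environmeny", "bhaviour" and "ALert Link", all of which are shown to analysts.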
@ -561,9 +563,7 @@
"value": "Microsoft Security",
"alertProperty": "ProductComponentName"
}
],
"alertDisplayNameFormat": "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description '{{Description}}' observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \n\n Microsoft Security ALert Link : '{{AlertLink}}'"
]
}
}
},
@ -618,7 +618,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CrossCloudUnauthorizedCredentialsAccessDetection_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "CrossCloudUnauthorizedCredentialsAccessDetection_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -632,7 +632,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "\nThis detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.\n",
"description": "This detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.",
"displayName": "Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login",
"enabled": false,
"query": "// Define variable 'AwsAlert' to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity\nlet AwsAlert = materialize (\n AWSGuardDuty\n | where ActivityType has_any (\n \"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin\",\n \"CredentialAccess:RDS/TorIPCaller.FailedLogin\",\n \"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce\",\n \"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin\",\n \"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin\",\n \"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin\"\n )\n | extend\n AWSAlertId = Id, \n AWSAlertTitle = Title,\n AWSAlertDescription = Description,\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),\n RDSInstanceId = tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),\n RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),\n RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),\n RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),\n AWSAlertTime = TimeCreated,\n AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),\n Severity = \n case (\n Severity >= 7.0, \"High\",\n Severity between (4.0 .. 6.9), \"Medium\",\n Severity between (1.0 .. 
3.9), \"Low\",\n \"Unknown\")\n | distinct\n AWSAlertTime,\n ActivityType,\n AWSAlertId,\n AWSAlertLink,\n AWSAlertTitle,\n AWSAlertDescription,\n AWSresourceType,\n Arn,\n Severity,\n RDSactionType,\n RDSApplication,\n RDSInstanceId,\n RDSUser,\n AWSNetworkEntity\n );\n // Define variable 'Azure_sigin' to collect Azure portal sign-in activities\n let Azure_sigin = materialize (\n SigninLogs\n | where AppDisplayName == \"Azure Portal\"\n | where isnotempty(OriginalRequestId)\n | summarize \n AzureSuccessfulEvent = countif(ResultType == 0), \n AzureFailedEvent = countif(ResultType != 0), \n totalAzureLoginEventId = dcount(OriginalRequestId), \n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \n AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\n AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \"\"), 5), \n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \"\"), 5) \n by \n IPAddress, \n UserPrincipalName, \n bin(TimeGenerated, 1min), \n UserAgent,\n ConditionalAccessStatus,\n OperationName,\n RiskDetail,\n AuthenticationRequirement,\n ClientAppUsed\n // Extracting the name and UPN suffix from UserPrincipalName\n | extend\n Name = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n );\n // Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address\n AwsAlert\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\n",
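Review bot: `AWSAlertLink` is built with a hard-coded `us-east-1` console URL, so the link is wrong for GuardDuty findings raised in any other region; deriving the region from the finding (or omitting the region from the link) would make it usable across accounts. The `Azure_sigin` branch uses `makeset(...)`, which is a deprecated alias of `make_set()`, and the final `join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress` pairs alerts and sign-ins on IP alone without a time bound, which will surface stale correlations from shared or NATed addresses.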
@ -679,8 +679,8 @@
{
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPAddress"
}
],
"entityType": "IP"
@ -688,39 +688,41 @@
{
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "UserPrincipalName"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
}
],
"customDetails": {
"AWSresourceType": "AWSresourceType",
"AWSInstanceId": "RDSInstanceId",
"AzureOperationName": "OperationName",
"AzAuthRequirement": "AuthenticationRequirement",
"AWSAplicationName": "RDSApplication",
"AzureUserAgent": "UserAgent",
"AWSArn": "Arn",
"AzureRiskDetail": "RiskDetail",
"AWSInstanceType": "RDSactionType",
"AzureClientAppUsed": "ClientAppUsed",
"alertSeverity": "Severity",
"AWSAplicationName": "RDSApplication",
"AzConditionalAccess": "ConditionalAccessStatus",
"AzureRiskDetail": "RiskDetail",
"AzAuthRequirement": "AuthenticationRequirement",
"alertSeverity": "Severity",
"AzureUserAgent": "UserAgent",
"AWSresourceType": "AWSresourceType",
"AWSAlertUserName": "RDSUser",
"AWSInstanceId": "RDSInstanceId",
"AzureUser": "UserPrincipalName",
"AWSArn": "Arn"
"AzureOperationName": "OperationName"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDescriptionFormat": "This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDisplayNameFormat": "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}",
"alertDynamicProperties": [
{
"value": "AWSAlertLink",
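Review bot: in `customDetails`, the key `AWSInstanceType` is bound to `RDSactionType`, which is the GuardDuty action type rather than an instance type; a name such as `AWSActionType` would avoid misleading analysts reading the incident. `AWSAplicationName` is misspelled, and `alertSeverity: Severity` duplicates what `alertSeverityColumnName` already surfaces, so it can be dropped to stay well under the custom-details limit.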
@ -738,9 +740,7 @@
"value": "AWSGuardDuty",
"alertProperty": "ProductComponentName"
}
],
"alertDisplayNameFormat": "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}",
"alertDescriptionFormat": "This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
]
}
}
},
@ -795,7 +795,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -865,16 +865,16 @@
{
"fieldMappings": [
{
"columnName": "AccountUPN",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "AccountUPN"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
@ -882,8 +882,8 @@
{
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
],
"entityType": "IP"
@ -891,8 +891,8 @@
],
"customDetails": {
"AWSUserUPN": "CTUPN",
"AWSUser": "UserIdentityArn",
"UserAgent": "UserAgent"
"UserAgent": "UserAgent",
"AWSUser": "UserIdentityArn"
}
}
},
@ -947,7 +947,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SuspiciousAWSConsolLoginByCredentialAceessAlerts_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "SuspiciousAWSConsolLoginByCredentialAceessAlerts_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -1022,16 +1022,16 @@
{
"fieldMappings": [
{
"columnName": "AccountUPN",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "AccountUPN"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
@ -1039,16 +1039,16 @@
{
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
],
"entityType": "IP"
}
],
"customDetails": {
"AWSUSerUPN": "CTUPN",
"UserAgent": "UserAgent",
"AWSUSerUPN": "CTUPN",
"ComonIp": "SourceIpAddress",
"AzureUserUPN": "AccountUPN"
}
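Review bot: since this hunk only reorders `customDetails`, it is the right place to also fix the key names `AWSUSerUPN` and `ComonIp` (to `AWSUserUPN` and `CommonIp`), which appear verbatim as custom-detail labels on the incident.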
@ -1105,7 +1105,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Unauthorized_user_access_across_AWS_and_Azure_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "Unauthorized_user_access_across_AWS_and_Azure_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -1119,7 +1119,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "\nThis detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.\n",
"description": "This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.",
"displayName": "Unauthorized user access across AWS and Azure",
"enabled": false,
"query": "// Define a variable 'AwsAlert' to collect Unauthorized user access alerts from AWS GuardDuty table\nlet AwsAlert = materialize (\n AWSGuardDuty\n | where ActivityType has_any (\"UnauthorizedAccess:IAMUser/TorIPCaller\", \"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom\", \n \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS\", \"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS\",\n \"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B\",\"UnauthorizedAccess:IAMUser/MaliciousIPCaller\")\n | extend\n AWSAlertId = Id, \n AWSAlertTitle = Title,\n AWSAlertDescription = Description,\n AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),\n AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),\n AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),\n InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),\n AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,\n AWSAlertTime = TimeCreated,\n AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),\n Severity = \n case (\n Severity >= 7.0, \"High\",\n Severity between (4.0 .. 6.9), \"Medium\",\n Severity between (1.0 .. 
3.9), \"Low\",\n \"Unknown\")\n | mv-apply AIPCall = AWSTargetingService on \n ( \n where AIPCall has \"name\" \n | extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall[\"count\"])\n ) \n | distinct\n AWSAlertTime,\n ActivityType,\n Severity,\n AWSAlertId,\n AWSAlertTitle,\n AWSAlertDescription,\n AWSAlertLink,\n Arn,\n AWSresourceType,\n AWSNetworkEntity,\n AWSAlertUserNameEntity,\n InstanceType,\n APICallName,\n APICallCount \n );\n // Define a variable 'Azure_sigin' to collect Azure portal Signing activity from SigninLogs Table\n let Azure_sigin = materialize (SigninLogs\n | where AppDisplayName == \"Azure Portal\"\n | where isnotempty(OriginalRequestId)\n | summarize \n totalAzureLoginEventId = dcount(OriginalRequestId), \n AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \n AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),\n AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, \"\"), 5), \n AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \"\"), 5) \n by \n IPAddress, \n UserPrincipalName, \n bin(TimeGenerated, 1min), \n UserAgent,\n ConditionalAccessStatus,\n OperationName,\n RiskDetail,\n AuthenticationRequirement,\n ClientAppUsed \n // Extracting the name and UPN suffix from UserPrincipalName\n | extend\n Name = tostring(split(UserPrincipalName, \"@\")[0]),\n UPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n );\n // Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address\n AwsAlert\n | join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress\n",
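Review bot: the updated `description` keeps the typo "The ditection leverages"; since this PR's stated purpose is updating rule descriptions, correct it to "detection" here. The query in this hunk shares the RDS rule's hard-coded `us-east-1` GuardDuty link and IP-only join against `Azure_sigin`, so any fix applied there should be mirrored here.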
@ -1168,8 +1168,8 @@
{
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "IPAddress"
}
],
"entityType": "IP"
@ -1177,39 +1177,41 @@
{
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
"identifier": "FullName",
"columnName": "UserPrincipalName"
},
{
"columnName": "Name",
"identifier": "Name"
"identifier": "Name",
"columnName": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
}
],
"customDetails": {
"AWSresourceType": "AWSresourceType",
"AzureOperationName": "OperationName",
"AzAuthRequirement": "AuthenticationRequirement",
"AWSArn": "Arn",
"AzureUserAgent": "UserAgent",
"AzureRiskDetail": "RiskDetail",
"AWSInstanceType": "InstanceType",
"AzureClientAppUsed": "ClientAppUsed",
"AWSAPICallName": "APICallName",
"alertSeverity": "Severity",
"AWSresourceType": "AWSresourceType",
"AzConditionalAccess": "ConditionalAccessStatus",
"AzureRiskDetail": "RiskDetail",
"AzAuthRequirement": "AuthenticationRequirement",
"alertSeverity": "Severity",
"AzureUserAgent": "UserAgent",
"AWSAPICallCount": "APICallCount",
"AWSAPICallName": "APICallName",
"AWSAlertUserName": "AWSAlertUserNameEntity",
"AzureUser": "UserPrincipalName",
"AWSAPICallCount": "APICallCount"
"AzureOperationName": "OperationName"
},
"alertDetailsOverride": {
"alertSeverityColumnName": "Severity",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}",
"alertDynamicProperties": [
{
"value": "AWSAlertLink",
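Review bot: the moved `alertDisplayNameFormat` reads "observed in Azure Singins with {{UserPrincipalName}}", which is the incident title analysts see; change "Singins" to "Sign-ins". The accompanying `alertDescriptionFormat` still has "AWS ALert Link". Both strings are identical to the ones removed further down, so this is a move plus reorder, not a content change.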
@ -1227,9 +1229,7 @@
"value": "AWSGuardDuty",
"alertProperty": "ProductComponentName"
}
],
"alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
]
}
}
},
@ -1284,7 +1284,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserImpersonateByAAID_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "UserImpersonateByAAID_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@ -1334,8 +1334,8 @@
{
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
],
"entityType": "IP"
@ -1343,8 +1343,8 @@
],
"customDetails": {
"AlertName": "AlertName",
"AlertIp": "ipAddress",
"AWSUser": "UserIdentityArn"
"AWSUser": "UserIdentityArn",
"AlertIp": "ipAddress"
}
}
},
@ -1399,7 +1399,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UserImpersonateByRiskyUser_AnalyticalRules Analytics Rule with template version 3.0.2",
"description": "UserImpersonateByRiskyUser_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@ -1455,18 +1455,18 @@
{
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
"identifier": "Address",
"columnName": "SourceIpAddress"
}
],
"entityType": "IP"
}
],
"customDetails": {
"RiskEventTypes": "RiskEventTypes",
"AzureUser": "UserPrincipalName",
"AWSEventName": "EventName",
"AwsUser": "UserIdentityArn"
"RiskEventTypes": "RiskEventTypes",
"AwsUser": "UserIdentityArn",
"AWSEventName": "EventName"
}
}
},
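Review bot: Same key-order-only churn in fieldMappings and customDetails as in the previous rule, no semantic change. One real inconsistency is visible here though: this rule's customDetails key is `AwsUser` while the rule above uses `AWSUser`. Analysts writing KQL against the custom details have to special-case the casing per rule, so align the two keys (for example `AWSUser` in both) while the template is being touched.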
@ -1517,7 +1517,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.2",
"version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
@ -1545,7 +1545,6 @@
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "AnalyticsRule",
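Review bot: Dropping `"operator": "AND"` from the dependencies block makes the combination of the criteria below implicit, and nothing in the PR says why. If the content package schema defaults to AND this is harmless but should be stated in the commit message; if it does not, the Solution dependencies added further down would no longer all be enforced at install time. Either keep the explicit operator or document the default being relied on.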
@ -1591,6 +1590,26 @@
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-microsoft365defender"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-azureactivedirectory"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-gcpiam"
},
{
"kind": "Solution",
"contentId": "azuresentinel.azure-sentinel-solution-gcpauditlogs-api"
}
]
},
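Review bot: Five Solution dependencies are added here (microsoft365defender, azureactivedirectory, amazonwebservices, gcpiam, gcpauditlogs-api), which makes those solutions prerequisites for this package, yet the 3.0.3 release-notes entry in this same PR only says "Analytical Rule description updated". Record the new dependencies in ReleaseNotes, and confirm the two GCP solutions are actually consumed by rules in this package rather than tagged speculatively: the rules visible in this diff correlate AWS GuardDuty alerts with Azure sign-in activity and carry AWS/Azure user identities, and no GCP table appears anywhere in the hunks.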


@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.2 | 08-04-2024 | Added Account and FullName in entity mapping |
|-------------|--------------------------------|--------------------------------------------------------------------| |
| 3.0.3 | 07-06-2024 | Analytical Rule description updated |
| 3.0.2 | 08-04-2024 | Added Account and FullName in entity mapping |
| 3.0.1 | 23-02-2024 | Tagged for dependent solutions for deployment |
| 3.0.0 | 22-11-2023 | Initial Release |
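Review bot: The replacement table separator line in this hunk has a stray trailing ` |` (`|---|---|---| |`), which declares a phantom fourth column and will break Markdown rendering of the whole table; restore it to `|-------------|--------------------------------|--------------------------------------------------------------------|`. Also, the new 3.0.3 row only mentions the description update, while the template diff in this PR also removes the dependencies `operator` and adds five Solution dependencies; list those too so the release notes match what is shipped.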

Binary file not shown.


@ -142,7 +142,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query utilizes built-in KQL anomaly detection algorithms to identify anomalous data transfers to public networks. It detects significant deviations from a baseline pattern, \nallowing the detection of sudden increases in data transferred to unknown public networks, which may indicate data exfiltration attempts. Investigating such anomalies is crucial. The \nscore indicates the degree to which the data transfer deviates from the baseline value. A higher score indicates a greater deviation. The query's output provides an aggregated summary \nview of the traffic observed in the flagged anomaly hour, including unique combinations of source IP addresses, destination IP addresses, and port bytes sent. It may be necessary \nto run queries for individual source IP addresses from the provided 'SourceIPlist' to identify any suspicious activity that warrants further investigation"
"text": "This query utilizes built-in KQL anomaly detection algorithms to identify anomalous data transfers to public networks. It detects significant deviations from a baseline pattern, allowing the detection of sudden increases in data transferred to unknown public networks, which may indicate data exfiltration attempts. Investigating such anomalies is crucial.\nThe score indicates the degree to which the data transfer deviates from the baseline value. A higher score indicates a greater deviation. The query's output provides an aggregated summary view of the traffic observed in the flagged anomaly hour, including unique combinations of source IP addresses, destination IP addresses, and port bytes sent. It may be necessary to run queries for individual source IP addresses from the provided 'SourceIPlist' to identify any suspicious activity that warrants further investigation"
}
}
]
@ -226,7 +226,7 @@
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection mechanism identifies requests originating from a single source within a brief time period\n that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes"
"text": "This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes"
}
}
]
@ -240,7 +240,7 @@
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Double extension vulnerability is a significant concern in file uploads, as it can lead to various \n issues if an attacker successfully uploads a virus-infected file."
"text": "Double extension vulnerability is a significant concern in file uploads, as it can lead to various issues if an attacker successfully uploads a virus-infected file."
}
}
]
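Review bot: The analytic9-text description still does not say what the rule detects; "Double extension vulnerability is a significant concern in file uploads" reads as background rather than a rule summary. Since the string is being edited anyway, state the trigger condition (a requested or uploaded filename carrying two extensions, for example `name.pdf.exe`, an illustrative pattern rather than one taken from the rule) and what an analyst should verify, and consider "malicious file" instead of "virus-infected file", since the concern is executable content, not only known malware.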
@ -268,7 +268,7 @@
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule identifies requests made to atypical URLs, as malware can exploit IP addresses \nfor communication with command-and-control (C2) servers. The detection identifies network \nrequests that contain either plain text or Base64 encoded IP addresses. Alerts are triggered when a \nprivate IP address is observed as plain text or base64 encoded in an outbound \nweb request. This method of concealing the IP address was observed in the utilization of the RunningRAT \ntool by POLONIUM."
"text": "This rule identifies requests made to atypical URLs, as malware can exploit IP addresses for communication with command-and-control (C2) servers. The detection identifies network requests that contain either plain text or Base64 encoded IP addresses. Alerts are triggered when a private IP address is observed as plain text or base64 encoded in an outbound web request. This method of concealing the IP address was observed in the utilization of the RunningRAT tool by POLONIUM."
}
}
]
@ -282,7 +282,7 @@
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection mechanism examines connections made to a domain where only a single file is requested, \nwhich is considered unusual since most contemporary web applications require additional resources. \nSuch activity is often associated with malware beaconing or tracking URLs delivered via emails. \nThe query includes a sample set of popular web script extensions (scriptExtensions), \nwhich should be customized to align with the specific requirements of your environment"
"text": "This detection mechanism examines connections made to a domain where only a single file is requested, which is considered unusual since most contemporary web applications require additional resources. Such activity is often associated with malware beaconing or tracking URLs delivered via emails. \nThe query includes a sample set of popular web script extensions (scriptExtensions), which should be customized to align with the specific requirements of your environment"
}
}
]
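Review bot: The analytic12-text string keeps one embedded `\n` after "delivered via emails. " (with a trailing space before it), while the sibling analytic2-text hunk writes its paragraph break as "crucial.\nThe" with no space. If the break is deliberate, drop the stray space for consistency; the description also ends without a full stop, unlike analytic11-text.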
@ -296,7 +296,7 @@
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule assists in detecting rare user agents, which may indicate web browsing activity by an \n unconventional process different from the usual ones. The rule specifically searches for UserAgent \n strings that have not been seen in the past 14 days. This query will perform better when run over summarized data"
"text": "This rule assists in detecting rare user agents, which may indicate web browsing activity by an unconventional process different from the usual ones. The rule specifically searches for UserAgent strings that have not been seen in the past 14 days. This query will perform better when run over summarized data"
}
}
]

File diff suppressed because one or more lines are too long


@ -1,6 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------|
| 3.0.3 | 21-03-2024 | Updated Entity Mapping **Analytic Rule** CommandInURL.yaml |
| 3.0.3 | 06-06-2024 | Updated Entity Mapping **Analytic Rule** CommandInURL.yaml |
| 3.0.2 | 31-01-2024 | Updated the solution to fix **Analytic Rules** deployment issue |
| 3.0.1 | 02-01-2024 | Tagged for dependent Solutions for deployment |
| 3.0.0 | 11-09-2023 | Initial Solution Release |
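Review bot: Only the date on the 3.0.3 row changes (21-03-2024 to 06-06-2024) while the change text is untouched, so the release notes now claim the 06-06 release only "Updated Entity Mapping" for CommandInURL.yaml even though this PR also reflows the analytic description strings in createUiDefinition. Either add a line for the description cleanup or leave the date as it was. Note as well that the other ReleaseNotes file in this PR dates its new entry 07-06-2024; pick one date for the repackaging.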