changed vim name
Родитель
1409c21cf2
Коммит
410b7de9b2
@ -28,7 +28,7 @@
"displayName": "ASIM Source Agnostic Process Creation Event Parser",
"category": "Security",
"FunctionAlias": "imProcessCreate",
"query": "union isfuzzy=true\n vimProcessEmpty,\n vimProcessEventsMicrosoft365D,\n vimProcessCreateMicrosoftSysmon,\n vimProcessCreateMicrosoftSecurityEvents,\n vimProcessCreateLinuxSysmon,\n vimProcessCreationMicrosoftWindowsEvents",
"query": "union isfuzzy=true\n vimProcessEmpty,\n vimProcessEventsMicrosoft365D,\n vimProcessCreateMicrosoftSysmon,\n vimProcessCreateMicrosoftSecurityEvents,\n vimProcessCreateLinuxSysmon,\n vimProcessCreateMicrosoftWindowsEvents",
"version": 1
}
}
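Review bot: The renamed union on the new side of this hunk still references `vimProcessEventsMicrosoft365D`, while the imProcess union in the hunk at @ -28,7 +28,7 @@ further down references `vimProcessEventMicrosoft365D`; the two spellings cannot both resolve to the same function, so one of these parsers is pointing at a name that presumably does not exist. Because the query uses `union isfuzzy=true`, an unresolved leg is tolerated rather than failing, which means the affected source-agnostic parser would silently return no Microsoft 365 Defender process events without any deployment or query error. Since this commit is already aligning parser names, it would be worth settling on one spelling in both queries, e.g. `vimProcessEventMicrosoft365D,` here, after confirming which name the deployed function actually carries. The surrounding JSON object starts outside this hunk.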
@ -234,7 +234,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimProcessCreationMicrosoftWindowsEvents",
"name": "linkedvimProcessCreateMicrosoftWindowsEvents",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -254,7 +254,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimProcessTerminationMicrosoftWindowsEvents",
"name": "linkedvimProcessTerminateMicrosoftWindowsEvents",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -28,7 +28,7 @@
"displayName": "ASIM Source Agnostic Process Events Parser",
"category": "Security",
"FunctionAlias": "imProcess",
"query": "union isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D,\n vimProcessCreateMicrosoftSysmon,\n vimProcessTerminateMicrosoftSysmon,\n vimProcessCreateMicrosoftSecurityEvents,\n vimProcessTerminateMicrosoftSecurityEvents,\n vimProcessCreateLinuxSysmon,\n vimProcessTerminationMicrosoftWindowsEvents,\n vimProcessCreationMicrosoftWindowsEvents,\n vimProcessEventAD4IoT\n",
"query": "union isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D,\n vimProcessCreateMicrosoftSysmon,\n vimProcessTerminateMicrosoftSysmon,\n vimProcessCreateMicrosoftSecurityEvents,\n vimProcessTerminateMicrosoftSecurityEvents,\n vimProcessCreateLinuxSysmon,\n vimProcessTerminateMicrosoftWindowsEvents,\n vimProcessCreateMicrosoftWindowsEvents,\n vimProcessEventAD4IoT\n",
"version": 1
}
}
@ -19,7 +19,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimProcessCreationMicrosoftWindowsEvents",
"name": "vimProcessCreateMicrosoftWindowsEvents",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
@ -27,7 +27,7 @@
"etag": "*",
"displayName": "ASIM Microsoft WindowsEvent Process Creation Events Parser",
"category": "Security",
"FunctionAlias": "vimProcessCreationMicrosoftWindowsEvents",
"FunctionAlias": "vimProcessCreateMicrosoftWindowsEvents",
"query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n let ProcessEvents=(){\n WindowsEvent\n | where EventID == 4688\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Event',\n EventSchemaVersion = '0.1.0',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n // EventOriginalUid = EventOriginId, will be added later to the schema\n // \"Data\" field will move to \"EventData\" later\n // Device\n // DvcId = SourceComputerId, \n DvcHostname = Computer,\n DvcOs = 'Windows',\n // Users\n ActorUserId = tostring(Data.SubjectUserSid),\n ActorUserIdType = 'SID',\n ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @\"\\\" , Data.SubjectUserName))),\n ActorUsernameType = iff(Data.SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = tostring(toint(Data.SubjectLogonId)),\n // ActorType = AccountType, No such field in WindowsEvent\n TargetUserId = tostring(Data.TargetUserSid), \n TargetUserIdType = 'SID',\n TargetUsername = tostring(iff (Data.TargetDomainName == '-', Data.TargetUserName, 
strcat(Data.TargetDomainName, @\"\\\" , Data.TargetUserName))),\n TargetUsernameType = iff (Data.TargetDomainName == '-', 'Simple', 'Windows'),\n TargetUserSessionId = tostring(toint(Data.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(Data.ProcessId)),\n ActingProcessName = tostring(Data.ParentProcessName),\n TargetProcessId = tostring(Data.NewProcessId),\n TargetProcessName = tostring(Data.NewProcessName),\n TargetProcessCommandLine = tostring(Data.CommandLine),\n TargetProcessTokenElevation = tostring(Data.TokenElevationType),\n MandatoryLabel = tostring(Data.MandatoryLabel)\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents",
"version": 1
}
@ -19,7 +19,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimProcessTerminationMicrosoftWindowsEvents",
"name": "vimProcessTerminateMicrosoftWindowsEvents",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
@ -27,7 +27,7 @@
"etag": "*",
"displayName": "ASIM Microsoft WindowsEvent Process Termination Events Parser",
"category": "Security",
"FunctionAlias": "vimProcessTerminationMicrosoftWindowsEvents",
"FunctionAlias": "vimProcessTerminateMicrosoftWindowsEvents",
"query": "let ProcessEvents=(){\n WindowsEvent | where EventID == 4689\n // -- Filter\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Event\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n // EventOriginalUid = EventOriginId, Field will be added later on\n EventResultDetails = tostring(Data.Status),\n EventOriginalResultDetails = tostring(Data.Status), \n // Device\n DvcId = tostring(Data.SourceComputerId),\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserId = tostring(Data.SubjectUserSid),\n ActorUserIdType = \"SID\",\n ActorUsername = tostring(iff (Data.SubjectDomainName == '-', Data.SubjectUserName, strcat(Data.SubjectDomainName, @\"\\\" , Data.SubjectUserName))),\n ActorUsernameType = iff(Data.SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = tostring(toint(Data.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(Data.ProcessId)),\n TargetProcessName = tostring(Data.ProcessName),\n TargetProcessCommandLine = tostring(Data.CommandLine),\n TargetProcessTokenElevation = tostring(Data.TokenElevationType)\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents",
"version": 1
}
@ -28,7 +28,7 @@
"displayName": "ASIM Source Agnostic Process Termination Event Parser",
"category": "Security",
"FunctionAlias": "imProcessTerminate",
"query": "union isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon,\n vimProcessTerminateMicrosoftSecurityEvents,\n vimProcessTerminationMicrosoftWindowsEvents",
"query": "union isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon,\n vimProcessTerminateMicrosoftSecurityEvents,\n vimProcessTerminateMicrosoftWindowsEvents",
"version": 1
}
}
@ -26,7 +26,7 @@ The template deploys the following:
* **Sysmon for Windows** - vimProcessCreateMicrosoftSysmon, vimProcessTerminateMicrosoftSysmon
* **Sysmon for Linux** - vimProcessCreateLinuxSysmon
* **Windows Security Events**, collecting using the Log Analytics Agent or Azure Monitor Agent - vimProcessCreateMicrosoftSecurityEvents, vimProcessTerminateMicrosoftSecurityEvents
* **Windows Events**, collecting using the Azure Monitor Agent - vimProcessCreationMicrosoftWindowsEvents, vimProcessTerminationMicrosoftWindowsEvents
* **Windows Events**, collecting using the Azure Monitor Agent - vimProcessCreateMicrosoftWindowsEvents, vimProcessTerminateMicrosoftWindowsEvents
* **AzudeDefender for IoT (AD4IoT)** - vimProcessEventAD4IoT
<br>
@ -22,5 +22,5 @@ ParserQuery: |
vimProcessCreateMicrosoftSysmon,
vimProcessCreateMicrosoftSecurityEvents,
vimProcessCreateLinuxSysmon,
vimProcessCreationMicrosoftWindowsEvents,
vimProcessCreateMicrosoftWindowsEvents,
vimProcessEventAD4IoT
@ -24,6 +24,6 @@ ParserQuery: |
vimProcessCreateMicrosoftSecurityEvents,
vimProcessTerminateMicrosoftSecurityEvents,
vimProcessCreateLinuxSysmon,
vimProcessTerminationMicrosoftWindowsEvents,
vimProcessCreationMicrosoftWindowsEvents,
vimProcessTerminateMicrosoftWindowsEvents,
vimProcessCreateMicrosoftWindowsEvents,
vimProcessEventAD4IoT
@ -20,5 +20,5 @@ ParserQuery: |
vimProcessEmpty,
vimProcessTerminateMicrosoftSysmon,
vimProcessTerminateMicrosoftSecurityEvents,
vimProcessTerminationMicrosoftWindowsEvents,
vimProcessTerminateMicrosoftWindowsEvents,
vimProcessEventAD4IoT
@ -13,7 +13,7 @@ References:
- Title: ASIM
Link: https:/aka.ms/AzSentinelNormalization
Description: ASIM WindowsEvents Parser
ParserName: vimProcessCreationMicrosoftWindowsEvents
ParserName: vimProcessCreateMicrosoftWindowsEvents
ParserQuery: |
let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)
[
@ -13,7 +13,7 @@ References:
- Title: ASIM
Link: https:/aka.ms/AzSentinelNormalization
Description: ASIM WindowsEvents Parser
ParserName: vimProcessTerminationMicrosoftWindowsEvents
ParserName: vimProcessTerminateMicrosoftWindowsEvents
ParserQuery: |
let ProcessEvents=(){
WindowsEvent | where EventID == 4689
@ -34,7 +34,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimProcessCreationMicrosoftWindowsEvents",
"name": "linkedvimProcessCreateMicrosoftWindowsEvents",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -54,7 +54,7 @@
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimProcessTerminationMicrosoftWindowsEvents",
"name": "linkedvimProcessTerminateMicrosoftWindowsEvents",
"properties": {
"mode": "Incremental",
"templateLink": {
@ -13,7 +13,7 @@ For more information, see:
The template deploys the following:
* vimRegistryEventMicrosoftWindowsEvent
* vimProcessCreationMicrosoftWindowsEvents
* vimProcessTerminationMicrosoftWindowsEvents
* vimProcessCreateMicrosoftWindowsEvents
* vimProcessTerminateMicrosoftWindowsEvents
<br>
@ -13,8 +13,8 @@ For more information, see:
The template deploys the following:
* vimRegistryEventMicrosoftWindowsEvent
* vimProcessCreationMicrosoftWindowsEvents
* vimProcessTerminationMicrosoftWindowsEvents
* vimProcessCreateMicrosoftWindowsEvents
* vimProcessTerminateMicrosoftWindowsEvents
* vimAuthenticationMicrosoftWindowsEvent
<br>