Merge branch 'master' into users/v-dvedak/az_stream_analytics_update_sol

This commit is contained in:
v-amolpatil 2022-07-01 10:56:18 +05:30
Родитель 9d741a701b 545d4f7346
Коммит 4cc35685df
197 изменённых файлов: 64269 добавлений и 1203 удалений

.github/workflows/codeql-analysis.yml поставляемый

@ -49,6 +49,7 @@ jobs:
# By default, queries listed here will override any specified in a config file. # By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file. # Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main # queries: ./path/to/local/query, your-org/your-repo/queries@main
queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
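Review bot: The added `queries: security-extended,security-and-quality` has no leading `+`, so per the comment two lines above it the list replaces any queries named in a CodeQL config file instead of extending them. If the repository ships such a config file, the intended form is `queries: +security-extended,security-and-quality`; if it does not, the line is correct as written. Either way a short comment such as `# Replaces (does not extend) any config-file query list` would keep the next editor from reading it as additive. The enclosing step starts and ends outside the hunk.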



@ -1,4 +1,44 @@
ColumnName,ColumnType,Class,Schema,LogicalType,ListOfValues,Aliased ColumnName,ColumnType,Class,Schema,LogicalType,ListOfValues,Aliased
_ResourceId,string,Recommended,Common,,,
TimeGenerated,datetime,Optional,Common,,,
Type,string,Recommended,Common,,,
EventMessage,string,Optional,Common,,,
EventCount,int,Mandatory,Common,,,
EventStartTime,datetime,Mandatory,Common,,,
EventEndTime,datetime,Mandatory,Common,,,
EventType,string,Mandatory,Common,,,
EventSubType,string,Optional,Common,,,
EventResult,string,Mandatory,Common,Enumerated,Success|Partial|Failure|NA,
EventResultDetails,string,Recommended,Common,,,
EventOriginalResultDetails,string,Optional,Common,,,
EventSeverity,string,Mandatory,Common,Enumerated,Informational|Low|Medium|High,
EventOriginalSeverity,string,Optional,Common,,,
EventOriginalUid,string,Optional,Common,,,
EventOriginalType,string,Optional,Common,,,
EventOriginalSubType,string,Optional,Common,,,
EventProduct,string,Mandatory,Common,,,
EventProductVersion,string,Optional,Common,,,
EventVendor,string,Mandatory,Common,,,
EventSchema,string,Mandatory,Common,,,
EventSchemaVersion,string,Mandatory,Common,SchemaVersion,,
EventReportUrl,string,Optional,Common,URL,,
Dvc,string,Mandatory,Common,,,
DvcIpAddr,string,Recommended,Common,IP Address,,
DvcHostname,string,Recommended,Common,Hostname,,
DvcDomain,string,Recommended,Common,Domain,,
DvcDomainType,string,Conditional,Common,Enumerated,Windows|FQDN|ResourceGroup,DvcDomain
DvcFQDN,string,Optional,Common,FQDN,,
DvcId,string,Optional,Common,,,
DvcIdType,string,Conditional,Common,Enumerated,AzureResourceId|MDEid|MD4IoTid|VMConnectionId|AwsVpcId|VectraId|AppGateId|Other,DvcId
DvcMacAddr,string,Optional,Common,MAC address,,
DvcZone,string,Optional,Common,,,
DvcAction,string,Optional,Common,,,
DvcDescription,string,Optional,Common,,,
DvcOs,string,Optional,Common,,,
DvcOsVersion,string,Optional,Common,,,
DvcSubscriptionId,string,Optional,Common,,,
DvcOriginalAction,string,Optional,Common,,,
DvcInterface,string,Optional,Common,,,
_ResourceId,string,Recommended,NetworkSession,,, _ResourceId,string,Recommended,NetworkSession,,,
TimeGenerated,datetime,Optional,NetworkSession,,, TimeGenerated,datetime,Optional,NetworkSession,,,
Type,string,Recommended,NetworkSession,,, Type,string,Recommended,NetworkSession,,,
@ -145,7 +185,7 @@ DnsFlagsRecursionDesired,bool,Optional,Dns,,,
DnsFlagsTruncated,bool,Optional,Dns,,, DnsFlagsTruncated,bool,Optional,Dns,,,
DnsFlagsZ,bool,Optional,Dns,,, DnsFlagsZ,bool,Optional,Dns,,,
DnsNetworkDuration,int,Optional,Dns,,, DnsNetworkDuration,int,Optional,Dns,,,
DnsQuery,string,Recommended,Dns,DnsDomain,, DnsQuery,string,Recommended,Dns,RecommendedDnsDomain,,
DnsQueryClass,int,Optional,Dns,,, DnsQueryClass,int,Optional,Dns,,,
DnsQueryClassName,string,Recommended,Dns,Enumerated,IN|CH|HS|NONE|ANY|Reserved|Unassigned, DnsQueryClassName,string,Recommended,Dns,Enumerated,IN|CH|HS|NONE|ANY|Reserved|Unassigned,
DnsQueryType,int,Optional,Dns,,, DnsQueryType,int,Optional,Dns,,,
@ -154,7 +194,7 @@ DnsResponseCode,int,Optional,Dns,,,
DnsResponseCodeName,string,Mandatory,Dns,DnsResponseCodeName,, DnsResponseCodeName,string,Mandatory,Dns,DnsResponseCodeName,,
DnsResponseName,string,Optional,Dns,,, DnsResponseName,string,Optional,Dns,,,
DnsSessionId,string,Optional,Dns,,, DnsSessionId,string,Optional,Dns,,,
Domain,string,Alias,Dns,DnsDomain,,DnsQuery Domain,string,Alias,Dns,RecommendedDnsDomain,,DnsQuery
DomainCategory,string,Optional,Dns,,,UrlCategory DomainCategory,string,Optional,Dns,,,UrlCategory
Dst,string,Recommended,Dns,,, Dst,string,Recommended,Dns,,,
DstDeviceType,string,Optional,Dns,Enumerated,Computer|Mobile Device|IOT Device|Other, DstDeviceType,string,Optional,Dns,Enumerated,Computer|Mobile Device|IOT Device|Other,

1 ColumnName ColumnType Class Schema LogicalType ListOfValues Aliased
2 _ResourceId string Recommended Common
3 TimeGenerated datetime Optional Common
4 Type string Recommended Common
5 EventMessage string Optional Common
6 EventCount int Mandatory Common
7 EventStartTime datetime Mandatory Common
8 EventEndTime datetime Mandatory Common
9 EventType string Mandatory Common
10 EventSubType string Optional Common
11 EventResult string Mandatory Common Enumerated Success|Partial|Failure|NA
12 EventResultDetails string Recommended Common
13 EventOriginalResultDetails string Optional Common
14 EventSeverity string Mandatory Common Enumerated Informational|Low|Medium|High
15 EventOriginalSeverity string Optional Common
16 EventOriginalUid string Optional Common
17 EventOriginalType string Optional Common
18 EventOriginalSubType string Optional Common
19 EventProduct string Mandatory Common
20 EventProductVersion string Optional Common
21 EventVendor string Mandatory Common
22 EventSchema string Mandatory Common
23 EventSchemaVersion string Mandatory Common SchemaVersion
24 EventReportUrl string Optional Common URL
25 Dvc string Mandatory Common
26 DvcIpAddr string Recommended Common IP Address
27 DvcHostname string Recommended Common Hostname
28 DvcDomain string Recommended Common Domain
29 DvcDomainType string Conditional Common Enumerated Windows|FQDN|ResourceGroup DvcDomain
30 DvcFQDN string Optional Common FQDN
31 DvcId string Optional Common
32 DvcIdType string Conditional Common Enumerated AzureResourceId|MDEid|MD4IoTid|VMConnectionId|AwsVpcId|VectraId|AppGateId|Other DvcId
33 DvcMacAddr string Optional Common MAC address
34 DvcZone string Optional Common
35 DvcAction string Optional Common
36 DvcDescription string Optional Common
37 DvcOs string Optional Common
38 DvcOsVersion string Optional Common
39 DvcSubscriptionId string Optional Common
40 DvcOriginalAction string Optional Common
41 DvcInterface string Optional Common
42 _ResourceId string Recommended NetworkSession
43 TimeGenerated datetime Optional NetworkSession
44 Type string Recommended NetworkSession
185 DnsFlagsTruncated bool Optional Dns
186 DnsFlagsZ bool Optional Dns
187 DnsNetworkDuration int Optional Dns
188 DnsQuery string Recommended Dns DnsDomain RecommendedDnsDomain
189 DnsQueryClass int Optional Dns
190 DnsQueryClassName string Recommended Dns Enumerated IN|CH|HS|NONE|ANY|Reserved|Unassigned
191 DnsQueryType int Optional Dns
194 DnsResponseCodeName string Mandatory Dns DnsResponseCodeName
195 DnsResponseName string Optional Dns
196 DnsSessionId string Optional Dns
197 Domain string Alias Dns DnsDomain RecommendedDnsDomain DnsQuery
198 DomainCategory string Optional Dns UrlCategory
199 Dst string Recommended Dns
200 DstDeviceType string Optional Dns Enumerated Computer|Mobile Device|IOT Device|Other
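Review bot: The new LogicalType `RecommendedDnsDomain` on the DnsQuery row (new line 188) and on the Domain alias row (new line 197) looks like the Class value `Recommended` accidentally fused onto the existing `DnsDomain` logical type. Every other LogicalType in the visible rows is a bare type name (`DnsDomain`, `Domain`, `FQDN`, `URL`, `IP Address`), and the Class column on both rows already says `Recommended`/`Alias`. If no new logical type was meant, the lines should read `DnsQuery,string,Recommended,Dns,DnsDomain,,` and `Domain,string,Alias,Dns,DnsDomain,,DnsQuery`; if one was, whatever validates this column needs to learn the new name. The file name for this section is not shown on the page, so I cannot tell which schema definition this is.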


@ -709,7 +709,7 @@ def main():
running_in_collect_mode = True running_in_collect_mode = True
printer.print_notice("Starting to collect data. This may take a couple of seconds") printer.print_notice("Starting to collect data. This may take a couple of seconds")
time.sleep(2) time.sleep(2)
subprocess.Popen(['rm', COLLECT_OUTPUT_FILE, '2>', '/dev/null'], subprocess.Popen(['rm', '-f', COLLECT_OUTPUT_FILE],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate() stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
system_info = SystemInfo() system_info = SystemInfo()
system_info.handle_commands() system_info.handle_commands()
@ -734,7 +734,7 @@ def main():
(IncomingEventsVerifications(), "Starting validation tests for capturing incoming events")] (IncomingEventsVerifications(), "Starting validation tests for capturing incoming events")]
printer.print_notice("\nStarting to run the CEF validation script") printer.print_notice("\nStarting to run the CEF validation script")
time.sleep(1) time.sleep(1)
subprocess.Popen(['rm', LOG_OUTPUT_FILE, '2>', '/dev/null'], subprocess.Popen(['rm', '-f', LOG_OUTPUT_FILE],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate() stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()
printer.print_notice("Please validate you are sending CEF messages to the agent machine") printer.print_notice("Please validate you are sending CEF messages to the agent machine")
for class_test in class_tests_array: for class_test in class_tests_array:
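Review bot: The delete at `subprocess.Popen(['rm', '-f', COLLECT_OUTPUT_FILE], stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()` still spawns a child process and wires up a pipe to remove one file, and its exit status is discarded, so any failure other than a missing file passes silently (the second hunk does the same for `LOG_OUTPUT_FILE`). The stdlib call needs no process and surfaces real errors: `with contextlib.suppress(FileNotFoundError): os.remove(COLLECT_OUTPUT_FILE)`, assuming `os` and `contextlib` can be imported here — the import block is outside the hunk. Dropping the `'2>', '/dev/null'` arguments was the right fix; the note is only about what remains. `main()` starts and ends outside both hunks.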



@ -157,7 +157,7 @@
"AWSAccessKeyId": "[parameters('AWSAccessKeyId')]", "AWSAccessKeyId": "[parameters('AWSAccessKeyId')]",
"AWSSecretAccessKey": "[parameters('AWSSecretAccessKey')]", "AWSSecretAccessKey": "[parameters('AWSSecretAccessKey')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]", "logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/CiscoUmbrella/CiscoUmbrellaConn.zip?raw=true" "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp"
} }
} }
] ]
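Review bot: The new `WEBSITE_RUN_FROM_PACKAGE` value routes the function package through an `aka.ms` redirector, so the template pins neither a version nor a checksum of the code it deploys; whatever the short link resolves to at deployment time runs with the AWS credentials supplied in the two settings above it. The previous master-branch `?raw=true` URL had the same property, so this is not a regression, but a versioned release artifact, or at least a note in the connector's documentation on who controls the redirect target, would make deployments reproducible and auditable. The enclosing settings array and resource start outside the hunk.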


@ -194,7 +194,7 @@ Once you have a working POC, you are ready to build, validate the data connector
3. Important: Please ensure all sample data has been scrubbed to remove all sensitive PII information that may exist in the logs. The intent is to understand the "what" and "how" from the logs not the "who". 3. Important: Please ensure all sample data has been scrubbed to remove all sensitive PII information that may exist in the logs. The intent is to understand the "what" and "how" from the logs not the "who".
_**IMPORTANT!:** Detailed guidance on Sample Data contribution including expected file names, format, file extensions and extraction method is available [here](https://github.com/Azure/Azure-Sentinel/master/tree/Sample%20Data/README.md)_ _**IMPORTANT!:** Detailed guidance on Sample Data contribution including expected file names, format, file extensions and extraction method is available [here](https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/README.md).
5. **Submit your data connector** - Follow the [general contribution guidelines for Microsoft Sentinel](https://aka.ms/sentinelgithubcontributionguidelines) to open a Pull Request (PR) to submit the data connector: 5. **Submit your data connector** - Follow the [general contribution guidelines for Microsoft Sentinel](https://aka.ms/sentinelgithubcontributionguidelines) to open a Pull Request (PR) to submit the data connector:
1. The json file in the ['Connectors' folder](https://aka.ms/azuresentinelgithubdataconnectors) 1. The json file in the ['Connectors' folder](https://aka.ms/azuresentinelgithubdataconnectors)


@ -20,41 +20,46 @@ tactics:
relevantTechniques: relevantTechniques:
- T1190 - T1190
query: | query: |
let mode = 'Blocked'; let queryperiod = 1d;
let mode = 'Blocked';
let successCode = dynamic(['200', '101','204', '400','504','304','401','500']); let successCode = dynamic(['200', '101','204', '400','504','304','401','500']);
let minTime = ago(1d); let sessionBin = 30m;
let maxSessionWindow = 1h;
let sessionBin = maxSessionWindow/2.0;
AzureDiagnostics AzureDiagnostics
| where TimeGenerated > minTime | where TimeGenerated > ago(queryperiod)
| where Category == 'ApplicationGatewayFirewallLog' | where Category == 'ApplicationGatewayFirewallLog' and action_s == mode
| where action_s == mode
| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc | sort by hostname_s asc, clientIp_s asc, TimeGenerated asc
| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s)))) | extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))
| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted | summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted
| extend duration = maxTime - minTime | extend TimeKey = range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)
| extend TimeKey = bin(SessionStarted, sessionBin)
| join kind = inner(
AzureDiagnostics
| where TimeGenerated > minTime
| where Category == 'ApplicationGatewayAccessLog'
| where httpStatus_d in (successCode) or isempty(httpStatus_d)
| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)
| mv-expand TimeKey to typeof(datetime) | mv-expand TimeKey to typeof(datetime)
) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey | join kind = inner(
| where (TimeGenerated - SessionStarted) between (0m .. duration) AzureDiagnostics
| extend originalRequestUriWithArgs_s = column_ifexists("originalRequestUriWithArgs_s", "") | where TimeGenerated > ago(queryperiod)
| extend serverStatus_s = column_ifexists("serverStatus_s", "") | where Category == 'ApplicationGatewayAccessLog' and isempty(httpStatus_d) or httpStatus_d in (successCode)
| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s | extend TimeKey = bin(TimeGenerated, sessionBin)
| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), ) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s
SuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount | where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)
| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount | extend
originalRequestUriWithArgs_s = column_ifexists("originalRequestUriWithArgs_s", ""),
serverStatus_s = column_ifexists("serverStatus_s", "")
| summarize
SuccessfulAccessCount = count(),
UserAgents = make_set(userAgent_s, 250),
RequestURIs = make_set(requestUri_s, 250),
OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),
SuccessCodes = make_set(httpStatus_d, 250),
SuccessCodes_BackendServer = make_set(serverStatus_s, 250),
take_any(SessionBlockedEnded, SessionBlockedCount)
by hostname_s, clientIp_s, SessionBlockedStarted
| where SessionBlockedCount > SuccessfulAccessCount
| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s
| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)
| sort by BlockvsSuccessRatio desc, timestamp asc | sort by BlockvsSuccessRatio desc, timestamp asc
| where SessionBlockedCount > SuccessfulAccessLogCount | project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents
entityMappings: entityMappings:
- entityType: IP - entityType: IP
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.0.0 version: 1.0.1
kind: Scheduled kind: Scheduled
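Review bot: The new access-log filter on the join's right side, `| where Category == 'ApplicationGatewayAccessLog' and isempty(httpStatus_d) or httpStatus_d in (successCode)`, parses as `(Category == ... and isempty(httpStatus_d)) or httpStatus_d in (successCode)` because `and` binds tighter than `or`, so any AzureDiagnostics row whose status code is in `successCode` is joined regardless of its Category. The old query kept the two conditions in separate `where` stages; restore that by parenthesising: `| where Category == 'ApplicationGatewayAccessLog' and (isempty(httpStatus_d) or httpStatus_d in (successCode))`. Separately, `row_window_session(TimeGenerated, queryperiod, 10m, ...)` now lets a blocked session grow up to the whole `queryperiod` (1d) where the old query capped it at `maxSessionWindow` (1h); if that widening was not intended, reintroduce `let maxSessionWindow = 1h;` and pass it as the second argument. The rule header fields are outside the hunk.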


@ -0,0 +1,27 @@
id: 594c653d-719a-4c23-b028-36e3413e632e
name: NRT GitHub Two Factor Auth Disable
description: |
'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
severity: Medium
requiredDataConnectors: []
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
GitHubAudit
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, IPaddress, Repository
| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: NRT
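Review bot: `requiredDataConnectors: []` declares no data source even though the query reads `GitHubAudit`, so Sentinel cannot show whether the feeding connector is in place; the PulseConnectSecure rule added in this same commit shows the `connectorId`/`dataTypes` form. If a connector id exists for the GitHub audit log, list it here with `dataTypes: - GitHubAudit`; if the table is populated by a custom ingestion, a comment above the query saying so would document the dependency. `Action == "org.disable_two_factor_requirement"` is a case-sensitive comparison, unlike the `=~` used by the OfficeActivity rules in this commit; that is fine if the action name is emitted verbatim, but worth a one-line comment.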


@ -17,45 +17,21 @@ relevantTechniques:
query: | query: |
OfficeActivity OfficeActivity
| where OfficeWorkload =~ "Exchange" | where OfficeWorkload =~ "Exchange"
| where Parameters has "ForwardingSmtpAddress" | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| extend parsed = parse_json(Parameters) | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| mv-expand parsed | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| where parsed.Name == "ForwardingSmtpAddress" | extend DestinationMailAddress = tolower(case(
| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value) isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
| where isnotempty(fwdingDestination) isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
| extend ClientIPOnly = case( isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
ClientIP has "." and ClientIP has ':', tostring(split(ClientIP,":")[0]), ""))
ClientIP has "." and ClientIP has '-', tostring(split(ClientIP,"-")[0]), | where isnotempty(DestinationMailAddress)
ClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), | mv-expand split(DestinationMailAddress, ";")
ClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has ':', tostring(split(ClientIP_,":")[0]), | extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has '-', tostring(split(ClientIP_,"-")[0]), | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
isempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,"]")[0]))),
isempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,"]")[0]))),
isnotempty(ClientIP), ClientIP,
isnotempty(ClientIP_), ClientIP_,
"IP Not Available"
)
| extend Port = case(
ClientIP has "." and ClientIP has ':', tostring(split(ClientIP,":")[1]),
ClientIP has "." and ClientIP has '-', tostring(split(ClientIP,"-")[1]),
ClientIP has ']-', tostring(split(ClientIP,"]-")[1]),
ClientIP has ']:', tostring(split(ClientIP,"]:")[1]),
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has ':', tostring(split(ClientIP_,":")[1]),
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has '-', tostring(split(ClientIP_,"-")[1]),
isempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,"]-")[1]),
isempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,"]:")[1]),
isnotempty(ClientIP), ClientIP,
isnotempty(ClientIP_), ClientIP_,
"IP Not Available"
)
| extend UserId = iff(isempty(UserId), UserId_, UserId)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId),
Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly
| where DistinctUserCount > 1 | where DistinctUserCount > 1
| mv-expand UserId | mv-expand UserId to typeof(string)
| extend UserId = tostring(UserId), Ports = tostring(Ports)
| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount
entityMappings: entityMappings:
- entityType: Account - entityType: Account
fieldMappings: fieldMappings:
@ -65,5 +41,5 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: ClientIP columnName: ClientIP
version: 1.0.1 version: 1.0.2
kind: NRT kind: NRT
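Review bot: `| mv-expand split(DestinationMailAddress, ";")` expands the split parts into an auto-named column rather than back into `DestinationMailAddress`, so the next stage's `by tostring(DestinationMailAddress)` appears to still group on the un-split, semicolon-joined string and the per-recipient split the line was added for is lost. Naming the target removes the ambiguity: `| mv-expand DestinationMailAddress = split(DestinationMailAddress, ";") to typeof(string)`. The Scheduled forwarding rule later in this commit carries the same line. If Kusto does reuse the source column name for this expression form the grouping is already right, but the explicit name still documents the intent; the rule header fields are outside the hunk.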


@ -19,49 +19,28 @@ relevantTechniques:
- T1114 - T1114
- T1020 - T1020
query: | query: |
let queryfrequency = 1d;
let queryperiod = 7d;
OfficeActivity OfficeActivity
| where Operation =~ "Set-Mailbox" | where TimeGenerated > ago(queryperiod)
| where Parameters has "ForwardingSmtpAddress" | where OfficeWorkload =~ "Exchange"
| extend parsed = parse_json(Parameters) //| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| mv-expand parsed | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| where parsed.Name == "ForwardingSmtpAddress" | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value) | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| where isnotempty(fwdingDestination) | extend DestinationMailAddress = tolower(case(
| extend ClientIPOnly = case( isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
ClientIP has "." and ClientIP has ':', tostring(split(ClientIP,":")[0]), isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
ClientIP has "." and ClientIP has '-', tostring(split(ClientIP,"-")[0]), isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
ClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), ""))
ClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))), | where isnotempty(DestinationMailAddress)
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has ':', tostring(split(ClientIP_,":")[0]), | mv-expand split(DestinationMailAddress, ";")
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has '-', tostring(split(ClientIP_,"-")[0]), | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
isempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,"]")[0]))), | extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
isempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,"]")[0]))), | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
isnotempty(ClientIP), ClientIP, | where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
isnotempty(ClientIP_), ClientIP_, | mv-expand UserId to typeof(string)
"IP Not Available" | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
)
| extend Port = case(
ClientIP has "." and ClientIP has ':', tostring(split(ClientIP,":")[1]),
ClientIP has "." and ClientIP has '-', tostring(split(ClientIP,"-")[1]),
ClientIP has ']-', tostring(split(ClientIP,"]-")[1]),
ClientIP has ']:', tostring(split(ClientIP,"]:")[1]),
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has ':', tostring(split(ClientIP_,":")[1]),
isempty(ClientIP) and ClientIP_ has "." and ClientIP_ has '-', tostring(split(ClientIP_,"-")[1]),
isempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,"]-")[1]),
isempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,"]:")[1]),
isnotempty(ClientIP), ClientIP,
isnotempty(ClientIP_), ClientIP_,
"IP Not Available"
)
| extend UserId = iff(isempty(UserId), UserId_, UserId)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId),
Ports = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly
| where DistinctUserCount > 1
| mv-expand UserId
| extend UserId = tostring(UserId), Ports = tostring(Ports)
| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
entityMappings: entityMappings:
- entityType: Account - entityType: Account
fieldMappings: fieldMappings:
@ -71,5 +50,5 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.0.0 version: 1.0.1
kind: Scheduled kind: Scheduled
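Review bot: The commented-out `//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")` ships inside the query text: the old version filtered on `Operation =~ "Set-Mailbox"`, so the rule now covers every Exchange operation that carries a forwarding parameter, which may be the intent but reads as unfinished. Either delete the line or turn it into a statement of intent, e.g. `// No Operation filter on purpose: forwarding can be set by Set-Mailbox, New-InboxRule and Set-InboxRule`. The `let queryfrequency = 1d;` and `let queryperiod = 7d;` constants presumably mirror the rule's queryFrequency/queryPeriod header fields, which are outside the hunk; a comment noting that they must be kept in sync would help the next editor.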


@ -22,7 +22,8 @@ query: |
OfficeActivity OfficeActivity
| where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule") | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox")) and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0][0])
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPOnly
entityMappings: entityMappings:
- entityType: Account - entityType: Account
@ -33,5 +34,5 @@ entityMappings:
fieldMappings: fieldMappings:
- identifier: Address - identifier: Address
columnName: IPCustomEntity columnName: IPCustomEntity
version: 1.0.2 version: 1.0.3
kind: Scheduled kind: Scheduled
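Review bot: When `ClientIP` is empty or does not match the pattern, `extract_all(...)[0][0]` yields an empty value, so `IPCustomEntity` is now blank where the previous line mapped the raw `ClientIP`, and the incident's IP entity carries nothing. If falling back is wanted: `| extend IPCustomEntity = iff(isempty(ClientIPOnly), ClientIP, ClientIPOnly)`; if dropping unparsable values is deliberate, say so in a `//` comment on the `ClientIPOnly` line. The query block begins outside the hunk.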


@ -0,0 +1,31 @@
id: d0c82b7f-40b2-4180-a4d6-7aa0541b7599
name: PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack
description: |
'This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server'
severity: High
requiredDataConnectors:
- connectorId: PulseConnectSecure
dataTypes:
- Syslog
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1190
query: |
let threshold = 3;
PulseConnectSecure
| where Messages contains "Unauthenticated request url /dana-na/"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP
| where count_ > threshold
| extend timestamp = StartTime, IPCustomEntity = Source_IP
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled
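Review bot: The description promises detection of CVE-2021-22893 exploitation, but the query is a volume heuristic: more than `threshold` (3) syslog messages containing `Unauthenticated request url /dana-na/` from one `Source_IP` within the 1h period. On these appliances `/dana-na/` is, as far as I know, also the normal sign-in path, so scanners and clients retrying login will trip the rule as well; the description should say what is actually counted, e.g. `'Flags source IPs with more than 3 unauthenticated requests to /dana-na/ within an hour, a pattern observed in CVE-2021-22893 exploitation attempts; benign scanners and retrying clients can also match.'`. A `// tune per environment` comment on `let threshold = 3;` and a note that `triggerThreshold: 0` is intentional because the filtering happens in-query would complete the documentation.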


@ -1,6 +1,8 @@
# About # About
This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. This folder contains Detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.
**Note**: Many of these analytic rule templates are being delivered in Solutions for Microsoft Sentinel. You can discover and deploy those in [Microsoft Sentinel Content Hub](https://docs.microsoft.com/azure/sentinel/sentinel-solutions-deploy). These are available in this repository under [Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) folder. For e.g. Analytic rules for McAfee solution are at https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/McAfeeePO/Analytic%20Rules.
For general information please start with the [Wiki](https://github.com/Azure/Azure-Sentinel/wiki) pages. For general information please start with the [Wiki](https://github.com/Azure/Azure-Sentinel/wiki) pages.
@ -10,6 +12,7 @@ More Specific to Detections:
* These detections are written using [KQL query langauge](https://docs.microsoft.com/azure/kusto/query/index) and will provide you a starting point to protect your environment and get familiar with the different data tables. * These detections are written using [KQL query langauge](https://docs.microsoft.com/azure/kusto/query/index) and will provide you a starting point to protect your environment and get familiar with the different data tables.
* To enable these detections in your environment follow the [out of the box guidance](https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-built-in) (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal). * To enable these detections in your environment follow the [out of the box guidance](https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-built-in) (Notice that after a detection is available in this GitHub, it might take up to 2 weeks before it is available in Microsoft Sentinel portal).
* The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the **SecurityAlert** table and in a case in the **Incidents** tab * The rule created will run the query on the scheduled time that was defined, and trigger an alert that will be seen both in the **SecurityAlert** table and in a case in the **Incidents** tab
* If you are contributing analytic rule templates as part of a solution, follow [guidance for solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions#step-1--create-your-content) to include those in the right folder paths. Do NOT include content to be packaged in solutions under the Detections folder.
# Feedback # Feedback
For questions or feedback, please contact AzureSentinel@microsoft.com For questions or feedback, please contact AzureSentinel@microsoft.com


@ -124,7 +124,7 @@
"type": "Microsoft.Logic/workflows" "type": "Microsoft.Logic/workflows"
}, },
{ {
"type": "MICROSOFT.WEB/CONNECTIONS", "type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01", "apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]", "name": "[variables('AzureSentinelConnectionName')]",
"kind": "V1", "kind": "V1",
@ -292,12 +292,6 @@
}, },
"method": "post", "method": "post",
"path": "/entities/ip" "path": "/entities/ip"
},
"runtimeConfiguration": {
"staticResult": {
"staticResultOptions": "Disabled",
"name": "Entities_-_Get_IPs0"
}
} }
}, },
"Filter_success_status_code": { "Filter_success_status_code": {


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser", "displayName": "Network Session ASIM parser",
"category": "ASIM", "category": "ASIM",
"FunctionAlias": "ASimNetworkSession", "FunctionAlias": "ASimNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric", "query": "let 
DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric",
"version": 1 "version": 1
} }
} }
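Review bot: The new `DisabledParsers` expression in the query string at L488-L489 still ends at `| distinct SourceSpecificParser);`, whereas the sibling filtering parser in this same commit (the `imNetworkSession` query) adds `| where isnotempty(SourceSpecificParser)` before closing, so an empty `SourceSpecificParser` cell in the `ASimDisabledParsers` watchlist is treated differently by the two union parsers. Unless that asymmetry is intended, the ASim variant should carry the same filter: `| distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));`. The `"version": 1` at L491 is unchanged although the function body gained the `ASimNetworkSessionFortinetFortiGate` member; if this field is meant to track parser revisions it presumably should be bumped, but I cannot confirm its semantics from this hunk. The enclosing `properties` object starts before the hunk.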



@ -0,0 +1,18 @@
# Fortinet FortiGate ASIM NetworkSession Normalization Parser
ARM template for ASIM NetworkSession schema parser for Fortinet FortiGate.
This ASIM parser supports normalizing Fortinet FortiGate logs to the ASIM Web Session normalized schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionFortinetFortiGate%2FASimNetworkSessionFortinetFortiGate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionFortinetFortiGate%2FASimNetworkSessionFortinetFortiGate.json)


@ -21,11 +21,11 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVectraAI", "name": "linkedASimNetworkSessionAzureNSG",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -41,211 +41,11 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty", "name": "linkedASimNetworkSessionVMConnection",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionPaloAltoCEF",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -301,11 +101,391 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVMConnection", "name": "linkedvimNetworkSessionMicrosoftMD4IoT",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoft365Defender",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftLinuxSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVMConnection",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftMD4IoT",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftMD4IoT/ASimNetworkSessionMicrosoftMD4IoT.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionFortinetFortiGate",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionFortinetFortiGate",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -361,11 +541,11 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionzScalerZIA", "name": "linkedvimNetworkSessionAppGateSDP",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -381,11 +561,11 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAWSVPC", "name": "linkedvimNetworkSessionAzureNSG",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -401,11 +581,11 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionMicrosoftWindowsEventFirewall", "name": "linkedvimNetworkSessionPaloAltoCEF",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -421,111 +601,11 @@
{ {
"type": "Microsoft.Resources/deployments", "type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01", "apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftMD4IoT", "name": "linkedvimNetworkSessionAzureFirewall",
"properties": { "properties": {
"mode": "Incremental", "mode": "Incremental",
"templateLink": { "templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/vimNetworkSessionMicrosoftMD4IoT.json", "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSession",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAzureNSG",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionMicrosoftWindowsEventFirewall",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionVectraAI",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json",
"contentVersion": "1.0.0.0" "contentVersion": "1.0.0.0"
}, },
"parameters": { "parameters": {
@ -557,46 +637,6 @@
} }
} }
} }
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimNetworkSessionAppGateSDP",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimNetworkSessionCiscoMeraki",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
} }
], ],
"outputs": {} "outputs": {}


@ -35,7 +35,7 @@
"displayName": "Network Session ASIM filtering parser", "displayName": "Network Session ASIM filtering parser",
"category": "ASIM", "category": "ASIM",
"FunctionAlias": "imNetworkSession", "FunctionAlias": "imNetworkSession",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, 
ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)", "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*', \n disabled:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoT (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoT' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall 
(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult)\n",
"version": 1, "version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*'" "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*'"
} }
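Review bot: The watchlist key `'ExcludevimNvimNetworkSessionAppGateSDP'` in the AppGateSDP entry survives this rewrite of the query and breaks the `Excludevim<Parser>` naming every other entry uses, so an analyst who adds the conventional `ExcludevimNetworkSessionAppGateSDP` row to the ASimDisabledParsers watchlist silently disables nothing; change it to `'ExcludevimNetworkSessionAppGateSDP'`. The reworked union still ends at AppGateSDP and never calls `vimNetworkSessionFortinetFortiGate`, while the ASim-side union in this same commit does add FortiGate, so `imNetworkSession` will not surface FortiGate sessions even once the new filtering parser is deployed, and `union isfuzzy=true` hides the omission rather than reporting it. The pre-existing typo is not introduced here, but this is the first rewrite of the line since it was added, so it is the natural place to correct it.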


@ -0,0 +1,18 @@
# Fortinet FortiGate ASIM NetworkSession Normalization Parser
ARM template for ASIM NetworkSession schema parser for Fortinet FortiGate.
This ASIM parser supports filtering and normalizing Fortinet FortiGate logs produced by the Microsoft Sentinel Fortinet connector to the ASIM Network Session normalized schema.
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionFortinetFortiGate%2FvimNetworkSessionFortinetFortiGate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionFortinetFortiGate%2FvimNetworkSessionFortinetFortiGate.json)



@ -1,54 +1,55 @@
Parser: Parser:
Title: Network Session ASIM parser Title: Network Session ASIM parser
Version: '0.5' Version: '0.5'
LastUpdated: Feb 21, 2021 LastUpdated: Feb 21, 2021
Product: Product:
Name: Source agnostic Name: Source agnostic
Normalization: Normalization:
Schema: NetworkSession Schema: NetworkSession
Version: '0.2.0' Version: '0.2.0'
References: References:
- Title: ASIM NetworkSession Schema - Title: ASIM NetworkSession Schema
Link: https://aka.ms/ASimNetworkSessionDoc Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM - Title: ASIM
Link: https://aka.ms/AboutASIM Link: https://aka.ms/AboutASIM
Description: | Description: |
This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema. This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema.
ParserName: ASimNetworkSession ParserName: ASimNetworkSession
EquivalentBuiltInParser: _ASim_NetworkSession EquivalentBuiltInParser: _ASim_NetworkSession
Parsers: Parsers:
- _Im_NetworkSession_Empty - _Im_NetworkSession_Empty
- _ASim_NetworSession_Microsoft365Defender - _ASim_NetworSession_Microsoft365Defender
- _ASim_NetworkSession_LinuxSysmon - _ASim_NetworkSession_LinuxSysmon
- _ASim_NetworkSession_MD4IoT - _ASim_NetworkSession_MD4IoT
- _ASim_NetworkSession_MicrosoftWindowsEventFirewall - _ASim_NetworkSession_MicrosoftWindowsEventFirewall
- _ASim_NetworkSession_ZscalerZIA - _ASim_NetworkSession_ZscalerZIA
- _ASim_NetworkSession_PaloAltoCEF - _ASim_NetworkSession_PaloAltoCEF
- _ASim_NetworkSession_VMConnection - _ASim_NetworkSession_VMConnection
- _ASim_NetworkSession_AWSVPC - _ASim_NetworkSession_AWSVPC
- _ASim_NetworkSession_AzureFirewall - _ASim_NetworkSession_AzureFirewall
- _ASim_NetworkSession_AzureNSG - _ASim_NetworkSession_AzureNSG
- _ASim_NetworkSession_VectraAI - _ASim_NetworkSession_VectraAI
- _ASim_NetworkSession_CiscoMeraki - _ASim_NetworkSession_CiscoMeraki
- _ASim_NetworkSession_AppGateSDP - _ASim_NetworkSession_AppGateSDP
- _ASim_NetworkSession_FortinetFortiGate
ParserQuery: | ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let NetworkSessionsGeneric=(){ let NetworkSessionsGeneric=(){
union isfuzzy=true union isfuzzy=true
vimNetworkSessionEmpty vimNetworkSessionEmpty
, ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) )) , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))
, ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )) , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))
, ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) )) , ASimNetworkSessionMD4IoT (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoT' in (DisabledParsers) ))
, ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) )) , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))
, ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) )) , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))
, ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) )) , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))
, ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) )) , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))
, ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) )) , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))
, ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) )) , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))
, ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )) , ASimNetworkSessionVectraAI (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))
, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) )) , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) )) , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))
}; , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))
};
NetworkSessionsGeneric NetworkSessionsGeneric
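Review bot: The header still says `Version: '0.5'` and `LastUpdated: Feb 21, 2021` although the union now gains `ASimNetworkSessionFortinetFortiGate`, so a deployed copy of the old parser and this one are indistinguishable by their metadata; bump both, e.g. `Version: '0.6'` with the commit date. The new union entry correctly follows the `ExcludeASim<Parser>` watchlist-key convention the other entries use, which keeps the per-source disable switch working. Unrelated to this change but worth fixing while the list is edited: the `Parsers` entry `_ASim_NetworSession_Microsoft365Defender` is missing a `k` and does not follow the `_ASim_NetworkSession_<Source>` pattern of every other entry.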


@ -0,0 +1,240 @@
Parser:
Title: Network Session ASIM parser for Fortinet FortiGate
Version: '0.2'
LastUpdated: June 24, 2022
Product:
Name: Fortinet FortiGate
Normalization:
Schema: NetworkSession
Version: '0.2.3'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing Fortinet FortiGate logs to the ASIM Web Session normalized schema.
ParserName: ASimNetworkSessionFortinetFortiGate
EquivalentBuiltInParser: _ASim_NetworkSession_FortinetFortiGate
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)
[
"accept","Allow","Success",""
, "client-rst","Reset Source","Failure",""
, "close","","Success",""
, "deny","Deny","Failure",""
, "ip-conn","","Failure","IP connection error"
, "server-rst","Reset Destination","Failure",""
, "timeout","","Failure",""
];
let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)
[
"0","HOPOPT"
, "1","ICMP"
, "2","IGMP"
, "3","GGP"
, "4","IPv4"
, "5","ST"
, "6","TCP"
, "7","CBT"
, "8","EGP"
, "9","IGP"
, "10","BBN-RCC-MON"
, "11","NVP-II"
, "12","PUP"
, "13","ARGUS (deprecated)"
, "14","EMCON"
, "15","XNET"
, "16","CHAOS"
, "17","UDP"
, "18","MUX"
, "19","DCN-MEAS"
, "20","HMP"
, "21","PRM"
, "22","XNS-IDP"
, "23","TRUNK-1"
, "24","TRUNK-2"
, "25","LEAF-1"
, "26","LEAF-2"
, "27","RDP"
, "28","IRTP"
, "29","ISO-TP4"
, "30","NETBLT"
, "31","MFE-NSP"
, "32","MERIT-INP"
, "33","DCCP"
, "34","3PC"
, "35","IDPR"
, "36","XTP"
, "37","DDP"
, "38","IDPR-CMTP"
, "39","TP++"
, "40","IL"
, "41","IPv6"
, "42","SDRP"
, "43","IPv6-Route"
, "44","IPv6-Frag"
, "45","IDRP"
, "46","RSVP"
, "47","GRE"
, "48","DSR"
, "49","BNA"
, "50","ESP"
, "51","AH"
, "52","I-NLSP"
, "53","SWIPE (deprecated)"
, "54","NARP"
, "55","MOBILE"
, "56","TLSP"
, "57","SKIP"
, "58","IPv6-ICMP"
, "59","IPv6-NoNxt"
, "60","IPv6-Opts"
, "61",""
, "62","CFTP"
, "63",""
, "64","SAT-EXPAK"
, "65","KRYPTOLAN"
, "66","RVD"
, "67","IPPC"
, "68",""
, "69","SAT-MON"
, "70","VISA"
, "71","IPCV"
, "72","CPNX"
, "73","CPHB"
, "74","WSN"
, "75","PVP"
, "76","BR-SAT-MON"
, "77","SUN-ND"
, "78","WB-MON"
, "79","WB-EXPAK"
, "80","ISO-IP"
, "81","VMTP"
, "82","SECURE-VMTP"
, "83","VINES"
, "84","TTP"
, "84","IPTM"
, "85","NSFNET-IGP"
, "86","DGP"
, "87","TCF"
, "88","EIGRP"
, "89","OSPFIGP"
, "90","Sprite-RPC"
, "91","LARP"
, "92","MTP"
, "93","AX.25"
, "94","IPIP"
, "95","MICP (deprecated)"
, "96","SCC-SP"
, "97","ETHERIP"
, "98","ENCAP"
, "99",""
, "100","GMTP"
, "101","IFMP"
, "102","PNNI"
, "103","PIM"
, "104","ARIS"
, "105","SCPS"
, "106","QNX"
, "107","A/N"
, "108","IPComp"
, "109","SNP"
, "110","Compaq-Peer"
, "111","IPX-in-IP"
, "112","VRRP"
, "113","PGM"
, "114",""
, "115","L2TP"
, "116","DDX"
, "117","IATP"
, "118","STP"
, "119","SRP"
, "120","UTI"
, "121","SMP"
, "122","SM (deprecated)"
, "123","PTP"
, "124","ISIS over IPv4"
, "125","FIRE"
, "126","CRTP"
, "127","CRUDP"
, "128","SSCOPMCE"
, "129","IPLT"
, "130","SPS"
, "131","PIPE"
, "132","SCTP"
, "133","FC"
, "134","RSVP-E2E-IGNORE"
, "135","Mobility Header"
, "136","UDPLite"
, "137","MPLS-in-IP"
, "138","manet"
, "139","HIP"
, "140","Shim6"
, "141","WESP"
, "142","ROHC"
, "143","Ethernet"
, "253",""
, "254",""
, "255","Reserved"];
let Parser=(disabled:bool=false){
CommonSecurityLog
| where not(disabled)
| where DeviceVendor == "Fortinet" and DeviceProduct startswith "FortiGate" and AdditionalExtensions has "cat=traffic"
| where DeviceAction != "dns"
| project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceName,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated
| project-rename DstBytes = ReceivedBytes
, DstInterfaceName = DeviceOutboundInterface
, DstIpAddr = DestinationIP
, DstPortNumber = DestinationPort
, Dvc = DeviceName
, EventEndTime = TimeGenerated
, EventMessage = Activity
, EventOriginalSeverity = LogSeverity
, EventProduct = DeviceProduct
, EventProductVersion = DeviceVersion
, SrcBytes = SentBytes
, SrcInterfaceName = DeviceInboundInterface
, SrcIpAddr = SourceIP
, SrcPortNumber = SourcePort
| lookup EventLookup on DeviceAction
| lookup ProtocolLookup on Protocol
| project-rename DvcOriginalAction = DeviceAction
| parse AdditionalExtensions with "start=" EventStartTime
";" * "srcintfrole=" SrcZone
";" * "dstintfrole=" DstZone
";" * "externalID=" NetworkSessionId
";" * "policyid=" NetworkRuleNumber:int
";" * "dstcountry=" DstGeoCountry
";" * "srccountry=" SrcGeoCountry
";" *
| parse AdditionalExtensions with * "crscore=" ThreatRiskLevel:int
";" *
| parse AdditionalExtensions with * "duration=" NetworkDuration
";" * "sentpkt=" SrcPackets:int
";" * "rcvdpkt=" DstPackets:int
";" *
| extend EventCount = int(1)
, EventSchema = "NetworkSession"
, EventSchemaVersion = "0.2.3"
, EventSeverity = iif(EventOriginalSeverity == 5, "Informational", "")
, EventType = "NetworkSession"
, EventVendor = "Fortinet"
, NetworkBytes = DstBytes + SrcBytes
, NetworkProtocolVersion = case(DstIpAddr contains ".", "IPv4"
, DstIpAddr contains ":", "IPv6"
, "")
, NetworkPackets = DstPackets + SrcPackets
| extend
Src = SrcIpAddr,
Dst = DstIpAddr,
SessionId = NetworkSessionId,
IpAddr = SrcIpAddr,
Rule = NetworkRuleNumber
| project-away Protocol
};
Parser (disabled=disabled)
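Review bot: `EventEndTime = TimeGenerated` inside the `project-rename` removes `TimeGenerated` from the parser's output, so any analytics rule or hunting query that time-scopes this function with `where TimeGenerated > ago(...)` fails with an unknown-column error; use `| extend EventEndTime = TimeGenerated` and keep the original column (the filtering parser in the same commit repeats the rename). `ProtocolLookup` carries the key `"84"` twice (`TTP` and `IPTM`), and `lookup` yields one output row per matching right-side row, so every protocol-84 session is emitted twice and its `EventCount` over-reported — keep a single entry such as `, "84","TTP"`. `EventSeverity = iif(EventOriginalSeverity == 5, "Informational", "")` leaves the severity empty for every level other than 5, which is precisely the traffic a detection filters on, and `LogSeverity` is a string column in `CommonSecurityLog`, so comparing it with the literal `5` is likely a type error; map the string levels with a `case()` onto Informational/Low/Medium/High. `EventStartTime` and `NetworkDuration` come out of `parse` as strings rather than datetime/int — wrap them with `todatetime()`/`toint()`, or the Unix-epoch helper if FortiGate emits `start=` as epoch seconds, which the hunk does not show. The Description says the parser normalizes to the "ASIM Web Session" schema although this is a NetworkSession parser, and the `AboutASIM` reference is `https:/aka.ms/AboutASIM` with a missing slash.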


@ -31,6 +31,7 @@ Parsers:
- _Im_NetworkSession_VectraAI - _Im_NetworkSession_VectraAI
- _Im_NetworkSession_CiscoMeraki - _Im_NetworkSession_CiscoMeraki
- _Im_NetworkSession_AppGateSDP - _Im_NetworkSession_AppGateSDP
- _Im_NetworkSession_FortinetFortiGate
ParserParams: ParserParams:
- Name: starttime - Name: starttime
Type: datetime Type: datetime
@ -63,7 +64,17 @@ ParserParams:
ParserQuery: | ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
let NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false) let NetworkSessionsGeneric=(
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
srcipaddr_has_any_prefix:dynamic=dynamic([]),
dstipaddr_has_any_prefix:dynamic=dynamic([]),
ipaddr_has_any_prefix:dynamic=dynamic([]),
dstportnumber:int=int(null),
hostname_has_any:dynamic=dynamic([]),
dvcaction:dynamic=dynamic([]),
eventresult:string='*',
disabled:bool=false)
{ {
union isfuzzy=true union isfuzzy=true
vimNetworkSessionEmpty vimNetworkSessionEmpty
@ -80,4 +91,4 @@ ParserQuery: |
, vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) )) , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))
, vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) )) , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNvimNetworkSessionAppGateSDP' in (DisabledParsers) ))
}; };
NetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult) NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult)
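Review bot: `_Im_NetworkSession_FortinetFortiGate` is added to the `Parsers` list, but the tail of the union (`vimNetworkSessionCiscoMeraki`, `vimNetworkSessionAppGateSDP`, then `};`) gains no matching call, so the metadata advertises a source the function never queries and, because the union is `isfuzzy=true`, the omission fails silently at query time. Add `, vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))` before `};`, mirroring what this commit does in the ASim parser. The middle of the union sits outside the visible hunks, so I cannot confirm FortiGate was not inserted earlier, but the other entries appear in the same order as the `Parsers` list and AppGateSDP is still last. While here, the AppGateSDP key `'ExcludevimNvimNetworkSessionAppGateSDP'` on the unchanged context line is misspelled and defeats the per-source disable switch.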


@ -0,0 +1,290 @@
Parser:
Title: Network Session ASIM filtering parser for Fortinet FortiGate
Version: '0.2'
LastUpdated: June 26, 2022
Product:
Name: Fortinet FortiGate
Normalization:
Schema: NetworkSession
Version: '0.2.3'
References:
- Title: ASIM Network Session Schema
Link: https://aka.ms/ASimNetworkSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: traffic log fields
Link: https://docs.fortinet.com/document/fortigate/7.2.0/fortios-log-message-reference/949981/traffic-log-support-for-cef
- Title: Fortinet FortiGate CEF setup
Link: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Integrate-FortiGate-with-Microsoft-Sentinel/ta-p/199709
- Title: Fortinet FortiGate syslogd documentation
Link: https://docs.fortinet.com/document/fortigate/7.2.0/cli-reference/450620/config-log-syslogd-setting
Description: |
This ASIM parser supports filtering and normalizing Fortinet FortiGate logs produced by the Microsoft Sentinel Fortinet connector to the ASIM Network Session normalized schema.
ParserName: vimNetworkSessionFortinetFortiGate
EquivalentBuiltInParser: _Im_NetworkSession_FortinetFortiGate
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: ipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: dstportnumber
Type: int
Default: int(null)
- Name: hostname_has_any
Type: dynamic
Default: dynamic([])
- Name: dvcaction
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: '*'
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)
[
"accept","Allow","Success",""
, "client-rst","Reset Source","Failure",""
, "close","","Success",""
, "deny","Deny","Failure",""
, "ip-conn","","Failure","IP connection error"
, "server-rst","Reset Destination","Failure",""
, "timeout","","Failure",""
];
let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)
[
"0","HOPOPT"
, "1","ICMP"
, "2","IGMP"
, "3","GGP"
, "4","IPv4"
, "5","ST"
, "6","TCP"
, "7","CBT"
, "8","EGP"
, "9","IGP"
, "10","BBN-RCC-MON"
, "11","NVP-II"
, "12","PUP"
, "13","ARGUS (deprecated)"
, "14","EMCON"
, "15","XNET"
, "16","CHAOS"
, "17","UDP"
, "18","MUX"
, "19","DCN-MEAS"
, "20","HMP"
, "21","PRM"
, "22","XNS-IDP"
, "23","TRUNK-1"
, "24","TRUNK-2"
, "25","LEAF-1"
, "26","LEAF-2"
, "27","RDP"
, "28","IRTP"
, "29","ISO-TP4"
, "30","NETBLT"
, "31","MFE-NSP"
, "32","MERIT-INP"
, "33","DCCP"
, "34","3PC"
, "35","IDPR"
, "36","XTP"
, "37","DDP"
, "38","IDPR-CMTP"
, "39","TP++"
, "40","IL"
, "41","IPv6"
, "42","SDRP"
, "43","IPv6-Route"
, "44","IPv6-Frag"
, "45","IDRP"
, "46","RSVP"
, "47","GRE"
, "48","DSR"
, "49","BNA"
, "50","ESP"
, "51","AH"
, "52","I-NLSP"
, "53","SWIPE (deprecated)"
, "54","NARP"
, "55","MOBILE"
, "56","TLSP"
, "57","SKIP"
, "58","IPv6-ICMP"
, "59","IPv6-NoNxt"
, "60","IPv6-Opts"
, "61",""
, "62","CFTP"
, "63",""
, "64","SAT-EXPAK"
, "65","KRYPTOLAN"
, "66","RVD"
, "67","IPPC"
, "68",""
, "69","SAT-MON"
, "70","VISA"
, "71","IPCV"
, "72","CPNX"
, "73","CPHB"
, "74","WSN"
, "75","PVP"
, "76","BR-SAT-MON"
, "77","SUN-ND"
, "78","WB-MON"
, "79","WB-EXPAK"
, "80","ISO-IP"
, "81","VMTP"
, "82","SECURE-VMTP"
, "83","VINES"
, "84","TTP"
, "84","IPTM"
, "85","NSFNET-IGP"
, "86","DGP"
, "87","TCF"
, "88","EIGRP"
, "89","OSPFIGP"
, "90","Sprite-RPC"
, "91","LARP"
, "92","MTP"
, "93","AX.25"
, "94","IPIP"
, "95","MICP (deprecated)"
, "96","SCC-SP"
, "97","ETHERIP"
, "98","ENCAP"
, "99",""
, "100","GMTP"
, "101","IFMP"
, "102","PNNI"
, "103","PIM"
, "104","ARIS"
, "105","SCPS"
, "106","QNX"
, "107","A/N"
, "108","IPComp"
, "109","SNP"
, "110","Compaq-Peer"
, "111","IPX-in-IP"
, "112","VRRP"
, "113","PGM"
, "114",""
, "115","L2TP"
, "116","DDX"
, "117","IATP"
, "118","STP"
, "119","SRP"
, "120","UTI"
, "121","SMP"
, "122","SM (deprecated)"
, "123","PTP"
, "124","ISIS over IPv4"
, "125","FIRE"
, "126","CRTP"
, "127","CRUDP"
, "128","SSCOPMCE"
, "129","IPLT"
, "130","SPS"
, "131","PIPE"
, "132","SCTP"
, "133","FC"
, "134","RSVP-E2E-IGNORE"
, "135","Mobility Header"
, "136","UDPLite"
, "137","MPLS-in-IP"
, "138","manet"
, "139","HIP"
, "140","Shim6"
, "141","WESP"
, "142","ROHC"
, "143","Ethernet"
, "253",""
, "254",""
, "255","Reserved"];
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){
CommonSecurityLog
| where not(disabled)
| where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)
| where DeviceVendor == "Fortinet" and DeviceProduct startswith "FortiGate" and AdditionalExtensions has "cat=traffic"
| where DeviceAction != "dns"
| where (isnull(dstportnumber) or DestinationPort==dstportnumber)
| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)
, temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)
| extend ASimMatchingIpAddr=case(
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,"-",
temp_SrcMatch and temp_DstMatch, "Both",
temp_SrcMatch, "SrcIpAddr",
temp_DstMatch, "DstIpAddr",
"No match"
)
| where ASimMatchingIpAddr != "No match"
| project-away temp_*
| project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceName,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated
| lookup EventLookup on DeviceAction
| where (array_length(hostname_has_any)==0) and (eventresult=="*" or (DvcAction=="Allow" and eventresult=="Success") or (eventresult=="Failure"))
| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))
| project-rename DstBytes = ReceivedBytes
, DstInterfaceName = DeviceOutboundInterface
, DstIpAddr = DestinationIP
, DstPortNumber = DestinationPort
, Dvc = DeviceName
, EventEndTime = TimeGenerated
, EventMessage = Activity
, EventOriginalSeverity = LogSeverity
, EventProduct = DeviceProduct
, EventProductVersion = DeviceVersion
, SrcBytes = SentBytes
, SrcInterfaceName = DeviceInboundInterface
, SrcIpAddr = SourceIP
, SrcPortNumber = SourcePort
| lookup ProtocolLookup on Protocol
| project-rename DvcOriginalAction = DeviceAction
| parse AdditionalExtensions with "start=" EventStartTime
";" * "srcintfrole=" SrcZone
";" * "dstintfrole=" DstZone
";" * "externalID=" NetworkSessionId
";" * "policyid=" NetworkRuleNumber:int
";" * "dstcountry=" DstGeoCountry
";" * "srccountry=" SrcGeoCountry
";" *
| parse AdditionalExtensions with * "crscore=" ThreatRiskLevel:int
";" *
| parse AdditionalExtensions with * "duration=" NetworkDuration
";" * "sentpkt=" SrcPackets:int
";" * "rcvdpkt=" DstPackets:int
";" *
| extend EventCount = int(1)
, EventSchema = "NetworkSession"
, EventSchemaVersion = "0.2.3"
, EventSeverity = iif(EventOriginalSeverity == 5, "Informational", "")
, EventType = "NetworkSession"
, EventVendor = "Fortinet"
, NetworkBytes = DstBytes + SrcBytes
, NetworkProtocolVersion = case(DstIpAddr contains ".", "IPv4"
, DstIpAddr contains ":", "IPv6"
, "")
, NetworkPackets = DstPackets + SrcPackets
| extend
Src = SrcIpAddr,
Dst = DstIpAddr,
SessionId = NetworkSessionId,
IpAddr = SrcIpAddr,
Rule = NetworkRuleNumber
| project-away Protocol
};
Parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)



@ -0,0 +1,6 @@
2018-04-30 14:14:08.143 samplehostname vcenter-server: User VSPHERE.LOCAL\Administrator@10.0.0.1 logged out(Login time: Monday, 30 APril, 2018 14:14:07, number of API invocations: 2, user agent: JAX-WS RI 2.2.9-b130926.1035 svn-revision#5f6196f2b90e30e065b24)]
2018-04-30 14:14:08.642 samplehostname1 vcenter-server: User VSPHERE.LOCAL\Administrator@10.0.0.1 logged in as JAX-WS RI 2.2.9-b130926.1035 svn-revisions#5f6196f2b90e30e065b24
2018-04-30 14:14:08.234 samplehostname2 vcenter-server: Role modified Previous name: oldcryptorole, new name newcryptorole Added privileges: Network.assign, Network.config Removed privileges: Network.Remove
2018-04-30 14:14:08.2341234+00:00 samplehostname2 vcenter-server: New role oldcrypticrole removed
2018-04-30 14:14:08.234 samplehostname2 vcenter-server: New role newAdminRole created


@ -0,0 +1,17 @@
{
"Name": "Alibaba Cloud",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Alibaba Cloud](https://www.alibabacloud.com/product/log-service) solution provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). \n \n **Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"Parsers": [
"Parsers/AliCloud.txt"
],
"Data Connectors": [
"DataConnectors/AliCloud_API_FunctionApp.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alibaba Cloud",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}
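Review bot: `BasePath` on the line `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Alibaba Cloud"` is an absolute path from one contributor's Windows checkout, so anyone else running the packaging step presumably has to edit this manifest first; if the packaging tool accepts it, a repository-relative value such as `"BasePath": "Solutions/Alibaba Cloud"` would be portable, otherwise a comment next to the field saying it must be adjusted locally would at least make the expectation explicit. The `Description` wording "retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel" reads as if a clause was dropped, and since this text is reused in the generated template it is worth tidying here, e.g. `"... retrieve logs and events from cloud applications into Microsoft Sentinel through the Cloud API ..."` (keep the existing links).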


@ -29,7 +29,7 @@
], ],
"availability": { "availability": {
"status": 1, "status": 1,
"isPreview": true "isPreview": false
}, },
"permissions": { "permissions": {
"resourceProvider": [{ "resourceProvider": [{

Solutions/Alibaba Cloud/Package/2.0.0.zip Normal file



@ -6,7 +6,7 @@
"config": { "config": {
"isWizard": false, "isWizard": false,
"basics": { "basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/google_logo.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Azure Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\" height=\"75px\"> \n\n **Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Alibaba Cloud](https://www.alibabacloud.com/product/log-service) solution provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). 
\n \n **Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": { "subscription": {
"resourceProviders": [ "resourceProviders": [
"Microsoft.OperationsManagement/solutions", "Microsoft.OperationsManagement/solutions",
@ -44,7 +44,7 @@
"placeholder": "Select a workspace", "placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": { "constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true "required": true
}, },
"visible": true "visible": true
@ -60,24 +60,14 @@
"name": "dataconnectors1-text", "name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock", "type": "Microsoft.Common.TextBlock",
"options": { "options": {
"text": "This Solution installs the data connector for ApigeeX. You can get ApigeeX custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) ApigeeX_CL in your Azure Sentinel / Azure Log Analytics workspace." "text": "This solution installs the data connector provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
} }
}, },
{ {
"name": "dataconnectors-parser-text", "name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock", "type": "Microsoft.Common.TextBlock",
"options": { "options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel." "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the AliCloud Kusto Function alias."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
} }
}, },
{ {
@ -94,7 +84,7 @@
} }
], ],
"outputs": { "outputs": {
"workspace-location": "[resourceGroup().location]", "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]", "location": "[location()]",
"workspace": "[basics('workspace')]" "workspace": "[basics('workspace')]"
} }
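Review bot: The new `basics.description` in the first hunk (@ -6,7) still carries a malformed img tag, `...Azure_Sentinel.svg\"width=\"75px\" height=\"75px\">` — the space before `height` was added but there is still none between the closing quote of `src` and `width`, so the attribute may not parse as intended in every markdown/HTML renderer; the fix is `...Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">`. In the @ -60,24 hunk the connector text block reads "This solution installs the data connector provides the capability…", which is missing a relative pronoun; `"text": "This solution installs the data connector, which provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the REST API. ..."` reads correctly. The JSON objects these strings belong to start and end outside the hunks.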


@ -0,0 +1,611 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Alibaba Cloud"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-alibabacloud",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"parserVersion1": "1.0.0",
"parserContentId1": "AliCloud-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "AliCloud",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "AliCloud",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "AliCloud",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "AliCloud Data Parser with template",
"displayName": "AliCloud Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "AliCloud Data Parser with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "AliCloud",
"category": "Samples",
"functionAlias": "AliCloud",
"query": "\nAliCloud_CL\r\n| extend EventVendor = 'Alibaba Cloud',\r\n EventProduct = 'Alibaba Cloud',\r\n EventCount = 1,\r\n CreatedAt = unixtime_seconds_todatetime(timestamp_d)\r\n| extend d=parse_json(contents_event_s)\r\n| evaluate bag_unpack(d)\r\n| extend ContentTopic = contents___topic___s,\r\n SourceName = source_s,\r\n ContentTagPackId = contents___tag_____pack_id___s\r\n|project-away timestamp_d,\r\n contents_event_s,\r\n contents___topic___s,\r\n source_s,\r\n contents___tag_____pack_id___s",
"version": 1,
"tags": [
{
"name": "description",
"value": "AliCloud"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"name": "Alibaba Cloud",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "AliCloud",
"category": "Samples",
"functionAlias": "AliCloud",
"query": "\nAliCloud_CL\r\n| extend EventVendor = 'Alibaba Cloud',\r\n EventProduct = 'Alibaba Cloud',\r\n EventCount = 1,\r\n CreatedAt = unixtime_seconds_todatetime(timestamp_d)\r\n| extend d=parse_json(contents_event_s)\r\n| evaluate bag_unpack(d)\r\n| extend ContentTopic = contents___topic___s,\r\n SourceName = source_s,\r\n ContentTagPackId = contents___tag_____pack_id___s\r\n|project-away timestamp_d,\r\n contents_event_s,\r\n contents___topic___s,\r\n source_s,\r\n contents___tag_____pack_id___s",
"version": 1
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Alibaba Cloud data connector with template",
"displayName": "Alibaba Cloud template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Alibaba Cloud data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "AliCloud (using Azure Function)",
"publisher": "AliCloud",
"descriptionMarkdown": "The [AliCloud](https://www.alibabacloud.com/product/log-service) data connector provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AliCloud_CL",
"baseQuery": "AliCloud_CL"
}
],
"sampleQueries": [
{
"description": "AliCloud Events - All Activities.",
"query": "AliCloud\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "AliCloud_CL",
"lastDataReceivedQuery": "AliCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AliCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**AliCloudAccessKeyId** and **AliCloudAccessKey** are required for making API calls."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Configuration steps for the AliCloud API**\n\n Follow the instructions to obtain the credentials.\n\n1. Obtain the **AliCloudAccessKeyId** and **AliCloudAccessKey**: log in the account, click on AccessKey Management then click View Secret.\n2. Save credentials for using in the data connector."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the AliCloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the AliCloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-AliCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AliCloudEnvId**, **AliCloudAppName**, **AliCloudUsername** and **AliCloudPassword** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the AliCloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-AliCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AliCloudXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAliCloudAccessKeyId\n\t\tAliCloudAccessKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n\t\tAliCloudProjects (optional)\n\t\tAliCloudWorkers (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
],
"metadata": {
"id": "Unique Identifier (GUID) used to identify dependencies and content from solutions or community.",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Microsoft"
},
"support": {
"tier": "community",
"name": "Microsoft",
"link": "https://github.com/Azure/Azure-Sentinel/issues"
}
}
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "AliCloud (using Azure Function)",
"publisher": "AliCloud",
"descriptionMarkdown": "The [AliCloud](https://www.alibabacloud.com/product/log-service) data connector provides the capability to retrieve logs from cloud applications using the Cloud API and more events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "AliCloud_CL",
"baseQuery": "AliCloud_CL"
}
],
"dataTypes": [
{
"name": "AliCloud_CL",
"lastDataReceivedQuery": "AliCloud_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"AliCloud_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "AliCloud Events - All Activities.",
"query": "AliCloud\n | sort by TimeGenerated desc"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**AliCloudAccessKeyId** and **AliCloudAccessKey** are required for making API calls."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Configuration steps for the AliCloud API**\n\n Follow the instructions to obtain the credentials.\n\n1. Obtain the **AliCloudAccessKeyId** and **AliCloudAccessKey**: log in the account, click on AccessKey Management then click View Secret.\n2. Save credentials for using in the data connector."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the AliCloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the AliCloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-AliCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **AliCloudEnvId**, **AliCloudAppName**, **AliCloudUsername** and **AliCloudPassword** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"description": "**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the AliCloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-AliCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AliCloudXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAliCloudAccessKeyId\n\t\tAliCloudAccessKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n\t\tAliCloudProjects (optional)\n\t\tAliCloudWorkers (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
}
],
"id": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_uiConfigId1'))]",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Alibaba Cloud",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
},
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
]
},
"firstPublishDate": "2022-06-27",
"providers": [
"AliCloud"
],
"categories": {
"domains": [
"Cloud Provider"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}


@ -1,6 +1,6 @@
// Usage Instructions: // Usage Instructions:
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as AliCloud and specifying Legacy Category. // Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name as AliCloud and specifying Legacy Category.
// This function maps Alibaba Cloud events to Azure Sentinel Information Model (ASIM) (https://docs.microsoft.com/azure/sentinel/normalization). // This function maps Alibaba Cloud events to Microsoft Sentinel Information Model (ASIM) (https://docs.microsoft.com/azure/sentinel/normalization).
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. AliCloud | take 10). // Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. AliCloud | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions // Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
AliCloud_CL AliCloud_CL


@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-alibabacloud",
"firstPublishDate": "2022-06-27",
"providers": ["AliCloud"],
"categories": {
"domains" : ["Cloud Provider"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -1,15 +0,0 @@
{
"Name": "ApigeeX",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/google_logo.svg\"width=\"75px\"height=\"75px\">",
"Description": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Azure Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.",
"Data Connectors": [
"Data Connectors/ApigeeX_FunctionApp.json"
],
"Parsers": [
"Parsers/ApigeeX.txt"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\ApigeeX",
"Version": "1.0.0"
}


@ -1,257 +0,0 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for ApigeeX"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "1ccdee2b-630b-49b6-8391-1159c1748b77"
}
},
"variables": {
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"ApigeeXDataConnectorConnector": "ApigeeXDataConnectorConnector",
"_ApigeeXDataConnectorConnector": "[variables('ApigeeXDataConnectorConnector')]",
"workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]",
"ApigeeX_Parser": "ApigeeX_Parser",
"_ApigeeX_Parser": "[variables('ApigeeX_Parser')]",
"sourceId": "azuresentinel.azure-sentinel-solution-googleapigeex",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Google ApigeeX",
"publisher": "Google",
"descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Azure Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.",
"graphQueries": [
{
"metricName": "ApigeeX logs",
"legend": "ApigeeX_CL",
"baseQuery": "ApigeeX_CL"
}
],
"sampleQueries": [
{
"description": "All ApigeeX logs",
"query": "ApigeeX_CL\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "ApigeeX_CL",
"lastDataReceivedQuery": "ApigeeX_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ApigeeX_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "GCP service account",
"description": "GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the GCP API to pull logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Azure Sentinel Solution."
},
{
"description": "**STEP 1 - Configuring GCP and obtaining credentials**\n\n1. Make sure that Logging API is [enabled](https://cloud.google.com/apis/docs/getting-started#enabling_apis). \n\n2. [Create service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) with [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions) and [get service account key json file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).\n\n3. Prepare GCP project ID where ApigeeX is located."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Google Cloud Platform Project Id**, **Google Cloud Platform Credentials File Content**, **Azure Sentinel Workspace Id**, **Azure Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
"description": "Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ApigeeXDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tRESOURCE_NAMES\n\t\tCREDENTIALS_FILE_CONTENT\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
}
],
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Azure Sentinel Solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2020-08-01",
"name": "[parameters('workspace')]",
"location": "[parameters('workspace-location')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ApigeeX Data Parser",
"dependsOn": [
"[variables('workspace-dependency')]"
],
"properties": {
"eTag": "*",
"displayName": "ApigeeX Data Parser",
"category": "Samples",
"functionAlias": "ApigeeX",
"query": "\nApigeeX_CL\r\n| extend EventVendor = 'Google'\r\n| extend EventProduct = 'ApigeeX'\r\n| project-rename\r\n EventSeverity=severity_s,\r\n EventEndTime=timestamp_t,\r\n SrcIpAddr=payload_requestMetadata_callerIp_s,\r\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s",
"version": 1
}
}
]
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.0.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "ApigeeX",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_ApigeeXDataConnectorConnector')]",
"version": "1.0.0"
},
{
"kind": "Parser",
"contentId": "[variables('_ApigeeX_Parser')]",
"version": "1.0.0"
}
]
},
"firstPublishDate": "2021-10-28",
"providers": [
"Google"
],
"categories": {
"domains": [
"DevOps"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.BATCH\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.SEARCH\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.DATALAKESTORE\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.EVENTHUB\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.LOGIC\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.SERVICEBUS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -22,7 +22,10 @@
], ],
"connectivityCriterias": [ "connectivityCriterias": [
{ {
"type": "IsPolicyConnected" "type": "IsConnectedQuery",
"value": [
"AzureDiagnostics | where ResourceProvider == \"MICROSOFT.STREAMANALYTICS\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
} }
], ],
"dataTypes": [ "dataTypes": [


@ -3,6 +3,7 @@ name: GitLab - Brute-force Attempts
description: | description: |
'This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time.' 'This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -3,6 +3,7 @@ name: GitLab - External User Added to GitLab
description: | description: |
'This queries GitLab Application logs to list external user accounts (i.e.: account not in allow-listed domains) which have been added to GitLab users.' 'This queries GitLab Application logs to list external user accounts (i.e.: account not in allow-listed domains) which have been added to GitLab users.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -4,6 +4,7 @@ description: |
'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or 'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or
repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.' repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -3,6 +3,7 @@ name: GitLab - Local Auth - No MFA
description: | description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.' 'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -3,6 +3,7 @@ name: GitLab - TI - Connection from Malicious IP
description: | description: |
'This query correlates Threat Intelligence data from Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs.' 'This query correlates Threat Intelligence data from Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: ThreatIntelligence - connectorId: ThreatIntelligence
dataTypes: dataTypes:


@ -5,6 +5,7 @@ description: |
This hunting queries allows you to track the personal access tokens creation for each of your repositories. This hunting queries allows you to track the personal access tokens creation for each of your repositories.
The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.' The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -3,6 +3,7 @@ name: GitLab - Repository visibility to Public
description: | description: |
'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.' 'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -3,6 +3,7 @@ name: GitLab - Abnormal number of repositories deleted
description: | description: |
'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.' 'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Syslog - connectorId: Syslog
dataTypes: dataTypes:


@ -3,6 +3,7 @@ name: GitLab - SSO - Sign-Ins Burst
description: | description: |
'This query relies on Azure Active Directory sign-in activity when Azure AD is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time.' 'This query relies on Azure Active Directory sign-in activity when Azure AD is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: AzureActiveDirectory - connectorId: AzureActiveDirectory
dataTypes: dataTypes:


@ -3,7 +3,7 @@
"title": "GitLab", "title": "GitLab",
"publisher": "Microsoft", "publisher": "Microsoft",
"descriptionMarkdown": "The GitLab connector allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.", "descriptionMarkdown": "The GitLab connector allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs with Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines.",
"additionalRequirementBanner": "This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAccess), [**GitLab Audit Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAudit) and [**GitLab Application Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabApp) which are deployed with the Azure Sentinel Solution.", "additionalRequirementBanner": "This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.",
"graphQueries": [ "graphQueries": [
{ {
"metricName": "Total data received", "metricName": "Total data received",
@ -49,7 +49,7 @@
], ],
"availability": { "availability": {
"status": 1, "status": 1,
"isPreview": true "isPreview": false
}, },
"permissions": { "permissions": {
"resourceProvider": [ "resourceProvider": [
@ -68,7 +68,7 @@
"instructionSteps": [ "instructionSteps": [
{ {
"title": "Configuration", "title": "Configuration",
"description": ">This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAccess), [**GitLab Audit Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabAudit) and [**GitLab Application Logs**](https://github.com/tuxnam/Azure-Sentinel/blob/gitlab/Parsers/GitLab/GitLabApp) which are deployed with the Azure Sentinel Solution.", "description": ">This data connector depends on three parsers based on a Kusto Function to work as expected [**GitLab Access Logs**](https://aka.ms/sentinel-GitLabAccess-parser), [**GitLab Audit Logs**](https://aka.ms/sentinel-GitLabAudit-parser) and [**GitLab Application Logs**](https://aka.ms/sentinel-GitLabApp-parser) which are deployed with the Microsoft Sentinel Solution.",
"instructions": [ "instructions": [
] ]
}, },
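Review bot: `additionalRequirementBanner` at the top of the hunk still lacks the leading `>` that the identical text carries in the `instructionSteps` description further down and in the ApigeeX connector in this same commit, so the two copies of the banner render differently; change it to `"additionalRequirementBanner": ">This data connector depends on three parsers based on a Kusto Function to work as expected ..."`. The move from the personal `tuxnam/Azure-Sentinel` fork to `aka.ms` short links removes a dependency on a third-party repository for parser deployment, but the redirect targets are not visible in the diff, so confirm each resolves to the parsers under `Azure/Azure-Sentinel` before the connector is promoted with `isPreview: false`.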


@ -0,0 +1,30 @@
{
"Name": "GitLab",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines. .\r\n \r\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \r\n \r\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)",
"Data Connectors": [
"Data Connectors/Connector_Syslog_GitLab.json"
],
"Parsers": [
"Parsers/GitLabAccess",
"Parsers/GitLabApp",
"Parsers/GitLabAudit"
],
"Analytic Rules": [
"Analytic Rules/GitLab_BruteForce.yaml",
"Analytic Rules/GitLab_ExternalUser.yaml",
"Analytic Rules/GitLab_Impersonation.yaml",
"Analytic Rules/GitLab_LocalAuthNoMFA.yaml",
"Analytic Rules/GitLab_MaliciousIP.yaml",
"Analytic Rules/GitLab_PAT_Repo.yaml",
"Analytic Rules/GitLab_RepoVisibilityChange.yaml",
"Analytic Rules/GitLab_Repo_Deletion.yaml",
"Analytic Rules/GitLab_SignInBurst.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitLab",
"Version": "2.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}
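Review bot: `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitLab"` is an absolute path from one contributor's machine, so anyone regenerating the package from a different checkout has to edit it first; a repository-relative path, or a comment that the packaging tool overrides it, would be better. The `Description` string also carries a stray `. .` after `DevOps pipelines`, and the same text is reproduced verbatim in the generated createUiDefinition in this commit, so fixing it here fixes both. The key is spelled `Is1PConnector` here but `Is1Pconnector` in the Google Apigee solution file added in the same commit; whichever spelling the packaging tool expects, the other one is presumably ignored, so align them.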

Solutions/GitLab/Package/2.0.0.zip Normal file



@ -0,0 +1,246 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe GitLab solution allows you to easily connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. This gives you more security insight into your organization's DevOps pipelines. .\r\n \r\n\r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \r\n \r\n a. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 3, **Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector that allows to connect your GitLab (GitLab Enterprise Edition - Standalone) logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the GitLab Kusto Function alias."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "GitLab - Brute-force Attempts",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "GitLab - External User Added to GitLab",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This queries GitLab Application logs to list external user accounts (i.e.: account not in allow-listed domains) which have been added to GitLab users."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "GitLab - User Impersonation",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or\nrepository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "GitLab - Local Auth - No MFA",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "GitLab - TI - Connection from Malicious IP",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query correlates Threat Intelligence data from Sentinel with GitLab NGINX Access Logs (available in GitLab CE as well) to identify access from potentially TI-flagged IPs."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "GitLab - Personal Access Tokens creation over time",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. \nThis hunting queries allows you to track the personal access tokens creation for each of your repositories. \nThe visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "GitLab - Repository visibility to Public",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "GitLab - Abnormal number of repositories deleted",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "GitLab - SSO - Sign-Ins Burst",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query relies on Azure Active Directory sign-in activity when Azure AD is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
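Review bot: The workspace dropdown in `basics` filters by `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring test on the full ARM id, so selecting a resource group named `sentinel` also lists workspaces from `sentinel-prod` or any workspace whose own name contains `sentinel`; anchoring on the path segment, `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`, restricts the list to the selected group, and the same expression in the `workspace-location` output should change with it. The `resourceProviders` list also registers `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows` although the basics description says the solution ships only a connector, three parsers and nine analytic rules, which is more than this deployment needs. Several user-facing rule descriptions will be shown verbatim in the portal and carry typos: `Ot might mean` in the Local Auth - No MFA section should read `It might mean`, `from you GitLab repository` in the Personal Access Tokens section should read `from your GitLab repository`, and the `. .` after `DevOps pipelines` in the basics description is a stray period.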



@ -1,35 +1,16 @@
{ {
"publisherId": "azuresentinel", "publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-gitlab", "offerId": "azure-sentinel-solution-gitlab",
"version": "1.0.0", "firstPublishDate": "2022-04-27",
"dependencies": { "lastPublishDate": "2022-06-27",
"criteria": [ "providers": ["GitLab"],
{ "kind": "AnalyticsRule", "contentId": "2238d13a-cf05-4973-a83f-d12a25dbb153", "version": "1.0.0" }, "categories": {
{ "kind": "AnalyticsRule", "contentId": "c1544d8f-cbbd-4e35-8d32-5b9312279833", "version": "1.0.0" }, "domains": ["DevOps"]
{ "kind": "AnalyticsRule", "contentId": "0f4f16a2-b464-4c10-9a42-993da3e15a40", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "e0b45487-5c79-482d-8ac0-695de8c031af", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "7241740a-5280-4b74-820a-862312d721a8", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "4d6d8b0e-6d9a-4857-a141-f5d89393cddb", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "8b291c3d-90ba-4ebf-af2c-0283192d430e", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "3efd09bd-a582-4410-b7ec-5ff21cfad7bd", "version": "1.0.0" },
{ "kind": "AnalyticsRule", "contentId": "57b1634b-531d-4eab-a456-8b855887428f", "version": "1.0.0" },
{ "kind": "DataConnector", "contentId": "GitLab", "version": "1.0.0" },
{ "kind": "Parser", "contentId": "GitLabAccess", "version": "1.0.0" },
{ "kind": "Parser", "contentId": "GitLabAudit", "version": "1.0.0" },
{ "kind": "Parser", "contentId": "GitLabApp", "version": "1.0.0" }
]
}, },
"firstPublishDate": "2022-03-13", "support": {
"lastPublishDate": "2022-03-13", "name": "Microsoft Corporation",
"providers": ["Cisco"], "email": "support@microsoft.com",
"categories": { "tier": "Microsoft",
"verticals": [], "link": "https://support.microsoft.com"
"domains": ["Security - Others"] }
},
"support": {
"tier": "Microsoft",
"email": "support@microsoft.com",
"name": "Azure Sentinel, Microsoft Corporation",
"link": "https://support.microsoft.com/"
}
} }
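Review bot: `firstPublishDate` is rewritten from `2022-03-13` to `2022-04-27` in the same edit that bumps `lastPublishDate`; the first-publish date is meant to stay fixed once a solution has shipped, so unless the 1.0.0 entry was never actually published it should remain `"firstPublishDate": "2022-03-13"`. Dropping the `dependencies.criteria` block with its per-content `version` pins is presumably intended now that `TemplateSpec` packaging is used, but it also removes the only place this file recorded the analytic-rule content IDs, so a sentence in the commit body saying that is deliberate would help the next reader.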


@ -2,8 +2,8 @@
"id": "ApigeeXDataConnector", "id": "ApigeeXDataConnector",
"title": "Google ApigeeX", "title": "Google ApigeeX",
"publisher": "Google", "publisher": "Google",
"descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Azure Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.", "descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Azure Sentinel Solution.", "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [ "graphQueries": [
{ {
"metricName": "ApigeeX logs", "metricName": "ApigeeX logs",
@ -33,7 +33,7 @@
], ],
"availability": { "availability": {
"status": 1, "status": 1,
"isPreview": true "isPreview": false
}, },
"permissions": { "permissions": {
"resourceProvider": [ "resourceProvider": [
@ -72,7 +72,7 @@
"instructionSteps": [ "instructionSteps": [
{ {
"title": "", "title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the GCP API to pull logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." "description": ">**NOTE:** This connector uses Azure Functions to connect to the GCP API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
}, },
{ {
"title": "", "title": "",
@ -80,7 +80,7 @@
}, },
{ {
"title": "", "title": "",
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Azure Sentinel Solution." "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
}, },
{ {
"title": "", "title": "",
@ -112,7 +112,7 @@
}, },
{ {
"title": "Option 1 - Azure Resource Manager (ARM) Template", "title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Google Cloud Platform Project Id**, **Google Cloud Platform Credentials File Content**, **Azure Sentinel Workspace Id**, **Azure Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy." "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Google Cloud Platform Project Id**, **Google Cloud Platform Credentials File Content**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy."
}, },
{ {
"title": "Option 2 - Manual Deployment of Azure Functions", "title": "Option 2 - Manual Deployment of Azure Functions",
@ -120,7 +120,7 @@
}, },
{ {
"title": "", "title": "",
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ApigeeXDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Azure Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. 
Download the [Azure Function App](https://aka.ms/sentinel-ApigeeXDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
}, },
{ {
"title": "", "title": "",


@ -0,0 +1,17 @@
{
"Name": "Google Apigee",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"Data Connectors": [
"Data Connectors/ApigeeX_FunctionApp.json"
],
"Parsers": [
"Parsers/ApigeeX.txt"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Apigee",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}
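Review bot: The key is spelled `Is1Pconnector` here but `Is1PConnector` in the GitLab solution file added in this same commit; JSON keys are case-sensitive, so whichever form the packaging tool reads, the other file's value is presumably ignored, and the two should use one spelling. `"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Google Apigee"` is a contributor-machine absolute path that anyone else regenerating the package must edit, so a repository-relative path would be more portable. The `Description` names the `Azure Monitor HTTP Data Collector API` as a dependency, which implies the Function App authenticates with the workspace shared key; a short note that this key is a long-lived secret to be kept in app settings or Key Vault rather than in source would help operators.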

Solutions/Google Apigee/Package/2.0.0.zip Normal file



@ -0,0 +1,92 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Google ApigeeX](https://cloud.google.com/apigee/docs) solution provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector that uses the ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the ApigeeX Kusto Function alias."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
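Review bot: The text in the `dataconnectors1-text` block, `This solution installs the data connector that uses the ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API.`, is ungrammatical and is shown verbatim in the portal; `This solution installs the data connector that ingests ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API.` reads correctly. The workspace dropdown uses the same substring filter as the GitLab definition, `contains(toLower(filter.id), toLower(resourceGroup().name))`, which also matches workspaces in any resource group whose name merely contains the selected one; `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))` matches the group exactly, and the `workspace-location` output should use the same expression.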


@ -0,0 +1,599 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Google Apigee"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-googleapigeex",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "ApigeeXDataConnector",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "ApigeeXDataConnector",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"parserVersion1": "1.0.0",
"parserContentId1": "ApigeeX-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "ApigeeX",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Google Apigee data connector with template",
"displayName": "Google Apigee template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Google Apigee data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Google ApigeeX (using Azure Function)",
"publisher": "Google",
"descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [
{
"metricName": "ApigeeX logs",
"legend": "ApigeeX_CL",
"baseQuery": "ApigeeX_CL"
}
],
"sampleQueries": [
{
"description": "All ApigeeX logs",
"query": "ApigeeX_CL\n| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "ApigeeX_CL",
"lastDataReceivedQuery": "ApigeeX_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ApigeeX_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "GCP service account",
"description": "GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the GCP API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Configuring GCP and obtaining credentials**\n\n1. Make sure that Logging API is [enabled](https://cloud.google.com/apis/docs/getting-started#enabling_apis). \n\n2. [Create service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) with [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions) and [get service account key json file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).\n\n3. Prepare GCP project ID where ApigeeX is located."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Google Cloud Platform Project Id**, **Google Cloud Platform Credentials File Content**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
"description": "Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ApigeeXDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tRESOURCE_NAMES\n\t\tCREDENTIALS_FILE_CONTENT\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Google Apigee",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Google Apigee",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Google ApigeeX (using Azure Function)",
"publisher": "Google",
"descriptionMarkdown": "The [Google ApigeeX](https://cloud.google.com/apigee/docs) data connector provides the capability to ingest ApigeeX audit logs into Microsoft Sentinel using the GCP Logging API. Refer to [GCP Logging API documentation](https://cloud.google.com/logging/docs/reference/v2/rest) for more information.",
"graphQueries": [
{
"metricName": "ApigeeX logs",
"legend": "ApigeeX_CL",
"baseQuery": "ApigeeX_CL"
}
],
"dataTypes": [
{
"name": "ApigeeX_CL",
"lastDataReceivedQuery": "ApigeeX_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ApigeeX_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
]
}
],
"sampleQueries": [
{
"description": "All ApigeeX logs",
"query": "ApigeeX_CL\n| sort by TimeGenerated desc"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "GCP service account",
"description": "GCP service account with permissions to read logs is required for GCP Logging API. Also json file with service account key is required. See the documentation to learn more about [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions), [creating service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) and [creating service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the GCP API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": "**STEP 1 - Configuring GCP and obtaining credentials**\n\n1. Make sure that Logging API is [enabled](https://cloud.google.com/apis/docs/getting-started#enabling_apis). \n\n2. [Create service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) with [required permissions](https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions) and [get service account key json file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).\n\n3. Prepare GCP project ID where ApigeeX is located."
},
{
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Google Cloud Platform Project Id**, **Google Cloud Platform Credentials File Content**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
"description": "Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ApigeeXDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tRESOURCE_NAMES\n\t\tCREDENTIALS_FILE_CONTENT\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**."
}
],
"id": "[variables('_uiConfigId1')]",
"additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**ApigeeX**](https://aka.ms/sentinel-ApigeeXDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "ApigeeX Data Parser with template",
"displayName": "ApigeeX Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
],
"properties": {
"description": "ApigeeX Data Parser with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ApigeeX",
"category": "Samples",
"functionAlias": "ApigeeX",
"query": "\nApigeeX_CL\r\n| extend EventVendor = 'Google'\r\n| extend EventProduct = 'ApigeeX'\r\n| project-rename\r\n EventSeverity=severity_s,\r\n EventEndTime=timestamp_t,\r\n SrcIpAddr=payload_requestMetadata_callerIp_s,\r\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s",
"version": 1,
"tags": [
{
"name": "description",
"value": "ApigeeX"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"name": "Google Apigee",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ApigeeX",
"category": "Samples",
"functionAlias": "ApigeeX",
"query": "\nApigeeX_CL\r\n| extend EventVendor = 'Google'\r\n| extend EventProduct = 'ApigeeX'\r\n| project-rename\r\n EventSeverity=severity_s,\r\n EventEndTime=timestamp_t,\r\n SrcIpAddr=payload_requestMetadata_callerIp_s,\r\n HttpUserAgentOriginal=payload_requestMetadata_callerSuppliedUserAgent_s",
"version": 1
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"source": {
"kind": "Solution",
"name": "Google Apigee",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Google Apigee",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
}
]
},
"firstPublishDate": "2021-10-28",
"providers": [
"Google"
],
"categories": {
"domains": [
"DevOps"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}
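Review bot: The "STEP 2" description in the connector's instructionSteps (present both inside the template-spec mainTemplate and in the top-level dataConnectors resource) tells the operator to have an "Azure Blob Storage connection string and container name" ready, but no later step consumes them — the final configure step lists only RESOURCE_NAMES, CREDENTIALS_FILE_CONTENT, WORKSPACE_ID, SHARED_KEY and logAnalyticsUri — so the clause appears to be carried over from another connector and the sentence should end at `...have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.`. That same configure step has the operator paste the GCP service-account key JSON and the workspace shared key as plain Function App application settings, while the earlier optional step only links to Key Vault in general; a concrete line in the configure step such as `Store CREDENTIALS_FILE_CONTENT and SHARED_KEY as Key Vault references rather than literal values.` would make that guidance actionable at the point where the secrets are actually entered. The templateSpecs/versions descriptions also read "template version 2.0.0" for both the data connector and the parser while dataConnectorVersion1 and parserVersion1 are "1.0.0"; either build the string from the variable or drop the number from the text.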


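--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -4,7 +4,8 @@
   "firstPublishDate": "2021-10-28",
   "providers": ["Google"],
   "categories": {
-    "domains" : ["DevOps"]
+    "domains" : ["DevOps"],
+    "verticals": []
   },
   "support": {
     "name": "Microsoft Corporation",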

Двоичный файл не отображается.


Двоичный файл не отображается.


Двоичный файл не отображается.


Двоичный файл не отображается.



@ -0,0 +1,849 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## PCI-DSS Compliance Reporting and Analysis"
},
"name": "text - 1",
"styleSettings": {
"margin": "0"
}
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "3f9981ce-9bb6-4645-aad3-d400f17d898e",
"version": "KqlParameterItem/1.0",
"name": "SubscriptionToken",
"label": "Subscription",
"type": 6,
"description": "Choose your subscription in which PCI assets are deployed",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": true,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "ca9065a5-b239-43ca-913a-e300bc5e174f",
"version": "KqlParameterItem/1.0",
"name": "WorkspaceToken",
"label": "Workspace",
"type": 5,
"description": "Choose Workspace where PCI assets reports logs",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "70c7dce2-4f4a-4fe2-a0c7-e632a5fd97d7",
"version": "KqlParameterItem/1.0",
"name": "TimeToken",
"label": "Time",
"type": 4,
"description": "Choose the time range apporpriate for your analysis",
"isRequired": true,
"value": {
"durationMs": 2592000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 259200000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 0"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "4d1f108b-c166-44fb-af69-77838051c673",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Getting Started",
"subTarget": "Getting Started",
"style": "link"
},
{
"id": "8895f25c-1d00-49b9-97fb-322a528d35a1",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "dc7ceb39-fd9c-4f61-be4b-f13d0966b6f8",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Audit Trail Reporting",
"subTarget": "Audit Trail Reporting",
"style": "link"
},
{
"id": "942892a0-c339-459f-97f9-efdd82153262",
"cellValue": "selTab",
"linkTarget": "parameter",
"linkLabel": "Further Analysis",
"subTarget": "Further Analysis",
"style": "link"
}
]
},
"name": "linktab"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "The Microsoft Sentinel Solution for PCI Compliance provides real-time insights into activity and potential threats in your cardholder data environment. This solution is designed for Compliance Teams, Architects, Analysts, and Consultants to define and monitor their PCI assets, as well as identify and investigate compliance issues. This Solution is presented in two parts, as a Workbook and a Watchlist, with the ability to export data from pre-written queries for further exploration. \r\n<br>\r\nThe Microsoft Sentinel team welcomes your feedback on this PCI-DSS Solution, and how we can expand our compliance content to better meet your organizations needs. Please share any feedback with us [Here](https://forms.office.com/r/ChitppJ5T8). ",
"style": "info"
},
"name": "text - 0"
},
{
"type": 1,
"content": {
"json": "### Getting Started \r\n\r\nThere are two pre-requisites to getting started with the PCI-DSS Compliance Solution:<br>\r\n1. <u>Connect Data Sources:</u> Users will need to connect applicable data sources to populate the reports. This Solution provides support for the following data sources:\r\n - AzureDaignostics (firewalls and other network devices)\r\n - SecurityEvent (windows VM)\r\n\t- SecurityAlert (For anamolies detection)\r\n\t- Syslog (linux VM)\r\n\t- OracleDatabaseAuditEvent (Oracle Database Audit solution)\r\n2. <u>Define PCI Assets:</u> Users will need to define the PCI Assets within their compliance scope via the PCI Assets Watchlist\r\n - Save the CSV file with all your pci assets name under column \"asset\".\r\n - Open your workspace in sentinel\r\n\t- Go to watchlist under configration tab\r\n\t- Click on Add new \r\n\t- Enter \"pciassets\" in Name field\r\n\t- Enter Description \r\n\t- Enter \"pciassets\" in Alias field\r\n\t- SourceType should be LocalFile\r\n\t- File type CSV\r\n\t- Upload the CSV file here \r\n\t- Enter \"asset\" as search key\r\n\t- click on Review and Create and then Create\r\n<br>\r\n\r\n### Included in the Microsoft Sentinel PCI-DSS Compliance Solution \r\nThis Solution enables Microsoft Sentinel users to harness the power of their SIEM to assist in meeting PCI-DSS 3.2.1 requirements. This Solution comes with pre-defined dashboards, visualizations, and reports, providing users with immediate insights in their PCI environment. \r\n<br>\r\nThe Watchlist included in this Solution allows users to define the PCI Assets included in their organizations compliance scope. The Workbook included in this Solution contains three tabs, with the following information: \r\n\r\n\r\n<u>Overview Tab</u> This Workbook tab provides an overview of recent activity on the PCI Assets you define and trends over time, through the following tables and charts: \r\n1. 
PCI Asset Status: Online and offline status of PCI assets, including how long a device has been offline \r\n2. PCI Network Asset Status: Online and offline status of network assets in PCI scope, including how long a network device has been offline \r\n3. Anomalous Activity Detected: summary of potentially anomalous activity detected on PCI assets, and correlation to the MITRE ATT&CK framework \r\n4. Network Traffic and Activity Events Over Time: Visualization of data movement over PCI assets \r\n5. Top 10 Activities: Visualization of the top 10 activities occurring on PCI assets \r\n6. Failed vs. Successful Log Ins: summary of login attempts and status on PCI assets \r\n7. Network Data Processed Over Time: Visualization of all network traffic passing through PCI assets, over time \r\n8. Top Actions on Cardholder DB: Visualization of top 10 actions performed on data within the defined cardholder databases\r\n\r\n<u>Audit Trail Reporting Tab</u> This Workbook tab provides a more in-depth look at the data summarized in the Overview, through the following tables and charts: \r\n1. Security Events, Network Traffic Logs, Process Running on PCI Assets: provides an audit trail of activities occurring on PCI assets \r\n2. Login Activities: provides an audit trail of invalid logical access attempts on PCI assets \r\n3. Security Events: provides an audit trail of all actions taken by an individual with root or administrative privileges. This includes use of or changes to identification and authentication mechanisms, creation of new accounts, elevation of privileges, and all changes, additions, deletions to accounts with root or administrative privileges \r\n4. All Activities by User on Cardholder DB: provides audit trail of all events occurring on PCI servers that store cardholder data \r\n\r\n<u>Further Analysis Tab</u> This Workbook tab provides users with the ability to dive deeper into these results, with pre-written queries provided for export and further exploration. 
\r\n\t",
"style": "upsell"
},
"name": "text - 1"
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Getting Started"
},
"name": "SummaryGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nHeartbeat\r\n|where Computer in~ (watchlist)\r\n|extend Lastlog = TimeGenerated\r\n|summarize arg_max(Lastlog, *) by Computer\r\n|extend Current = now()\r\n|extend Offline_past_hours = datetime_diff('hour',now(),Lastlog)\r\n|project Computer,Lastlog,Current,Offline_past_hours",
"size": 1,
"title": "PCI Assets status",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Offline_past_hours",
"formatter": 8,
"formatOptions": {
"min": 10,
"max": 24,
"palette": "red"
}
}
],
"sortBy": [
{
"itemKey": "$gen_heatmap_Offline_past_hours_3",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "$gen_heatmap_Offline_past_hours_3",
"sortOrder": 1
}
]
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAzureDiagnostics \r\n|where Resource in~ (watchlist)\r\n|extend Lastlog = TimeGenerated\r\n|summarize arg_max(Lastlog, *) by Resource\r\n|extend Current = now()\r\n|extend Offline_past_hour = datetime_diff('hour',now(),Lastlog)\r\n|project Resource,Lastlog,Current,Offline_past_hour",
"size": 1,
"title": "PCI Network assets status",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Offline_past_hour",
"formatter": 8,
"formatOptions": {
"min": 2,
"max": 10,
"palette": "red"
}
}
]
}
},
"customWidth": "50",
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAnomalies\r\n|where Entities has_any (watchlist) or AnomalyReasons has_any (watchlist)\r\n|summarize count() by RuleName, UserName,Tactics,Techniques, tostring(AnomalyReasons) ",
"size": 0,
"title": "Anomalous Activity Detected",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Tactics",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Techniques",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "16ch"
}
},
{
"columnMatch": "AnomalyReasons",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100ch"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"min": 0,
"max": 10,
"palette": "turquoise"
}
}
]
}
},
"name": "query - 7",
"styleSettings": {
"margin": "0px",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAzureDiagnostics \r\n|where Resource in~ (watchlist)\r\n|make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeToken:start} to {TimeToken:end} step {TimeToken:grain};",
"size": 1,
"title": "Network traffic events over time",
"color": "lightBlue",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "unstackedbar"
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nunion Event,Syslog\r\n|where Computer in~ (watchlist)\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeToken:start} to {TimeToken:end} step {TimeToken:grain};",
"size": 1,
"title": "Activity Events over time",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n|summarize count() by Activity,Computer\r\n|sort by count_\r\n|take 10",
"size": 2,
"title": "Top 10 activities",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Activity",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Activity",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"yAxis": [
"count_"
],
"group": "Activity",
"createOtherGroup": 10
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "50",
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n|where Activity has_any (\"An account failed to log on\",\"An account was successfully logged on\")\r\n|where SubjectUserName !has (\"$\")\r\n|summarize count() by Activity",
"size": 2,
"title": "Failed Vs Successful login",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "AzureMetrics \r\n|where MetricName == \"DataProcessed\"\r\n|project TimeGenerated ,Resource , Average\r\n|extend Average = log10(Average) \r\n",
"size": 0,
"title": "Network Data Processed over time",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "areachart",
"chartSettings": {
"xAxis": "TimeGenerated",
"yAxis": [
"Average"
],
"group": "Resource",
"createOtherGroup": 10,
"seriesLabelSettings": [
{
"seriesName": "PCIFIREWALL",
"color": "orange"
}
],
"ySettings": {
"min": 4,
"max": 10
}
}
},
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nOracleDatabaseAuditEvent\r\n|where SrcDvcHostname has_any (watchlist)\r\n| where isnotempty(DbAction)\r\n| summarize TotalEvents = count() by DbAction",
"size": 2,
"title": "Top actions on card holder DB",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 8"
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "OverviewGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nAzureDiagnostics\r\n| where Resource in~ (watchlist)\r\n|summarize count() by msg_s,Resource\r\n|project-away count_ ",
"size": 0,
"title": "Network Traffic logs",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "msg_s",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "93ch"
}
},
{
"columnMatch": "Resource",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "16ch"
}
}
]
}
},
"customWidth": "50",
"name": "query - 0",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nunion SecurityEvent,Syslog \r\n|where Computer in (watchlist)\r\n|where Process != \"\"\r\n|extend Process = coalesce(Process,ProcessName)\r\n|summarize count() by Process,Computer\r\n|project-away count_",
"size": 0,
"title": "Process running on PCI assets",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
]
},
"customWidth": "50",
"name": "query - 1",
"styleSettings": {
"padding": "15px",
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n| summarize count() by Account , AccountType ,Computer , Activity ,ParentProcessName",
"size": 0,
"title": "Security Events",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "80ch"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"min": 100,
"max": 3000,
"palette": "pink"
}
}
]
}
},
"name": "query - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer in~ (watchlist)\r\n|where Activity has_any (\"An account failed to log on\",\"An account was successfully logged on\")\r\n|where SubjectUserName !has (\"$\")\r\n|summarize count() by Account, AccountType,Computer , Activity ,WorkstationName",
"size": 0,
"title": "Login Activities",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Account",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "35ch"
}
},
{
"columnMatch": "AccountType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "Activity",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "55ch"
}
},
{
"columnMatch": "WorkstationName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26ch"
}
},
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"min": 2,
"max": 10,
"palette": "magenta",
"customColumnWidthSetting": "12ch"
}
}
]
}
},
"name": "query - 3",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nSecurityEvent \r\n|where Computer has_any (watchlist)\r\n|project TimeGenerated , Account , Activity , Process\r\n|where Activity has \"privileged\"\r\n|distinct *\r\n|sort by TimeGenerated",
"size": 0,
"title": "All actions taken by any individual with root or administrative privileges ",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
]
},
"name": "query - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nHeartbeat\r\n|where Computer in~ (watchlist) \r\n|project Computer ,ComputerIP,Category,OSType,OSName,tostring(ComputerPrivateIPs)\r\n|distinct *",
"size": 0,
"title": "Assets information",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "ComputerIP",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "22ch"
}
},
{
"columnMatch": "Category",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "25ch"
}
},
{
"columnMatch": "OSType",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "OSName",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "35ch"
}
},
{
"columnMatch": "ComputerPrivateIPs",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "26ch"
}
}
]
}
},
"name": "query - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let watchlist = (_GetWatchlist('pciassets') | project asset);\r\nOracleDatabaseAuditEvent\r\n|where SrcDvcHostname has_any (watchlist)",
"size": 0,
"title": "All activities by user on card holder DB",
"timeContextFromParameter": "TimeToken",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{WorkspaceToken}"
]
},
"name": "query - 6",
"styleSettings": {
"showBorder": true
}
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Audit Trail Reporting"
},
"name": "ReportingGroup"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## For complete analaysis, We are providing the analytic KQL queries through which more in depth detailed can be extracted .",
"style": "info"
},
"name": "text - 0"
},
{
"type": 1,
"content": {
"json": "### Steps on how to run the query :\r\n\r\n1> Search and Select microsoft sentinel on azure portal </br>\r\n2> choose the correct workspace </br>\r\n3> choose logs and then paste the query </br>\r\n4> Run it for suitable time range </br>",
"style": "info"
},
"name": "text - 1"
},
{
"type": 1,
"content": {
"json": "## Query for extracting the failed and succesfull login attempts </br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset); </br>\r\nSecurityEvent </br>\r\n|where Computer in~ (watchlist) </br>\r\n|where Activity has_any (\"An account failed to log on\",\"An account was successfully logged on\")</br> \r\n|where SubjectUserName !has (\"$\")</br>\r\n</br>\r\n</br>\r\n## Query for fetching the traffic logs </br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset); </br>\r\nAzureDiagnostics </br>\r\n|where Resource in~ (watchlist) </br>\r\n|summarize count() by msg_s, Resource</br>\r\n|project-away count_ </br>\r\n</br>\r\n</br>\r\n## Query for getting the details of process running on PCI servers</br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nSecurityEvent </br>\r\n|where Computer in (watchlist)</br>\r\n|where Process != \"\"</br>\r\n|summarize count() by Process,Computer</br>\r\n</br>\r\n</br>\r\n## Query for checking the activities on PCI servers </br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nSecurityEvent </br>\r\n|where Computer in~ (watchlist)</br>\r\n|summarize count() by Activity,Computer</br>\r\n</br>\r\n</br>\r\n## Query for checking the status of PCI assets</br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nHeartbeat</br>\r\n|where Computer in~ (watchlist)</br>\r\n|extend Lastlog = TimeGenerated</br>\r\n|summarize arg_max(Lastlog, *) by Computer</br>\r\n|extend Current = now()</br>\r\n|extend Diffrence = datetime_diff('minute',now(),Lastlog)</br>\r\n|project Computer,Lastlog,Current,Diffrence</br>\r\n</br>\r\n</br>\r\n## Query for fetching the activities performed by user</br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);</br>\r\nSecurityEvent </br>\r\n|where Computer in~ (watchlist)</br>\r\n|where SubjectUserName !has (\"$\")</br>\r\n|where SubjectUserName != \"\"</br>\r\n|project SubjectUserName , Activity, Process , 
ProcessName</br>\r\n|distinct *</br>\r\n<br>\r\n<br>\r\n## All actions taken by any individual with root or administrative privileges<br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);<br>\r\nSecurityEvent <br>\r\n|where Computer has_any (watchlist)<br>\r\n|where Activity has \"privileged\"<br>\r\n|distinct *<br>\r\n|sort by TimeGenerated<br>\r\n<br>\r\n<br>\r\n## All activities by user on card holder DB<br>\r\nlet watchlist = (_GetWatchlist('pciassets') | project asset);<br>\r\nOracleDatabaseAuditEvent<br>\r\n|where SrcDvcHostname has_any (watchlist)<br>\r\n\r\n\r\n\r\n",
"style": "upsell"
},
"name": "text - 2"
}
]
},
"conditionalVisibility": {
"parameterName": "selTab",
"comparison": "isEqualTo",
"value": "Further Analysis"
},
"name": "AnalysisGroup"
}
],
"fromTemplateId": "sentinel-PCIDSSCompliance",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}


@ -0,0 +1,135 @@
{
"id": "PaloAltoNetworksCortex",
"title": "Palo Alto Networks Cortex XDR",
"publisher": "Palo Alto Networks",
"descriptionMarkdown": "The Palo Alto Networks Cortex XDR connector gives you an easy way to connect to your Cortex XDR logs with Microsoft Sentinel. This increases the visibility of your endpoint security. It will give you better ability to monitor your resources by creating custom Workbooks, analytics rules, Incident investigation, and evidence gathering.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "PaloAltoNetworksCortex",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\""
}
],
"sampleQueries": [
{
"description" : "All logs",
"query": "\nCommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n | where DeviceProduct == \"Cortex XDR\"\n | sort by TimeGenerated"
},
{
"description" : "Alert By Severity",
"query": "\nCommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n | where DeviceProduct == \"Cortex XDR\"\n | where DeviceAction == \"Prevented (Blocked)\"\n | where LogSeverity =~ \"6\"\n | summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName\n | sort by TimeGenerated"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (PaloAltoNetworksCortex)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct == \"Cortex XDR\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "1. Linux Syslog agent configuration",
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
]
},
{
"title": "2. Forward Palo Alto Networks (Cortex) logs to Syslog agent",
"description": "\n\n> 1. Go to [Cortex Settings and Configurations](https://inspira.xdr.in.paloaltonetworks.com/configuration/external-alerting) and Click to add New Server under External Applications.\n\n> 2. Then specify the name and Give public IP of your syslog server in Destination. \n\n> 3. Give Port number as 514 and from Facility field select FAC_SYSLOG from dropdown. \n\n> 4. Select Protocol as UDP and hit Create."
},
{
"title": "3. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
]
},
{
"title": "4. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
],
"metadata": {
"id": "32512c5f-aa20-4d6b-a9e5-f21958cefa63",
"version": "V2.0",
"kind": "dataConnector",
"source": {
"kind": "solution",
"name": "PaloAltoXDR"
},
"author": {
"name": "Vikas Chaturvedi"
},
"support": {
"tier": "community",
"name": "Microsoft",
"email": "v-chaturvedi01@outlook.com"
}
}
}
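Review bot: The onboarding steps contradict each other on transport: step 1.2 states the CEF collector "collects CEF messages on port 514 TCP", while step 2 tells the user to "Select Protocol as UDP", so a user following the text literally ends up with a listener that never receives anything; pick one and align both strings (the existing `cef_installer.py` flow and the 514 TCP wording suggest `Select Protocol as TCP`). In the same step 2 description the link points at `https://inspira.xdr.in.paloaltonetworks.com/...`, which looks like one specific customer tenant rather than a generic Cortex XDR path, and a published connector should not steer every user to a third party's console; describe the navigation instead (Settings > Configurations > External Applications) or use a placeholder for the tenant host. The support block lists `"tier": "community"` with a personal outlook.com contact, whereas the solution metadata added in this same commit declares Microsoft support with a microsoft.com address; one of the two should be corrected so users know where to report issues. Minor: the description uses "Microsoft Sentinel" while the instruction steps still say "Azure Sentinel".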


@ -0,0 +1,46 @@
id: be8325a4-530c-484d-b301-e01be23395e2
name: Palo Alto XDR High Severity Incidents
description: |
'The query checks for all High Log Severity Alerts and fire incidents in Cortex to return information of the entities.'
severity: High
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
dataTypes:
- PaloAltoNetworksCortex
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where LogSeverity has_any (2,3,4,5,6)
| sort by TimeGenerated
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: SourceUserName
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- entityType: File
fieldMappings:
- identifier: Name
columnName: FilePath
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RequestURL
version: 1.0.0
kind: Scheduled
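Review bot: The rule is titled and described as "High Severity" but the filter `| where LogSeverity has_any (2,3,4,5,6)` matches most of the severity range, and `has_any` with integer literals is a term match on a string column rather than a value comparison; spell out the intended set with a plain membership test, e.g. `| where LogSeverity in ("5","6")` (illustrative, confirm which Cortex values count as high). The entity mappings declare two separate `File` entities with `Name` bound to FileName and to FilePath; since the File entity identifies a file by `Name` plus `Directory`, these should be folded into one File entity with `Name` from FileName and `Directory` from FilePath, and the same applies to the second rule in this commit. All three new rules carry the identical `tactics: DefenseEvasion` / `relevantTechniques: T1562` mapping even though they detect different things (severity threshold, prevention, WildFire malware), which reads as copy-pasted; please confirm each mapping individually.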


@ -0,0 +1,52 @@
id: 5180e347-32fb-4a0a-9cfa-d6e0e10fc4eb
name: Palo Alto Prevention alert
description: |
'The query checks for all malicious events prevented events across all devices having LogSeverity of '6' and summarize the result.'
severity: Medium
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
dataTypes:
- PaloAltoNetworksCortex
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where DeviceAction == "Prevented (Blocked)"
| where LogSeverity =~ "6"
| summarize by TimeGenerated,DeviceProduct, DeviceEventClassID, LogSeverity, Activity, DeviceAction, Computer, DeviceVersion, FileHash, FileName, FilePath, RequestURL, SourceHostName, SourceUserName
| sort by TimeGenerated
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: SourceUserName
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
- entityType: File hash
fieldMappings:
- identifier: Value
columnName: FileHash
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName
- entityType: File
fieldMappings:
- identifier: Name
columnName: FilePath
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RequestURL
version: 1.0.0
kind: Scheduled
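Review bot: `entityType: File hash` is not a valid entity type name in the rule schema; the type is `FileHash`, and it expects an `Algorithm` identifier alongside `Value`, so the FileHash mapping needs the hash algorithm supplied as a column (e.g. an `| extend` of a constant in the query, with the actual algorithm Cortex emits confirmed before hard-coding it). The trailing `| summarize by TimeGenerated, ... SourceUserName` only deduplicates rows, so consider `| distinct` or drop it if every incoming row is already unique. The two `File` entities mapping `Name` to both FileName and FilePath have the same issue raised on the first rule: combine them into one File entity using `Name` and `Directory`.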


@ -0,0 +1,36 @@
id: 961672e7-15db-4df1-9bab-dc4f032b9b6f
name: Palo Alto WildFire Malware Detection
description: |
'The query checks for specifically WildFire Malware and returns the result with Entities and hosts involved and count of attakcs.'
severity: High
requiredDataConnectors:
- connectorId: PaloAltoNetworksCortex
dataTypes:
- PaloAltoNetworksCortex
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
CommonSecurityLog
| where ingestion_time() > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "Cortex XDR"
| where Activity == "WildFire Malware"
| summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer
| where count_ > 5
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: SourceUserName
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: SourceHostName
version: 1.0.0
kind: Scheduled
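Review bot: The `summarize (Timestamp, ReportId,Severity, AttackType)=arg_max(TimeGenerated, ExternalID, LogSeverity, Activity, SourceUserName, SourceHostName), count() by Computer` line names four output columns for a six-expression `arg_max`, so either the last two keep their original names or the statement fails to parse depending on engine version; name all six explicitly (`(Timestamp, ReportId, Severity, AttackType, SourceUserName, SourceHostName)=arg_max(...)`) so the `SourceUserName`/`SourceHostName` entity mappings below are guaranteed to resolve. The description promises the "count of attacks" but the query keeps only the latest event per Computer and then filters `count_ > 5`, which silently drops hosts with five or fewer WildFire hits while `triggerThreshold: 0` suggests any match should alert; state the per-host threshold in the description or move it to the rule threshold. `ingestion_time() > ago(1d)` duplicates `queryPeriod: 1d`; harmless, but worth a comment on why both are present.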


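--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,17 @@
+{
+  "publisherId": "",
+  "offerId": "",
+  "firstPublishDate": "2022-05-16",
+  "lastPublishDate": "2022-05-16",
+  "providers": "Palo Alto",
+  "categories": {
+    "domains" : "Security",
+    "verticals": "XDR"
+  },
+  "support": {
+    "name": "Microsoft Corporation",
+    "email": "support@microsoft.com",
+    "tier": "Microsoft",
+    "link": "https://support.microsoft.com"
+  }
+}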
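Review bot: `publisherId` and `offerId` are committed as empty strings, so whatever consumes this metadata to reference the marketplace offer has nothing to resolve; presumably these are assigned at publishing time, in which case the PR description should say so, otherwise they need values before the solution is packaged. The `domains` key is also written with a space before the colon, unlike every other key in the file — harmless JSON, but worth normalising to `"domains": "Security"`.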


@ -0,0 +1,61 @@
# Palo Alto Cortx XDR Logic App and Playbook Template
## Table of Contents
1. [Overview](#overview)
1. [Prerequisites](#prerequisites)
1. [Deploy Palo Alot XDR playbook](#deployall)
1. [Deployment Instructions](#instructions)
1. [Post-Deployment Instructions](#postdeployment)
1. [References](#references)
<a name="overview">
# Overview
Palo Alto XDR playbook is used in Alert triaging and executing the automated response towards issue, and it also helps in evidence collection.
<a name="prerequisites">
# Prerequisites
- This playbook uses Microsoft Teams connector and VirusTotal connector to enrich the investigation, so you should set up your account if not already to use the Microsoft ID to authorize the teams connector and you will also have to visit this VirusTotal site create your free account, After successful account creation you shall get a standard free public API Key. This key will be required to authorize the VT connector. Reference link - https://www.virustotal.com/
This Video demonstarte on how to obtain the API Key https://youtu.be/9ftKViq71eQ.
<a name="deployall">
# Deploy the Playbook
- You may copy the JSON file and deploy the custom template in azure with variables of own choice or do single click deploy from below tab.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPalo%2520Alto%2520-%2520XDR%2520(Cortex)%2FPlaybook%2Fazuredeploy.json)
[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FPalo%2520Alto%2520-%2520XDR%2520(Cortex)%2FPlaybook%2Fazuredeploy.json)
<a name="instructions">
# Deployment Instructions
- Deploy the Palo Alto XDR Playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters and then proceed with review and create.
<a name="postdeployment">
# Post Deployment Instructions
## Authorize Connections
* Once deployment is complete, you will need to authorize each connection.
- Click the Teams connection resource
- Click edit API connection
- Click Authorize
- Sign in
- Click Save
- Repeat steps for other connections as well.
* In Logic App designer authorize Teams channel connection as well, for playbooks posting adaptive cards.
* For VirusTotal connector please enter the valid API key to activate the connector.
* For Log analytics workspace action you will have to provide the Resouirce group name where your deployment is done, specify the resource name, resource type will be Log Analytics Workspace, your Subscription detail, time range can be like Last 12 hours, and then configure the desired query which your analysts should receive prior to their investigation as a kick starter.
<a name="references">
# References
https://docs.microsoft.com/power-automate/create-adaptive-cards-teams



@ -0,0 +1,653 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "<div style=\"font-size: 200%;\">Palo Alto Networks Cortex XDR overview</div>"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "851602d3-cd7f-4cbb-909e-93ac064917ef",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isGlobal": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "86d6172c-9273-425e-8802-fbbf553762ee",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"includeAll": false,
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"value": [
"/subscriptions/{SubscriptionID}"
]
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog \r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\" \r\n| summarize count() by Activity",
"size": 0,
"title": "Attack Activity View",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "Activity",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "Activity",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 80,
"colorSettings": {
"nodeColorField": "Activity",
"type": 1,
"colorPalette": "default",
"emptyValueColor": "green"
},
"hivesMargin": 10
}
},
"customWidth": "30",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceAction",
"size": 0,
"title": "Palo Alto Incidents coverage",
"noDataMessage": "Please customize the time range to view beter results.",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "DeviceAction",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "30",
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceEventClassID",
"size": 0,
"title": "Device Event Class IDs",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| where Activity == \"WildFire Malware\"",
"size": 0,
"title": "WILDFIRE Alerts",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "TenantId",
"formatter": 1
},
"centerContent": {
"columnMatch": "SourceHostName",
"formatter": 8,
"formatOptions": {
"palette": "categorical"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"nodeIdField": "SourceHostName",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "SourceHostName",
"type": 4,
"heatmapPalette": "categorical",
"heatmapMin": null,
"heatmapMax": null
},
"hivesMargin": 5
}
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n | where LogSeverity has_any (6,7,8,9)",
"size": 0,
"title": "Alerts by Log Severity 6, 7, 8, 9 ",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "SourceHostName",
"formatter": 8,
"formatOptions": {
"palette": "redGreen"
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"nodeIdField": "SourceHostName",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 80,
"colorSettings": {
"nodeColorField": "LogSeverity",
"type": 4,
"heatmapPalette": "redGreen",
"heatmapMin": null,
"heatmapMax": null
},
"hivesMargin": 10
}
},
"customWidth": "50",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by SourceHostName, LogSeverity, DeviceCustomString6",
"size": 0,
"title": "Alerts by Source Vendor",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "AdditionalExtensions",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "AdditionalExtensions",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"customWidth": "30",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by SourceHostName, LogSeverity, DeviceCustomString6",
"size": 0,
"title": "Source Host, Log Severity and Vendor signature",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar",
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "SourceHostName",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "SourceHostName",
"formatter": 11
},
"nodeIdField": "SourceHostName",
"sourceIdField": "DeviceCustomString6",
"targetIdField": "LogSeverity",
"graphOrientation": 2,
"showOrientationToggles": false,
"edgeSize": "DeviceCustomString6",
"edgeLabel": "SourceHostName",
"nodeSize": {
"sizeField": "LogSeverity",
"minSize": 10,
"maxSize": 100
},
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "SourceHostName",
"type": 2,
"emptyValueColor": "orange"
},
"hivesMargin": 5
}
},
"customWidth": "70",
"name": "query - 8",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by TimeGenerated, DeviceVendor, SourceHostName, DeviceAction, Activity, LogSeverity, DeviceEventClassID",
"size": 0,
"title": "Devices list by Alert generated",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceHostName",
"formatter": 8,
"formatOptions": {
"palette": "categorical"
}
},
{
"columnMatch": "DeviceAction",
"formatter": 8,
"formatOptions": {
"palette": "green"
}
},
{
"columnMatch": "Activity",
"formatter": 8,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "LogSeverity",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
}
]
},
"sortBy": []
},
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceCustomString3",
"size": 0,
"title": "Singatures provided by",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "DeviceCustomString3",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "DeviceCustomString3",
"formatter": 8,
"formatOptions": {
"palette": "greenRed"
}
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "DeviceCustomString3",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "DeviceCustomString3",
"type": 4,
"heatmapPalette": "categorical",
"heatmapMin": null,
"heatmapMax": null
},
"hivesMargin": 5
}
},
"customWidth": "30",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by SourceHostName",
"size": 0,
"title": "Hosts by Attacked frequency",
"timeContext": {
"durationMs": 8899200000,
"endTime": "2022-05-15T15:59:00.000Z"
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "orange"
}
}
]
}
},
"customWidth": "30",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "CommonSecurityLog\r\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"Cortex XDR\"\r\n| summarize count() by DeviceVendor",
"size": 0,
"title": "Device Networking",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "30",
"name": "query - 3"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-PaloAltoXDR",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
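Review bot: The TimeRange parameter declared in the `parameters - 1` item is not bound to any query item: every item carries a fixed `"timeContext": {"durationMs": 2592000000}` and none sets `"timeContextFromParameter": "TimeRange"`, so the picker at the top of the workbook appears to have no effect on the tiles (confirm against the workbook schema). The `query - 12` item ("Hosts by Attacked frequency") additionally pins `"endTime": "2022-05-15T15:59:00.000Z"`, which will make that grid show data ending on a fixed date after deployment; the endTime line should be dropped. The `query - 11` item ("Alerts by Log Severity 6, 7, 8, 9") has no summarize in its query, yet its graph centerContent matches `count_`, and its `LogSeverity has_any (6,7,8,9)` compares a string column against integer literals, which may not match as intended. `query - 7` and `query - 8` run the same query, while `query - 7`'s tile title and graph topContent reference `AdditionalExtensions`, a column that summarize does not return.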


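--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -33,7 +33,7 @@
 ],
 "availability": {
 "status": 1,
-"isPreview": true
+"isPreview": false
 },
 "permissions": {
 "resourceProvider": [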


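--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,17 @@
+{
+  "Name": "PostgreSQL",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The PostgreSQL solution provides the capability to ingest [PostgreSQL](https://www.postgresql.org/) events into Microsoft Sentinel. Refer to [PostgreSQL documentation](https://www.postgresql.org/docs/current/index.html) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [ Agent based logs collection from Windows and Linux machines ](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\r\n\n",
+  "Parsers": [
+    "Parsers/PostgreSQLEvent.txt"
+  ],
+  "Data Connectors": [
+    "Data Connectors/Connector_PostgreSQL.json"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\PostgreSQL",
+  "Version": "2.0.0",
+  "TemplateSpec": true,
+  "Is1PConnector": false
+}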
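Review bot: `BasePath` is a machine-specific absolute Windows path (`C:\\GitHub\\Azure-Sentinel\\Solutions\\PostgreSQL`) committed into the repository; presumably the packaging tool reads it, but anyone else running the packaging step has to edit the file first, so it should either be documented as requiring local adjustment or, if the tool allows, be expressed relative to the repository root. The `Description` string ends with a stray `\r\n\n`, which will render as trailing blank lines wherever the description is displayed.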

Solutions/PostgreSQL/Package/2.0.0.zip Normal file

