Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Repackaging - DNS Essentials

This commit is contained in:
v-shukore 2024-03-13 10:12:17 +05:30
Родитель 2e7389fda9
Коммит 4daabfa638
5 изменённых файлов: 235 добавлений и 105 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

5
Solutions/DNS Essentials/Data/Solution_DNS.json
Просмотреть файл

@ -14,7 +14,8 @@
"Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresAnomalyBased.yaml",
"Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml",
"Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountAnomalyBased.yaml",
"Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml"
"Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml",
"Analytic Rules/NgrokReverseProxyOnNetwork.yaml"
],
"Playbooks": [
"Playbooks/SummarizeData_DNSEssentials/azuredeploy.json"
@ -32,7 +33,7 @@
"Hunting Queries/UnexpectedTopLevelDomains.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DNS Essentials",
"Version": "3.0.1",
"Version": "3.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Двоичные данные
Solutions/DNS Essentials/Package/3.0.2.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

16
Solutions/DNS Essentials/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize Data for DNS Essentials Solution** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize Data for DNS Essentials Solution** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 9, **Hunting Queries:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -230,6 +230,20 @@
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently."
}
}
]
}
]
},

318
Solutions/DNS Essentials/Package/mainTemplate.json
Просмотреть файл

@ -41,7 +41,7 @@
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "DNS Essentials",
"_solutionVersion": "3.0.1",
"_solutionVersion": "3.0.2",
"solutionId": "azuresentinel.azure-sentinel-solution-dns-domain",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
@ -107,6 +107,13 @@
"analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('77b7c820-5f60-4779-8bdb-f06e21add5f1')))]",
"_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','77b7c820-5f60-4779-8bdb-f06e21add5f1','-', '1.0.2')))]"
},
"analyticRuleObject9": {
"analyticRuleVersion9": "1.0.0",
"_analyticRulecontentId9": "50b0dfb7-2c94-4eaf-a332-a5936d78c263",
"analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50b0dfb7-2c94-4eaf-a332-a5936d78c263')]",
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50b0dfb7-2c94-4eaf-a332-a5936d78c263')))]",
"_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50b0dfb7-2c94-4eaf-a332-a5936d78c263','-', '1.0.0')))]"
},
"SummarizeData_DNSEssentials": "SummarizeData_DNSEssentials",
"_SummarizeData_DNSEssentials": "[variables('SummarizeData_DNSEssentials')]",
"playbookVersion1": "1.0",
@ -177,7 +184,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "DNSSolutionWorkbook Workbook with template version 3.0.1",
"description": "DNSSolutionWorkbook Workbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -252,7 +259,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -262,7 +269,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -278,7 +285,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"CommandAndControl"
],
@ -288,21 +294,21 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
],
"entityType": "IP"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"baseline": "baseline",
"AnomalyScore": "score",
"baseline": "baseline",
"Total": "Total",
"DNSQueries": "DNSQueries"
},
@ -363,7 +369,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -373,7 +379,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -389,7 +395,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"CommandAndControl"
],
@ -399,13 +404,13 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
],
"entityType": "IP"
}
],
"eventGroupingSettings": {
@ -473,7 +478,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@ -483,7 +488,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -499,7 +504,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"CommandAndControl"
],
@ -510,23 +514,23 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DnsQuery",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DnsQuery"
}
]
],
"entityType": "DNS"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"baseline": "baseline",
"AnomalyScore": "score",
"TotalIPs": "TotalIPs",
"SrcIps": "SrcIps"
"SrcIps": "SrcIps",
"baseline": "baseline",
"TotalIPs": "TotalIPs"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nBaseline for total clients reporting errors for this DNS query: '{{baseline}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNS query include:\n'{{SrcIps}}'",
@ -585,7 +589,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@ -595,7 +599,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -611,7 +615,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"CommandAndControl"
],
@ -622,62 +625,62 @@
],
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DnsQuery",
"identifier": "DomainName"
"identifier": "DomainName",
"columnName": "DnsQuery"
}
]
],
"entityType": "DNS"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIP",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIP"
}
]
],
"entityType": "IP"
},
{
"entityType": "AzureResource",
"fieldMappings": [
{
"columnName": "ResourceId",
"identifier": "ResourceId"
"identifier": "ResourceId",
"columnName": "ResourceId"
}
]
],
"entityType": "AzureResource"
},
{
"entityType": "Url",
"fieldMappings": [
{
"columnName": "DnsQuery",
"identifier": "Url"
"identifier": "Url",
"columnName": "DnsQuery"
}
]
],
"entityType": "Url"
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "HostName",
"identifier": "HostName"
"identifier": "HostName",
"columnName": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "NTDomain"
"identifier": "NTDomain",
"columnName": "HostNameDomain"
}
]
],
"entityType": "Host"
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"customDetails": {
"TotalIPs": "TotalIPs",
"IPCountthreshold": "IPCountthreshold",
"SrcIPs": "SrcIPs"
"SrcIPs": "SrcIPs",
"TotalIPs": "TotalIPs"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'",
@ -736,7 +739,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@ -746,7 +749,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -762,7 +765,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"CommandAndControl"
],
@ -772,21 +774,21 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
],
"entityType": "IP"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"baseline": "baseline",
"AnomalyScore": "score",
"baseline": "baseline",
"Total": "Total",
"DNSQueries": "DNSQueries"
},
@ -847,7 +849,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@ -857,7 +859,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -873,7 +875,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"CommandAndControl"
],
@ -883,22 +884,22 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
],
"entityType": "IP"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"DNSQueryThreshold": "DNSQueryThreshold",
"DNSQueryCount": "DNSQueryCount",
"DNSQueries": "DNSQueries"
"DNSQueries": "DNSQueries",
"DNSQueryThreshold": "DNSQueryThreshold"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.\n\nDGA DNS query count baseline is: '{{DNSQueryThreshold}}'\n\nCurrent failed DNS query count from this client: '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'",
@ -957,7 +958,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@ -967,7 +968,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -983,7 +984,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"Reconnaissance"
],
@ -992,21 +992,21 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
],
"entityType": "IP"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"baseline": "baseline",
"AnomalyScore": "score",
"baseline": "baseline",
"Total": "Total",
"DNSQueries": "DNSQueries"
},
@ -1067,7 +1067,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1",
"description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@ -1077,7 +1077,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -1093,7 +1093,6 @@
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [],
"tactics": [
"Reconnaissance"
],
@ -1102,22 +1101,22 @@
],
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
],
"entityType": "IP"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"DNSQuerythreshold": "DNSQuerythreshold",
"DNSQueryCount": "DNSQueryCount",
"DNSQueries": "DNSQueries"
"DNSQueries": "DNSQueries",
"DNSQuerythreshold": "DNSQuerythreshold"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup threshold is: '{{DNSQuerythreshold}}'\n\nCurrent reverse DNS lookup count from this client is : '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'",
@ -1167,6 +1166,116 @@
"version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "NgrokReverseProxyOnNetwork_AnalyticalRules Analytics Rule with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently.",
"displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"enabled": false,
"query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1572",
"T1090",
"T1102"
],
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"identifier": "DomainName",
"columnName": "Domain"
}
],
"entityType": "DNS"
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
"properties": {
"description": "DNS Essentials Analytics Rule 9",
"parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
"contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"source": {
"kind": "Solution",
"name": "DNS Essentials",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"contentKind": "AnalyticsRule",
"displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)",
"contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
"id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
"version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
@ -1176,7 +1285,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.1",
"description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -1685,7 +1794,7 @@
"Initial version"
]
},
"lastUpdateTime": "2024-01-31T14:39:27.720Z"
"lastUpdateTime": "2024-03-12T17:30:34.996Z"
}
},
"packageKind": "Solution",
@ -1710,7 +1819,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.1",
"description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@ -1795,7 +1904,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.1",
"description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@ -1880,7 +1989,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.1",
"description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@ -1965,7 +2074,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.1",
"description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@ -2050,7 +2159,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.1",
"description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@ -2135,7 +2244,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.1",
"description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@ -2220,7 +2329,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@ -2305,7 +2414,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.1",
"description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@ -2390,7 +2499,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.1",
"description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@ -2475,7 +2584,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.1",
"description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.2",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@ -2556,12 +2665,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.1",
"version": "3.0.2",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "DNS Essentials",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>This is a <a href=\"https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&amp;data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&amp;reserved=0\">domain solution</a> and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the <a href=\"https://aka.ms/AboutASIM\">ASIM</a>.</p>\n<p><strong>Prerequisite :-</strong></p>\n<p>Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.</p>\n<ol>\n<li>Windows Server DNS</li>\n<li>Azure Firewall</li>\n<li>Cisco Umbrella</li>\n<li>Corelight Zeek</li>\n<li>Google Cloud Platform DNS</li>\n<li>Infoblox NIOS</li>\n<li>ISC Bind</li>\n<li>Vectra AI</li>\n<li>Zscaler Internet Access</li>\n</ol>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:</p>\n<ol>\n<li>Product solutions as described above</li>\n<li>Logic app for data summarization</li>\n</ol>\n<p><strong>Recommendation :-</strong></p>\n<p>It is highly recommended to use the <strong>Summarize Data for DNS Essentials Solution</strong> logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules &amp; Hunting queries.</p>\n<p><strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 8, <strong>Hunting Queries:</strong> 10, <strong>Playbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>This is a <a href=\"https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&amp;data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&amp;reserved=0\">domain solution</a> and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the <a href=\"https://aka.ms/AboutASIM\">ASIM</a>.</p>\n<p><strong>Prerequisite :-</strong></p>\n<p>Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.</p>\n<ol>\n<li>Windows Server DNS</li>\n<li>Azure Firewall</li>\n<li>Cisco Umbrella</li>\n<li>Corelight Zeek</li>\n<li>Google Cloud Platform DNS</li>\n<li>Infoblox NIOS</li>\n<li>ISC Bind</li>\n<li>Vectra AI</li>\n<li>Zscaler Internet Access</li>\n</ol>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:</p>\n<ol>\n<li>Product solutions as described above</li>\n<li>Logic app for data summarization</li>\n</ol>\n<p><strong>Recommendation :-</strong></p>\n<p>It is highly recommended to use the <strong>Summarize Data for DNS Essentials Solution</strong> logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules &amp; Hunting queries.</p>\n<p><strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 9, <strong>Hunting Queries:</strong> 10, <strong>Playbooks:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
@ -2631,6 +2740,11 @@
"contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
},
{
"kind": "Playbook",
"contentId": "[variables('_SummarizeData_DNSEssentials')]",

1
Solutions/DNS Essentials/ReleaseNotes.md
Просмотреть файл

@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.1 | 31-01-2023 | Updated the solution to fix Analytic Rules deployment issue |
| 3.0.2 | 12-03-2024 | Added new Analytic rule and repackaged solution |