Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'master' into MimecastTIRegional

This commit is contained in:
nipun-crest 2023-09-18 17:55:43 +05:30 коммит произвёл GitHub
Родитель 2250781558 da97c45f30
Коммит 5910151e80
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
542 изменённых файлов: 80617 добавлений и 3837 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

6
.github/workflows/package-command.yaml поставляемый
Просмотреть файл

@ -18,13 +18,13 @@ on:
types: [package-command, Package-command, PACKAGE-command]
jobs:
solutionNameDetails:
if: ${{ !github.event.pull_request.head.repo.fork }}
if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork }}
uses: ./.github/workflows/getSolutionName.yaml
secrets: inherit
# BELOW JOB WILL CHECK IF WE NEED TO SKIP PACKAGE CREATION OR NOT
checkSkipPackagingDetails:
if: ${{ needs.solutionNameDetails.outputs.solutionName != '' && !github.event.pull_request.head.repo.fork }}
if: ${{ github.actor != 'dependabot[bot]' && needs.solutionNameDetails.outputs.solutionName != '' && !github.event.pull_request.head.repo.fork }}
uses: ./.github/workflows/checkSkipPackagingInfo.yaml
secrets: inherit
needs: solutionNameDetails
@ -34,7 +34,7 @@ jobs:
neworexistingsolution:
needs: [solutionNameDetails, checkSkipPackagingDetails]
uses: ./.github/workflows/neworexistingsolution.yaml
if: ${{ needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
if: ${{ github.actor != 'dependabot[bot]' && needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
with:
solutionName: "${{ needs.solutionNameDetails.outputs.solutionName }}"
secrets: inherit

8
.github/workflows/package-on-merge.yaml поставляемый
Просмотреть файл

@ -21,17 +21,17 @@ on:
- closed
jobs:
checkAutomatedPR:
if: ${{ github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
uses: ./.github/workflows/checkAutomatedPR.yaml
solutionNameDetails:
if: ${{ github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
needs: checkAutomatedPR
uses: ./.github/workflows/getSolutionName.yaml
secrets: inherit
checkSkipPackagingDetails:
if: ${{ github.event.pull_request.merged && !github.event.pull_request.head.repo.fork && needs.solutionNameDetails.outputs.solutionName != '' }}
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.merged && !github.event.pull_request.head.repo.fork && needs.solutionNameDetails.outputs.solutionName != '' }}
uses: ./.github/workflows/checkSkipPackagingInfo.yaml
secrets: inherit
needs: solutionNameDetails
@ -41,7 +41,7 @@ jobs:
neworexistingsolution:
needs: [solutionNameDetails, checkSkipPackagingDetails]
uses: ./.github/workflows/neworexistingsolution.yaml
if: ${{ needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
if: ${{ github.actor != 'dependabot[bot]' && needs.solutionNameDetails.outputs.solutionName != '' && needs.checkSkipPackagingDetails.outputs.isPackagingRequired == 'True' }}
with:
solutionName: "${{ needs.solutionNameDetails.outputs.solutionName }}"
secrets: inherit

4
.script/tests/KqlvalidationsTests/CustomTables/CloudAppEvents.json
Просмотреть файл

@ -140,6 +140,10 @@
{
"name": "Type",
"type": "String"
},
{
"name": "PerformedByDisplayName",
"type": "String"
}
]
}

165
.script/tests/KqlvalidationsTests/CustomTables/DataminrPulseAlerts.json Normal file
Просмотреть файл

@ -0,0 +1,165 @@
{
"Name": "DataminrPulseAlerts",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "AlertId",
"Type": "string"
},
{
"Name": "AlertType",
"Type": "string"
},
{
"Name": "AvailableRelatedAlerts",
"Type": "real"
},
{
"Name": "Caption",
"Type": "string"
},
{
"Name": "Company",
"Type": "string"
},
{
"Name": "CompanyNames",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "CategoryNames",
"Type": "string"
},
{
"Name": "Latitude",
"Type": "real"
},
{
"Name": "Longitude",
"Type": "real"
},
{
"Name": "EventLocationName",
"Type": "string"
},
{
"Name": "EventLocationPlace",
"Type": "string"
},
{
"Name": "EventLocationProbability",
"Type": "real"
},
{
"Name": "EventLocationRadius",
"Type": "real"
},
{
"Name": "EventSource",
"Type": "string"
},
{
"Name": "EventTime",
"Type": "real"
},
{
"Name": "EventVolume",
"Type": "real"
},
{
"Name": "EmbeddedLabels",
"Type": "string"
},
{
"Name": "PostLanguagae",
"Type": "string"
},
{
"Name": "PostLink",
"Type": "string"
},
{
"Name": "PostMedia",
"Type": "string"
},
{
"Name": "PostText",
"Type": "string"
},
{
"Name": "PostTimestamp",
"Type": "real"
},
{
"Name": "PostTranslatedText",
"Type": "string"
},
{
"Name": "PublisherCategoryName",
"Type": "string"
},
{
"Name": "RelatedTerms",
"Type": "string"
},
{
"Name": "Sectors",
"Type": "string"
},
{
"Name": "SourceChannels",
"Type": "string"
},
{
"Name": "SourceDisplayName",
"Type": "string"
},
{
"Name": "SourceEntityName",
"Type": "string"
},
{
"Name": "SourceLink",
"Type": "string"
},
{
"Name": "SourceVerified",
"Type": "string"
},
{
"Name": "SubCaptionBulletsContent",
"Type": "string"
},
{
"Name": "SubCaptionBulletsMedia",
"Type": "string"
},
{
"Name": "SubCaptionBulletsSource",
"Type": "string"
},
{
"Name": "WatchlistsMatchedByType",
"Type": "string"
},
{
"Name": "WatchlistNames",
"Type": "string"
}
]
}

81
.script/tests/KqlvalidationsTests/CustomTables/DataminrPulse_Alerts_CL.json Normal file
Просмотреть файл

@ -0,0 +1,81 @@
{
"Name": "DataminrPulse_Alerts_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "index_s",
"Type": "string"
},
{
"Name": "alertType_name_s",
"Type": "string"
},
{
"Name": "availableRelatedAlerts_d",
"Type": "real"
},
{
"Name": "headline_s",
"Type": "string"
},
{
"Name": "companies_s",
"Type": "string"
},
{
"Name": "categories_s",
"Type": "string"
},
{
"Name": "location_latitude_d",
"Type": "real"
},
{
"Name": "location_longitude_d",
"Type": "real"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "EventVolume",
"Type": "real"
},
{
"Name": "_embedded_labels_s",
"Type": "string"
},
{
"Name": "relatedAlerts_s",
"Type": "string"
},
{
"Name": "dataMap_headlineMds_content_s",
"Type": "string"
},
{
"Name": "odsStatus_timestamp_d",
"Type": "real"
},
{
"Name": "watchlistsMatchedByType_s",
"Type": "string"
},
{
"Name": "location_name_s",
"Type": "string"
}
]
}

57
.script/tests/KqlvalidationsTests/CustomTables/MimecastAudit_CL.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"Name":"MimecastAudit_CL",
"Properties":[
{
"Name":"id_s",
"Type":"String"
},
{
"Name":"auditType_s",
"Type":"String"
},
{
"Name":"user_s",
"Type":"String"
},
{
"Name":"eventTime_d",
"Type":"DateTIme"
},
{
"Name":"eventInfo_s",
"Type":"String"
},
{
"Name":"category_s",
"Type":"String"
},
{
"Name":"mimecastEventId_s",
"Type":"String"
},
{
"Name":"mimecastEventCategory_s",
"Type":"String"
},
{
"Name":"time_generated",
"Type":"DateTime"
},
{
"Name":"app_s",
"Type":"String"
},
{
"Name":"src_s",
"Type":"String"
},
{
"Name":"method_s",
"Type":"String"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}

73
.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPAttachment_CL.json Normal file
Просмотреть файл

@ -0,0 +1,73 @@
{
"Name":"MimecastTTPAttachment_CL",
"Properties":[
{
"Name":"senderAddress_s",
"Type":"String"
},
{
"Name":"recipientAddress_s",
"Type":"String"
},
{
"Name":"fileName_s",
"Type":"String"
},
{
"Name":"fileType_s",
"Type":"String"
},
{
"Name":"result_s",
"Type":"String"
},
{
"Name":"actionTriggered_s",
"Type":"String"
},
{
"Name":"date_t",
"Type":"DateTime"
},
{
"Name":"details_s",
"Type":"String"
},
{
"Name":"route_s",
"Type":"String"
},
{
"Name":"messageId_s",
"Type":"String"
},
{
"Name":"subject_s",
"Type":"String"
},
{
"Name":"fileHash_s",
"Type":"String"
},
{
"Name":"definition_s",
"Type":"String"
},
{
"Name":"mimecastEventId_s",
"Type":"String"
},
{
"Name":"mimecastEventCategory_s",
"Type":"String"
},
{
"Name":"time_generated",
"Type":"DateTime"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}

77
.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPImpersonation_CL.json Normal file
Просмотреть файл

@ -0,0 +1,77 @@
{
"Name":"MimecastTTPImpersonation_CL",
"Properties":[
{
"Name":"id_s",
"Type":"String"
},
{
"Name":"senderAddress_s",
"Type":"String"
},
{
"Name":"recipientAddress_s",
"Type":"String"
},
{
"Name":"subject_s",
"Type":"String"
},
{
"Name":"definition_s",
"Type":"String"
},
{
"Name":"hits_s",
"Type":"String"
},
{
"Name":"identifiers_s",
"Type":"String"
},
{
"Name":"action_s",
"Type":"String"
},
{
"Name":"taggedExternal_b",
"Type":"Bool"
},
{
"Name":"taggedMalicious_b",
"Type":"Bool"
},
{
"Name":"senderIpAddress_s",
"Type":"String"
},
{
"Name":"eventTime_t",
"Type":"DateTime"
},
{
"Name":"impersonationResults_s",
"Type":"String"
},
{
"Name":"messageId_s",
"Type":"String"
},
{
"Name":"mimecastEventId_s",
"Type":"String"
},
{
"Name":"mimecastEventCategory_s",
"Type":"String"
},
{
"Name":"time_generated",
"Type":"DateTime"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}

105
.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPUrl_CL.json Normal file
Просмотреть файл

@ -0,0 +1,105 @@
{
"Name": "MimecastTTPUrl_CL",
"Properties": [
{
"Name": "userEmailAddress_s",
"Type": "String"
},
{
"Name": "fromUserEmailAddress_s",
"Type": "String"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "ttpDefinition_s",
"Type": "String"
},
{
"Name": "subject_s",
"Type": "String"
},
{
"Name": "action_s",
"Type": "String"
},
{
"Name": "adminOverride_s",
"Type": "String"
},
{
"Name": "userOverride_s",
"Type": "String"
},
{
"Name": "scanResult_s",
"Type": "String"
},
{
"Name": "category_s",
"Type": "String"
},
{
"Name": "sendingIp_s",
"Type": "String"
},
{
"Name": "advancedPhishingResult_CredentialTheftBrands_s",
"Type": "String"
},
{
"Name": "advancedPhishingResult_CredentialTheftTags_s",
"Type": "String"
},
{
"Name": "advancedPhishingResult_CredentialTheftEvidence_s",
"Type": "String"
},
{
"Name": "userAwarenessAction_s",
"Type": "String"
},
{
"Name": "date_t",
"Type": "DateTime"
},
{
"Name": "actions_s",
"Type": "String"
},
{
"Name": "route_s",
"Type": "String"
},
{
"Name": "creationMethod_s",
"Type": "String"
},
{
"Name": "emailPartsDescription_s",
"Type": "String"
},
{
"Name": "messageId_s",
"Type": "String"
},
{
"Name": "mimecastEventId_s",
"Type": "String"
},
{
"Name": "mimecastEventCategory_s",
"Type": "String"
},
{
"Name": "time_generated",
"Type": "DateTime"
},
{
"name": "TimeGenerated",
"type": "DateTime"
}
]
}

4
.script/tests/KqlvalidationsTests/CustomTables/NXLog_DNS_Server_CL.json
Просмотреть файл

@ -1,6 +1,10 @@
{
"Name": "NXLog_DNS_Server_CL",
"Properties": [
{
"Name": "_ItemId",
"Type": "String"
},
{
"Name": "TenantId",
"Type": "String"

117
.script/tests/KqlvalidationsTests/CustomTables/SpyCloudBreachDataWatchlist.json Normal file
Просмотреть файл

@ -0,0 +1,117 @@
{
"Name": "SpyCloudBreachDataWatchlist_CL",
"Properties": [
{
"Name": "Document_Id_g",
"Type": "Guid"
},
{
"Name": "Domain_s",
"Type": "String"
},
{
"Name": "Email_s",
"Type": "String"
},
{
"Name": "IP_Address_s",
"Type": "String"
},
{
"Name": "Infected_Machine_Id",
"Type": "String"
},
{
"Name": "Infected_Machine_Id_g",
"Type": "Guid"
},
{
"Name": "Infected_Path_s",
"Type": "String"
},
{
"Name": "Infected_Time_t",
"Type": "DateTime"
},
{
"Name": "Password_s",
"Type": "String"
},
{
"Name": "Password_Plaintext_s",
"Type": "String"
},
{
"Name": "Severity_s",
"Type": "String"
},
{
"Name": "Source_Id_s",
"Type": "String"
},
{
"Name": "SpyCloud_Publish_Date_t",
"Type": "DateTime"
},
{
"Name": "Target_Domain_s",
"Type": "String"
},
{
"Name": "Target_SubDomain_s",
"Type": "String"
},
{
"Name": "Target_URL_s",
"Type": "String"
},
{
"Name": "User_Hostname_s",
"Type": "String"
},
{
"Name": "User_OS_s",
"Type": "String"
},
{
"Name": "Username_s",
"Type": "String"
},
{
"Name": "TenantID",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "ManagementGroupName",
"Type": "String"
},
{
"Name": "RawData",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
}
]
}

205
.script/tests/KqlvalidationsTests/CustomTables/ZeroFoxAlertPoller_CL.json Normal file
Просмотреть файл

@ -0,0 +1,205 @@
{
"Name": "ZeroFoxAlertPoller_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "alert_type_s",
"Type": "String"
},
{
"Name": "logs_s",
"Type": "String"
},
{
"Name": "offending_content_url_s",
"Type": "String"
},
{
"Name": "asset_term_s",
"Type": "String"
},
{
"Name": "assignee_s",
"Type": "String"
},
{
"Name": "entity_id_d",
"Type": "Double"
},
{
"Name": "entity_name_s",
"Type": "String"
},
{
"Name": "entity_image_s",
"Type": "String"
},
{
"Name": "entity_labels_s",
"Type": "String"
},
{
"Name": "entity_entity_group_id_d",
"Type": "Double"
},
{
"Name": "entity_entity_group_name_s",
"Type": "String"
},
{
"Name": "entity_term_s",
"Type": "String"
},
{
"Name": "content_created_at_t",
"Type": "DateTime"
},
{
"Name": "id_d",
"Type": "Double"
},
{
"Name": "Severity",
"Type": "Double"
},
{
"Name": "perpetrator_name_s",
"Type": "String"
},
{
"Name": "perpetrator_display_name_s",
"Type": "String"
},
{
"Name": "perpetrator_id_d",
"Type": "Double"
},
{
"Name": "perpetrator_url_s",
"Type": "String"
},
{
"Name": "perpetrator_content_s",
"Type": "String"
},
{
"Name": "perpetrator_type_s",
"Type": "String"
},
{
"Name": "perpetrator_timestamp_t",
"Type": "DateTime"
},
{
"Name": "perpetrator_network_s",
"Type": "String"
},
{
"Name": "rule_group_id_d",
"Type": "Double"
},
{
"Name": "asset_id_d",
"Type": "Double"
},
{
"Name": "asset_name_s",
"Type": "String"
},
{
"Name": "asset_image_s",
"Type": "String"
},
{
"Name": "asset_labels_s",
"Type": "String"
},
{
"Name": "asset_entity_group_id_d",
"Type": "Double"
},
{
"Name": "asset_entity_group_name_s",
"Type": "String"
},
{
"Name": "entered_by_s",
"Type": "String"
},
{
"Name": "metadata_s",
"Type": "String"
},
{
"Name": "status_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "rule_name_s",
"Type": "String"
},
{
"Name": "last_modified_t",
"Type": "DateTime"
},
{
"Name": "protected_locations_s",
"Type": "String"
},
{
"Name": "darkweb_term_s",
"Type": "String"
},
{
"Name": "business_network_s",
"Type": "String"
},
{
"Name": "reviewed_b",
"Type": "Boolean"
},
{
"Name": "escalated_b",
"Type": "Boolean"
},
{
"Name": "network_s",
"Type": "String"
},
{
"Name": "protected_social_object_s",
"Type": "String"
},
{
"Name": "notes_s",
"Type": "String"
},
{
"Name": "reviews_s",
"Type": "String"
},
{
"Name": "rule_id_d",
"Type": "Double"
},
{
"Name": "entity_account_s",
"Type": "String"
},
{
"Name": "entity_email_receiver_id_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}

33
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_C2_CL.json Normal file
Просмотреть файл

@ -0,0 +1,33 @@
{
"Name": "ZeroFox_CTI_C2_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "port_d",
"Type": "Double"
},
{
"Name": "tags_s",
"Type": "String"
},
{
"Name": "ip_addresses_s",
"Type": "String"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}

78
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_advanced_dark_web_CL.json Normal file
Просмотреть файл

@ -0,0 +1,78 @@
{
"Name": "ZeroFox_CTI_advanced_dark_web_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_d",
"Type": "Double"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "title_s",
"Type": "String"
},
{
"Name": "confidence_s",
"Type": "String"
},
{
"Name": "reliability_s",
"Type": "String"
},
{
"Name": "tlp",
"Type": "String"
},
{
"Name": "contents_s",
"Type": "String"
},
{
"Name": "comments_s",
"Type": "String"
},
{
"Name": "threat_types_s",
"Type": "String"
},
{
"Name": "target_targets_s",
"Type": "String"
},
{
"Name": "target_regions_s",
"Type": "String"
},
{
"Name": "target_industries_s",
"Type": "String"
},
{
"Name": "languages_s",
"Type": "String"
},
{
"Name": "actors_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
,
{
"Name": "source_urls_s",
"Type": "String"
},
{
"Name": "source_names_s",
"Type": "String"
}
]
}

89
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_botnet_CL.json Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"Name": "ZeroFox_CTI_botnet_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "listed_at_t",
"Type": "DateTime"
},
{
"Name": "bot_name_s",
"Type": "String"
},
{
"Name": "c2_ip_address_s",
"Type": "String"
},
{
"Name": "c2_domain_s",
"Type": "String"
},
{
"Name": "is_common_domain_b",
"Type": "Boolean"
},
{
"Name": "file_location_s",
"Type": "String"
},
{
"Name": "operating_system_s",
"Type": "String"
},
{
"Name": "anti_viruses_s",
"Type": "String"
},
{
"Name": "country_code_s",
"Type": "String"
},
{
"Name": "zip_code_s",
"Type": "String"
},
{
"Name": "location_s",
"Type": "String"
},
{
"Name": "current_language_s",
"Type": "String"
},
{
"Name": "available_keyboards_s",
"Type": "String"
},
{
"Name": "uac_s",
"Type": "String"
},
{
"Name": "process_elevation_s",
"Type": "String"
},
{
"Name": "acquired_at_t",
"Type": "DateTime"
},
{
"Name": "logged_at_t",
"Type": "DateTime"
},
{
"Name": "estimated_infected_at_t",
"Type": "DateTime"
},
{
"Name": "breached_at",
"Type": "DateTime"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}

85
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_breaches_CL.json Normal file
Просмотреть файл

@ -0,0 +1,85 @@
{
"Name": "ZeroFox_CTI_breaches_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_s",
"Type": "Double"
},
{
"Name": "name_s",
"Type": "String"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "breach_date_t",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "included_fields_s",
"Type": "String"
},
{
"Name": "record_count_d",
"Type": "Double"
},
{
"Name": "threat_type_s",
"Type": "String"
},
{
"Name": "geography_region_code_s",
"Type": "String"
},
{
"Name": "geography_sub_region_code_s",
"Type": "String"
},
{
"Name": "geography_country_code_s",
"Type": "String"
},
{
"Name": "geography_country_iso_alpha3_code_s",
"Type": "String"
},
{
"Name": "geography_region_s",
"Type": "String"
},
{
"Name": "geography_sub_region_s",
"Type": "String"
},
{
"Name": "geography_country_s",
"Type": "String"
},
{
"Name": "confidence_s",
"Type": "String"
},
{
"Name": "reliability_s",
"Type": "String"
},
{
"Name": "tlp_s",
"Type": "String"
},
{
"Name": "industry_s",
"Type": "String"
}
]
}

41
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_compromised_credentials_CL.json Normal file
Просмотреть файл

@ -0,0 +1,41 @@
{
"Name": "ZeroFox_CTI_compromised_credentials_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "email_s",
"Type": "String"
},
{
"Name": "username_s",
"Type": "String"
},
{
"Name": "password_s",
"Type": "String"
},
{
"Name": "breach_name_s",
"Type": "String"
},
{
"Name": "breach_id_s",
"Type": "String"
},
{
"Name": "impacted_domain_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}

45
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_credit_cards_CL.json Normal file
Просмотреть файл

@ -0,0 +1,45 @@
{
"Name": "ZeroFox_CTI_credit_cards_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "cc_num_s",
"Type": "String"
},
{
"Name": "month_s",
"Type": "String"
},
{
"Name": "year_s",
"Type": "String"
},
{
"Name": "cvv_s",
"Type": "Double"
},
{
"Name": "issuer_s",
"Type": "String"
},
{
"Name": "source_s",
"Type": "String"
},
{
"Name": "cc_bin_s",
"Type": "String"
},
{
"Name": "breach_name_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}

82
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_dark_web_CL.json Normal file
Просмотреть файл

@ -0,0 +1,82 @@
{
"Name": "ZeroFox_CTI_dark_web_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "content_audience_s",
"Type": "String"
},
{
"Name": "forum_name_s",
"Type": "String"
},
{
"Name": "forum_uuid_g",
"Type": "GUID"
},
{
"Name": "general_topic_s",
"Type": "String"
},
{
"Name": "language_code_s",
"Type": "String"
},
{
"Name": "network_type_s",
"Type": "String"
},
{
"Name": "parent_uuid_g",
"Type": "GUID"
},
{
"Name": "post_body_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "post_member_name_s",
"Type": "String"
},
{
"Name": "post_type_s",
"Type": "String"
},
{
"Name": "post_uuid_g",
"Type": "GUID"
},
{
"Name": "sequence_number_d",
"Type": "Double"
},
{
"Name": "thread_name_s",
"Type": "String"
},
{
"Name": "thread_url_s",
"Type": "String"
},
{
"Name": "thread_uuid_g",
"Type": "GUID"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}

33
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_discord_CL.json Normal file
Просмотреть файл

@ -0,0 +1,33 @@
{
"Name": "ZeroFox_CTI_discord_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "author_id_s",
"Type": "String"
},
{
"Name": "author_username_s",
"Type": "String"
},
{
"Name": "channel_name_s",
"Type": "String"
},
{
"Name": "content_s",
"Type": "String"
},
{
"Name": "server_name_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
}
]
}

61
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_disruption_CL.json Normal file
Просмотреть файл

@ -0,0 +1,61 @@
{
"Name": "ZeroFox_CTI_disruption_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "fqdn_s",
"Type": "String"
},
{
"Name": "ip_s",
"Type": "String"
},
{
"Name": "host_s",
"Type": "String"
},
{
"Name": "registrar_s",
"Type": "String"
},
{
"Name": "threat_type_s",
"Type": "String"
},
{
"Name": "http_status_d",
"Type": "Double"
},
{
"Name": "asn_d",
"Type": "Double"
},
{
"Name": "iana_d",
"Type": "Double"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "category_s",
"Type": "String"
},
{
"Name": "network_s",
"Type": "String"
}
]
}

25
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_email_addresses_CL.json Normal file
Просмотреть файл

@ -0,0 +1,25 @@
{
"Name": "ZeroFox_CTI_email_addresses_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "email_s",
"Type": "String"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}

25
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_exploits_CL.json Normal file
Просмотреть файл

@ -0,0 +1,25 @@
{
"Name": "ZeroFox_CTI_exploits_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "cve_s",
"Type": "String"
},
{
"Name": "urls_s",
"Type": "String"
},
{
"Name": "exploit_s",
"Type": "String"
}
]
}

69
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_identity_breach_CL.json Normal file
Просмотреть файл

@ -0,0 +1,69 @@
{
"Name": "ZeroFox_CTI_identity_breach_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "cac_username_hash_s",
"Type": "String"
},
{
"Name": "cac_email_hash_s",
"Type": "String"
},
{
"Name": "cac_password_hash_s",
"Type": "String"
},
{
"Name": "ncid_id_hash_s",
"Type": "String"
},
{
"Name": "cc_num_hash_s",
"Type": "String"
},
{
"Name": "passport_id_hash_s",
"Type": "String"
},
{
"Name": "bank_account_id_hash_s",
"Type": "String"
},
{
"Name": "medical_account_id_hash_s",
"Type": "String"
},
{
"Name": "phone_number_e164_hash_s",
"Type": "String"
},
{
"Name": "dl_id_hash_s",
"Type": "String"
},
{
"Name": "ui_discovered_ts_s",
"Type": "String"
},
{
"Name": "ui_insertion_ts_s",
"Type": "String"
},
{
"Name": "ui_breach_id_d",
"Type": "Double"
},
{
"Name": "ui_breach_name_s",
"Type": "String"
},
{
"Name": "ui_breach_description_s",
"Type": "String"
}
]
}

53
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_irc_CL.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"Name": "ZeroFox_CTI_irc_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "channel_s",
"Type": "String"
},
{
"Name": "message_s",
"Type": "String"
},
{
"Name": "sender_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "username_s",
"Type": "String"
},
{
"Name": "hostname_s",
"Type": "String"
},
{
"Name": "real_name_s",
"Type": "String"
},
{
"Name": "server_s",
"Type": "String"
},
{
"Name": "server_info_s",
"Type": "String"
},
{
"Name": "secure_b",
"Type": "Boolean"
},
{
"Name": "account_s",
"Type": "String"
}
]
}

45
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_malware_CL.json Normal file
Просмотреть файл

@ -0,0 +1,45 @@
{
"Name": "ZeroFox_CTI_malware_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "family_s",
"Type": "String"
},
{
"Name": "md5_s",
"Type": "String"
},
{
"Name": "sha1_s",
"Type": "String"
},
{
"Name": "sha256_s",
"Type": "String"
},
{
"Name": "sha512_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
},
{
"Name": "botnet_s",
"Type": "String"
},
{
"Name": "c2_s",
"Type": "String"
}
]
}

41
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_national_ids_CL.json Normal file
Просмотреть файл

@ -0,0 +1,41 @@
{
"Name": "ZeroFox_CTI_national_ids_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "national_identifier_s",
"Type": "String"
},
{
"Name": "country_s",
"Type": "String"
},
{
"Name": "first_name_s",
"Type": "String"
},
{
"Name": "last_name_s",
"Type": "String"
},
{
"Name": "person_name_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "source_s",
"Type": "String"
},
{
"Name": "breach_name_s",
"Type": "String"
}
]
}

45
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_phishing_CL.json Normal file
Просмотреть файл

@ -0,0 +1,45 @@
{
"Name": "ZeroFox_CTI_phishing_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "scanned_t",
"Type": "DateTime"
},
{
"Name": "domain_s",
"Type": "String"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "cert_authority_s",
"Type": "String"
},
{
"Name": "cert_fingerprint_s",
"Type": "String"
},
{
"Name": "cert_issued_s",
"Type": "String"
},
{
"Name": "host_ip_s",
"Type": "String"
},
{
"Name": "host_asn_d",
"Type": "Double"
},
{
"Name": "host_geo_s",
"Type": "String"
}
]
}

17
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_phone_numbers_CL.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"Name": "ZeroFox_CTI_phone_numbers_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "phone_number_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
}
]
}

53
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_ransomware_CL.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"Name": "ZeroFox_CTI_ransomware_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "md5_s",
"Type": "String"
},
{
"Name": "sha1_s",
"Type": "String"
},
{
"Name": "sha256_s",
"Type": "String"
},
{
"Name": "sha512_s",
"Type": "String"
},
{
"Name": "emails_s",
"Type": "String"
},
{
"Name": "ransom_note_s",
"Type": "String"
},
{
"Name": "note_urls_s",
"Type": "String"
},
{
"Name": "crypto_wallets_s",
"Type": "String"
},
{
"Name": "ransomware_name_s",
"Type": "String"
},
{
"Name": "tags_s",
"Type": "String"
}
]
}

37
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_telegram_CL.json Normal file
Просмотреть файл

@ -0,0 +1,37 @@
{
"Name": "ZeroFox_CTI_telegram_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "channel_name_s",
"Type": "String"
},
{
"Name": "timestamp_t",
"Type": "DateTime"
},
{
"Name": "first_name_s",
"Type": "String"
},
{
"Name": "last_name_s",
"Type": "String"
},
{
"Name": "message_s",
"Type": "String"
},
{
"Name": "user_s",
"Type": "String"
},
{
"Name": "message_url_s",
"Type": "String"
}
]
}

57
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_threat_actors_CL.json Normal file
Просмотреть файл

@ -0,0 +1,57 @@
{
"Name": "ZeroFox_CTI_threat_actors_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "id_d",
"Type": "Double"
},
{
"Name": "mitre_id_s",
"Type": "String"
},
{
"Name": "name_s",
"Type": "String"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "references_s",
"Type": "String"
},
{
"Name": "software_s",
"Type": "String"
},
{
"Name": "associated_groups_s",
"Type": "String"
},
{
"Name": "target_geo_s",
"Type": "String"
},
{
"Name": "target_industries_s",
"Type": "String"
},
{
"Name": "mitre_ttps_s",
"Type": "String"
}
]
}

53
.script/tests/KqlvalidationsTests/CustomTables/ZeroFox_CTI_vulnerabilities_CL.json Normal file
Просмотреть файл

@ -0,0 +1,53 @@
{
"Name": "ZeroFox_CTI_vulnerabilities_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "base_score_d",
"Type": "Double"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "exploitability_score_d",
"Type": "Double"
},
{
"Name": "impact_score_d",
"Type": "Double"
},
{
"Name": "created_at_t",
"Type": "DateTime"
},
{
"Name": "updated_at_t",
"Type": "DateTime"
},
{
"Name": "vector_string_s",
"Type": "String"
},
{
"Name": "cve_s",
"Type": "String"
},
{
"Name": "summary_s",
"Type": "String"
},
{
"Name": "remediation_s",
"Type": "String"
},
{
"Name": "products_s",
"Type": "String"
}
]
}

17
.script/tests/KqlvalidationsTests/CustomTables/_ASIM_GetSourceBySourceType.json Normal file
Просмотреть файл

@ -0,0 +1,17 @@
{
"Name": "_ASIM_GetSourceBySourceType",
"Properties": [
{
"Name": "SourceType",
"Type": "string"
},
{
"Name": "Source",
"Type": "String"
},
{
"Name": "print_0",
"Type": "dynamic"
}
]
}

7
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -72,6 +72,7 @@
"DNS",
"Darktrace",
"DarktraceRESTConnector",
"DataminrPulseAlerts",
"DigitalGuardianDLP",
"DigitalShadows",
"Dynamics365",
@ -196,8 +197,12 @@
"DynatraceAuditLogs",
"DynatraceProblems",
"MicrosoftDefenderThreatIntelligence",
"ZeroFox_Alert_Polling",
"CortexXDR",
"MimecastTTPAPI",
"MimecastAuditAPI",
"PingFederateAma",
"vArmourACAma",
"ContrastProtectAma"
"ContrastProtectAma",
"ClarotyAma"
]

3
.script/utils/workbookCheckers/WorkbookPreviewImageValidationSkipList.json
Просмотреть файл

@ -28,6 +28,7 @@
"BloodHoundEnterpriseAttackPathWorkbook",
"BloodHoundEnterprisePostureWorkbook",
"UserWorkbook-alexdemichieli-github-update-1",
"SalemDashboard"
"SalemDashboard",
"ZNAccessOrchestratorAudit"
]
}

2
ASIM/deploy/EmptyCustomUnifyingParsers/ASim_AuditEventCustom.json
Просмотреть файл

@ -26,7 +26,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASim_DnsCustom",
"name": "ASim_AuditEventCustom",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],

2
ASIM/deploy/EmptyCustomUnifyingParsers/Im_AuditEventCustom.json
Просмотреть файл

@ -26,7 +26,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "Im_DnsCustom",
"name": "Im_AuditEventCustom",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],

42
ASIM/dev/ASimTester/ASimTester.csv
Просмотреть файл

@ -812,16 +812,25 @@ Rule,string,Optional,Dns,,,
Rule,string,Optional,FileEvent,,,
Rule,string,Optional,NetworkSession,,,
Rule,string,Optional,WebSession,,,
Rule,string,Alias,RegistryEvent,,,RuleName
Rule,string,Alias,UserManagement,,,RuleName
Rule,string,Alias,Dhcp,,,RuleName
RuleName,string,Optional,AuditEvent,,,
RuleName,string,Optional,Authentication,,,
RuleName,string,Optional,Dns,,,
RuleName,string,Optional,FileEvent,,,
RuleName,string,Optional,WebSession,,,
RuleName,string,Optional,RegistryEvent,,,
RuleName,string,Optional,UserManagement,,,
RuleName,string,Optional,Dhcp,,,
RuleNumber,int,Optional,AuditEvent,,,
RuleNumber,int,Optional,Authentication,,,
RuleNumber,int,Optional,Dns,,,
RuleNumber,int,Optional,FileEvent,,,
RuleNumber,int,Optional,WebSession,,,
RuleNumber,int,Optional,RegistryEvent,,,
RuleNumber,int,Optional,UserManagement,,,
RuleNumber,int,Optional,Dhcp,,,
SessionId,string,Alias,Dhcp,,,DhcpSessionId
SessionId,string,Alias,Dns,,,DnsSessionId
SessionId,string,Alias,NetworkSession,,,NetworkSessionId
@ -1170,18 +1179,27 @@ ThreatCategory,string,Optional,Dns,,,
ThreatCategory,string,Optional,FileEvent,,,
ThreatCategory,string,Optional,NetworkSession,,,
ThreatCategory,string,Optional,WebSession,,,
ThreatCategory,string,Optional,RegistryEvent,,,
ThreatCategory,string,Optional,UserManagement,,,
ThreatCategory,string,Optional,Dhcp,,,
ThreatConfidence,int,Optional,AuditEvent,ConfidenceLevel,,
ThreatConfidence,int,Optional,Authentication,ConfidenceLevel,,
ThreatConfidence,int,Optional,Dns,ConfidenceLevel,,
ThreatConfidence,int,Optional,FileEvent,,,
ThreatConfidence,int,Optional,NetworkSession,,,
ThreatConfidence,int,Optional,WebSession,,,
ThreatConfidence,int,Optional,RegistryEvent,,,
ThreatConfidence,int,Optional,UserManagement,,,
ThreatConfidence,int,Optional,Dhcp,,,
ThreatField,string,Conditional,AuditEvent,Enumerated,,ThreatIpAddr
ThreatField,string,Conditional,FileEvent,Enumerated,,ThreatFilePath
ThreatField,string,Conditional,NetworkSession,Enumerated,,ThreatIpAddr
ThreatField,string,Optional,Authentication,,,
ThreatField,string,Optional,Dns,,,
ThreatField,string,Optional,WebSession,,,
ThreatField,string,Optional,RegistryEvent,,,
ThreatField,string,Optional,UserManagement,,,
ThreatField,string,Optional,Dhcp,,,
ThreatFilePath,string,Optional,FileEvent,string,,
ThreatFirstReportedTime,datetime,Optional,AuditEvent,,,
ThreatFirstReportedTime,datetime,Optional,Authentication,,,
@ -1189,12 +1207,18 @@ ThreatFirstReportedTime,datetime,Optional,Dns,,,
ThreatFirstReportedTime,datetime,Optional,FileEvent,,,
ThreatFirstReportedTime,datetime,Optional,NetworkSession,,,
ThreatFirstReportedTime,datetime,Optional,WebSession,,,
ThreatFirstReportedTime,datetime,Optional,RegistryEvent,,,
ThreatFirstReportedTime,datetime,Optional,UserManagement,,,
ThreatFirstReportedTime,datetime,Optional,Dhcp,,,
ThreatId,string,Optional,AuditEvent,,,
ThreatId,string,Optional,Authentication,,,
ThreatId,string,Optional,Dns,,,
ThreatId,string,Optional,FileEvent,,,
ThreatId,string,Optional,NetworkSession,,,
ThreatId,string,Optional,WebSession,,,
ThreatId,string,Optional,RegistryEvent,,,
ThreatId,string,Optional,UserManagement,,,
ThreatId,string,Optional,Dhcp,,,
ThreatIpAddr,string,Optional,AuditEvent,IP Address,,
ThreatIpAddr,string,Optional,Authentication,IP Address,,
ThreatIpAddr,string,Optional,Dns,IP Address,,
@ -1206,36 +1230,54 @@ ThreatIsActive,bool,Optional,Dns,,,
ThreatIsActive,bool,Optional,FileEvent,,,
ThreatIsActive,bool,Optional,NetworkSession,,,
ThreatIsActive,bool,Optional,WebSession,,,
ThreatIsActive,bool,Optional,RegistryEvent,,,
ThreatIsActive,bool,Optional,UserManagement,,,
ThreatIsActive,bool,Optional,Dhcp,,,
ThreatLastReportedTime,datetime,Optional,AuditEvent,,,
ThreatLastReportedTime,datetime,Optional,Authentication,,,
ThreatLastReportedTime,datetime,Optional,Dns,,,
ThreatLastReportedTime,datetime,Optional,FileEvent,,,
ThreatLastReportedTime,datetime,Optional,NetworkSession,,,
ThreatLastReportedTime,datetime,Optional,WebSession,,,
ThreatLastReportedTime,datetime,Optional,RegistryEvent,,,
ThreatLastReportedTime,datetime,Optional,UserManagement,,,
ThreatLastReportedTime,datetime,Optional,Dhcp,,,
ThreatName,string,Optional,AuditEvent,,,
ThreatName,string,Optional,Authentication,,,
ThreatName,string,Optional,Dns,,,
ThreatName,string,Optional,FileEvent,,,
ThreatName,string,Optional,NetworkSession,,,
ThreatName,string,Optional,WebSession,,,
ThreatName,string,Optional,RegistryEvent,,,
ThreatName,string,Optional,UserManagement,,,
ThreatName,string,Optional,Dhcp,,,
ThreatOriginalConfidence,string,Optional,AuditEvent,,,
ThreatOriginalConfidence,string,Optional,Authentication,,,
ThreatOriginalConfidence,string,Optional,Dns,,,
ThreatOriginalConfidence,string,Optional,FileEvent,,,
ThreatOriginalConfidence,string,Optional,NetworkSession,,,
ThreatOriginalConfidence,string,Optional,WebSession,,,
ThreatOriginalConfidence,string,Optional,RegistryEvent,,,
ThreatOriginalConfidence,string,Optional,UserManagement,,,
ThreatOriginalConfidence,string,Optional,Dhcp,,,
ThreatOriginalRiskLevel,string,Optional,AuditEvent,,,
ThreatOriginalRiskLevel,string,Optional,Authentication,,,
ThreatOriginalRiskLevel,string,Optional,Dns,,,
ThreatOriginalRiskLevel,string,Optional,FileEvent,,,
ThreatOriginalRiskLevel,string,Optional,NetworkSession,,,
ThreatOriginalRiskLevel,string,Optional,WebSession,,,
ThreatOriginalRiskLevel,string,Optional,RegistryEvent,,,
ThreatOriginalRiskLevel,string,Optional,UserManagement,,,
ThreatOriginalRiskLevel,string,Optional,Dhcp,,,
ThreatRiskLevel,int,Optional,AuditEvent,RiskLevel,,
ThreatRiskLevel,int,Optional,Authentication,RiskLevel,,
ThreatRiskLevel,int,Optional,Dns,RiskLevel,,
ThreatRiskLevel,int,Optional,FileEvent,RiskLevel,,
ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,,
ThreatRiskLevel,int,Optional,WebSession,RiskLevel,,
ThreatRiskLevel,int,Optional,RegistryEvent,,,
ThreatRiskLevel,int,Optional,UserManagement,,,
ThreatRiskLevel,int,Optional,Dhcp,,,
TimeGenerated,datetime,Mandatory,AuditEvent,,,
TimeGenerated,datetime,Mandatory,Authentication,,,
TimeGenerated,datetime,Mandatory,Common,,,

1 ColumnName ColumnType Class Schema LogicalType ListOfValues Aliased
812 Rule string Optional FileEvent
813 Rule string Optional NetworkSession
814 Rule string Optional WebSession
815 Rule string Alias RegistryEvent RuleName
816 Rule string Alias UserManagement RuleName
817 Rule string Alias Dhcp RuleName
818 RuleName string Optional AuditEvent
819 RuleName string Optional Authentication
820 RuleName string Optional Dns
821 RuleName string Optional FileEvent
822 RuleName string Optional WebSession
823 RuleName string Optional RegistryEvent
824 RuleName string Optional UserManagement
825 RuleName string Optional Dhcp
826 RuleNumber int Optional AuditEvent
827 RuleNumber int Optional Authentication
828 RuleNumber int Optional Dns
829 RuleNumber int Optional FileEvent
830 RuleNumber int Optional WebSession
831 RuleNumber int Optional RegistryEvent
832 RuleNumber int Optional UserManagement
833 RuleNumber int Optional Dhcp
834 SessionId string Alias Dhcp DhcpSessionId
835 SessionId string Alias Dns DnsSessionId
836 SessionId string Alias NetworkSession NetworkSessionId
1179 ThreatCategory string Optional FileEvent
1180 ThreatCategory string Optional NetworkSession
1181 ThreatCategory string Optional WebSession
1182 ThreatCategory string Optional RegistryEvent
1183 ThreatCategory string Optional UserManagement
1184 ThreatCategory string Optional Dhcp
1185 ThreatConfidence int Optional AuditEvent ConfidenceLevel
1186 ThreatConfidence int Optional Authentication ConfidenceLevel
1187 ThreatConfidence int Optional Dns ConfidenceLevel
1188 ThreatConfidence int Optional FileEvent
1189 ThreatConfidence int Optional NetworkSession
1190 ThreatConfidence int Optional WebSession
1191 ThreatConfidence int Optional RegistryEvent
1192 ThreatConfidence int Optional UserManagement
1193 ThreatConfidence int Optional Dhcp
1194 ThreatField string Conditional AuditEvent Enumerated ThreatIpAddr
1195 ThreatField string Conditional FileEvent Enumerated ThreatFilePath
1196 ThreatField string Conditional NetworkSession Enumerated ThreatIpAddr
1197 ThreatField string Optional Authentication
1198 ThreatField string Optional Dns
1199 ThreatField string Optional WebSession
1200 ThreatField string Optional RegistryEvent
1201 ThreatField string Optional UserManagement
1202 ThreatField string Optional Dhcp
1203 ThreatFilePath string Optional FileEvent string
1204 ThreatFirstReportedTime datetime Optional AuditEvent
1205 ThreatFirstReportedTime datetime Optional Authentication
1207 ThreatFirstReportedTime datetime Optional FileEvent
1208 ThreatFirstReportedTime datetime Optional NetworkSession
1209 ThreatFirstReportedTime datetime Optional WebSession
1210 ThreatFirstReportedTime datetime Optional RegistryEvent
1211 ThreatFirstReportedTime datetime Optional UserManagement
1212 ThreatFirstReportedTime datetime Optional Dhcp
1213 ThreatId string Optional AuditEvent
1214 ThreatId string Optional Authentication
1215 ThreatId string Optional Dns
1216 ThreatId string Optional FileEvent
1217 ThreatId string Optional NetworkSession
1218 ThreatId string Optional WebSession
1219 ThreatId string Optional RegistryEvent
1220 ThreatId string Optional UserManagement
1221 ThreatId string Optional Dhcp
1222 ThreatIpAddr string Optional AuditEvent IP Address
1223 ThreatIpAddr string Optional Authentication IP Address
1224 ThreatIpAddr string Optional Dns IP Address
1230 ThreatIsActive bool Optional FileEvent
1231 ThreatIsActive bool Optional NetworkSession
1232 ThreatIsActive bool Optional WebSession
1233 ThreatIsActive bool Optional RegistryEvent
1234 ThreatIsActive bool Optional UserManagement
1235 ThreatIsActive bool Optional Dhcp
1236 ThreatLastReportedTime datetime Optional AuditEvent
1237 ThreatLastReportedTime datetime Optional Authentication
1238 ThreatLastReportedTime datetime Optional Dns
1239 ThreatLastReportedTime datetime Optional FileEvent
1240 ThreatLastReportedTime datetime Optional NetworkSession
1241 ThreatLastReportedTime datetime Optional WebSession
1242 ThreatLastReportedTime datetime Optional RegistryEvent
1243 ThreatLastReportedTime datetime Optional UserManagement
1244 ThreatLastReportedTime datetime Optional Dhcp
1245 ThreatName string Optional AuditEvent
1246 ThreatName string Optional Authentication
1247 ThreatName string Optional Dns
1248 ThreatName string Optional FileEvent
1249 ThreatName string Optional NetworkSession
1250 ThreatName string Optional WebSession
1251 ThreatName string Optional RegistryEvent
1252 ThreatName string Optional UserManagement
1253 ThreatName string Optional Dhcp
1254 ThreatOriginalConfidence string Optional AuditEvent
1255 ThreatOriginalConfidence string Optional Authentication
1256 ThreatOriginalConfidence string Optional Dns
1257 ThreatOriginalConfidence string Optional FileEvent
1258 ThreatOriginalConfidence string Optional NetworkSession
1259 ThreatOriginalConfidence string Optional WebSession
1260 ThreatOriginalConfidence string Optional RegistryEvent
1261 ThreatOriginalConfidence string Optional UserManagement
1262 ThreatOriginalConfidence string Optional Dhcp
1263 ThreatOriginalRiskLevel string Optional AuditEvent
1264 ThreatOriginalRiskLevel string Optional Authentication
1265 ThreatOriginalRiskLevel string Optional Dns
1266 ThreatOriginalRiskLevel string Optional FileEvent
1267 ThreatOriginalRiskLevel string Optional NetworkSession
1268 ThreatOriginalRiskLevel string Optional WebSession
1269 ThreatOriginalRiskLevel string Optional RegistryEvent
1270 ThreatOriginalRiskLevel string Optional UserManagement
1271 ThreatOriginalRiskLevel string Optional Dhcp
1272 ThreatRiskLevel int Optional AuditEvent RiskLevel
1273 ThreatRiskLevel int Optional Authentication RiskLevel
1274 ThreatRiskLevel int Optional Dns RiskLevel
1275 ThreatRiskLevel int Optional FileEvent RiskLevel
1276 ThreatRiskLevel int Optional NetworkSession RiskLevel
1277 ThreatRiskLevel int Optional WebSession RiskLevel
1278 ThreatRiskLevel int Optional RegistryEvent
1279 ThreatRiskLevel int Optional UserManagement
1280 ThreatRiskLevel int Optional Dhcp
1281 TimeGenerated datetime Mandatory AuditEvent
1282 TimeGenerated datetime Mandatory Authentication
1283 TimeGenerated datetime Mandatory Common

2
ASIM/schemas/ASimAuthentication.yaml
Просмотреть файл

@ -117,7 +117,7 @@ Fields:
- Name: LogonMethod
Class: Optional
Type: string
Type: string
Description: The method used to perform authentication.
Example: Username & Password

138
ASIM/schemas/ASimDHCPEvent.yaml Normal file
Просмотреть файл

@ -0,0 +1,138 @@
Schema:
Schema: Dhcp
Version: '0.1.0'
Last Updated: Sept 12 2023
References:
- Title: ASIM DHCP Schema
Link: https://aka.ms/ASimDhcpDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Include:
# Metadata
- Name: Enumerations
File: common/ASimEnumerations.yaml
# Common fields
- Name: Event Fields
File: common/ASimEventFields.yaml
- Name: Inspection fields
File: common/ASimInspectionFields.yaml
# Entities
- Name: Dvc
File: entities/ASimDvc.yaml
- Name: Source user entity
File: entities/ASimUser.yaml
Role: Src
- Name: Source system entity
File: entities/ASimSystem.yaml
Role: Src
Fields:
# Common fields overrides and additions
- Name: EventType
Type: string
Class: Mandatory
Logical type: Enumerated
List of values: [ Assign, Renew, Release, DNS Update ]
Description: Indicate the operation reported by the record.
- Name: EventSchema
Type: string
Class: Mandatory
Logical type: Enumerated
List of values: [ Dhcp ]
# Aliases
- Name: User
Type: string
Class: Alias
Logical type: Username
Description: Alias for SrcUsername
Aliases: SrcUsername
- Name: IpAddr
Type: string
Class: Alias
Logical type: IP Address
Description: Alias to SrcIpAddr
Aliases: SrcIpAddr
- Name: Hostname
Type: string
Class: Alias
Description: Alias to SrcHostname
Aliases: SrcHostname
# DHCP event fields
- Name: RequestedIpAddr
Class: Optional
Type: string
Description: The IP address requested by the DHCP client, when available.
Example: '192.168.12.3'
- Name: DhcpLeaseDuration
Class: Optional
Type: integer
Description: The length of the lease granted to a client, in seconds.
- Name: DhcpSessionId
Class: Optional
Type: string
Description: The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.
Example: '2099570186'
- Name: SessionId
Class: Alias
Type: string
Description: Alias to DhcpSessionId.
Aliases: DhcpSessionId
- Name: DhcpSessionDuration
Class: Optional
Type: integer
Description: The amount of time, in milliseconds, for the completion of the DHCP session.
Example: 1500
- Name: Duration
Class: Alias
Type: integer
Description: Alias to DhcpSessionDuration
Aliases: DhcpSessionDuration
- Name: DhcpSrcDHCId
Class: Optional
Type: string
Description: The DHCP client ID, as defined by RFC4701.
- Name: DhcpCircuitId
Class: Recommended
Type: string
Description: The DHCP circuit ID, as defined by RFC3046.
- Name: DhcpSubscriberId
Class: Optional
Type: string
Description: The DHCP subscriber ID, as defined by RFC3993.
- Name: DhcpVendorClassId
Class: Optional
Type: string
Description: The DHCP Vendor Class Id, as defined by RFC3925.
- Name: DhcpVendorClass
Class: Optional
Type: string
Description: The DHCP Vendor Class, as defined by RFC3925.
- Name: DhcpUserClassId
Class: Optional
Type: string
Description: The DHCP User Class Id, as defined by RFC3004.
- Name: DhcpUserClass
Class: Optional
Type: string
Description: The DHCP User Class, as defined by RFC3004.

40
ASIM/schemas/ASimDns.yaml
Просмотреть файл

@ -51,7 +51,7 @@ Fields:
Type: string
Class: Mandatory
Logical type: Enumerated
List of values: [ request response ]
List of values: [ request, response ]
Notes: For most sources, only the responses are logged, and therefore the value is often response.
- Name: EventResultDetails
@ -74,7 +74,7 @@ Fields:
Type: string
Logical type: Enumerated
Description: The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName..
List of values: [SrcIpAddr DstIpAddr Domain DnsResponseName]
List of values: [SrcIpAddr, DstIpAddr, Domain, DnsResponseName]
- Name: ThreatIpAddr
Class: Optional
@ -111,7 +111,7 @@ Fields:
# DNS event fields
- Name: DnsQuery
Class: Mandatory
Type: string
Type: string
Description: The domain that the request tries to resolve.
Notes: |
- Some sources send valid FQDN queries in a different format. For example, in the DNS protocol itself, the query includes a dot (.) at the end, which must be removed.
@ -134,7 +134,7 @@ Fields:
- Name: DnsQueryTypeName
Class: Recommended
Type: string
Logical type: Enumerated
Logical type: Enumerated
List of values: TBD
Description: The DNS Resource Record Type names.
Notes: |
@ -146,7 +146,7 @@ Fields:
- Name: DnsResponseName
Class: Optional
Type: string
Type: string
Description: The content of the response, as included in the record.
Notes: The DNS response data is inconsistent across reporting devices, is complex to parse, and has less value for source-agnostic analytics. Therefore the information model doesn't require parsing and normalization, and Microsoft Sentinel uses an auxiliary function to provide response information. For more information, see Handling DNS response.
@ -158,37 +158,37 @@ Fields:
- Name: DnsResponseCode
Class: Optional
Type: integer
Type: integer
Description: The DNS numerical response code.
Example: 3
- Name: TransactionIdHex
Class: Recommended
Type: string
Description: The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from DnsSessionId, the network layer session ID, typically assigned by the reporting device.
Class: Recommended
Type: string
Description: The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from DnsSessionId, the network layer session ID, typically assigned by the reporting device.
- Name: NetworkProtocol
Class: Optional
Type: string
Logical type: Enumerated
List of values: [TCP UDP]
Logical type: Enumerated
List of values: [TCP, UDP]
Description: The transport protocol used by the network resolution event. The value can be UDP or TCP, and is most commonly set to UDP for DNS.
Example: UDP
- Name: NetworkProtocolVersion
Class: Optional
Type: string
Logical type: Enumerated
Logical type: Enumerated
List of values: TBD
- Name: DnsQueryClass
Class: Optional
Type: integer
Type: integer
Description: The DNS class ID. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.
- Name: DnsQueryClassName
Class: Optional
Type: string
Type: string
Logical type: Enumerated
List of values: TBD
Description: The DNS class name. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.
@ -203,8 +203,8 @@ Fields:
- Name: DnsNetworkDuration
Class: Optional
Type: integer
Description: The amount of time, in milliseconds, for the completion of DNS request.
Type: integer
Description: The amount of time, in milliseconds, for the completion of DNS request.
Example: 1500
- Name: Duration
@ -216,7 +216,7 @@ Fields:
- Name: DnsFlagsAuthenticated
Class: Optional
Type: bool
Description: The DNS AD flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see RFC 3655 Section 6.1 for more information.
Description: The DNS AD flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see RFC 3655 Section 6.1 for more information.
- Name: DnsFlagsAuthoritative
Class: Optional
@ -251,7 +251,7 @@ Fields:
- Name: DnsSessionId
Class: Optional
Type: string
Description: The DNS session identifier as reported by the reporting device. This value is different from TransactionIdHex, the DNS query unique ID as assigned by the DNS client.
Description: The DNS session identifier as reported by the reporting device. This value is different from TransactionIdHex, the DNS query unique ID as assigned by the DNS client.
Example: EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55
- Name: SessionId
@ -284,14 +284,14 @@ Fields:
- Name: DnsResponseIpLatitude
Class: Optional
Type: float
Logical type: Latitude
Logical type: Latitude
Description: The latitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types.
Example: 44.475833
- Name: DnsResponseIpLongitude
Class: Optional
Type: float
Logical type: Longitude
Logical type: Longitude
Description: The longitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types.
Example: 73.211944

47
ASIM/schemas/ASimFileEvent.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Schema:
Schema: FileEvent
Version: '0.2.1'
Last Updated: Dec 27, 2022
Version: '0.2.3'
Last Updated: Sept 12 2023
References:
- Title: ASIM File Event Schema
Link: https://aka.ms/ASimFileEventDoc
@ -25,9 +25,6 @@ Include:
File: entities/ASimDvc.yaml
- Name: Actor entity
File: entities/ASimActor.yaml
- Name: Target user entity
File: entities/ASimUser.yaml
Role: Target
- Name: Target application entity
File: entities/ASimApp.yaml
Role: Target
@ -130,7 +127,7 @@ Fields:
- Name: TargetFileName
Class: Recommended
Type: string
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the TargetFilePath field.
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the TargetFilePath field.
- Name: FileName
Type: string
@ -138,7 +135,7 @@ Fields:
Aliases: TargetFileName
- Name: TargetFilePath
Class: Mandatory
Class: Mandatory
Type: String
Description: The full, normalized path of the target file, including the folder or location, the file name, and the extension. If the record does not include folder or location information, store the filename only here.
Example: C:\Windows\System32\notepad.exe
@ -146,7 +143,7 @@ Fields:
- Name: TargetFilePathType
Class: Conditional
Type: string
Logical type: Enumerated
Logical type: Enumerated
Description: The type of TargetFilePath. For more information.
List of values: [ Windows Local, Windows Share, Unix, URL ]
Follows: TargetFilePath
@ -160,21 +157,21 @@ Fields:
- Name: TargetFileMD5
Class: Optional
Type: string
Logical type: MD5
Logical type: MD5
Description: The MD5 hash of the target file.
Example: 75a599802f1fa166cdadb360960b1dd0
- Name: TargetFileSHA1
Class: Optional
Type: string
Logical type: SHA1
Logical type: SHA1
Description: The SHA-1 hash of the target file.
Example: d55c5a4df19b46db8c54c801c4665d3338acdab0
- Name: TargetFileSHA256
Class: Optional
Type: string
Logical type: SHA256
Logical type: SHA256
Description: The SHA-256 hash of the target file.
Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274
@ -186,9 +183,9 @@ Fields:
- Name: Hash
Type: string
Class: Conditional
Class: Alias
Description: Alias to the best available Target File hash.
Follows: [TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512]
Aliases: [TargetFileMD5, TargetFileSHA1, TargetFileSHA256, TargetFileSHA512]
- Name: HashType
Class: Conditional
@ -199,7 +196,7 @@ Fields:
- Name: TargetFileSize
Class: Optional
Type: long
Type: long
Description: The size of the target file in bytes.
# Source file fields
@ -228,10 +225,10 @@ Fields:
- Name: SrcFileName
Class: Recommended
Type: string
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the SrcFilePath field.
Description: The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the SrcFilePath field.
- Name: SrcFilePath
Class: Mandatory
Class: Mandatory
Type: String
Description: The full, normalized path of the target file, including the folder or location, the file name, and the extension. If the record does not include folder or location information, store the filename only here.
Example: C:\Windows\System32\notepad.exe
@ -239,7 +236,7 @@ Fields:
- Name: SrcFilePathType
Class: Conditional
Type: string
Logical type: Enumerated
Logical type: Enumerated
Description: The type of SrcFilePath. For more information.
List of values: [ Windows Local, Windows Share, Unix, URL ]
Follows: SrcFilePath
@ -247,21 +244,21 @@ Fields:
- Name: SrcFileMD5
Class: Optional
Type: string
Logical type: MD5
Logical type: MD5
Description: The MD5 hash of the target file.
Example: 75a599802f1fa166cdadb360960b1dd0
- Name: SrcFileSHA1
Class: Optional
Type: string
Logical type: SHA1
Logical type: SHA1
Description: The SHA-1 hash of the target file.
Example: d55c5a4df19b46db8c54c801c4665d3338acdab0
- Name: SrcFileSHA256
Class: Optional
Type: string
Logical type: SHA256
Logical type: SHA256
Description: The SHA-256 hash of the target file.
Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274
@ -273,17 +270,17 @@ Fields:
- Name: SrcFileSize
Class: Optional
Type: long
Type: long
Description: The size of the target file in bytes.
# Additional fields
- Name: HttpUserAgent
Class: Optional
Type: string
Description: When the operation is initiated by a remote system using HTTP or HTTPS, the user agent used.
Type: string
Description: When the operation is initiated by a remote system using HTTP or HTTPS, the user agent used.
Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
- Name: NetworkApplicationProtocol
Class: Optional
Type: string
Description: When the operation is initiated by a remote system, this value is the application layer protocol used in the OSI model. While this field is not enumerated, and any value is accepted, preferable values include HTTP, HTTPS, SMB,FTP, and SSH.
Type: string
Description: When the operation is initiated by a remote system, this value is the application layer protocol used in the OSI model. While this field is not enumerated, and any value is accepted, preferable values include HTTP, HTTPS, SMB,FTP, and SSH.

4
ASIM/schemas/ASimProcessEvent.yaml
Просмотреть файл

@ -1,6 +1,6 @@
Schema:
Schema: ProcessEvent
Version: '0.1.4'
Version: '0.1.5'
Last Updated: Mar 06, 2023
References:
- Title: ASIM Process Event Schema
@ -17,6 +17,8 @@ Include:
# Common fields
- Name: Event Fields
File: common/ASimEventFields.yaml
- Name: Inspection fields
File: common/ASimInspectionFields.yaml
# Entities
- Name: Dvc

110
ASIM/schemas/ASimRegistryEvent.yaml Normal file
Просмотреть файл

@ -0,0 +1,110 @@
Schema:
Schema: RegistryEvent
Version: '0.1.0'
Last Updated: Sept 12 2023
References:
- Title: ASIM DHCP Schema
Link: https://aka.ms/ASimRegistryEventDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Include:
# Metadata
- Name: Enumerations
File: common/ASimEnumerations.yaml
# Common fields
- Name: Event Fields
File: common/ASimEventFields.yaml
- Name: Inspection fields
File: common/ASimInspectionFields.yaml
# Entities
- Name: Dvc
File: entities/ASimDvc.yaml
- Name: Actor entity
File: entities/ASimActor.yaml
- Name: Acting process entity
File: entities/ASimProcess.yaml
Role: Acting
- Name: Parent process entity
File: entities/ASimProcess.yaml
Role: Parent
Fields:
# Common fields overrides and additions
- Name: EventType
Type: string
Class: Mandatory
Logical type: Enumerated
List of values: [ RegistryKeyCreated, RegistryKeyDeleted, RegistryKeyRenamed, RegistryValueDeleted, RegistryValueSet ]
Description: Describes the operation reported by the record.
- Name: EventSchema
Type: string
Class: Mandatory
Logical type: Enumerated
List of values: [ RegistryEvent ]
# Aliases
- Name: User
Type: string
Class: Alias
Description: Alias to the ActorUsername field.
Aliases: ActorUsername
- Name: Process
Type: string
Class: Alias
Description: Alias to the ActingProcessName field.
Aliases: ActingProcessName
# Registry event fields
- Name: RegistryKey
Class: Mandatory
Type: string
Description: The registry key associated with the operation, normalized to standard root key naming conventions.
Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
- Name: RegistryValue
Class: Recommended
Type: string
Description: The registry value associated with the operation. Registry values are similar to files in file systems.
Example: Path
- Name: RegistryValueType
Class: Recommended
Type: string
Description: The type of registry value, normalized to standard form.
Example: 'Reg_Expand_Sz'
- Name: RegistryValueData
Class: Recommended
Type: string
Description: The data stored in the registry value.
Example: 'C:\Windows\system32;C:\Windows;'
- Name: RegistryPreviousKey
Class: Recommended
Type: string
Description: For operations that modify the registry, the original registry key, normalized to standard root key naming.
Example: 'HKEY_LOCAL_MACHINE\SOFTWARE\MTG'
- Name: RegistryPreviousValue
Class: Recommended
Type: string
Description: For operations that modify the registry, the original value type, normalized to the standard form.
Example: Path
- Name: RegistryPreviousValueType
Class: Recommended
Type: string
Description: For operations that modify the registry, the original value type.
Example: 'Reg_Expand_Sz'
- Name: RegistryPreviousValueData
Class: Recommended
Type: string
Description: The original registry data, for operations that modify the registry.
Example: 'C:\Windows\system32;C:\Windows;'

2
ASIM/schemas/ASimUserManagement.yaml
Просмотреть файл

@ -1,7 +1,7 @@
Schema:
Schema: User Management
Version: '0.1.1'
Last Updated: 18 Jul, 2023
Last Updated: Sept 12 2023
References:
- Title: ASIM Authentication Schema
Link: https://aka.ms/ASimUserManagementDoc

2
ASIM/schemas/entities/ASimApp.yaml
Просмотреть файл

@ -28,4 +28,4 @@ Fields:
Type: string
Class: Optional
Description: The user agent header accosiated with the application, when communicating using HTTP or HTTPS.
For roles: [ Actor, Src ]
For roles: [ Actor, Src, Acting ]

10
ASIM/schemas/entities/ASimSystem.yaml
Просмотреть файл

@ -34,6 +34,12 @@ Fields:
Logical type: Hostname
Description: The device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.
- Name: <<Role>>MacAddr
Type: string
Class: Optional
Logical type: MAC address
Description: The MAC address of the device.
- Name: <<Role>>Domain
Type: string
Class: Optional
@ -94,12 +100,12 @@ Fields:
Description: The country associated with the IP address.
- Name: <<Role>>GeoLatitude
Type: real
Type: Double
Class: Optional
Description: The latitude of the geographical coordinate associated with the IP address.
- Name: <<Role>>GeoLongitude
Type: real
Type: Double
Class: Optional
DstDescription: The longitude of the geographical coordinate associated with the IP address.

Двоичные данные
DataConnectors/AWS-SecurityHubFindings/AzFunAWSSecurityHubIngestion.zip
Просмотреть файл

Двоичный файл не отображается.

54
DataConnectors/M365Defender-VulnerabilityManagement/azureDeploy.json
Просмотреть файл

@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "565765809013731276"
"templateHash": "11347846636968529735"
}
},
"parameters": {
@ -46,14 +46,14 @@
},
"FunctionAppPackageUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"metadata": {
"description": "Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else."
}
},
"DeploymentScriptUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"metadata": {
"description": "Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else."
}
@ -392,9 +392,9 @@
}
},
"properties": {
"azPowerShellVersion": "8.3",
"azPowerShellVersion": "10.0",
"retentionInterval": "PT1H",
"timeout": "PT5M",
"timeout": "PT15M",
"cleanupPreference": "Always",
"primaryScriptUri": "[parameters('DeploymentScriptUri')]",
"arguments": "[format('-PackageUri {0} -SubscriptionId {1} -ResourceGroupName {2} -FunctionAppName {3} -FAScope {4} -UAMIPrincipalId {5}', parameters('FunctionAppPackageUri'), split(subscription().id, '/')[2], resourceGroup().name, parameters('FunctionAppName'), resourceId('Microsoft.Web/sites', parameters('FunctionAppName')), reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('UserAssignedManagedIdentityName')), '2022-01-31-preview').principalId)]"
@ -554,7 +554,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "18108567286443164898"
"templateHash": "6267106311640858417"
}
},
"parameters": {
@ -681,7 +681,7 @@
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"apiVersion": "2022-06-01",
"name": "[parameters('DataCollectionRuleName')]",
"location": "[parameters('LogAnalyticsWorkspaceLocation')]",
"properties": {
@ -817,10 +817,6 @@
},
"Custom-MDVMRecommendations_CL": {
"columns": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -916,6 +912,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
},
@ -1141,10 +1141,6 @@
},
"Custom-MDVMNISTConfigurations_CL": {
"columns": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1200,6 +1196,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1306,7 +1306,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1437,7 +1437,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1588,14 +1588,10 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1651,6 +1647,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1724,10 +1724,6 @@
},
"columns": {
"value": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -1823,6 +1819,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
}
@ -2221,7 +2221,7 @@
"outputs": {
"DcrImmutableId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2021-09-01-preview').immutableId]"
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2022-06-01').immutableId]"
},
"DceUri": {
"type": "string",

56
DataConnectors/M365Defender-VulnerabilityManagement/azureDeployNetworkRestricted.json
Просмотреть файл

@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "8888576794211067773"
"templateHash": "8260351119578024976"
}
},
"parameters": {
@ -53,14 +53,14 @@
},
"FunctionAppPackageUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip",
"metadata": {
"description": "Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else."
}
},
"DeploymentScriptUri": {
"type": "string",
"defaultValue": "https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1",
"metadata": {
"description": "Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else."
}
@ -192,7 +192,7 @@
},
"VirtualNetworkName": {
"type": "string",
"defaultValue": "[format('vnet-mdvm-{0}', uniqueString(resourceGroup().id))]",
"defaultValue": "vnet-mdvm",
"metadata": {
"description": "Name for Virtual Network resource that will be deployed."
}
@ -736,9 +736,9 @@
}
},
"properties": {
"azPowerShellVersion": "8.3",
"azPowerShellVersion": "10.0",
"retentionInterval": "PT1H",
"timeout": "PT5M",
"timeout": "PT15M",
"cleanupPreference": "Always",
"primaryScriptUri": "[parameters('DeploymentScriptUri')]",
"arguments": "[format('-PackageUri {0} -SubscriptionId {1} -ResourceGroupName {2} -FunctionAppName {3} -FAScope {4} -VnetScope {5} -UAMIPrincipalId {6} -RestrictedIPs {7}', parameters('FunctionAppPackageUri'), split(subscription().id, '/')[2], resourceGroup().name, parameters('FunctionAppName'), resourceId('Microsoft.Web/sites', parameters('FunctionAppName')), resourceId('Microsoft.Network/virtualNetworks', parameters('VirtualNetworkName')), reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('UserAssignedManagedIdentityName')), '2022-01-31-preview').principalId, parameters('TrustedIPAddressRanges'))]"
@ -782,7 +782,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "18108567286443164898"
"templateHash": "6267106311640858417"
}
},
"parameters": {
@ -909,7 +909,7 @@
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"apiVersion": "2022-06-01",
"name": "[parameters('DataCollectionRuleName')]",
"location": "[parameters('LogAnalyticsWorkspaceLocation')]",
"properties": {
@ -1045,10 +1045,6 @@
},
"Custom-MDVMRecommendations_CL": {
"columns": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -1144,6 +1140,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
},
@ -1369,10 +1369,6 @@
},
"Custom-MDVMNISTConfigurations_CL": {
"columns": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1428,6 +1424,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1534,7 +1534,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1665,7 +1665,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1816,14 +1816,10 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1879,6 +1875,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1952,10 +1952,6 @@
},
"columns": {
"value": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -2051,6 +2047,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
}
@ -2449,7 +2449,7 @@
"outputs": {
"DcrImmutableId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2021-09-01-preview').immutableId]"
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2022-06-01').immutableId]"
},
"DceUri": {
"type": "string",

8
DataConnectors/M365Defender-VulnerabilityManagement/main.bicep
Просмотреть файл

@ -9,9 +9,9 @@ param DeployApplicationInsights bool = true
@description('Name for the Applications Insights resource that will be used by the Function App if enabled in the DeployApplicationInsights parameter.')
param AppInsightsName string = 'ai-mdvm-${uniqueString(resourceGroup().id)}'
@description('Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else.')
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
@description('Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else.')
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
@description('Name for App Service Plan resource that will be deployed. This is where the Function App will run.')
param AppServicePlanName string = 'asp-mdvm-${uniqueString(resourceGroup().id)}'
@description('Globally unique name for the Storage Account used by the Function App.')
@ -325,9 +325,9 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
}
}
properties: {
azPowerShellVersion: '8.3'
azPowerShellVersion: '10.0'
retentionInterval: 'PT1H'
timeout: 'PT5M'
timeout: 'PT15M'
cleanupPreference: 'Always'
primaryScriptUri: DeploymentScriptUri
arguments: '-PackageUri ${FunctionAppPackageUri} -SubscriptionId ${split(subscription().id, '/')[2]} -ResourceGroupName ${resourceGroup().name} -FunctionAppName ${functionApp.name} -FAScope ${functionApp.id} -UAMIPrincipalId ${userAssignedMi.properties.principalId}'

10
DataConnectors/M365Defender-VulnerabilityManagement/mainNetworkRestricted.bicep
Просмотреть файл

@ -11,9 +11,9 @@ param DeployApplicationInsights bool = true
@description('Name for the Applications Insights resource that will be used by the Function App if enabled in the DeployApplicationInsights parameter.')
param AppInsightsName string = 'ai-mdvm-${uniqueString(resourceGroup().id)}'
@description('Uri where the Function App package is located. Use default value unless you are hosting the package somewhere else.')
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
param FunctionAppPackageUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/functionPackage.zip'
@description('Uri where the post deployment script is located. This is used to publish the Function App code after the resources have been deploted. Use default value unless you are hosting the script somewhere else.')
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/anders-alex/Azure-Sentinel/DataConnector-M365Defender-VulnerabilityManagement/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
param DeploymentScriptUri string = 'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/M365Defender-VulnerabilityManagement/deploymentScript.ps1'
@description('Name for App Service Plan resource that will be deployed. This is where the Function App will run.')
param AppServicePlanName string = 'asp-mdvm-${uniqueString(resourceGroup().id)}'
@description('Globally unique name for the Storage Account used by the Function App.')
@ -99,7 +99,7 @@ param LogAnalyticsWorkspaceLocation string
@description('Specify a comma separated list of CIDR formatted IP address ranges to restrict connecting to the Function App from (i.e. 192.168.1.0/24,172.16.2.5/32).')
param TrustedIPAddressRanges string = '0.0.0.0/0'
@description('Name for Virtual Network resource that will be deployed.')
param VirtualNetworkName string = 'vnet-mdvm-${uniqueString(resourceGroup().id)}'
param VirtualNetworkName string = 'vnet-mdvm'
@description('Name for Virtual Network resource that will be deployed.')
param VirtualNetworkIPAddressPrefix string = '10.0.0.0/16'
@description('Azure Resource Id of the Virtual Network to place private endpoints and Function App VNet integration.')
@ -563,9 +563,9 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
}
}
properties: {
azPowerShellVersion: '8.3'
azPowerShellVersion: '10.0'
retentionInterval: 'PT1H'
timeout: 'PT5M'
timeout: 'PT15M'
cleanupPreference: 'Always'
primaryScriptUri: DeploymentScriptUri
arguments: '-PackageUri ${FunctionAppPackageUri} -SubscriptionId ${split(subscription().id, '/')[2]} -ResourceGroupName ${resourceGroup().name} -FunctionAppName ${functionApp.name} -FAScope ${functionApp.id} -VnetScope ${virtualNetwork.id} -UAMIPrincipalId ${userAssignedMi.properties.principalId} -RestrictedIPs ${TrustedIPAddressRanges}'

44
DataConnectors/M365Defender-VulnerabilityManagement/maintenance/customDcrTables.json
Просмотреть файл

@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "18108567286443164898"
"templateHash": "6267106311640858417"
}
},
"parameters": {
@ -132,7 +132,7 @@
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"apiVersion": "2022-06-01",
"name": "[parameters('DataCollectionRuleName')]",
"location": "[parameters('LogAnalyticsWorkspaceLocation')]",
"properties": {
@ -268,10 +268,6 @@
},
"Custom-MDVMRecommendations_CL": {
"columns": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -367,6 +363,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
},
@ -592,10 +592,6 @@
},
"Custom-MDVMNISTConfigurations_CL": {
"columns": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -651,6 +647,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -757,7 +757,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -888,7 +888,7 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
@ -1039,14 +1039,10 @@
"value": "Analytics"
},
"retention": {
"value": 730
"value": 90
},
"columns": {
"value": [
{
"name": "configurationNumber",
"type": "int"
},
{
"name": "configurationOperator",
"type": "string"
@ -1102,6 +1098,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "configurationNumber",
"type": "int"
}
]
}
@ -1175,10 +1175,6 @@
},
"columns": {
"value": [
{
"name": "activeAlert",
"type": "boolean"
},
{
"name": "associatedThreats",
"type": "dynamic"
@ -1274,6 +1270,10 @@
{
"name": "transactionId",
"type": "string"
},
{
"name": "activeAlert",
"type": "boolean"
}
]
}
@ -1672,7 +1672,7 @@
"outputs": {
"DcrImmutableId": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2021-09-01-preview').immutableId]"
"value": "[reference(resourceId('Microsoft.Insights/dataCollectionRules', parameters('DataCollectionRuleName')), '2022-06-01').immutableId]"
},
"DceUri": {
"type": "string",

40
DataConnectors/M365Defender-VulnerabilityManagement/modules/customDcrTables.bicep
Просмотреть файл

@ -91,7 +91,7 @@ resource roleAssignmentDcr 'Microsoft.Authorization/roleAssignments@2020-10-01-p
}
}
resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
dependsOn: [
tableMDVMCveKb
tableMDVMRecommendations
@ -234,10 +234,6 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
}
'Custom-MDVMRecommendations_CL': {
columns: [
{
name: 'activeAlert'
type: 'boolean'
}
{
name: 'associatedThreats'
type: 'dynamic'
@ -334,6 +330,10 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
name: 'transactionId'
type: 'string'
}
{
name: 'activeAlert'
type: 'boolean'
}
]
}
'Custom-MDVMSecureConfigurationsByDevice_CL': {
@ -558,10 +558,6 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
}
'Custom-MDVMNISTConfigurations_CL': {
columns: [
{
name: 'configurationNumber'
type: 'int'
}
{
name: 'configurationOperator'
type: 'string'
@ -618,6 +614,10 @@ resource dcr 'Microsoft.Insights/dataCollectionRules@2021-09-01-preview' = {
name: 'transactionId'
type: 'string'
}
{
name: 'configurationNumber'
type: 'int'
}
]
}
}
@ -701,7 +701,7 @@ module tableMDVMCveKb 'lawCustomTable.bicep' = {
lawName: split(LogAnalyticsWorkspaceResourceId, '/')[8]
tableName: 'MDVMCVEKB_CL'
plan: 'Analytics'
retention: 730
retention: 90
columns: [
{
name: 'cvssV3'
@ -770,7 +770,7 @@ module tableMDVMNistCveKb 'lawCustomTable.bicep' = {
lawName: split(LogAnalyticsWorkspaceResourceId, '/')[8]
tableName: 'MDVMNISTCVEKB_CL'
plan: 'Analytics'
retention: 730
retention: 90
columns: [
{
name: 'cveId'
@ -859,12 +859,8 @@ module tableMDVMNistConfigurations 'lawCustomTable.bicep' = {
lawName: split(LogAnalyticsWorkspaceResourceId, '/')[8]
tableName: 'MDVMNISTConfigurations_CL'
plan: 'Analytics'
retention: 730
retention: 90
columns: [
{
name: 'configurationNumber'
type: 'int'
}
{
name: 'configurationOperator'
type: 'string'
@ -921,6 +917,10 @@ module tableMDVMNistConfigurations 'lawCustomTable.bicep' = {
name: 'transactionId'
type: 'string'
}
{
name: 'configurationNumber'
type: 'int'
}
]
}
}
@ -933,10 +933,6 @@ module tableMDVMRecommendations 'lawCustomTable.bicep' = {
tableName: 'MDVMRecommendations_CL'
plan: 'Analytics'
columns: [
{
name: 'activeAlert'
type: 'boolean'
}
{
name: 'associatedThreats'
type: 'dynamic'
@ -1033,6 +1029,10 @@ module tableMDVMRecommendations 'lawCustomTable.bicep' = {
name: 'transactionId'
type: 'string'
}
{
name: 'activeAlert'
type: 'boolean'
}
]
}
}

6
DataConnectors/M365Defender-VulnerabilityManagement/readme.md
Просмотреть файл

@ -64,17 +64,17 @@ foreach ($appRole in $appRoles) {
### Non-Network Restricted Deployment
No virtual network or Private Endpoints are deployed and public network access to the Function App and Storage Account is unrestricted. The Key Vault is restricted to only allow access from Function App public IP addresses. Use this for test environments or if you prefer to implement network restrictions yourself after deployment.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanders-alex%2FAzure-Sentinel%2FDataConnector-M365Defender-VulnerabilityManagement%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeploy.json)
### Network Restricted Deployment
Function App public access is restricted and a virtual network along with the appropriate Private DNS Zones are created to provide out of the box Private Endpoint connectivity between the Function App and its dependencies (Key Vault and Storage Account).
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanders-alex%2FAzure-Sentinel%2FDataConnector-M365Defender-VulnerabilityManagement%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeployNetworkRestricted.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2FazureDeployNetworkRestricted.json)
### Workbook Deployment
A modified version of the Defender for Cloud "Vulnerability Assessment Findings" workbook to include the MDVM data collected by this connector.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fanders-alex%2FAzure-Sentinel%2FDataConnector-M365Defender-VulnerabilityManagement%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2Fworkbooks%2FazureDeploy.json)
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FDataConnectors%2FM365Defender-VulnerabilityManagement%2Fworkbooks%2FazureDeploy.json)
![image](https://user-images.githubusercontent.com/50784041/232255325-974cce56-b0ca-41df-827e-f97f65589e33.png)

2
DataConnectors/M365Defender-VulnerabilityManagement/workbooks/azureDeploy.json
Просмотреть файл

@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.13.1.58284",
"templateHash": "12428279436367741536"
"templateHash": "15537029820804678138"
}
},
"parameters": {

2
DataConnectors/Zoom/azuredeploy.json
Просмотреть файл

@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "ZoomLogs",
"defaultValue": "[concat('ZoomLogs',uniqueString(subscription().subscriptionId))]",
"type": "string"
},
"customLogName": {

4
DataConnectors/Zoom/azuredeploy_kv.json
Просмотреть файл

@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "ZoomLogs",
"defaultValue": "[concat('ZoomLogs',uniqueString(subscription().subscriptionId))]",
"type": "String"
}
},
@ -42,4 +42,4 @@
}
}
]
}
}

102
Detections/MultipleDataSources/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml Normal file
Просмотреть файл

@ -0,0 +1,102 @@
id: 1f40ed57-f54b-462f-906a-ac3a89cc90d4
name: Cross-Cloud Password Spray detection
description: |
'This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
// Materialize a table named "Azure_Bruforce" containing Azure Portal sign-in logs within the last 1 day
let Azure_Bruforce = materialize (
SigninLogs
// Filter sign-in logs related to the Azure Portal
| where AppDisplayName == "Azure Portal"
// Exclude entries with empty OriginalRequestId
| where isnotempty(OriginalRequestId)
// Summarize various counts and sets based on brute force criteria
| summarize
AzureSuccessfulEvent = countif(ResultType == 0),
AzureFailedEvent = countif(ResultType != 0),
totalAzureLoginEventId = dcount(OriginalRequestId),
AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0),
AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),
AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5),
AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5)
by
IPAddress,
UserPrincipalName,
bin(TimeGenerated, 1min),
UserAgent,
ConditionalAccessStatus,
OperationName,
RiskDetail,
AuthenticationRequirement,
ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
| extend
Name = tostring(split(UserPrincipalName, '@')[0]),
UPNSuffix = tostring(split(UserPrincipalName, '@')[1]));
// Materialize a table named "AWS_Bruforce" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day
let AWS_Bruforce = materialize (
AWSCloudTrail
// Filter CloudTrail events related to ConsoleLogin
| where EventName == "ConsoleLogin"
// Extract ActionType from ResponseElements JSON
| extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin)
// Summarize various counts and sets based on brute force criteria
| summarize
AWSSuccessful=countif(ActionType == "Success"),
AWSFailed = countif(ActionType == "Failure"),
totalAwsEventId= dcount(AwsEventId),
AWSFailedEventsCount = dcountif(AwsEventId, ActionType == "Failure"),
AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == "Success"),
AWSFailedevents = makeset(iff(ActionType == "Failure", AwsEventId, ""), 5),
AWSSuccessfulEvents = makeset(iff(ActionType == "Success", AwsEventId, ""), 5)
// Grouping by various attributes
by
SourceIpAddress,
UserIdentityUserName,
bin(TimeGenerated, 1min),
UserAgent );
// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents
Azure_Bruforce
| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent
// Filtering based on conditions for failed and successful events
| where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AwsUser: UserIdentityUserName
UserAgent: UserAgent
AzureUser: UserPrincipalName
AzureClientAppUsed: ClientAppUsed
kind: Scheduled
version: 1.0.0

149
Detections/MultipleDataSources/CrossCloudUnauthorizedCredentialsAccessDetection.yaml Normal file
Просмотреть файл

@ -0,0 +1,149 @@
id: 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1
name: Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login
description: |
'
This detection correlates AWS GuardDuty Credential Access alerts related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring.
'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AWSS3
dataTypes:
- AWSGuardDuty
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- InitialAccess
relevantTechniques:
- T1557
- T1110
- T1110.003
- T1110.004
- T1606
- T1556
- T1133
query: |
// Define variable 'AwsAlert' to collect AWS GuardDuty CredentialAccess alerts related to Amazon Relational Database Service (RDS) activity
let AwsAlert = materialize (
AWSGuardDuty
| where ActivityType has_any (
"CredentialAccess:RDS/TorIPCaller.SuccessfulLogin",
"CredentialAccess:RDS/TorIPCaller.FailedLogin",
"CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce",
"CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin",
"CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin",
"CredentialAccess:RDS/MaliciousIPCaller.FailedLogin"
)
| extend
AWSAlertId = Id,
AWSAlertTitle = Title,
AWSAlertDescription = Description,
AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4),
RDSInstanceId = tostring(parse_json(ResourceDetails).rdsDbInstanceDetails.dbInstanceIdentifier),
RDSUser = tostring(parse_json(ResourceDetails).rdsDbUserDetails.user),
RDSApplication = tostring(parse_json(ResourceDetails).rdsDbUserDetails.application),
RDSactionType = tostring(parse_json(ServiceDetails).action.actionType),
AWSAlertTime = TimeCreated,
AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),
Severity =
case (
Severity >= 7.0, "High",
Severity between (4.0 .. 6.9), "Medium",
Severity between (1.0 .. 3.9), "Low",
"Unknown")
| distinct
AWSAlertTime,
ActivityType,
AWSAlertId,
AWSAlertLink,
AWSAlertTitle,
AWSAlertDescription,
AWSresourceType,
Arn,
Severity,
RDSactionType,
RDSApplication,
RDSInstanceId,
RDSUser,
AWSNetworkEntity
);
// Define variable 'Azure_sigin' to collect Azure portal sign-in activities
let Azure_sigin = materialize (
SigninLogs
| where AppDisplayName == "Azure Portal"
| where isnotempty(OriginalRequestId)
| summarize
AzureSuccessfulEvent = countif(ResultType == 0),
AzureFailedEvent = countif(ResultType != 0),
totalAzureLoginEventId = dcount(OriginalRequestId),
AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0),
AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),
AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5),
AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5)
by
IPAddress,
UserPrincipalName,
bin(TimeGenerated, 1min),
UserAgent,
ConditionalAccessStatus,
OperationName,
RiskDetail,
AuthenticationRequirement,
ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
| extend
Name = tostring(split(UserPrincipalName, '@')[0]),
UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
);
// Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address
AwsAlert
| join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
customDetails:
AWSAlertUserName: RDSUser
AWSArn: Arn
AWSresourceType: AWSresourceType
AWSInstanceType: RDSactionType
AWSAplicationName: RDSApplication
AWSInstanceId: RDSInstanceId
AzureUserAgent: UserAgent
AzureUser: UserPrincipalName
AzureClientAppUsed: ClientAppUsed
AzConditionalAccess: ConditionalAccessStatus
AzureOperationName: OperationName
AzureRiskDetail: RiskDetail
AzAuthRequirement: AuthenticationRequirement
alertSeverity: Severity
alertDetailsOverride:
alertDisplayNameFormat: "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}"
alertDescriptionFormat: "This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
alertSeverityColumnName: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: AWSAlertLink
- alertProperty: ProviderName
value: "AWS"
- alertProperty: ProductName
value: "AWSGuardDuty"
- alertProperty: ProductComponentName
value: "AWSGuardDuty"
- alertProperty: Severity
value: Severity
kind: Scheduled
version: 1.0.0

123
Detections/MultipleDataSources/SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray.yaml Normal file
Просмотреть файл

@ -0,0 +1,123 @@
id: 188db479-d50a-4a9c-a041-644bae347d1f
name: Successful AWS Console Login from IP Address Observed Conducting Password Spray
description: |
'This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.
Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert.
The login is considered relevant if it originates from an IP address associated with potential attackers.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- SecurityAlert
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1110
- T1078
query: |
SecurityAlert
// Filtering alerts based on Microsoft product names and Relevent alert names
| where ProductName in ( "Microsoft Cloud App Security","Azure Active Directory Identity Protection")
|where AlertName in ("Multiple failed user log on attempts to an app","Password Spray")
// Parsing and extending the 'Entities' column as JSON objects
| extend Entities = parse_json(Entities)
// Exploring IP entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'ip'
| extend EntityIp = tostring(Entity.Address)
)
// Exploring account entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend AccountObjectId = tostring(Entity.AadUserId)
)
// Filtering out alerts with missing IP or account information
| where isnotempty(EntityIp) and isnotempty(AccountObjectId)
// Summarizing relevant fields for further analysis
| summarize
by
AlertName,
ProductName,
ProviderName,
AlertSeverity,
EntityIp,
Tactics,
Techniques,
AlertTime= bin(TimeGenerated, 1min),
AccountObjectId,
AlertTimeGenerated=TimeGenerated
// Joining with IdentityInfo to obtain additional account details
| join kind=inner (
IdentityInfo
| where TimeGenerated >= ago(1d)
| distinct AccountObjectId, AccountUPN=tolower(AccountUPN)
)
on AccountObjectId
|extend Name = tostring(split(AccountUPN,'@')[0]), UPNSuffix =tostring(split(AccountUPN,'@')[1])
// Joining with AWSCloudTrail data to correlate AWS console logins
| join kind=inner (
AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))
| extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin)
| where ActionType == "Success"
| extend AWSTime= bin(TimeGenerated, 1min)
| project
EventName,
EventSource,
EventTypeName,
RecipientAccountId,
ResponseElements,
SessionMfaAuthenticated,
SourceIpAddress,
TimeGenerated,
UserAgent,
UserIdentityArn,
UserIdentityType,
CTUPN,
AWSTime,
UserIdentityUserName
)
on $left.EntityIp == $right.SourceIpAddress
// Filtering login event after the Alert generation time
| where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))
// Calculating the time difference between alert generation and AWS login
| extend timediff = datetime_diff('minute', AlertTimeGenerated, TimeGenerated)
// Filtering alerts with a time difference of up to 60 minutes
| where timediff <= 60
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AWSUser: UserIdentityArn
UserAgent: UserAgent
AWSUserUPN: CTUPN
kind: Scheduled
version: 1.0.0

128
Detections/MultipleDataSources/SuspiciousAWSConsolLoginByCredentialAceessAlerts.yaml Normal file
Просмотреть файл

@ -0,0 +1,128 @@
id: b51fe620-62ad-4ed2-9d40-5c97c0a8231f
name: Suspicious AWS console logins by credential access alerts
description: |
'This query aims to detect instances of successful AWS console logins that align with high-severity credential access or Initial Access alerts generated by Defender Products.
Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.'
severity: Medium
requiredDataConnectors:
- connectorId: OfficeATP
dataTypes:
- SecurityAlert
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: MicrosoftDefenderAdvancedThreatProtection
dataTypes:
- SecurityAlert
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
- connectorId: MicrosoftThreatProtection
dataTypes:
- SecurityAlert
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1078
query: |
SecurityAlert
// Filtering alerts based on Microsoft product names
| where ProductName in ("Microsoft 365 Defender", "Azure Active Directory", "Microsoft Defender Advanced Threat Protection", "Microsoft Cloud App Security","Azure Active Directory Identity Protection", "Microsoft Defender ATP")
// Narrowing down alerts to specific tactics
| where Tactics in("CredentialAccess", "InitialAccess")
// Focusing on high-severity alerts
| where AlertSeverity == "High"
// Parsing and extending the 'Entities' column as JSON objects
| extend Entities = parse_json(Entities)
// Exploring IP entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'ip'
| extend EntityIp = tostring(Entity.Address)
)
// Exploring account entities within the alert entities
| mv-apply Entity = Entities on
(
where Entity.Type == 'account'
| extend AccountObjectId = tostring(Entity.AadUserId)
)
// Filtering out alerts with missing IP or account information
| where isnotempty(EntityIp) and isnotempty(AccountObjectId)
// Summarizing relevant fields for further analysis
| summarize
by
AlertName,
ProductName,
ProviderName,
AlertSeverity,
EntityIp,
Tactics,
Techniques,
AlertTime= bin(TimeGenerated, 1min),
AccountObjectId,
AlertTimeGenerated=TimeGenerated
// Joining with IdentityInfo to obtain additional account details
| join kind=inner (
IdentityInfo
| where TimeGenerated >= ago(1d)
| distinct AccountObjectId, AccountUPN=tolower(AccountUPN)
)
on AccountObjectId
|extend Name = tostring(split(AccountUPN,'@')[0]), UPNSuffix =tostring(split(AccountUPN,'@')[1])
// Joining with AWSCloudTrail data to correlate AWS console logins
| join kind=inner (
AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))
| extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin)
| where ActionType == "Success"
| extend AWSTime= bin(TimeGenerated, 1min)
| project
EventName,
EventSource,
EventTypeName,
RecipientAccountId,
ResponseElements,
SessionMfaAuthenticated,
SourceIpAddress,
TimeGenerated,
UserAgent,
UserIdentityArn,
UserIdentityType,
CTUPN,
AWSTime,
UserIdentityUserName
)
on $left.EntityIp == $right.SourceIpAddress
// Filtering login event after the Alert generation time
| where AlertTimeGenerated >= AWSTime
// Calculating the time difference between alert generation and AWS login
| extend timediff = datetime_diff('minute', AlertTimeGenerated, TimeGenerated)
// Filtering alerts with a time difference of up to 60 minutes
| where timediff between ((-60)..(60))
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AWSUSerUPN: CTUPN
AzureUserUPN: AccountUPN
ComonIp: SourceIpAddress
UserAgent: UserAgent
kind: Scheduled
version: 1.0.0

147
Detections/MultipleDataSources/Unauthorized_user_access_across_AWS_and_Azure.yaml Normal file
Просмотреть файл

@ -0,0 +1,147 @@
id: 60f31001-018a-42bf-8045-a92e1f361b7b
name: Unauthorized user access across AWS and Azure
description: |
'
This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The ditection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources.
'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AWSS3
dataTypes:
- AWSGuardDuty
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- Exfiltration
- Discovery
relevantTechniques:
- T1557
- T1110
- T1110.003
- T1110.004
- T1212
- T1048
- T1087
- T1580
query: |
// Define a variable 'AwsAlert' to collect Unauthorized user access alerts from AWS GuardDuty table
let AwsAlert = materialize (
AWSGuardDuty
| where ActivityType has_any ("UnauthorizedAccess:IAMUser/TorIPCaller", "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
"UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS",
"UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B","UnauthorizedAccess:IAMUser/MaliciousIPCaller")
| extend
AWSAlertId = Id,
AWSAlertTitle = Title,
AWSAlertDescription = Description,
AWSresourceType = tostring(parse_json(ResourceDetails).resourceType),
AWSNetworkEntity = tostring(parse_json(ServiceDetails).action.awsApiCallAction.remoteIpDetails.ipAddressV4),
AWSAlertUserNameEntity = tostring(parse_json(ResourceDetails).accessKeyDetails.userName),
InstanceType = tostring(parse_json(ResourceDetails).instanceDetails.instanceType),
AWSTargetingService = parse_json(ServiceDetails).additionalInfo.apiCalls,
AWSAlertTime = TimeCreated,
AWSAlertLink= tostring(strcat('https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=',Id)),
Severity =
case (
Severity >= 7.0, "High",
Severity between (4.0 .. 6.9), "Medium",
Severity between (1.0 .. 3.9), "Low",
"Unknown")
| mv-apply AIPCall = AWSTargetingService on
(
where AIPCall has "name"
| extend APICallName = tostring(AIPCall.name), APICallCount = tostring(AIPCall["count"])
)
| distinct
AWSAlertTime,
ActivityType,
Severity,
AWSAlertId,
AWSAlertTitle,
AWSAlertDescription,
AWSAlertLink,
Arn,
AWSresourceType,
AWSNetworkEntity,
AWSAlertUserNameEntity,
InstanceType,
APICallName,
APICallCount
);
// Define a variable 'Azure_sigin' to collect Azure portal Signing activity from SigninLogs Table
let Azure_sigin = materialize (SigninLogs
| where AppDisplayName == "Azure Portal"
| where isnotempty(OriginalRequestId)
| summarize
totalAzureLoginEventId = dcount(OriginalRequestId),
AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0),
AzureSuccessfulEventsCount = dcountif(OriginalRequestId, ResultType == 0),
AzureSetOfFailedEvents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5),
AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5)
by
IPAddress,
UserPrincipalName,
bin(TimeGenerated, 1min),
UserAgent,
ConditionalAccessStatus,
OperationName,
RiskDetail,
AuthenticationRequirement,
ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
| extend
Name = tostring(split(UserPrincipalName, "@")[0]),
UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
);
// Join 'AwsAlert' and 'Azure_sigin' on the AWS Network Entity and Azure IP Address
AwsAlert
| join kind=inner Azure_sigin on $left.AWSNetworkEntity == $right.IPAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
customDetails:
AWSAlertUserName: AWSAlertUserNameEntity
AWSArn: Arn
AWSresourceType: AWSresourceType
AWSInstanceType: InstanceType
AWSAPICallName: APICallName
AWSAPICallCount: APICallCount
AzureUserAgent: UserAgent
AzureUser: UserPrincipalName
AzureClientAppUsed: ClientAppUsed
AzConditionalAccess: ConditionalAccessStatus
AzureOperationName: OperationName
AzureRiskDetail: RiskDetail
AzAuthRequirement: AuthenticationRequirement
alertSeverity: Severity
alertDetailsOverride:
alertDisplayNameFormat: "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}"
alertDescriptionFormat: " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
alertSeverityColumnName: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: AWSAlertLink
- alertProperty: ProviderName
value: "AWS"
- alertProperty: ProductName
value: "AWSGuardDuty"
- alertProperty: ProductComponentName
value: "AWSGuardDuty"
- alertProperty: Severity
value: severity
kind: Scheduled
version: 1.0.0

68
Detections/MultipleDataSources/UserImpersonateByAAID.yaml Normal file
Просмотреть файл

@ -0,0 +1,68 @@
id: 11c3d541-5fa5-49df-8218-d1c98584473b
name: User impersonation by Identity Protection alerts
description: |
'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1134
query: |
// Retrieve SecurityAlerts generated within the last day
SecurityAlert
// Filter alerts for Azure Active Directory Identity Protection and High severity
| where ProductName has "Azure Active Directory Identity Protection"
| where AlertSeverity == "High"
// Extract IP address entities from the 'Entities' field
| extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
// Filter out alerts without IP address entities
| where isnotempty(ipAddress)
// Summarize entities per unique combination of attributes
| summarize make_set(Entities)
by
AlertTime = TimeGenerated,
ipAddress,
AlertName,
ProductName,
AlertSeverity
// Perform an inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| extend UserType = tostring(parse_json(RequestParameters).userType)
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile")
| summarize
make_set(RequestParameters),
make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime = TimeGenerated
)
on $left.ipAddress == $right.SourceIpAddress
// Filter results based on temporal correlation
| where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AWSUser: UserIdentityArn
AlertIp : ipAddress
AlertName: AlertName
kind: Scheduled
version: 1.0.0

72
Detections/MultipleDataSources/UserImpersonateByRiskyUser.yaml Normal file
Просмотреть файл

@ -0,0 +1,72 @@
id: f4a28082-2808-4783-9736-33c1ae117475
name: High-Risk Cross-Cloud User Impersonation
description: |
'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Azure AD Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
severity: Medium
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1134
- T1078.002
- T1078.004
query: |
// Retrieve Azure AD SigninLogs within the last day
SigninLogs
// Filter for specific AppDisplayNames, ResultType, and Risk Levels
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
and RiskLevelAggregated == "high"
and RiskLevelDuringSignIn == "high"
// Summarize AppDisplayNames by relevant attributes
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
| summarize make_set(AppDisplayName)
by
IPAddress,
signInTime=TimeGenerated,
UserPrincipalName,
RiskEventTypes,
RiskEventTypes_V2
// Inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
// List of AWS event names
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
// Summarize relevant attributes
| summarize make_set(RequestParameters), make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime=TimeGenerated,
EventSource
)
on $left.IPAddress == $right.SourceIpAddress
// Calculate time difference in hours between AWS event and Azure sign-in
| extend timedef = datetime_diff("hour", EventTime, signInTime)
// Filter for time differences within a certain range
| where timedef between (0 .. 8)
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
customDetails:
AwsUser: UserIdentityArn
RiskEventTypes: RiskEventTypes
AzureUser: UserPrincipalName
AWSEventName: EventName
kind: Scheduled
version: 1.0.0

28
Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-group-adds.yaml Normal file
Просмотреть файл

@ -0,0 +1,28 @@
id: f5e4d3c2-b1a0-4f9d-8e7c-6b5a4d3e2c1f
name: AAD group adds in the last 7 days
description: |
This query looks for AAD group adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege Escalation
relevantTechniques:
- T1548
query: >
let LookBack = 7d;
CloudAppEvents
| where ActionType in ("Add member to group.") and AccountType == "Regular" and Timestamp > ago(LookBack)
| extend SecondElement = RawEventData.ModifiedProperties[1]
| extend UserAddedId = RawEventData.ObjectId
| extend GroupName = SecondElement.NewValue
| project Timestamp, ActionType,UserAddedId,PerformedBy = AccountDisplayName,GroupName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: DisplayName
columnName: UserAddedId
- identifier: DisplayName
columnName: PerformedBy
version: 1.0.0

34
Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-role-adds.yaml Normal file
Просмотреть файл

@ -0,0 +1,34 @@
id: d7f6e5c4-b3a2-4e9f-8d7c-6a5b4c3d2e1f
name: AAD role adds in the last 7 days
description: |
This query looks for AAD role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Privilege Escalation
relevantTechniques:
- T1548
query: >
let LookBack = 7d;
CloudAppEvents
| where ActionType in ("Add member to role.") and Timestamp > ago(LookBack)
| extend FirstElement = ActivityObjects[0], SecondElement = ActivityObjects[1], ThirdElement = ActivityObjects[2]
| extend Type = FirstElement.ServiceObjectType
| extend RoleName = FirstElement.Name
| extend UserAddedName = SecondElement.Name
| extend UserAddedObjectId = SecondElement.Id
| project Timestamp,Type,ActionType,RoleName,UserAddedName,UserAddedObjectId,PerformedByObjectId = AccountId,PerformedByDisplayName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: DisplayName
columnName: UserAddedName
- identifier: ObjectGuid
columnName: UserAddedObjectId
- identifier: ObjectGuid
columnName: PerformedByObjectId
- identifier: DisplayName
columnName: PerformedByDisplayName
version: 1.0.0

29
Hunting Queries/Microsoft 365 Defender/Cloud Apps/mass-downloads.yaml Normal file
Просмотреть файл

@ -0,0 +1,29 @@
id: a1b2c3d4-e5f6-4g7h-8i9j-k0l1m2n3o4p5
name: Mass Downloads in the last 7 days
description: |
This query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: >
let lookback = 7d; //set the period to query
let threshold = 50; //set the threshold for number of downloads
let downloadTimeframe = 5m; //set the bin timeframe to group the events
CloudAppEvents
| where ActionType == "FileDownloaded" and Timestamp > ago(lookback) // Filter to only "Download" actions
| summarize DownloadCount=count() by AccountDisplayName, AccountObjectId, bin(Timestamp,downloadTimeframe) //bin the results into a timeframe by the account
| where DownloadCount > threshold //filter the records that don't meet the threshold
| project AccountDisplayName,AccountObjectId,DownloadCount
entityMappings:
- entityType: Account
fieldMappings:
- identifier: ObjectGuid
columnName: AccountObjectId
- identifier: DisplayName
columnName: AccountDisplayName
version: 1.0.0

4
Logos/DataminrPulse.svg Normal file
Просмотреть файл

@ -0,0 +1,4 @@
<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg">
<path fill-rule="evenodd" clip-rule="evenodd" d="M22.5735 0H8V37.3223V62.2038H22.5735V37.3223H36.9692H37.1469V37.3214C47.3713 37.2261 55.6304 28.9081 55.6304 18.6611C55.6304 8.41416 47.3713 0.0961907 37.1469 0.000828258V0H36.9692H22.5735Z" fill="#0054BB"/>
<path d="M28.2607 75V42.8318H28.7117C37.3954 42.8318 46.8444 43.0684 53.5787 37.5861C61.6963 30.9777 63.3167 20.1156 59.3626 12.0853C64.9076 19.0521 67.1825 31.2796 67.1825 37.3223C66.4716 66.8957 46.8626 74.8223 37.147 75H28.2607Z" fill="#3D88F9"/>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 610 B

26
Logos/SpyCloud_Enterprise_Protection.svg Normal file
Просмотреть файл

@ -0,0 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 26.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="961f48f1-9bca-4e48-9245-b71f47f76a6a"
xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 155 51.6"
xml:space="preserve">
<g>
<path d="M16.1,20.4L11.7,20c-4-0.3-4.2-0.6-4.2-3.3c0-3.2,0.3-3.5,6.4-3.5c3.5,0,5.5,0.2,6.9,0.5l0.3-0.3v-1.1
c0-1.9-0.7-2.6-8.2-2.6c-8.3,0-10.2,1.1-10.2,7.3c0,5.6,1,6.9,6.3,7.4l4.6,0.5c3.9,0.3,4.2,0.6,4.2,3.4c0,3.4-0.3,4-6.2,4
c-4.2,0-7.2-0.3-8.8-0.7l-0.2,0.2v1.3c0,2.3,0.8,3,9.1,3c9.4,0,11-1.5,11-7.9C22.5,21.6,21.4,20.9,16.1,20.4z"/>
<path d="M36.3,16.9c-3.2,0-4.5,0.8-5.5,2.2c-0.2-1.6-0.8-1.9-2.2-1.9h-2.1l-0.3,0.3v26.2l4.7-0.7v-9c0.9,1.5,2.4,1.8,5.7,1.8
c5.1,0,6.4-1.3,6.4-9.5C42.9,18.1,42.1,16.9,36.3,16.9z M34.5,32.2c-3.1,0-3.7-0.6-3.7-2.7v-6.2c0-2.5,1-3,3.7-3
c3.4,0,3.8,0.6,3.8,5.9C38.2,31.6,37.9,32.2,34.5,32.2z"/>
<path d="M54.8,31.9h-0.6c-0.7,0-0.8-0.1-1-0.8l-3.4-13.9h-4.9L48.9,32c0.9,3.4,1.5,3.8,4.8,3.8l-0.5,1.9c-0.6,2.3-0.8,2.4-3,2.4
c-0.8,0-1.7,0-2.3-0.1l-0.3,0.3v1c0,1.8,0.7,2.4,3.8,2.4c4.2,0,4.8-0.8,5.9-5.3l5.8-21.2h-4.8L54.8,31.9z"/>
<path d="M78.5,9.6c-9.5,0-10.7,1.3-10.7,13.1S69,35.9,78.4,35.9c6.6,0,7.9-0.6,7.9-1.9v-0.8l-0.2-0.2c-1.3,0.3-3.4,0.6-6.9,0.6
c-7.8,0-8.3-0.6-8.3-10.7S71.4,12,79.2,12c3.4,0,5.7,0.2,6.9,0.5l0.2-0.2v-0.8C86.2,10.1,85.3,9.6,78.5,9.6z"/>
<polygon points="91.1,35.5 93.9,35.5 93.9,7.9 91.1,8.3 "/>
<path d="M106.3,16.9c-6.7,0-7.8,1.4-7.8,9.5c0,8,1,9.5,7.8,9.5c6.9,0,7.8-1.4,7.8-9.5S113,16.9,106.3,16.9z M106.3,33.5
c-4.2,0-4.8-0.6-4.8-7.2c0-6.5,0.6-7.2,4.8-7.2s4.8,0.6,4.8,7.2C111.1,32.9,110.5,33.5,106.3,33.5z"/>
<path d="M129.9,30.4c0,2.7-1.9,3.2-4.9,3.2c-3.4,0-4-0.5-4-4.1V17.1h-2.9v12.3c0,5.5,1.1,6.3,5.9,6.3c3.5,0,4.8-0.6,5.8-2.1
c0.1,1.6,0.6,1.8,1.5,1.8h1.1l0.2-0.2V17.1h-2.9C129.9,17.1,129.9,30.4,129.9,30.4z"/>
<path d="M149.6,8.3v10.4c-0.9-1.5-2.4-1.8-5.6-1.8c-5.7,0-6.7,1.4-6.7,9.5s0.9,9.5,6.6,9.5c3.8,0,4.9-0.7,5.8-2.1
c0.2,1.6,0.6,1.8,1.5,1.8h1.1l0.2-0.2V8L149.6,8.3z M149.6,30.3c0,2.7-1.8,3.3-4.7,3.3c-4.2,0-4.7-0.6-4.7-7.2s0.6-7.2,4.7-7.2
c4,0,4.8,0.8,4.8,3.1v8H149.6z"/>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 2.1 KiB

11
Logos/foxy-mark.svg Normal file
Просмотреть файл

@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg
xmlns="http://www.w3.org/2000/svg" viewBox="0 0 160 160">
<rect width="160" height="160" fill="#fff"></rect>
<g>
<polygon points="87.7 67.69 101.57 58.58 101.57 81.66 106.74 86.87 84.4 108.66 80.02 108.66 80.02 67.69 87.7 67.69" fill="#ba0c2f"></polygon>
<polygon points="72.33 67.69 58.47 58.58 58.47 81.66 53.29 86.87 75.65 108.66 80.02 108.66 80.02 67.69 72.33 67.69" fill="#e4002b"></polygon>
<path d="M41.37,123.22l7.46-10.38a45.32,45.32,0,0,1,52.35-72.91l7.45-10.36a58,58,0,0,0-67.26,93.67Z" fill="#ba0c2f"></path>
<path d="M118.72,36.78l-7.55,10.38a45.32,45.32,0,0,1-52.35,72.91l-7.45,10.36a58,58,0,0,0,67.26-93.67Z" fill="#e4002b"></path>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 715 B

77
Parsers/ASimDns/Parsers/ASimDnsMicrosoftNXlog.yaml
Просмотреть файл

@ -1,17 +1,19 @@
Parser:
Title: DNS activity ASIM parser for Microsoft DNS logs collected using NXlog
Version: '0.4'
LastUpdated: Dec 11 2022
Version: '0.5.0'
LastUpdated: Sep 06 2023
Product:
Name: MS DNS Events
Normalization:
Schema: Dns
Version: '0.1.3'
Version: '0.1.7'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: Resource Record (RR) TYPEs
Link: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
Description: |
This ASIM parser supports normalizing Microsoft DNS logs, collected using NXlog, to the ASIM Dns normalized schema.
ParserName: ASimDnsMicrosoftNXlog
@ -161,6 +163,61 @@ ParserQuery: |
, 31,'EID'
, 32,'NIMLOC'
, 33,'SRV'
, 34,'ATMA'
, 35,'NAPTR'
, 36,'KX'
, 37,'CERT'
, 38,'A6'
, 39,'DNAME'
, 40,'SINK'
, 41,'OPT'
, 42,'APL'
, 43,'DS'
, 44,'SSHFP'
, 45,'IPSECKEY'
, 46,'RRSIG'
, 47,'NSEC'
, 48,'DNSKEY'
, 49,'DHCID'
, 50,'NSEC3'
, 51,'NSEC3PARAM'
, 52,'TLSA'
, 53,'SMIMEA'
, 55,'HIP'
, 56,'NINFO'
, 57,'RKEY'
, 58,'TALINK'
, 59,'CDS'
, 60,'CDNSKEY'
, 61,'OPENPGPKEY'
, 62,'CSYNC'
, 63,'ZONEMD'
, 64,'SVCB'
, 65,'HTTPS'
, 99,'SPF'
, 100,'UINFO'
, 101,'UID'
, 102,'GID'
, 103,'UNSPEC'
, 104,'NID'
, 105,'L32'
, 106,'L64'
, 107,'LP'
, 108,'EUI48'
, 109,'EUI64'
, 249,'TKEY'
, 250,'TSIG'
, 251,'IXFR'
, 252,'AXFR'
, 253,'MAILB'
, 254,'MAILA'
, 255,'*'
, 256,'URI'
, 257,'CAA'
, 258,'AVC'
, 259,'DOA'
, 32768,'TA'
, 32769,'DLV'
];
NXLog_DNS_Server_CL | where not(disabled)
| where EventID_d < 281
@ -174,16 +231,18 @@ ParserQuery: |
EventOriginalType=EventID_d,
EventOriginalUid=GUID_g,
EventStartTime=EventTime_t,
SrcIpAddr=Source_s
SrcIpAddr=Source_s,
EventUid=_ItemId
| extend
DnsQuery=trim_end(".",DnsQuery),
DnsQueryType=toint(DnsQueryType),
DnsResponseCode=toint(DnsResponseCode),
SrcPortNumber=toint(Port_s),
DvcHostname=Dvc,
DvcIpAddr=HostIP_s,
EventEndTime=EventStartTime,
EventProduct = "DNS Server",
EventSchemaVersion = "0.1.3",
EventSchemaVersion = "0.1.7",
EventVendor = "Microsoft",
EventSchema = "Dns",
EventCount = int(1),
@ -211,11 +270,11 @@ ParserQuery: |
, DnsQueryType between (261 .. 32767), 'Unassigned'
, 'Unassigned'),
EventResult=iff (EventResult == "Based on RCODE", iff(DnsResponseCode == 0, "Success", "Failure"),EventResult)
| extend
| extend
// Aliases
IpAddr = SrcIpAddr,
Src = SrcIpAddr
| project-away
*_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData
};
ASimDnsMicrosoftNXLog(disabled)
*_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId
};
ASimDnsMicrosoftNXLog(disabled=disabled)

92
Parsers/ASimDns/Parsers/vimDnsMicrosoftNXlog.yaml
Просмотреть файл

@ -1,17 +1,19 @@
Parser:
Title: DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog
Version: '0.4'
LastUpdated: Dec 11 2022
Version: '0.5.0'
LastUpdated: Sep 06 2023
Product:
Name: MS DNS Events
Normalization:
Schema: Dns
Version: '0.1.3'
Version: '0.1.7'
References:
- Title: ASIM DNS Schema
Link: https://aka.ms/ASimDnsDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: Resource Record (RR) TYPEs
Link: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
Description: |
This ASIM parser supports filtering and normalizing Microsoft DNS logs, collected using NXlog, to the ASIM Dns normalized schema.
ParserName: vimDnsMicrosoftNXlog
@ -192,6 +194,61 @@ ParserQuery: |
, 31,'EID'
, 32,'NIMLOC'
, 33,'SRV'
, 34,'ATMA'
, 35,'NAPTR'
, 36,'KX'
, 37,'CERT'
, 38,'A6'
, 39,'DNAME'
, 40,'SINK'
, 41,'OPT'
, 42,'APL'
, 43,'DS'
, 44,'SSHFP'
, 45,'IPSECKEY'
, 46,'RRSIG'
, 47,'NSEC'
, 48,'DNSKEY'
, 49,'DHCID'
, 50,'NSEC3'
, 51,'NSEC3PARAM'
, 52,'TLSA'
, 53,'SMIMEA'
, 55,'HIP'
, 56,'NINFO'
, 57,'RKEY'
, 58,'TALINK'
, 59,'CDS'
, 60,'CDNSKEY'
, 61,'OPENPGPKEY'
, 62,'CSYNC'
, 63,'ZONEMD'
, 64,'SVCB'
, 65,'HTTPS'
, 99,'SPF'
, 100,'UINFO'
, 101,'UID'
, 102,'GID'
, 103,'UNSPEC'
, 104,'NID'
, 105,'L32'
, 106,'L64'
, 107,'LP'
, 108,'EUI48'
, 109,'EUI64'
, 249,'TKEY'
, 250,'TSIG'
, 251,'IXFR'
, 252,'AXFR'
, 253,'MAILB'
, 254,'MAILA'
, 255,'*'
, 256,'URI'
, 257,'CAA'
, 258,'AVC'
, 259,'DOA'
, 32768,'TA'
, 32769,'DLV'
];
NXLog_DNS_Server_CL | where not(disabled)
| where EventID_d < 281
@ -221,16 +278,18 @@ ParserQuery: |
Dvc=Hostname_s,
EventOriginalUid=GUID_g,
EventStartTime=EventTime_t,
SrcIpAddr=Source_s
SrcIpAddr=Source_s,
EventUid=_ItemId
| extend
DnsQuery=trim_end(".",DnsQuery),
DnsQueryType=toint(DnsQueryType),
DnsResponseCode=toint(DnsResponseCode),
SrcPortNumber=toint(Port_s),
DvcHostname=Dvc,
DvcIpAddr=HostIP_s,
EventEndTime=EventStartTime,
EventProduct = "DNS Server",
EventSchemaVersion = "0.1.3",
EventSchemaVersion = "0.1.7",
EventVendor = "Microsoft",
EventSchema = "Dns",
EventCount = int(1),
@ -256,18 +315,21 @@ ParserQuery: |
, DnsQueryType between (110 .. 248), 'Unassigned'
, DnsQueryType between (261 .. 32767), 'Unassigned'
, 'Unassigned'),
EventResult=iff (EventResult == "Based on RCODE", iff(DnsResponseCode == 0, "Success", "Failure"),EventResult)
EventResult=iff (EventResult == "Based on RCODE", iff(DnsResponseCode == 0, "Success", "Failure"),EventResult)
| extend
// Aliases
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
// Backward compatibility
Query = DnsQuery,
QueryType = DnsQueryType,
QueryTypeName = DnsQueryTypeName,
ResponseCode = DnsResponseCode,
ResponseCodeName = DnsResponseCodeName
Src = SrcIpAddr
| project-away
*_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData
*_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId, eventtype
};
ASimDnsMicrosoftNXLog (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)
ASimDnsMicrosoftNXLog (
starttime=starttime,
endtime=endtime,
srcipaddr=srcipaddr,
domain_has_any=domain_has_any,
responsecodename=responsecodename,
response_has_ipv4=response_has_ipv4,
response_has_any_prefix=response_has_any_prefix,
eventtype=eventtype,
disabled=disabled)

14
Parsers/ASimDns/Tests/Microsoft_DNS Server_Dns_DataTest_ASimDnsMicrosoftNXLog.csv Normal file
Просмотреть файл

@ -0,0 +1,14 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 120 records (1.3%) for field [EventType] of type [Enumerated]: [""Zone XFR""] (Schema:Dns)"
"(1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.59%) for field [DnsQuery] of type [RecommendedDnsDomain]: [""aaareretFEREWSD==.moveinto.space""] (Schema:Dns)"
"(1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.59%) for field [Domain] of type [RecommendedDnsDomain]: [""aaareretFEREWSD==.moveinto.space""] (Schema:Dns)"
"(1) Warning: Empty value in 4065 records (44.05%) in mandatory field [Src] (Schema:Dns)"
"(2) Info: Empty value in 120 records (1.3%) in optional field [DnsQueryType] (Schema:Dns)"
"(2) Info: Empty value in 1324 records (14.35%) in optional field [EventOriginalUid] (Schema:Dns)"
"(2) Info: Empty value in 201 records (2.18%) in optional field [SrcPortNumber] (Schema:Dns)"
"(2) Info: Empty value in 276 records (2.99%) in optional field [DnsResponseName] (Schema:Dns)"
"(2) Info: Empty value in 4065 records (44.05%) in recommended field [SrcIpAddr] (Schema:Dns)"
"(2) Info: Empty value in 4115 records (44.59%) in optional field [DnsFlagsRecursionDesired] (Schema:Dns)"
"(2) Info: Empty value in 5474 records (59.32%) in optional field [DnsFlagsAuthenticated] (Schema:Dns)"
"(2) Info: Empty value in 5474 records (59.32%) in optional field [DnsFlagsAuthoritative] (Schema:Dns)"
"(2) Info: Empty value in 6481 records (70.23%) in optional field [DnsResponseCode] (Schema:Dns)"
1 Result
2 (0) Error: 1 invalid value(s) (up to 10 listed) in 120 records (1.3%) for field [EventType] of type [Enumerated]: ["Zone XFR"] (Schema:Dns)
3 (1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.59%) for field [DnsQuery] of type [RecommendedDnsDomain]: ["aaareretFEREWSD==.moveinto.space"] (Schema:Dns)
4 (1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.59%) for field [Domain] of type [RecommendedDnsDomain]: ["aaareretFEREWSD==.moveinto.space"] (Schema:Dns)
5 (1) Warning: Empty value in 4065 records (44.05%) in mandatory field [Src] (Schema:Dns)
6 (2) Info: Empty value in 120 records (1.3%) in optional field [DnsQueryType] (Schema:Dns)
7 (2) Info: Empty value in 1324 records (14.35%) in optional field [EventOriginalUid] (Schema:Dns)
8 (2) Info: Empty value in 201 records (2.18%) in optional field [SrcPortNumber] (Schema:Dns)
9 (2) Info: Empty value in 276 records (2.99%) in optional field [DnsResponseName] (Schema:Dns)
10 (2) Info: Empty value in 4065 records (44.05%) in recommended field [SrcIpAddr] (Schema:Dns)
11 (2) Info: Empty value in 4115 records (44.59%) in optional field [DnsFlagsRecursionDesired] (Schema:Dns)
12 (2) Info: Empty value in 5474 records (59.32%) in optional field [DnsFlagsAuthenticated] (Schema:Dns)
13 (2) Info: Empty value in 5474 records (59.32%) in optional field [DnsFlagsAuthoritative] (Schema:Dns)
14 (2) Info: Empty value in 6481 records (70.23%) in optional field [DnsResponseCode] (Schema:Dns)

12
Parsers/ASimDns/Tests/Microsoft_DNS Server_Dns_DataTest_vimDnsMicrosoftNXLog.csv Normal file
Просмотреть файл

@ -0,0 +1,12 @@
Result
"(1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.68%) for field [DnsQuery] of type [RecommendedDnsDomain]: [""aaareretFEREWSD==.moveinto.space""] (Schema:Dns)"
"(1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.68%) for field [Domain] of type [RecommendedDnsDomain]: [""aaareretFEREWSD==.moveinto.space""] (Schema:Dns)"
"(1) Warning: Empty value in 4005 records (43.97%) in mandatory field [Src] (Schema:Dns)"
"(2) Info: Empty value in 1204 records (13.22%) in optional field [EventOriginalUid] (Schema:Dns)"
"(2) Info: Empty value in 216 records (2.37%) in optional field [DnsResponseName] (Schema:Dns)"
"(2) Info: Empty value in 3995 records (43.86%) in optional field [DnsFlagsRecursionDesired] (Schema:Dns)"
"(2) Info: Empty value in 4005 records (43.97%) in recommended field [SrcIpAddr] (Schema:Dns)"
"(2) Info: Empty value in 5354 records (58.78%) in optional field [DnsFlagsAuthenticated] (Schema:Dns)"
"(2) Info: Empty value in 5354 records (58.78%) in optional field [DnsFlagsAuthoritative] (Schema:Dns)"
"(2) Info: Empty value in 6421 records (70.5%) in optional field [DnsResponseCode] (Schema:Dns)"
"(2) Info: Empty value in 81 records (0.89%) in optional field [SrcPortNumber] (Schema:Dns)"
1 Result
2 (1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.68%) for field [DnsQuery] of type [RecommendedDnsDomain]: ["aaareretFEREWSD==.moveinto.space"] (Schema:Dns)
3 (1) Warning: 1 abnormal value(s) (up to 10 listed) in 608 records (6.68%) for field [Domain] of type [RecommendedDnsDomain]: ["aaareretFEREWSD==.moveinto.space"] (Schema:Dns)
4 (1) Warning: Empty value in 4005 records (43.97%) in mandatory field [Src] (Schema:Dns)
5 (2) Info: Empty value in 1204 records (13.22%) in optional field [EventOriginalUid] (Schema:Dns)
6 (2) Info: Empty value in 216 records (2.37%) in optional field [DnsResponseName] (Schema:Dns)
7 (2) Info: Empty value in 3995 records (43.86%) in optional field [DnsFlagsRecursionDesired] (Schema:Dns)
8 (2) Info: Empty value in 4005 records (43.97%) in recommended field [SrcIpAddr] (Schema:Dns)
9 (2) Info: Empty value in 5354 records (58.78%) in optional field [DnsFlagsAuthenticated] (Schema:Dns)
10 (2) Info: Empty value in 5354 records (58.78%) in optional field [DnsFlagsAuthoritative] (Schema:Dns)
11 (2) Info: Empty value in 6421 records (70.5%) in optional field [DnsResponseCode] (Schema:Dns)
12 (2) Info: Empty value in 81 records (0.89%) in optional field [SrcPortNumber] (Schema:Dns)

109
Parsers/ASimDns/Tests/Microsoft_DNS Server_Dns_SchemaTest_ASimDnsMicrosoftNXLog.csv Normal file
Просмотреть файл

@ -0,0 +1,109 @@
Result
"(1) Warning: Missing recommended field [DnsQueryClassName]"
"(1) Warning: Missing recommended field [Dst]"
"(1) Warning: Missing recommended field [DvcDomain]"
"(1) Warning: Missing recommended field [SrcDomain]"
"(1) Warning: Missing recommended field [SrcHostname]"
"(2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]"
"(2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]"
"(2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]"
"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]"
"(2) Info: Missing optional alias [User] aliasing non-existent column [SrcUsername]"
"(2) Info: Missing optional field [AdditionalFields]"
"(2) Info: Missing optional field [DnsFlagsCheckingDisabled]"
"(2) Info: Missing optional field [DnsFlagsRecursionAvailable]"
"(2) Info: Missing optional field [DnsFlagsTruncated]"
"(2) Info: Missing optional field [DnsFlagsZ]"
"(2) Info: Missing optional field [DnsNetworkDuration]"
"(2) Info: Missing optional field [DnsQueryClass]"
"(2) Info: Missing optional field [DnsResponseIpCity]"
"(2) Info: Missing optional field [DnsResponseIpCountry]"
"(2) Info: Missing optional field [DnsResponseIpLatitude]"
"(2) Info: Missing optional field [DnsResponseIpLongitude]"
"(2) Info: Missing optional field [DnsResponseIpRegion]"
"(2) Info: Missing optional field [DnsSessionId]"
"(2) Info: Missing optional field [DstDescription]"
"(2) Info: Missing optional field [DstDeviceType]"
"(2) Info: Missing optional field [DstDomain]"
"(2) Info: Missing optional field [DstDvcId]"
"(2) Info: Missing optional field [DstDvcScopeId]"
"(2) Info: Missing optional field [DstDvcScope]"
"(2) Info: Missing optional field [DstFQDN]"
"(2) Info: Missing optional field [DstGeoCity]"
"(2) Info: Missing optional field [DstGeoCountry]"
"(2) Info: Missing optional field [DstGeoLatitude]"
"(2) Info: Missing optional field [DstGeoLongitude]"
"(2) Info: Missing optional field [DstGeoRegion]"
"(2) Info: Missing optional field [DstHostname]"
"(2) Info: Missing optional field [DstIpAddr]"
"(2) Info: Missing optional field [DstOriginalRiskLevel]"
"(2) Info: Missing optional field [DstPortNumber]"
"(2) Info: Missing optional field [DstRiskLevel]"
"(2) Info: Missing optional field [DvcAction]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcFQDN]"
"(2) Info: Missing optional field [DvcId]"
"(2) Info: Missing optional field [DvcInterface]"
"(2) Info: Missing optional field [DvcMacAddr]"
"(2) Info: Missing optional field [DvcOriginalAction]"
"(2) Info: Missing optional field [DvcOsVersion]"
"(2) Info: Missing optional field [DvcOs]"
"(2) Info: Missing optional field [DvcScopeId]"
"(2) Info: Missing optional field [DvcScope]"
"(2) Info: Missing optional field [DvcZone]"
"(2) Info: Missing optional field [EventMessage]"
"(2) Info: Missing optional field [EventOriginalSeverity]"
"(2) Info: Missing optional field [EventOriginalSubType]"
"(2) Info: Missing optional field [EventOwner]"
"(2) Info: Missing optional field [EventProductVersion]"
"(2) Info: Missing optional field [EventReportUrl]"
"(2) Info: Missing optional field [EventSeverity]"
"(2) Info: Missing optional field [NetworkProtocolVersion]"
"(2) Info: Missing optional field [RuleName]"
"(2) Info: Missing optional field [RuleNumber]"
"(2) Info: Missing optional field [Rule]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: Missing optional field [SrcDeviceType]"
"(2) Info: Missing optional field [SrcDvcId]"
"(2) Info: Missing optional field [SrcDvcScopeId]"
"(2) Info: Missing optional field [SrcDvcScope]"
"(2) Info: Missing optional field [SrcFQDN]"
"(2) Info: Missing optional field [SrcGeoCity]"
"(2) Info: Missing optional field [SrcGeoCountry]"
"(2) Info: Missing optional field [SrcGeoLatitude]"
"(2) Info: Missing optional field [SrcGeoLongitude]"
"(2) Info: Missing optional field [SrcGeoRegion]"
"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
"(2) Info: Missing optional field [SrcOriginalUserType]"
"(2) Info: Missing optional field [SrcProcessGuid]"
"(2) Info: Missing optional field [SrcProcessId]"
"(2) Info: Missing optional field [SrcProcessName]"
"(2) Info: Missing optional field [SrcRiskLevel]"
"(2) Info: Missing optional field [SrcUserAWSId]"
"(2) Info: Missing optional field [SrcUserAadId]"
"(2) Info: Missing optional field [SrcUserId]"
"(2) Info: Missing optional field [SrcUserOktaId]"
"(2) Info: Missing optional field [SrcUserScopeId]"
"(2) Info: Missing optional field [SrcUserScope]"
"(2) Info: Missing optional field [SrcUserSessionId]"
"(2) Info: Missing optional field [SrcUserSid]"
"(2) Info: Missing optional field [SrcUserType]"
"(2) Info: Missing optional field [SrcUserUid]"
"(2) Info: Missing optional field [SrcUsername]"
"(2) Info: Missing optional field [TenantId]"
"(2) Info: Missing optional field [ThreatCategory]"
"(2) Info: Missing optional field [ThreatConfidence]"
"(2) Info: Missing optional field [ThreatField]"
"(2) Info: Missing optional field [ThreatFirstReportedTime]"
"(2) Info: Missing optional field [ThreatId]"
"(2) Info: Missing optional field [ThreatIpAddr]"
"(2) Info: Missing optional field [ThreatIsActive]"
"(2) Info: Missing optional field [ThreatLastReportedTime]"
"(2) Info: Missing optional field [ThreatName]"
"(2) Info: Missing optional field [ThreatOriginalConfidence]"
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
"(2) Info: Missing optional field [ThreatRiskLevel]"
"(2) Info: Missing optional field [UrlCategory]"
"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [SrcHostname]"
"(2) Info: extra unnormalized column [Category]"
"(2) Info: extra unnormalized column [Level]"
1 Result
2 (1) Warning: Missing recommended field [DnsQueryClassName]
3 (1) Warning: Missing recommended field [Dst]
4 (1) Warning: Missing recommended field [DvcDomain]
5 (1) Warning: Missing recommended field [SrcDomain]
6 (1) Warning: Missing recommended field [SrcHostname]
7 (2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]
8 (2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]
9 (2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]
10 (2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]
11 (2) Info: Missing optional alias [User] aliasing non-existent column [SrcUsername]
12 (2) Info: Missing optional field [AdditionalFields]
13 (2) Info: Missing optional field [DnsFlagsCheckingDisabled]
14 (2) Info: Missing optional field [DnsFlagsRecursionAvailable]
15 (2) Info: Missing optional field [DnsFlagsTruncated]
16 (2) Info: Missing optional field [DnsFlagsZ]
17 (2) Info: Missing optional field [DnsNetworkDuration]
18 (2) Info: Missing optional field [DnsQueryClass]
19 (2) Info: Missing optional field [DnsResponseIpCity]
20 (2) Info: Missing optional field [DnsResponseIpCountry]
21 (2) Info: Missing optional field [DnsResponseIpLatitude]
22 (2) Info: Missing optional field [DnsResponseIpLongitude]
23 (2) Info: Missing optional field [DnsResponseIpRegion]
24 (2) Info: Missing optional field [DnsSessionId]
25 (2) Info: Missing optional field [DstDescription]
26 (2) Info: Missing optional field [DstDeviceType]
27 (2) Info: Missing optional field [DstDomain]
28 (2) Info: Missing optional field [DstDvcId]
29 (2) Info: Missing optional field [DstDvcScopeId]
30 (2) Info: Missing optional field [DstDvcScope]
31 (2) Info: Missing optional field [DstFQDN]
32 (2) Info: Missing optional field [DstGeoCity]
33 (2) Info: Missing optional field [DstGeoCountry]
34 (2) Info: Missing optional field [DstGeoLatitude]
35 (2) Info: Missing optional field [DstGeoLongitude]
36 (2) Info: Missing optional field [DstGeoRegion]
37 (2) Info: Missing optional field [DstHostname]
38 (2) Info: Missing optional field [DstIpAddr]
39 (2) Info: Missing optional field [DstOriginalRiskLevel]
40 (2) Info: Missing optional field [DstPortNumber]
41 (2) Info: Missing optional field [DstRiskLevel]
42 (2) Info: Missing optional field [DvcAction]
43 (2) Info: Missing optional field [DvcDescription]
44 (2) Info: Missing optional field [DvcFQDN]
45 (2) Info: Missing optional field [DvcId]
46 (2) Info: Missing optional field [DvcInterface]
47 (2) Info: Missing optional field [DvcMacAddr]
48 (2) Info: Missing optional field [DvcOriginalAction]
49 (2) Info: Missing optional field [DvcOsVersion]
50 (2) Info: Missing optional field [DvcOs]
51 (2) Info: Missing optional field [DvcScopeId]
52 (2) Info: Missing optional field [DvcScope]
53 (2) Info: Missing optional field [DvcZone]
54 (2) Info: Missing optional field [EventMessage]
55 (2) Info: Missing optional field [EventOriginalSeverity]
56 (2) Info: Missing optional field [EventOriginalSubType]
57 (2) Info: Missing optional field [EventOwner]
58 (2) Info: Missing optional field [EventProductVersion]
59 (2) Info: Missing optional field [EventReportUrl]
60 (2) Info: Missing optional field [EventSeverity]
61 (2) Info: Missing optional field [NetworkProtocolVersion]
62 (2) Info: Missing optional field [RuleName]
63 (2) Info: Missing optional field [RuleNumber]
64 (2) Info: Missing optional field [Rule]
65 (2) Info: Missing optional field [SrcDescription]
66 (2) Info: Missing optional field [SrcDeviceType]
67 (2) Info: Missing optional field [SrcDvcId]
68 (2) Info: Missing optional field [SrcDvcScopeId]
69 (2) Info: Missing optional field [SrcDvcScope]
70 (2) Info: Missing optional field [SrcFQDN]
71 (2) Info: Missing optional field [SrcGeoCity]
72 (2) Info: Missing optional field [SrcGeoCountry]
73 (2) Info: Missing optional field [SrcGeoLatitude]
74 (2) Info: Missing optional field [SrcGeoLongitude]
75 (2) Info: Missing optional field [SrcGeoRegion]
76 (2) Info: Missing optional field [SrcOriginalRiskLevel]
77 (2) Info: Missing optional field [SrcOriginalUserType]
78 (2) Info: Missing optional field [SrcProcessGuid]
79 (2) Info: Missing optional field [SrcProcessId]
80 (2) Info: Missing optional field [SrcProcessName]
81 (2) Info: Missing optional field [SrcRiskLevel]
82 (2) Info: Missing optional field [SrcUserAWSId]
83 (2) Info: Missing optional field [SrcUserAadId]
84 (2) Info: Missing optional field [SrcUserId]
85 (2) Info: Missing optional field [SrcUserOktaId]
86 (2) Info: Missing optional field [SrcUserScopeId]
87 (2) Info: Missing optional field [SrcUserScope]
88 (2) Info: Missing optional field [SrcUserSessionId]
89 (2) Info: Missing optional field [SrcUserSid]
90 (2) Info: Missing optional field [SrcUserType]
91 (2) Info: Missing optional field [SrcUserUid]
92 (2) Info: Missing optional field [SrcUsername]
93 (2) Info: Missing optional field [TenantId]
94 (2) Info: Missing optional field [ThreatCategory]
95 (2) Info: Missing optional field [ThreatConfidence]
96 (2) Info: Missing optional field [ThreatField]
97 (2) Info: Missing optional field [ThreatFirstReportedTime]
98 (2) Info: Missing optional field [ThreatId]
99 (2) Info: Missing optional field [ThreatIpAddr]
100 (2) Info: Missing optional field [ThreatIsActive]
101 (2) Info: Missing optional field [ThreatLastReportedTime]
102 (2) Info: Missing optional field [ThreatName]
103 (2) Info: Missing optional field [ThreatOriginalConfidence]
104 (2) Info: Missing optional field [ThreatOriginalRiskLevel]
105 (2) Info: Missing optional field [ThreatRiskLevel]
106 (2) Info: Missing optional field [UrlCategory]
107 (2) Info: Missing recommended alias [Hostname] aliasing non-existent column [SrcHostname]
108 (2) Info: extra unnormalized column [Category]
109 (2) Info: extra unnormalized column [Level]

109
Parsers/ASimDns/Tests/Microsoft_DNS Server_Dns_SchemaTest_vimDnsMicrosoftNXLog.csv Normal file
Просмотреть файл

@ -0,0 +1,109 @@
Result
"(1) Warning: Missing recommended field [DnsQueryClassName]"
"(1) Warning: Missing recommended field [Dst]"
"(1) Warning: Missing recommended field [DvcDomain]"
"(1) Warning: Missing recommended field [SrcDomain]"
"(1) Warning: Missing recommended field [SrcHostname]"
"(2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]"
"(2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]"
"(2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]"
"(2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]"
"(2) Info: Missing optional alias [User] aliasing non-existent column [SrcUsername]"
"(2) Info: Missing optional field [AdditionalFields]"
"(2) Info: Missing optional field [DnsFlagsCheckingDisabled]"
"(2) Info: Missing optional field [DnsFlagsRecursionAvailable]"
"(2) Info: Missing optional field [DnsFlagsTruncated]"
"(2) Info: Missing optional field [DnsFlagsZ]"
"(2) Info: Missing optional field [DnsNetworkDuration]"
"(2) Info: Missing optional field [DnsQueryClass]"
"(2) Info: Missing optional field [DnsResponseIpCity]"
"(2) Info: Missing optional field [DnsResponseIpCountry]"
"(2) Info: Missing optional field [DnsResponseIpLatitude]"
"(2) Info: Missing optional field [DnsResponseIpLongitude]"
"(2) Info: Missing optional field [DnsResponseIpRegion]"
"(2) Info: Missing optional field [DnsSessionId]"
"(2) Info: Missing optional field [DstDescription]"
"(2) Info: Missing optional field [DstDeviceType]"
"(2) Info: Missing optional field [DstDomain]"
"(2) Info: Missing optional field [DstDvcId]"
"(2) Info: Missing optional field [DstDvcScopeId]"
"(2) Info: Missing optional field [DstDvcScope]"
"(2) Info: Missing optional field [DstFQDN]"
"(2) Info: Missing optional field [DstGeoCity]"
"(2) Info: Missing optional field [DstGeoCountry]"
"(2) Info: Missing optional field [DstGeoLatitude]"
"(2) Info: Missing optional field [DstGeoLongitude]"
"(2) Info: Missing optional field [DstGeoRegion]"
"(2) Info: Missing optional field [DstHostname]"
"(2) Info: Missing optional field [DstIpAddr]"
"(2) Info: Missing optional field [DstOriginalRiskLevel]"
"(2) Info: Missing optional field [DstPortNumber]"
"(2) Info: Missing optional field [DstRiskLevel]"
"(2) Info: Missing optional field [DvcAction]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcFQDN]"
"(2) Info: Missing optional field [DvcId]"
"(2) Info: Missing optional field [DvcInterface]"
"(2) Info: Missing optional field [DvcMacAddr]"
"(2) Info: Missing optional field [DvcOriginalAction]"
"(2) Info: Missing optional field [DvcOsVersion]"
"(2) Info: Missing optional field [DvcOs]"
"(2) Info: Missing optional field [DvcScopeId]"
"(2) Info: Missing optional field [DvcScope]"
"(2) Info: Missing optional field [DvcZone]"
"(2) Info: Missing optional field [EventMessage]"
"(2) Info: Missing optional field [EventOriginalSeverity]"
"(2) Info: Missing optional field [EventOriginalSubType]"
"(2) Info: Missing optional field [EventOwner]"
"(2) Info: Missing optional field [EventProductVersion]"
"(2) Info: Missing optional field [EventReportUrl]"
"(2) Info: Missing optional field [EventSeverity]"
"(2) Info: Missing optional field [NetworkProtocolVersion]"
"(2) Info: Missing optional field [RuleName]"
"(2) Info: Missing optional field [RuleNumber]"
"(2) Info: Missing optional field [Rule]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: Missing optional field [SrcDeviceType]"
"(2) Info: Missing optional field [SrcDvcId]"
"(2) Info: Missing optional field [SrcDvcScopeId]"
"(2) Info: Missing optional field [SrcDvcScope]"
"(2) Info: Missing optional field [SrcFQDN]"
"(2) Info: Missing optional field [SrcGeoCity]"
"(2) Info: Missing optional field [SrcGeoCountry]"
"(2) Info: Missing optional field [SrcGeoLatitude]"
"(2) Info: Missing optional field [SrcGeoLongitude]"
"(2) Info: Missing optional field [SrcGeoRegion]"
"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
"(2) Info: Missing optional field [SrcOriginalUserType]"
"(2) Info: Missing optional field [SrcProcessGuid]"
"(2) Info: Missing optional field [SrcProcessId]"
"(2) Info: Missing optional field [SrcProcessName]"
"(2) Info: Missing optional field [SrcRiskLevel]"
"(2) Info: Missing optional field [SrcUserAWSId]"
"(2) Info: Missing optional field [SrcUserAadId]"
"(2) Info: Missing optional field [SrcUserId]"
"(2) Info: Missing optional field [SrcUserOktaId]"
"(2) Info: Missing optional field [SrcUserScopeId]"
"(2) Info: Missing optional field [SrcUserScope]"
"(2) Info: Missing optional field [SrcUserSessionId]"
"(2) Info: Missing optional field [SrcUserSid]"
"(2) Info: Missing optional field [SrcUserType]"
"(2) Info: Missing optional field [SrcUserUid]"
"(2) Info: Missing optional field [SrcUsername]"
"(2) Info: Missing optional field [TenantId]"
"(2) Info: Missing optional field [ThreatCategory]"
"(2) Info: Missing optional field [ThreatConfidence]"
"(2) Info: Missing optional field [ThreatField]"
"(2) Info: Missing optional field [ThreatFirstReportedTime]"
"(2) Info: Missing optional field [ThreatId]"
"(2) Info: Missing optional field [ThreatIpAddr]"
"(2) Info: Missing optional field [ThreatIsActive]"
"(2) Info: Missing optional field [ThreatLastReportedTime]"
"(2) Info: Missing optional field [ThreatName]"
"(2) Info: Missing optional field [ThreatOriginalConfidence]"
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
"(2) Info: Missing optional field [ThreatRiskLevel]"
"(2) Info: Missing optional field [UrlCategory]"
"(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [SrcHostname]"
"(2) Info: extra unnormalized column [Category]"
"(2) Info: extra unnormalized column [Level]"
1 Result
2 (1) Warning: Missing recommended field [DnsQueryClassName]
3 (1) Warning: Missing recommended field [Dst]
4 (1) Warning: Missing recommended field [DvcDomain]
5 (1) Warning: Missing recommended field [SrcDomain]
6 (1) Warning: Missing recommended field [SrcHostname]
7 (2) Info: Missing optional alias [DomainCategory] aliasing non-existent column [UrlCategory]
8 (2) Info: Missing optional alias [Duration] aliasing non-existent column [DnsNetworkDuration]
9 (2) Info: Missing optional alias [Process] aliasing non-existent column [SrcProcessName]
10 (2) Info: Missing optional alias [SessionId] aliasing non-existent column [DnsSessionId]
11 (2) Info: Missing optional alias [User] aliasing non-existent column [SrcUsername]
12 (2) Info: Missing optional field [AdditionalFields]
13 (2) Info: Missing optional field [DnsFlagsCheckingDisabled]
14 (2) Info: Missing optional field [DnsFlagsRecursionAvailable]
15 (2) Info: Missing optional field [DnsFlagsTruncated]
16 (2) Info: Missing optional field [DnsFlagsZ]
17 (2) Info: Missing optional field [DnsNetworkDuration]
18 (2) Info: Missing optional field [DnsQueryClass]
19 (2) Info: Missing optional field [DnsResponseIpCity]
20 (2) Info: Missing optional field [DnsResponseIpCountry]
21 (2) Info: Missing optional field [DnsResponseIpLatitude]
22 (2) Info: Missing optional field [DnsResponseIpLongitude]
23 (2) Info: Missing optional field [DnsResponseIpRegion]
24 (2) Info: Missing optional field [DnsSessionId]
25 (2) Info: Missing optional field [DstDescription]
26 (2) Info: Missing optional field [DstDeviceType]
27 (2) Info: Missing optional field [DstDomain]
28 (2) Info: Missing optional field [DstDvcId]
29 (2) Info: Missing optional field [DstDvcScopeId]
30 (2) Info: Missing optional field [DstDvcScope]
31 (2) Info: Missing optional field [DstFQDN]
32 (2) Info: Missing optional field [DstGeoCity]
33 (2) Info: Missing optional field [DstGeoCountry]
34 (2) Info: Missing optional field [DstGeoLatitude]
35 (2) Info: Missing optional field [DstGeoLongitude]
36 (2) Info: Missing optional field [DstGeoRegion]
37 (2) Info: Missing optional field [DstHostname]
38 (2) Info: Missing optional field [DstIpAddr]
39 (2) Info: Missing optional field [DstOriginalRiskLevel]
40 (2) Info: Missing optional field [DstPortNumber]
41 (2) Info: Missing optional field [DstRiskLevel]
42 (2) Info: Missing optional field [DvcAction]
43 (2) Info: Missing optional field [DvcDescription]
44 (2) Info: Missing optional field [DvcFQDN]
45 (2) Info: Missing optional field [DvcId]
46 (2) Info: Missing optional field [DvcInterface]
47 (2) Info: Missing optional field [DvcMacAddr]
48 (2) Info: Missing optional field [DvcOriginalAction]
49 (2) Info: Missing optional field [DvcOsVersion]
50 (2) Info: Missing optional field [DvcOs]
51 (2) Info: Missing optional field [DvcScopeId]
52 (2) Info: Missing optional field [DvcScope]
53 (2) Info: Missing optional field [DvcZone]
54 (2) Info: Missing optional field [EventMessage]
55 (2) Info: Missing optional field [EventOriginalSeverity]
56 (2) Info: Missing optional field [EventOriginalSubType]
57 (2) Info: Missing optional field [EventOwner]
58 (2) Info: Missing optional field [EventProductVersion]
59 (2) Info: Missing optional field [EventReportUrl]
60 (2) Info: Missing optional field [EventSeverity]
61 (2) Info: Missing optional field [NetworkProtocolVersion]
62 (2) Info: Missing optional field [RuleName]
63 (2) Info: Missing optional field [RuleNumber]
64 (2) Info: Missing optional field [Rule]
65 (2) Info: Missing optional field [SrcDescription]
66 (2) Info: Missing optional field [SrcDeviceType]
67 (2) Info: Missing optional field [SrcDvcId]
68 (2) Info: Missing optional field [SrcDvcScopeId]
69 (2) Info: Missing optional field [SrcDvcScope]
70 (2) Info: Missing optional field [SrcFQDN]
71 (2) Info: Missing optional field [SrcGeoCity]
72 (2) Info: Missing optional field [SrcGeoCountry]
73 (2) Info: Missing optional field [SrcGeoLatitude]
74 (2) Info: Missing optional field [SrcGeoLongitude]
75 (2) Info: Missing optional field [SrcGeoRegion]
76 (2) Info: Missing optional field [SrcOriginalRiskLevel]
77 (2) Info: Missing optional field [SrcOriginalUserType]
78 (2) Info: Missing optional field [SrcProcessGuid]
79 (2) Info: Missing optional field [SrcProcessId]
80 (2) Info: Missing optional field [SrcProcessName]
81 (2) Info: Missing optional field [SrcRiskLevel]
82 (2) Info: Missing optional field [SrcUserAWSId]
83 (2) Info: Missing optional field [SrcUserAadId]
84 (2) Info: Missing optional field [SrcUserId]
85 (2) Info: Missing optional field [SrcUserOktaId]
86 (2) Info: Missing optional field [SrcUserScopeId]
87 (2) Info: Missing optional field [SrcUserScope]
88 (2) Info: Missing optional field [SrcUserSessionId]
89 (2) Info: Missing optional field [SrcUserSid]
90 (2) Info: Missing optional field [SrcUserType]
91 (2) Info: Missing optional field [SrcUserUid]
92 (2) Info: Missing optional field [SrcUsername]
93 (2) Info: Missing optional field [TenantId]
94 (2) Info: Missing optional field [ThreatCategory]
95 (2) Info: Missing optional field [ThreatConfidence]
96 (2) Info: Missing optional field [ThreatField]
97 (2) Info: Missing optional field [ThreatFirstReportedTime]
98 (2) Info: Missing optional field [ThreatId]
99 (2) Info: Missing optional field [ThreatIpAddr]
100 (2) Info: Missing optional field [ThreatIsActive]
101 (2) Info: Missing optional field [ThreatLastReportedTime]
102 (2) Info: Missing optional field [ThreatName]
103 (2) Info: Missing optional field [ThreatOriginalConfidence]
104 (2) Info: Missing optional field [ThreatOriginalRiskLevel]
105 (2) Info: Missing optional field [ThreatRiskLevel]
106 (2) Info: Missing optional field [UrlCategory]
107 (2) Info: Missing recommended alias [Hostname] aliasing non-existent column [SrcHostname]
108 (2) Info: extra unnormalized column [Category]
109 (2) Info: extra unnormalized column [Level]

0
Parsers/ASimDns/test/README.md → Parsers/ASimDns/Tests/README.md
Просмотреть файл

1
Parsers/ASimNetworkSession/Parsers/imNetworkSession.yaml
Просмотреть файл

@ -73,7 +73,6 @@ ParserParams:
- Name: pack
Type: bool
Default: false
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));

39
Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml Normal file
Просмотреть файл

@ -0,0 +1,39 @@
Parser:
Title: User Management ASIM parser
Version: '0.1.0'
LastUpdated: 16 Jul, 2023
Product:
Name: Source agnostic
Normalization:
Schema: UserManagement
Version: '0.1'
References:
- Title: ASIM UserManagement Schema
Link: https://aka.ms/ASimUserManagementDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.
ParserName: ASimUserManagement
EquivalentBuiltInParser: _ASim_UserManagement
Parsers:
- _Im_UserManagement_Empty
- _ASim_UserManagement_MicrosoftSecurityEvent
ParserParams:
- Name: pack
Type: bool
Default: false
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
let ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser=(
pack:bool=false
){
union isfuzzy=true
vimUserManagementEmpty,
ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers)))
};
parser (
pack=pack
)

252
Parsers/ASimUserManagement/Parsers/ASimUserManagementMicrosoftSecurityEvent.yaml Normal file
Просмотреть файл

@ -0,0 +1,252 @@
Parser:
Title: User Management ASIM parser for Microsoft Security Event logs
Version: '0.1.0'
LastUpdated: 16 Jul, 2023
Product:
Name: Microsoft
Normalization:
Schema: UserManagement
Version: '0.1.1'
References:
- Title: ASIM User Management Schema
Link: https://aka.ms/ASimUserManagementDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Audit User Account Management
Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Description: |
This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
ParserName: ASimUserManagementMicrosoftSecurityEvent
EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let parser = (
disabled:bool = false
) {
let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)
[
"4720", "UserCreated", "UserCreated", "",
"4722", "UserEnabled", "UserModified", "",
"4723", "PasswordChanged", "UserModified", "",
"4724", "PasswordReset", "UserModified", "",
"4725", "UserDisabled", "UserModified", "",
"4726", "UserDeleted", "UserModified", "",
"4727", "GroupCreated", "GroupCreated", "Global Security Enabled",
"4728", "UserAddedToGroup", "GroupModified", "Global Security Enabled",
"4729", "UserRemovedFromGroup", "GroupModified", "Global Security Enabled",
"4730", "GroupDeleted", "GroupModified", "Global Security Enabled",
"4731", "GroupCreated", "GroupCreated", "Local Security Enabled",
"4732", "UserAddedToGroup", "GroupModified", "Local Security Enabled",
"4733", "UserRemovedFromGroup", "GroupModified", "Local Security Enabled",
"4734", "GroupDeleted", "GroupModified", "Local Security Enabled",
"4738", "UserModified", "UserModified", "",
"4740", "UserLocked", "UserModified", "",
"4744", "GroupCreated", "GroupCreated", "Local Distribution",
"4748", "GroupDeleted", "GroupModified", "Local Distribution",
"4749", "GroupCreated", "GroupCreated", "Global Distribution",
"4753", "GroupDeleted", "GroupModified", "Global Distribution",
"4754", "GroupCreated", "GroupCreated", "Universal Security Enabled",
"4756", "UserAddedToGroup", "GroupModified", "Universal Security Enabled",
"4757", "UserRemovedFromGroup", "GroupModified", "Universal Security Enabled",
"4758", "GroupDeleted", "GroupModified", "Universal Security Enabled",
"4759", "GroupCreated", "GroupCreated", "Universal Distribution",
"4763", "GroupDeleted", "GroupModified", "Universal Distribution",
"4767", "UserLocked", "UserModified", "",
"4781", "UserModified", "UserModified", ""
];
let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)
[
'User', 'Regular',
'Machine', 'Machine'
];
let UserEventID = toscalar(
EventIDLookup
| where not(disabled)
| where EventSubType in("UserCreated","UserModified")
| summarize make_set(EventID)
);
let GroupEventID = toscalar(
EventIDLookup
| where not(disabled)
| where EventSubType in("GroupCreated","GroupModified")
| summarize make_set(EventID)
);
union (
WindowsEvent
| where not(disabled)
| where EventID in(UserEventID)
| extend
ActorOriginalUserType = tostring(EventData.AccountType),
ActorSessionId = tostring(EventData.SubjectLogonId),
ActorUserId = tostring(EventData.SubjectUserSid),
NewTargetUserName = tostring(EventData.NewTargetUserName),
OldTargetUserName = tostring(EventData.OldTargetUserName),
SubjectDomainName = tostring(EventData.SubjectDomainName),
SubjectUserName = tostring(EventData.SubjectUserName),
TargetDomain = tostring(EventData.TargetDomainName),
TargetUserId = tostring(EventData.TargetSid),
TargetUsername = tostring(EventData.TargetUserName),
EventMessage = tostring(EventData.Activity)
| project-rename
NewPropertyValue = NewTargetUserName,
PreviousPropertyValue = OldTargetUserName
| extend
TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage
| extend
TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
),(
SecurityEvent
| where not(disabled)
| where EventID in(UserEventID)
| project-rename
ActorOriginalUserType = AccountType,
ActorSessionId = SubjectLogonId,
ActorUserId = SubjectUserSid,
TargetDomain = TargetDomainName,
TargetUserId = TargetSid,
TargetUsername = TargetUserName,
EventMessage = Activity
| parse-kv EventData as
(
OldTargetUserName:string,
NewTargetUserName:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| project-rename
NewPropertyValue = NewTargetUserName,
PreviousPropertyValue = OldTargetUserName
| extend
TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage
| extend
TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
),(
WindowsEvent
| where not(disabled)
| where EventID in(GroupEventID)
| extend
ActorOriginalUserType = tostring(EventData.AccountType),
ActorSessionId = tostring(EventData.SubjectLogonId),
ActorUserId = tostring(EventData.SubjectUserSid),
GroupDomain = tostring(EventData.TargetDomainName),
GroupId = tostring(EventData.TargetSid),
GroupName = tostring(EventData.TargetUserName),
MemberName = tostring(EventData.MemberName),
MemberSid = tostring(EventData.MemberSid),
NewTargetUserName = tostring(EventData.NewTargetUserName),
OldTargetUserName = tostring(EventData.OldTargetUserName),
SubjectDomainName = tostring(EventData.SubjectDomainName),
SubjectUserName = tostring(EventData.SubjectUserName),
EventMessage = tostring(EventData.Activity)
| extend
GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName)),
TargetUserId = MemberSid,
TargetUsername = MemberName
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage
| extend
GroupIdType = iif(isnotempty(GroupId), "SID","")
),(
SecurityEvent
| where not(disabled)
| where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
| where EventID in(GroupEventID)
| project-rename
ActorOriginalUserType = AccountType,
ActorSessionId = SubjectLogonId,
ActorUserId = SubjectUserSid,
GroupDomain = TargetDomainName,
GroupId = TargetSid,
GroupName = TargetUserName,
EventMessage = Activity
| extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
| parse-kv EventData as
(
MemberName:string,
MemberSid:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| project-rename
TargetUsername = MemberName,
TargetUserId = MemberSid
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
| extend
GroupIdType = iif(isnotempty(GroupId), "SID","")
),(
SecurityEvent
| where not(disabled)
| where EventID in (4744, 4748, 4749, 4753, 4759, 4763)
| parse-kv EventData as
(
TargetUserName:string,
TargetDomainName:string,
TargetSid:string,
SubjectUserSid:string,
AccountType:string,
SubjectLogonId:string,
SubjectDomainName:string,
SubjectUserName:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| project-rename
ActorOriginalUserType = AccountType,
ActorSessionId = SubjectLogonId,
ActorUserId = SubjectUserSid,
GroupDomain = TargetDomainName,
GroupId = TargetSid,
GroupName = TargetUserName,
EventMessage = Activity
| extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
| parse-kv EventData as
(
MemberName:string,
MemberSid:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| project-rename
TargetUserId = MemberSid,
TargetUsername = MemberName
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
| extend
GroupIdType = iif(isnotempty(GroupId), "SID","")
)
| lookup EventIDLookup on EventID
| extend UpdatedPropertyName = EventSubType
| invoke _ASIM_ResolveDvcFQDN ("Computer")
| lookup UserTypeLookup on ActorOriginalUserType
| extend
DvcId = coalesce(_ResourceId, SourceComputerId),
EventOriginalType = tostring(EventID)
| project-rename
EventUid = _ItemId
| extend
ActorDomain = SubjectDomainName,
DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", ""),
ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
Dvc = DvcHostname,
DvcOs = "Windows",
EventCount = int(1),
EventEndTime = TimeGenerated,
EventProduct = 'Security Events',
EventResult = "Success",
EventSchema = "UserManagement",
EventSchemaVersion = "0.1.1",
EventSeverity = "Informational",
EventStartTime = TimeGenerated,
EventVendor = 'Microsoft',
Hostname = DvcHostname
| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID
| extend
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
GroupNameType = _ASIM_GetUsernameType(GroupName),
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),
User = ActorUsername
};
parser (disabled=disabled)

72
Parsers/ASimUserManagement/Parsers/imUserManagement.yaml Normal file
Просмотреть файл

@ -0,0 +1,72 @@
Parser:
Title: User Management ASIM filtering parser
Version: '0.1.0'
LastUpdated: 16 Jul, 2023
Product:
Name: Source agnostic
Normalization:
Schema: UserManagement
Version: '0.1'
References:
- Title: ASIM UserManagement Schema
Link: https://aka.ms/ASimUserManagementDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
Description: |
This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.
ParserName: imUserManagement
EquivalentBuiltInParser: _Im_UserManagement
Parsers:
- _Im_UserManagement_Empty
- _Im_UserManagement_MicrosoftSecurityEvent
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: targetusername_has
Type: string
Default: '*'
- Name: actorusername_has
Type: string
Default: '*'
- Name: targetdomain_has_any
Type: dynamic
Default: dynamic([])
- Name: anydomain_has_any
Type: dynamic
Default: dynamic([])
- Name: pack
Type: bool
Default: false
ParserQuery: |
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser=(
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
targetusername_has:string="*",
actorusername_has:string="",
targetdomain_has_any:dynamic=dynamic([]),
anydomain_has_any:dynamic=dynamic([]),
pack:bool=false)
{
union isfuzzy=true
vimUserManagementEmpty,
vimUserManagementMicrosoftSecurityEvent(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),
vimUserManagementCiscoISE(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, anydomain_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) ))
};
parser (
starttime=starttime,
endtime=endtime,
targetusername_has=targetusername_has,
actorusername_has=actorusername_has,
targetdomain_has_any=targetdomain_has_any,
anydomain_has_any=anydomain_has_any,
hostname_has_any=hostname_has_any,
dvcaction=dvcaction,
eventresult=eventresult,
pack=pack
)

111
Parsers/ASimUserManagement/Parsers/vimUserManagementEmpty.yaml Normal file
Просмотреть файл

@ -0,0 +1,111 @@
Parser:
Title: User Management ASIM schema function
Version: '0.1.0'
LastUpdated: 17 Jul2023
Product:
Name: Source Agnostic
Normalization:
Schema: UserManagement
Version: '0.1.1'
References:
- Title: ASIM User Management Schema
Link: https://aka.ms/ASimUserManagementDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
Description: |
This function returns an empty ASIM UserManagement schema
ParserName: vimUserManagementEmpty
EquivalentBuiltInParser: _Im_UserManagement_Empty
ParserQuery: |
let parser=datatable(
TimeGenerated:datetime,
_ResourceId:string,
Type:string,
ActorUsername:string, // Mandatory
ActorUsernameType:string, // Mandatory
Dvc:string, // Mandatory
EventCount:int, // Mandatory
EventEndTime:datetime, // Mandatory
EventProduct:string, // Mandatory
EventResult:string, // Mandatory
EventSchema:string, // Mandatory
EventSchemaVersion:string, // Mandatory
EventSeverity:string, // Mandatory
EventStartTime:datetime, // Mandatory
EventType:string, // Mandatory
EventVendor:string, // Mandatory
DvcAction:string, // Recommended
DvcDomain:string, // Recommended
DvcDomainType:string, // Recommended
DvcFQDN:string, // Recommended
DvcHostname:string, // Recommended
DvcId:string, // Recommended
DvcIdType:string, // Recommended
DvcIpAddr:string, // Recommended
EventResultDetails:string, // Recommended
EventUid:string, // Recommended
Src:string, // Recommended
SrcDomain:string, // Recommended
SrcDomainType:string, // Recommended
SrcHostname:string, // Recommended
SrcIpAddr:string, // Recommended
ActingAppId:string, // Optional
ActingAppType:string, // Optional
ActiveAppName:string, // Optional
ActorOriginalUserType:string, // Optional
ActorSessionId:string, // Optional
ActorUserId:string, // Optional
ActorUserIdType:string, // Optional
ActorUserType:string, // Optional
AdditionalFields:dynamic, // Optional
DvcDescription:string, // Optional
DvcInterface:string, // Optional
DvcMacAddr:string, // Optional
DvcOriginalAction:string, // Optional
DvcOs:string, // Optional
DvcOsVersion:string, // Optional
DvcScope:string, // Optional
DvcScopeId:string, // Optional
DvcZone:string, // Optional
EventMessage:string, // Optional
EventOriginalResultDetails:string, // Optional
EventOriginalSeverity:string, // Optional
EventOriginalSubType:string, // Optional
EventOriginalType:string, // Optional
EventOriginalUid:string, // Optional
EventOwner:string, // Optional
EventProductVersion:string, // Optional
EventReportUrl:string, // Optional
EventSubType:string, // Optional
GroupId:string, // Optional
GroupIdType:string, // Optional
GroupName:string, // Optional
GroupNameType:string, // Optional
GroupOriginalType:string, // Optional
GroupType:string, // Optional
HttpUserAgent:string, // Optional
NewPropertyValue:string, // Optional
PreviousPropertyValue:string, // Optional
SrcDeviceType:string, // Optional
SrcDvcId:string, // Optional
SrcDvcIdType:string, // Optional
SrcDvcScope:string, // Optional
SrcDvcScopeId:string, // Optional
SrcFQDN:string, // Optional
SrcGeoCity:string, // Optional
SrcGeoCountry:string, // Optional
SrcGeoLatitude:string, // Optional
SrcGeoLongitude:string, // Optional
SrcGeoRegion:string, // Optional
TargetOriginalUserType:string, // Optional
TargetUserId:string, // Optional
TargetUserIdType:string, // Optional
TargetUsername:string, // Optional
TargetUsernameType:string, // Optional
TargetUserType:string, // Optional
Hostname:string, // Alias
IpAddr:string, // Alias
UpdatedPropertyName:string, // Alias
User:string // Alias
)[];
parser

328
Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml Normal file
Просмотреть файл

@ -0,0 +1,328 @@
Parser:
Title: User Management ASIM parser for Microsoft Security Event logs
Version: '0.1.0'
LastUpdated: 16 Jul, 2023
Product:
Name: Microsoft
Normalization:
Schema: UserManagement
Version: '0.1.1'
References:
- Title: ASIM User Management Schema
Link: https://aka.ms/ASimUserManagementDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Audit User Account Management
Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Description: |
This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
ParserName: ASimUserManagementMicrosoftSecurityEvent
EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: targetusername_has
Type: string
Default: '*'
- Name: actorusername_has
Type: string
Default: '*'
- Name: targetdomain_has_any
Type: dynamic
Default: dynamic([])
- Name: anydomain_has_any
Type: dynamic
Default: dynamic([])
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let parser = (
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
targetusername_has:string="*",
actorusername_has:string="",
targetdomain_has_any:dynamic=dynamic([]),
anydomain_has_any:dynamic=dynamic([]),
disabled:bool=false
) {
let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)
[
"4720", "UserCreated", "UserCreated", "",
"4722", "UserEnabled", "UserModified", "",
"4723", "PasswordChanged", "UserModified", "",
"4724", "PasswordReset", "UserModified", "",
"4725", "UserDisabled", "UserModified", "",
"4726", "UserDeleted", "UserModified", "",
"4727", "GroupCreated", "GroupCreated", "Global Security Enabled",
"4728", "UserAddedToGroup", "GroupModified", "Global Security Enabled",
"4729", "UserRemovedFromGroup", "GroupModified", "Global Security Enabled",
"4730", "GroupDeleted", "GroupModified", "Global Security Enabled",
"4731", "GroupCreated", "GroupCreated", "Local Security Enabled",
"4732", "UserAddedToGroup", "GroupModified", "Local Security Enabled",
"4733", "UserRemovedFromGroup", "GroupModified", "Local Security Enabled",
"4734", "GroupDeleted", "GroupModified", "Local Security Enabled",
"4738", "UserModified", "UserModified", "",
"4740", "UserLocked", "UserModified", "",
"4744", "GroupCreated", "GroupCreated", "Local Distribution",
"4748", "GroupDeleted", "GroupModified", "Local Distribution",
"4749", "GroupCreated", "GroupCreated", "Global Distribution",
"4753", "GroupDeleted", "GroupModified", "Global Distribution",
"4754", "GroupCreated", "GroupCreated", "Universal Security Enabled",
"4756", "UserAddedToGroup", "GroupModified", "Universal Security Enabled",
"4757", "UserRemovedFromGroup", "GroupModified", "Universal Security Enabled",
"4758", "GroupDeleted", "GroupModified", "Universal Security Enabled",
"4759", "GroupCreated", "GroupCreated", "Universal Distribution",
"4763", "GroupDeleted", "GroupModified", "Universal Distribution",
"4767", "UserLocked", "UserModified", "",
"4781", "UserModified", "UserModified", ""
];
let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)
[
'Machine', 'Machine',
'User', 'Regular'
];
let UserEventID = toscalar(
EventIDLookup
| where not(disabled)
| where EventSubType in("UserCreated","UserModified")
| summarize make_set(EventID)
);
let GroupEventID = toscalar(
EventIDLookup
| where not(disabled)
| where EventSubType in("GroupCreated","GroupModified")
| summarize make_set(EventID)
);
union (
WindowsEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where EventID in(UserEventID)
| where (targetusername_has=='*' or (EventData has targetusername_has)) and
(actorusername_has=='*' or (EventData has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
| extend
ActorOriginalUserType = tostring(EventData.AccountType),
ActorSessionId = tostring(EventData.SubjectLogonId),
ActorUserId = tostring(EventData.SubjectUserSid),
NewTargetUserName = tostring(EventData.NewTargetUserName),
OldTargetUserName = tostring(EventData.OldTargetUserName),
SubjectDomainName = tostring(EventData.SubjectDomainName),
SubjectUserName = tostring(EventData.SubjectUserName),
TargetDomain = tostring(EventData.TargetDomainName),
TargetUserId = tostring(EventData.TargetSid),
TargetUsername = tostring(EventData.TargetUserName),
EventMessage = tostring(EventData.Activity)
| where (targetusername_has=='*' or (TargetUsername has targetusername_has)) and
(actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (TargetDomain has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (TargetDomain has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
| project-rename
NewPropertyValue = NewTargetUserName,
PreviousPropertyValue = OldTargetUserName
| extend
TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage
| extend
TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
),(
SecurityEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where EventID in(UserEventID)
| where (targetusername_has=='*' or (TargetUserName has targetusername_has)) and
(actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
| project-rename
ActorOriginalUserType = AccountType,
ActorSessionId = SubjectLogonId,
ActorUserId = SubjectUserSid,
TargetDomain = TargetDomainName,
TargetUserId = TargetSid,
TargetUsername = TargetUserName,
EventMessage = Activity
| parse-kv EventData as
(
OldTargetUserName:string,
NewTargetUserName:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| project-rename
NewPropertyValue = NewTargetUserName,
PreviousPropertyValue = OldTargetUserName
| extend
TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage
| extend
TargetUserIdType = iif(isnotempty(TargetUserId), "SID",""),
TargetUsername = iff (TargetDomain == "", TargetUsername, strcat (TargetDomain, '\\', TargetUsername))
),(
WindowsEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where EventID in(GroupEventID)
| where (targetusername_has=='*' or (EventData has targetusername_has)) and
(actorusername_has=='*' or (EventData has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
| extend
ActorOriginalUserType = tostring(EventData.AccountType),
ActorSessionId = tostring(EventData.SubjectLogonId),
ActorUserId = tostring(EventData.SubjectUserSid),
GroupDomain = tostring(EventData.TargetDomainName),
GroupId = tostring(EventData.TargetSid),
GroupName = tostring(EventData.TargetUserName),
MemberName = tostring(EventData.MemberName),
MemberSid = tostring(EventData.MemberSid),
NewTargetUserName = tostring(EventData.NewTargetUserName),
OldTargetUserName = tostring(EventData.OldTargetUserName),
SubjectDomainName = tostring(EventData.SubjectDomainName),
SubjectUserName = tostring(EventData.SubjectUserName),
EventMessage = tostring(EventData.Activity)
| where (targetusername_has=='*' or (NewTargetUserName has targetusername_has) or (OldTargetUserName has targetusername_has) or (MemberName has targetusername_has)) and
(actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (GroupDomain has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (GroupDomain has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
| extend
GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName)),
TargetUserId = MemberSid,
TargetUsername = MemberName
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage
| extend
GroupIdType = iif(isnotempty(GroupId), "SID","")
),(
SecurityEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
| where EventID in(GroupEventID)
| where (targetusername_has=='*' or (EventData has targetusername_has)) and
(actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
| project-rename
ActorOriginalUserType = AccountType,
ActorSessionId = SubjectLogonId,
ActorUserId = SubjectUserSid,
GroupDomain = TargetDomainName,
GroupId = TargetSid,
GroupName = TargetUserName,
EventMessage = Activity
| extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
| parse-kv EventData as
(
MemberName:string,
MemberSid:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| where (targetusername_has=='*' or (MemberName has targetusername_has))
| project-rename
TargetUserId = MemberSid,
TargetUsername = MemberName
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
| extend
GroupIdType = iif(isnotempty(GroupId), "SID","")
),(
SecurityEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where EventID in (4744, 4748, 4749, 4753, 4759, 4763)
| where (targetusername_has=='*' or (EventData has targetusername_has)) and
(actorusername_has=='*' or (EventData has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (EventData has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (EventData has_any (anydomain_has_any)))
| parse-kv EventData as
(
TargetUserName:string,
TargetDomainName:string,
TargetSid:string,
SubjectUserSid:string,
AccountType:string,
SubjectLogonId:string,
SubjectDomainName:string,
SubjectUserName:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| where (actorusername_has=='*' or (SubjectUserName has actorusername_has)) and
(array_length(targetdomain_has_any) == 0 or (TargetDomainName has_any (targetdomain_has_any))) and
(array_length(anydomain_has_any) == 0 or (TargetDomainName has_any (anydomain_has_any)) or (SubjectDomainName has_any (anydomain_has_any)))
| project-rename
ActorOriginalUserType = AccountType,
ActorSessionId = SubjectLogonId,
ActorUserId = SubjectUserSid,
GroupDomain = TargetDomainName,
GroupId = TargetSid,
GroupName = TargetUserName,
EventMessage = Activity
| extend GroupName = iff (GroupDomain == "", GroupName, strcat (GroupDomain, "\\" ,GroupName))
| parse-kv EventData as
(
MemberName:string,
MemberSid:string
)
with (regex=@'<Data Name="(\w+)">{?([^<]*?)}?</Data>')
| where (targetusername_has=='*' or (MemberName has targetusername_has))
| project-rename
TargetUserId = MemberSid,
TargetUsername = MemberName
| project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage
| extend
GroupIdType = iif(isnotempty(GroupId), "SID","")
)
| lookup EventIDLookup on EventID
| extend UpdatedPropertyName = EventSubType
| invoke _ASIM_ResolveDvcFQDN ("Computer")
| lookup UserTypeLookup on ActorOriginalUserType
| extend
DvcId = coalesce(_ResourceId, SourceComputerId),
EventOriginalType = tostring(EventID)
| project-rename
EventUid = _ItemId
| extend
ActorDomain = SubjectDomainName,
ActorUserIdType = iif(isnotempty(ActorUserId), "SID",""),
ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
Dvc = DvcHostname,
DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceID", ""),
DvcOs = "Windows",
EventCount = int(1),
EventEndTime = TimeGenerated,
EventProduct = 'Security Events',
EventResult = "Success",
EventSchema = "UserManagement",
EventSchemaVersion = "0.1.1",
EventSeverity = "Informational",
EventStartTime = TimeGenerated,
EventVendor = 'Microsoft',
Hostname = DvcHostname
| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID
| extend
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),
GroupNameType = _ASIM_GetUsernameType(GroupName),
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),
TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),
User = ActorUsername
};
parser (
starttime = starttime,
endtime = endtime,
targetusername_has = targetusername_has,
actorusername_has = actorusername_has,
targetdomain_has = targetdomain_has,
anydomain_has = anydomain_has,
disabled=disabled
)

17
Parsers/ASimUserManagement/README.md Normal file
Просмотреть файл

@ -0,0 +1,17 @@
# Advanced Security Information Model (ASIM) UserManagement parsers
This template deploys all ASIM UserManagement parsers.
The Advanced Security Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
For more information, see:
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc)
<br>
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimUserManagementARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimUserManagementARMgov)
<br>

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 64 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 93 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_3.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 67 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_4.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 40 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 44 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_10.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 136 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 137 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_3.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 115 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_4.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 146 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_5.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 121 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_6.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 207 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_7.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 184 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_8.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 134 KiB

Двоичные данные
Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_9.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 195 KiB

Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше