Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

CiscoSEG Solution Update 1.0.3

This commit is contained in:
NikTripathi 2022-01-20 10:27:11 +05:30
Родитель f50fa057bf
Коммит 668a85882a
7 изменённых файлов: 1742 добавлений и 21 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

43
Solutions/CiscoSEG/Data/Solution_CiscoSEG.json Normal file
Просмотреть файл

@ -0,0 +1,43 @@
{
"Name": "Cisco SEG",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) provides the best protection for your email against cyber threats. Secure Email's comprehensive protection for on-premises and cloud-based email stops the most common and damaging cyber threats.",
"Analytic Rules" : [
"Analytic Rules/CiscoSEGDLPViolation.yaml",
"Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml",
"Analytic Rules/CiscoSEGMultipleLargeEmails.yaml",
"Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml",
"Analytic Rules/CiscoSEGPossibleOutbreak.yaml",
"Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml",
"Analytic Rules/CiscoSEGSuspiciousLink.yaml",
"Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml",
"Analytic Rules/CiscoSEGUnclassifiedLink.yaml",
"Analytic Rules/CiscoSEGUnexpextedAttachment.yaml",
"Analytic Rules/CiscoSEGUnscannableAttachment.yaml"
],
"Hunting Queries" : [
"Hunting Queries/CiscoSEGDroppedInMails.yaml",
"Hunting Queries/CiscoSEGDroppedOutMails.yaml",
"Hunting Queries/CiscoSEGFailedDKIMFailure.yaml",
"Hunting Queries/CiscoSEGFailedDMARKFailure.yaml",
"Hunting Queries/CiscoSEGFailedSPFFailure.yaml",
"Hunting Queries/CiscoSEGFailedTLSIn.yaml",
"Hunting Queries/CiscoSEGFailedTLSOut.yaml",
"Hunting Queries/CiscoSEGInsecureProtocol.yaml",
"Hunting Queries/CiscoSEGSpamMails.yaml",
"Hunting Queries/CiscoSEGUsersReceivedSpam.yaml"
],
"Parsers": [
"Parsers/CiscoSEGEvent.txt"
],
"Data Connectors": [
"Data Connectors/Connector_Cisco_SEG_CEF.json"
],
"Workbooks" : [
"Workbooks/CiscoSEG.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\CiscoSEG",
"Version": "1.0.3"
}

Двоичные данные
Solutions/CiscoSEG/Package/1.0.3.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

482
Solutions/CiscoSEG/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,482 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Microsoft Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) provides the best protection for your email against cyber threats. Secure Email's comprehensive protection for on-premises and cloud-based email stops the most common and damaging cyber threats.\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Cisco SEG. You can get Cisco SEG CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "Cisco SEG",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Cisco SEG that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - DLP policy violation",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects DLP policy violation."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Malicious attachment not blocked",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects mails with malicious attachments which were not blocked."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Multiple large emails sent to external recipient",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects possible data exfiltration."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Multiple suspiciuos attachments received",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects possibly phishing emails."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Possible outbreak",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects possible outbreak activity."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Potential phishing link",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects mails with suspicious links."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Suspicious link",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects mails with suspicious links."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Suspicious sender domain",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects suspicious sender domain age."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Unexpected link",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects mails with suspicious links."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Unexpected attachment",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects possibly malicious attachments."
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Unscannable attacment",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects unscannable attachments in mails."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for Cisco SEG that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Dropped incoming mails",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for dropped mails. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Dropped outgoing mails",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for dropped outgoing mails. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - DKIM failures",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for mails with DKIM failure status. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - DMARK failures",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for mails with DMARK failure status. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - SPF failures",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for mails with SPF failure status. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Failed incoming TLS connections",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches failed TLS incoming connections. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Failed outgoing TLS connections",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches failed TLS outgoing connections. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Insecure protocol",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for connections with insecure protocol. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Sources of spam mails",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for sources of spam mails. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "Cisco SEG - Top users receiving spam mails",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for top users receiving spam mails. It depends on the CiscoSEG data connector and CiscoSEGEvent data type and CiscoSEG parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(filter.id, toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}

1159
Solutions/CiscoSEG/Package/mainTemplate.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

15
Solutions/CiscoSEG/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-ciscoseg",
"firstPublishDate": "2021-06-23",
"providers": ["Cisco"],
"categories": {
"domains" : ["Security - Threat Protection"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

43
Tools/Create-Azure-Sentinel-Solution/input/Solution_CiscoSEG.json Normal file
Просмотреть файл

@ -0,0 +1,43 @@
{
"Name": "Cisco SEG",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) provides the best protection for your email against cyber threats. Secure Email's comprehensive protection for on-premises and cloud-based email stops the most common and damaging cyber threats.",
"Analytic Rules" : [
"Analytic Rules/CiscoSEGDLPViolation.yaml",
"Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml",
"Analytic Rules/CiscoSEGMultipleLargeEmails.yaml",
"Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml",
"Analytic Rules/CiscoSEGPossibleOutbreak.yaml",
"Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml",
"Analytic Rules/CiscoSEGSuspiciousLink.yaml",
"Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml",
"Analytic Rules/CiscoSEGUnclassifiedLink.yaml",
"Analytic Rules/CiscoSEGUnexpextedAttachment.yaml",
"Analytic Rules/CiscoSEGUnscannableAttachment.yaml"
],
"Hunting Queries" : [
"Hunting Queries/CiscoSEGDroppedInMails.yaml",
"Hunting Queries/CiscoSEGDroppedOutMails.yaml",
"Hunting Queries/CiscoSEGFailedDKIMFailure.yaml",
"Hunting Queries/CiscoSEGFailedDMARKFailure.yaml",
"Hunting Queries/CiscoSEGFailedSPFFailure.yaml",
"Hunting Queries/CiscoSEGFailedTLSIn.yaml",
"Hunting Queries/CiscoSEGFailedTLSOut.yaml",
"Hunting Queries/CiscoSEGInsecureProtocol.yaml",
"Hunting Queries/CiscoSEGSpamMails.yaml",
"Hunting Queries/CiscoSEGUsersReceivedSpam.yaml"
],
"Parsers": [
"Parsers/CiscoSEGEvent.txt"
],
"Data Connectors": [
"Data Connectors/Connector_Cisco_SEG_CEF.json"
],
"Workbooks" : [
"Workbooks/CiscoSEG.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\CiscoSEG",
"Version": "1.0.3"
}

21
Tools/Create-Azure-Sentinel-Solution/input/Solution_SIGNL4.json
Просмотреть файл

@ -1,21 +0,0 @@
{
"Name": "SIGNL4",
"Author": "Ronald Czachara - ron@signl4.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/signl4/signl4-logo/main/signl4.svg\" width=\"75px\" height=\"75px\">",
"Description": "SIGNL4 offers critical alerting, incident response and service dispatching for operating critical infrastructure. It alerts you persistently via app push, SMS text and voice calls including tracking, escalation, collaboration and duty planning. \n\n[Learn more >](https://www.signl4.com)",
"WorkbookDescription": [],
"Workbooks": [],
"Analytic Rules": [],
"Playbooks": [
"Playbooks/azuredeploy.json"
],
"Parsers": [],
"Hunting Queries": [],
"Data Connectors": [
"Data Connectors/DerdackSIGNL4.json"
],
"Watchlists": [],
"BasePath": "C:/GitHub/Azure-Sentinel/Solutions/SIGNL4/",
"Version": "1.0.0",
"Metadata": "SolutionMetadata.json"
}