Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Windows Forwarded Events TemlateSpec Solution

This commit is contained in:
v-atulyadav 2022-05-23 16:15:31 +05:30
Родитель d1e500c3de
Коммит 6b44f50030
9 изменённых файлов: 863 добавлений и 1604 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
Detections/WindowsEvent/ChiaCryptoMining_WindowsEvent.yaml → Solutions/Windows Forwarded Events/Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml
Просмотреть файл

@ -2,7 +2,8 @@ id: 4d173248-439b-4741-8b37-f63ad0c896ae
name: Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021
description: |
'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.'
severity: Low
severity: Low
status: Available
requiredDataConnectors:
- connectorId: WindowsSecurityEvents
dataTypes:

3
Detections/WindowsEvent/SOURGUM_IOC_WindowsEvent.yaml → Solutions/Windows Forwarded Events/Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml
Просмотреть файл

@ -2,7 +2,8 @@ id: 066395ac-ef91-4993-8bf6-25c61ab0ca5a
name: SOURGUM Actor IOC - July 2021
description: |
'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM'
severity: High
severity: High
status: Available
requiredDataConnectors:
- connectorId: WindowsSecurityEvents
dataTypes:

89
Solutions/Windows Forwarded Events/Data Connectors/WindowsForwardedEvents.JSON Normal file
Просмотреть файл

@ -0,0 +1,89 @@
{
"id": "WindowsForwardedEvents",
"title": "Windows Forwarded Events",
"publisher": "Microsoft",
"descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organizations network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "WindowsEvents",
"baseQuery": "WindowsEvent"
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "WindowsEvent\n | sort by TimeGenerated"
}
],
"connectivityCriterias": [
{
"type": "WindowsForwardedEvents",
"value": null
}
],
"dataTypes": [
{
"name": "WindowsEvents",
"lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"availability": {
"status": 2,
"isPreview": false,
"featureFlag": {
"feature": "WindowsForwardedEventsFeature",
"featureStates": {
"1": 2,
"2": 2,
"3": 2,
"4": 2,
"5": 2
}
}
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces/datasources",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace data sources",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
}
]
},
"instructionSteps": [
{
"title": "Enable data collection rule",
"description": "> Windows Forwarded Events logs are collected only from **Windows** agents.",
"instructions": [
{
"type": "WindowsForwardedEvents"
},
{
"parameters": {
"linkType": "OpenCreateDataCollectionRule",
"dataCollectionRuleType": 1
},
"type": "InstallAgent"
},
{
"parameters": {
"linkType": "OpenCustomDeploymentBlade",
"dataCollectionRuleType": 1
},
"type": "InstallAgent"
}
]
}
]
}

18
Solutions/Windows Forwarded Events/Data/Solution_Windows Forwarded Events.json Normal file
Просмотреть файл

@ -0,0 +1,18 @@
{
"Name": "Windows Forwarded Events",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Windows Forwarded Events solution allows you to ingest all [Windows Event Forwarding](https://docs.microsoft.com/advanced-threat-analytics/configure-event-collection) (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)",
"Data Connectors": [
"Data Connectors/WindowsForwardedEvents.json"
],
"Analytic Rules": [
"Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml",
"Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Forwarded Events",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": true
}

Двоичные данные
Solutions/Windows Forwarded Events/Package/2.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

141
Solutions/Windows Forwarded Events/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,141 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Windows Forwarded Events solution allows you to ingest all [Windows Event Forwarding](https://docs.microsoft.com/advanced-threat-analytics/configure-event-collection) (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Windows Forwarded Events. You can get Windows Forwarded Events custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) WindowsEvents in your Microsoft Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "SOURGUM Actor IOC - July 2021",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

591
Solutions/Windows Forwarded Events/Package/mainTemplate.json Normal file
Просмотреть файл

@ -0,0 +1,591 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for Windows Forwarded Events"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents-preview",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "WindowsForwardedEvents",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "WindowsForwardedEvents",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
"analyticRuleVersion1": "1.0.1",
"analyticRulecontentId1": "4d173248-439b-4741-8b37-f63ad0c896ae",
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
"analyticRuleVersion2": "1.0.0",
"analyticRulecontentId2": "066395ac-ef91-4993-8bf6-25c61ab0ca5a",
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "Windows Forwarded Events data connector with template",
"displayName": "Windows Forwarded Events template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "Windows Forwarded Events data connector with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "StaticUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Windows Forwarded Events",
"publisher": "Microsoft",
"descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organizations network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "WindowsEvents",
"baseQuery": "WindowsEvent"
}
],
"connectivityCriterias": [
{
"type": "WindowsForwardedEvents",
"value": null
}
],
"dataTypes": [
{
"name": "WindowsEvents",
"lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Windows Forwarded Events",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Windows Forwarded Events",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "StaticUI",
"properties": {
"connectorUiConfig": {
"title": "Windows Forwarded Events",
"publisher": "Microsoft",
"descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organizations network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "WindowsEvents",
"baseQuery": "WindowsEvent"
}
],
"dataTypes": [
{
"name": "WindowsEvents",
"lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "WindowsForwardedEvents",
"value": null
}
],
"id": "[variables('_uiConfigId1')]"
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
"description": "Windows Forwarded Events Analytics Rule 1 with template",
"displayName": "Windows Forwarded Events Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
],
"properties": {
"description": "ChiaCryptoMining_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('AnalyticRulecontentId1')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.",
"displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
"enabled": false,
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\nWindowsEvent\n| where EventID == '4688' and EventData has_any (process)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| where NewProcessName has_any (process)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n , Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n , NewProcessId = tostring(EventData.NewProcessId)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"SecurityEvents"
],
"connectorId": "WindowsSecurityEvents"
},
{
"dataTypes": [
"WindowsEvent"
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"Impact"
],
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "FileCustomEntity",
"identifier": "Name"
},
{
"columnName": "FilePathCustomEntity",
"identifier": "Directory"
}
],
"entityType": "File"
},
{
"fieldMappings": [
{
"columnName": "FileHashAlgo",
"identifier": "Algorithm"
},
{
"columnName": "FileHashCustomEntity",
"identifier": "Value"
}
],
"entityType": "FileHash"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
"properties": {
"description": "Windows Forwarded Events Analytics Rule 1",
"parentId": "[variables('analyticRuleId1')]",
"contentId": "[variables('_analyticRulecontentId1')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion1')]",
"source": {
"kind": "Solution",
"name": "Windows Forwarded Events",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('analyticRuleTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
"description": "Windows Forwarded Events Analytics Rule 2 with template",
"displayName": "Windows Forwarded Events Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
],
"properties": {
"description": "SOURGUM_IOC_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('AnalyticRulecontentId2')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM",
"displayName": "SOURGUM Actor IOC - July 2021",
"enabled": false,
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\nWindowsEvent\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any ('reg add') or EventData has_any (reg_key) )\n| extend CommandLine = tostring(EventData.CommandLine)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where (CommandLine has_any (file_path1)) or\n (CommandLine has_any (file_path3)) or\n (CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \n (NewProcessName has_any (file_path1)) or\n (NewProcessName has_any (file_path3)) or\n (ParentProcessName has_any (file_path1)) or \n (ParentProcessName has_any (file_path3)) \n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend NewProcessId = tostring(EventData.NewProcessId)\n| extend IPCustomEntity = tostring(EventData.IpAddress)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"status": "Available",
"requiredDataConnectors": [
{
"dataTypes": [
"SecurityEvents"
],
"connectorId": "WindowsSecurityEvents"
},
{
"dataTypes": [
"WindowsEvent"
],
"connectorId": "WindowsForwardedEvents"
}
],
"tactics": [
"Persistence"
],
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "HostCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Host"
},
{
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
],
"entityType": "IP"
},
{
"fieldMappings": [
{
"columnName": "ProcessCustomEntity",
"identifier": "ProcessId"
}
],
"entityType": "Process"
},
{
"fieldMappings": [
{
"columnName": "AlgorithmCustomEntity",
"identifier": "Algorithm"
},
{
"columnName": "FileHashCustomEntity",
"identifier": "Value"
}
],
"entityType": "FileHash"
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
"description": "Windows Forwarded Events Analytics Rule 2",
"parentId": "[variables('analyticRuleId2')]",
"contentId": "[variables('_analyticRulecontentId2')]",
"kind": "AnalyticsRule",
"version": "[variables('analyticRuleVersion2')]",
"source": {
"kind": "Solution",
"name": "Windows Forwarded Events",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "Windows Forwarded Events",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Microsoft",
"email": "[variables('_email')]"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId1')]",
"version": "[variables('analyticRuleVersion1')]"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId2')]",
"version": "[variables('analyticRuleVersion2')]"
}
]
},
"firstPublishDate": "2022-05-02",
"providers": [
"Microsoft"
],
"categories": {
"domains": [
"IT Operations"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}

20
Solutions/Windows Forwarded Events/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,20 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-windowsforwardedevents",
"firstPublishDate": "2022-05-02",
"providers": ["Microsoft"],
"categories": {
"domains" : ["IT Operations"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}

1602
Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу