Windows Forwarded Events TemlateSpec Solution
This commit is contained in:
Родитель
d1e500c3de
Коммит
6b44f50030
|
@ -2,7 +2,8 @@ id: 4d173248-439b-4741-8b37-f63ad0c896ae
|
|||
name: Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021
|
||||
description: |
|
||||
'Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.'
|
||||
severity: Low
|
||||
severity: Low
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: WindowsSecurityEvents
|
||||
dataTypes:
|
|
@ -2,7 +2,8 @@ id: 066395ac-ef91-4993-8bf6-25c61ab0ca5a
|
|||
name: SOURGUM Actor IOC - July 2021
|
||||
description: |
|
||||
'Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM'
|
||||
severity: High
|
||||
severity: High
|
||||
status: Available
|
||||
requiredDataConnectors:
|
||||
- connectorId: WindowsSecurityEvents
|
||||
dataTypes:
|
|
@ -0,0 +1,89 @@
|
|||
{
|
||||
"id": "WindowsForwardedEvents",
|
||||
"title": "Windows Forwarded Events",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organization’s network and improves your security operation capabilities.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "WindowsEvents",
|
||||
"baseQuery": "WindowsEvent"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description": "All logs",
|
||||
"query": "WindowsEvent\n | sort by TimeGenerated"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "WindowsForwardedEvents",
|
||||
"value": null
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "WindowsEvents",
|
||||
"lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 2,
|
||||
"isPreview": false,
|
||||
"featureFlag": {
|
||||
"feature": "WindowsForwardedEventsFeature",
|
||||
"featureStates": {
|
||||
"1": 2,
|
||||
"2": 2,
|
||||
"3": 2,
|
||||
"4": 2,
|
||||
"5": 2
|
||||
}
|
||||
}
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces/datasources",
|
||||
"permissionsDisplayText": "read and write permissions.",
|
||||
"providerDisplayName": "Workspace data sources",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"read": true,
|
||||
"write": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"customs": [
|
||||
{
|
||||
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"title": "Enable data collection rule",
|
||||
"description": "> Windows Forwarded Events logs are collected only from **Windows** agents.",
|
||||
"instructions": [
|
||||
{
|
||||
"type": "WindowsForwardedEvents"
|
||||
},
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "OpenCreateDataCollectionRule",
|
||||
"dataCollectionRuleType": 1
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
},
|
||||
{
|
||||
"parameters": {
|
||||
"linkType": "OpenCustomDeploymentBlade",
|
||||
"dataCollectionRuleType": 1
|
||||
},
|
||||
"type": "InstallAgent"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
"Name": "Windows Forwarded Events",
|
||||
"Author": "Microsoft - support@microsoft.com",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The Windows Forwarded Events solution allows you to ingest all [Windows Event Forwarding](https://docs.microsoft.com/advanced-threat-analytics/configure-event-collection) (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)",
|
||||
"Data Connectors": [
|
||||
"Data Connectors/WindowsForwardedEvents.json"
|
||||
],
|
||||
"Analytic Rules": [
|
||||
"Analytic Rules/ChiaCryptoMining_WindowsEvent.yaml",
|
||||
"Analytic Rules/SOURGUM_IOC_WindowsEvent.yaml"
|
||||
],
|
||||
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Forwarded Events",
|
||||
"Version": "2.0.0",
|
||||
"Metadata": "SolutionMetadata.json",
|
||||
"TemplateSpec": true,
|
||||
"Is1Pconnector": true
|
||||
}
|
Двоичный файл не отображается.
|
@ -0,0 +1,141 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
|
||||
"handler": "Microsoft.Azure.CreateUIDef",
|
||||
"version": "0.1.2-preview",
|
||||
"parameters": {
|
||||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Windows Forwarded Events solution allows you to ingest all [Windows Event Forwarding](https://docs.microsoft.com/advanced-threat-analytics/configure-event-collection) (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\n**Underlying Microsoft Technologies used:**\n\nThis solution is dependent on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Agent based logs collection from Windows and Linux machines](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-custom-logs)\n\n**Data Connectors:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"Microsoft.Insights/workbooks",
|
||||
"Microsoft.Logic/workflows"
|
||||
]
|
||||
},
|
||||
"location": {
|
||||
"metadata": {
|
||||
"hidden": "Hiding location, we get it from the log analytics workspace"
|
||||
},
|
||||
"visible": false
|
||||
},
|
||||
"resourceGroup": {
|
||||
"allowExisting": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"basics": [
|
||||
{
|
||||
"name": "getLAWorkspace",
|
||||
"type": "Microsoft.Solutions.ArmApiControl",
|
||||
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
|
||||
"condition": "[greater(length(resourceGroup().name),0)]",
|
||||
"request": {
|
||||
"method": "GET",
|
||||
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workspace",
|
||||
"type": "Microsoft.Common.DropDown",
|
||||
"label": "Workspace",
|
||||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
}
|
||||
],
|
||||
"steps": [
|
||||
{
|
||||
"name": "dataconnectors",
|
||||
"label": "Data Connectors",
|
||||
"bladeTitle": "Data Connectors",
|
||||
"elements": [
|
||||
{
|
||||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for Windows Forwarded Events. You can get Windows Forwarded Events custom log data in your Microsoft Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) WindowsEvents in your Microsoft Sentinel / Azure Log Analytics workspace."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "dataconnectors-link2",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more about connecting data sources",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytics",
|
||||
"label": "Analytics",
|
||||
"subLabel": {
|
||||
"preValidation": "Configure the analytics",
|
||||
"postValidation": "Done"
|
||||
},
|
||||
"bladeTitle": "Analytics",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytics-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "analytics-link",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"link": {
|
||||
"label": "Learn more",
|
||||
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "analytic1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity."
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "SOURGUM Actor IOC - July 2021",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"location": "[location()]",
|
||||
"workspace": "[basics('workspace')]"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,591 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"metadata": {
|
||||
"author": "Microsoft - support@microsoft.com",
|
||||
"comments": "Solution template for Windows Forwarded Events"
|
||||
},
|
||||
"parameters": {
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"solutionId": "azuresentinel.azure-sentinel-solution-windowsforwardedevents-preview",
|
||||
"_solutionId": "[variables('solutionId')]",
|
||||
"email": "support@microsoft.com",
|
||||
"_email": "[variables('email')]",
|
||||
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
|
||||
"uiConfigId1": "WindowsForwardedEvents",
|
||||
"_uiConfigId1": "[variables('uiConfigId1')]",
|
||||
"dataConnectorContentId1": "WindowsForwardedEvents",
|
||||
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
|
||||
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"_dataConnectorId1": "[variables('dataConnectorId1')]",
|
||||
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
|
||||
"dataConnectorVersion1": "1.0.0",
|
||||
"analyticRuleVersion1": "1.0.1",
|
||||
"analyticRulecontentId1": "4d173248-439b-4741-8b37-f63ad0c896ae",
|
||||
"_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
|
||||
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
|
||||
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
|
||||
"analyticRuleVersion2": "1.0.0",
|
||||
"analyticRulecontentId2": "066395ac-ef91-4993-8bf6-25c61ab0ca5a",
|
||||
"_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
|
||||
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
|
||||
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[variables('dataConnectorTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "DataConnector"
|
||||
},
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events data connector with template",
|
||||
"displayName": "Windows Forwarded Events template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "DataConnector"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events data connector with template version 2.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('dataConnectorVersion1')]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
|
||||
"apiVersion": "2021-03-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "StaticUI",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"id": "[variables('_uiConfigId1')]",
|
||||
"title": "Windows Forwarded Events",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organization’s network and improves your security operation capabilities.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "WindowsEvents",
|
||||
"baseQuery": "WindowsEvent"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "WindowsForwardedEvents",
|
||||
"value": null
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "WindowsEvents",
|
||||
"lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
|
||||
"properties": {
|
||||
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"kind": "DataConnector",
|
||||
"version": "[variables('dataConnectorVersion1')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Windows Forwarded Events",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
|
||||
"dependsOn": [
|
||||
"[variables('_dataConnectorId1')]"
|
||||
],
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"kind": "DataConnector",
|
||||
"version": "[variables('dataConnectorVersion1')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Windows Forwarded Events",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
|
||||
"apiVersion": "2021-03-01-preview",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"kind": "StaticUI",
|
||||
"properties": {
|
||||
"connectorUiConfig": {
|
||||
"title": "Windows Forwarded Events",
|
||||
"publisher": "Microsoft",
|
||||
"descriptionMarkdown": "You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using Azure Monitor Agent (AMA).\n\tThis connection enables you to view dashboards, create custom alerts, and improve investigation.\n\tThis gives you more insight into your organization’s network and improves your security operation capabilities.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "WindowsEvents",
|
||||
"baseQuery": "WindowsEvent"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "WindowsEvents",
|
||||
"lastDataReceivedQuery": "WindowsEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "WindowsForwardedEvents",
|
||||
"value": null
|
||||
}
|
||||
],
|
||||
"id": "[variables('_uiConfigId1')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[variables('analyticRuleTemplateSpecName1')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "AnalyticsRule"
|
||||
},
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events Analytics Rule 1 with template",
|
||||
"displayName": "Windows Forwarded Events Analytics Rule template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "AnalyticsRule"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "ChiaCryptoMining_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleVersion1')]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
|
||||
"name": "[variables('AnalyticRulecontentId1')]",
|
||||
"apiVersion": "2022-04-01-preview",
|
||||
"kind": "Scheduled",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.",
|
||||
"displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
|
||||
"enabled": false,
|
||||
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\nWindowsEvent\n| where EventID == '4688' and EventData has_any (process)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| where NewProcessName has_any (process)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n , Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n , NewProcessId = tostring(EventData.NewProcessId)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n",
|
||||
"queryFrequency": "PT6H",
|
||||
"queryPeriod": "PT6H",
|
||||
"severity": "Low",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": false,
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"status": "Available",
|
||||
"requiredDataConnectors": [
|
||||
{
|
||||
"dataTypes": [
|
||||
"SecurityEvents"
|
||||
],
|
||||
"connectorId": "WindowsSecurityEvents"
|
||||
},
|
||||
{
|
||||
"dataTypes": [
|
||||
"WindowsEvent"
|
||||
],
|
||||
"connectorId": "WindowsForwardedEvents"
|
||||
}
|
||||
],
|
||||
"tactics": [
|
||||
"Impact"
|
||||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "AccountCustomEntity",
|
||||
"identifier": "FullName"
|
||||
}
|
||||
],
|
||||
"entityType": "Account"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "FullName"
|
||||
}
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "IPCustomEntity",
|
||||
"identifier": "Address"
|
||||
}
|
||||
],
|
||||
"entityType": "IP"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "FileCustomEntity",
|
||||
"identifier": "Name"
|
||||
},
|
||||
{
|
||||
"columnName": "FilePathCustomEntity",
|
||||
"identifier": "Directory"
|
||||
}
|
||||
],
|
||||
"entityType": "File"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "FileHashAlgo",
|
||||
"identifier": "Algorithm"
|
||||
},
|
||||
{
|
||||
"columnName": "FileHashCustomEntity",
|
||||
"identifier": "Value"
|
||||
}
|
||||
],
|
||||
"entityType": "FileHash"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events Analytics Rule 1",
|
||||
"parentId": "[variables('analyticRuleId1')]",
|
||||
"contentId": "[variables('_analyticRulecontentId1')]",
|
||||
"kind": "AnalyticsRule",
|
||||
"version": "[variables('analyticRuleVersion1')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Windows Forwarded Events",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[variables('analyticRuleTemplateSpecName2')]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "AnalyticsRule"
|
||||
},
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events Analytics Rule 2 with template",
|
||||
"displayName": "Windows Forwarded Events Analytics Rule template"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Resources/templateSpecs/versions",
|
||||
"apiVersion": "2021-05-01",
|
||||
"name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"tags": {
|
||||
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
|
||||
"hidden-sentinelContentType": "AnalyticsRule"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
|
||||
],
|
||||
"properties": {
|
||||
"description": "SOURGUM_IOC_WindowsEvent_AnalyticalRules Analytics Rule with template version 2.0.0",
|
||||
"mainTemplate": {
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "[variables('analyticRuleVersion2')]",
|
||||
"parameters": {},
|
||||
"variables": {},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
|
||||
"name": "[variables('AnalyticRulecontentId2')]",
|
||||
"apiVersion": "2022-04-01-preview",
|
||||
"kind": "Scheduled",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM",
|
||||
"displayName": "SOURGUM Actor IOC - July 2021",
|
||||
"enabled": false,
|
||||
"query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\nWindowsEvent\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any ('reg add') or EventData has_any (reg_key) )\n| extend CommandLine = tostring(EventData.CommandLine)\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where (CommandLine has_any (file_path1)) or\n (CommandLine has_any (file_path3)) or\n (CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \n (NewProcessName has_any (file_path1)) or\n (NewProcessName has_any (file_path3)) or\n (ParentProcessName has_any (file_path1)) or \n (ParentProcessName has_any (file_path3)) \n| extend Account = strcat(EventData.SubjectDomainName,\"\\\\\", EventData.SubjectUserName)\n| extend NewProcessId = tostring(EventData.NewProcessId)\n| extend IPCustomEntity = tostring(EventData.IpAddress)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n",
|
||||
"queryFrequency": "PT6H",
|
||||
"queryPeriod": "PT6H",
|
||||
"severity": "High",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": false,
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"status": "Available",
|
||||
"requiredDataConnectors": [
|
||||
{
|
||||
"dataTypes": [
|
||||
"SecurityEvents"
|
||||
],
|
||||
"connectorId": "WindowsSecurityEvents"
|
||||
},
|
||||
{
|
||||
"dataTypes": [
|
||||
"WindowsEvent"
|
||||
],
|
||||
"connectorId": "WindowsForwardedEvents"
|
||||
}
|
||||
],
|
||||
"tactics": [
|
||||
"Persistence"
|
||||
],
|
||||
"entityMappings": [
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "AccountCustomEntity",
|
||||
"identifier": "FullName"
|
||||
}
|
||||
],
|
||||
"entityType": "Account"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "HostCustomEntity",
|
||||
"identifier": "FullName"
|
||||
}
|
||||
],
|
||||
"entityType": "Host"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "IPCustomEntity",
|
||||
"identifier": "Address"
|
||||
}
|
||||
],
|
||||
"entityType": "IP"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "ProcessCustomEntity",
|
||||
"identifier": "ProcessId"
|
||||
}
|
||||
],
|
||||
"entityType": "Process"
|
||||
},
|
||||
{
|
||||
"fieldMappings": [
|
||||
{
|
||||
"columnName": "AlgorithmCustomEntity",
|
||||
"identifier": "Algorithm"
|
||||
},
|
||||
{
|
||||
"columnName": "FileHashCustomEntity",
|
||||
"identifier": "Value"
|
||||
}
|
||||
],
|
||||
"entityType": "FileHash"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
|
||||
"properties": {
|
||||
"description": "Windows Forwarded Events Analytics Rule 2",
|
||||
"parentId": "[variables('analyticRuleId2')]",
|
||||
"contentId": "[variables('_analyticRulecontentId2')]",
|
||||
"kind": "AnalyticsRule",
|
||||
"version": "[variables('analyticRuleVersion2')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Windows Forwarded Events",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
|
||||
"apiVersion": "2022-01-01-preview",
|
||||
"location": "[parameters('workspace-location')]",
|
||||
"properties": {
|
||||
"version": "2.0.0",
|
||||
"kind": "Solution",
|
||||
"contentSchemaVersion": "2.0.0",
|
||||
"contentId": "[variables('_solutionId')]",
|
||||
"parentId": "[variables('_solutionId')]",
|
||||
"source": {
|
||||
"kind": "Solution",
|
||||
"name": "Windows Forwarded Events",
|
||||
"sourceId": "[variables('_solutionId')]"
|
||||
},
|
||||
"author": {
|
||||
"name": "Microsoft",
|
||||
"email": "[variables('_email')]"
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
},
|
||||
"dependencies": {
|
||||
"operator": "AND",
|
||||
"criteria": [
|
||||
{
|
||||
"kind": "DataConnector",
|
||||
"contentId": "[variables('_dataConnectorContentId1')]",
|
||||
"version": "[variables('dataConnectorVersion1')]"
|
||||
},
|
||||
{
|
||||
"kind": "AnalyticsRule",
|
||||
"contentId": "[variables('analyticRulecontentId1')]",
|
||||
"version": "[variables('analyticRuleVersion1')]"
|
||||
},
|
||||
{
|
||||
"kind": "AnalyticsRule",
|
||||
"contentId": "[variables('analyticRulecontentId2')]",
|
||||
"version": "[variables('analyticRuleVersion2')]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"firstPublishDate": "2022-05-02",
|
||||
"providers": [
|
||||
"Microsoft"
|
||||
],
|
||||
"categories": {
|
||||
"domains": [
|
||||
"IT Operations"
|
||||
]
|
||||
}
|
||||
},
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
"publisherId": "azuresentinel",
|
||||
"offerId": "azure-sentinel-solution-windowsforwardedevents",
|
||||
"firstPublishDate": "2022-05-02",
|
||||
"providers": ["Microsoft"],
|
||||
"categories": {
|
||||
"domains" : ["IT Operations"],
|
||||
"verticals": []
|
||||
},
|
||||
"support": {
|
||||
"name": "Microsoft Corporation",
|
||||
"email": "support@microsoft.com",
|
||||
"tier": "Microsoft",
|
||||
"link": "https://support.microsoft.com"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Загрузка…
Ссылка в новой задаче