Merge branch 'master' into pr/10450

PrasadBoke 2024-05-21 18:10:06 +05:30
Родитель 9142428af8 bfe8e1c2de
Коммит 6bb4c4faf7
278 изменённых файлов: 18446 добавлений и 2242 удалений


@ -1,4 +1,4 @@
# Each pull request that updates ASimDns, ASimNetworkSession, or ASimWebSession parsers triggers the script.
# Each pull request that updates ASIM parsers triggers the script.
# The script generates deployable ARM templates based on ASim parsers YAML files and pushes them to the pull request branch.
name: Convert Kql function yaml to ARM template
on:


@ -1,3 +1,5 @@
# Each pull request that updates ASIM parsers triggers the script.
# The script runs ASIM Schema amd Data testers on the "eco-connector-test" workspace.
name: Run ASIM testers on "eco-connector-test" workspace
on:
pull_request:
@ -8,6 +10,11 @@ on:
- 'Parsers/ASimWebSession/Parsers/**'
- 'Parsers/ASimProcessEvent/Parsers/**'
- 'Parsers/ASimAuditEvent/Parsers/**'
- 'Parsers/ASimAuthentication/Parsers/**'
- 'Parsers/ASimFileEvent/Parsers/**'
- 'Parsers/ASimRegistryEvent/Parsers/**'
- 'Parsers/ASimUserManagement/Parsers/**'
- 'Parsers/ASimDhcpEvent/Parsers/**'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
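Review bot: The header comment added in the first hunk has a typo ("amd"); since it is the only description of what this workflow does, it is worth getting right: `# The script runs ASIM Schema and Data testers on the "eco-connector-test" workspace.`. The `paths` list in the second hunk continues above the hunk, so I cannot tell from here whether the older ASim schemas (Dns, NetworkSession) are still covered alongside the five new entries.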


@ -0,0 +1,49 @@
{
"name": "Illumio_Auditable_Events_CL",
"Properties": [
{
"name": "TimeGenerated",
"type": "DateTime"
},
{
"name": "href",
"type": "String"
},
{
"name": "pce_fqdn",
"type": "String"
},
{
"name": "created_by",
"type": "dynamic"
},
{
"name": "event_type",
"type": "String"
},
{
"name": "status",
"type": "String"
},
{
"name": "severity",
"type": "String"
},
{
"name": "action",
"type": "dynamic"
},
{
"name": "resource_changes",
"type": "dynamic"
},
{
"name": "notifications",
"type": "dynamic"
},
{
"name": "version",
"type": "int"
}
]
}
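Review bot: Column type names in this new table definition are capitalized (`DateTime`, `String`) while the Illumio_Flow_Events_CL definition added in the same commit uses lowercase (`datetime`, `string`), with `dynamic` and `int` lowercase in both. If whatever consumes these files to build the Log Analytics table schema matches type names case-sensitively, one of the two files will fail where the other succeeds; normalizing this file to `"type": "datetime"` and `"type": "string"` removes the ambiguity either way. I cannot see the consumer from this page, so treat the failure mode as unconfirmed, but the inconsistency itself is visible.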


@ -0,0 +1,125 @@
{
"name": "Illumio_Flow_Events_CL",
"Properties": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "dst_dbi",
"type": "int"
},
{
"name": "dst_dbo",
"type": "int"
},
{
"name": "dst_tbi",
"type": "int"
},
{
"name": "dst_tbo",
"type": "int"
},
{
"name": "ddms",
"type": "int"
},
{
"name": "tdms",
"type": "int"
},
{
"name": "pn",
"type": "string"
},
{
"name": "un",
"type": "string"
},
{
"name": "src_ip",
"type": "string"
},
{
"name": "dst_ip",
"type": "string"
},
{
"name": "class",
"type": "string"
},
{
"name": "proto",
"type": "int"
},
{
"name": "dst_port",
"type": "int"
},
{
"name": "flow_count",
"type": "int"
},
{
"name": "dir",
"type": "string"
},
{
"name": "org_id",
"type": "int"
},
{
"name": "state",
"type": "string"
},
{
"name": "pd_qualifier",
"type": "int"
},
{
"name": "pd",
"type": "int"
},
{
"name": "src_hostname",
"type": "string"
},
{
"name": "src_href",
"type": "string"
},
{
"name": "dst_hostname",
"type": "string"
},
{
"name": "dst_href",
"type": "string"
},
{
"name": "network",
"type": "string"
},
{
"name": "src_labels",
"type": "dynamic"
},
{
"name": "dst_labels",
"type": "dynamic"
},
{
"name": "interval_sec",
"type": "int"
},
{
"name": "pce_fqdn",
"type": "string"
},
{
"name": "version",
"type": "int"
}
]
}



@ -101,6 +101,7 @@ def main(mytimer: func.TimerRequest) -> None:
payload.update({'Resources':finding['Resources']})
payload.update({'WorkflowState':finding['WorkflowState']})
payload.update({'RecordState':finding['RecordState']})
payload.update({'Compliance':finding['Compliance']})
with sentinel:
sentinel.send(payload)
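Review bot: The added `finding['Compliance']` raises `KeyError` for any finding that carries no `Compliance` object, and because it runs before `sentinel.send(payload)` inside the loop, one such finding aborts the whole timer run and drops the remaining findings. `Resources`, `WorkflowState` and `RecordState` are mandatory ASFF fields, but `Compliance` is optional and, as far as the ASFF schema goes, only populated for control-based findings. Use `payload.update({'Compliance': finding.get('Compliance')})`, or guard it with `if 'Compliance' in finding:` so the key is omitted rather than sent as null. The enclosing `main` starts before this hunk, so I cannot see whether an outer try/except already narrows the blast radius.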


@ -1,9 +1,8 @@
id: a6c435a2-b1a0-466d-b730-9f8af69262e8
name: Brute force attack against user credentials (Uses Authentication Normalization)
description: |
'Identifies evidence of brute force activity against a user based on multiple authentication failures
and at least one successful authentication within a given time window. Note that the query does not enforce any sequence,
and does not require the successful authentication to occur last.
'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.
Note that the query does not enforce any sequence, and does not require the successful authentication to occur last.
The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
severity: Medium
@ -65,7 +64,7 @@ entityMappings:
customDetails:
IpAddresses: IpAddresses
ReportedBy: ReportedBy
version: 1.2.4
version: 1.2.5
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: 983a6922-894d-413c-9f04-d7add0ecc307
name: Potential DGA detected (ASIM DNS Schema)
description: |
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains
where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with
'Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with
NXDomain records in prior 10-day baseline period).
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'
severity: Medium
@ -72,7 +71,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.3.3
version: 1.3.4
kind: Scheduled
metadata:
source:


@ -1,7 +1,7 @@
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
description: |
This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.<br><br>
This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.
severity: Low
requiredDataConnectors:
@ -49,7 +49,7 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
version: 1.0.4
version: 1.0.5
kind: Scheduled
metadata:
source:
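Review bot: `alertDisplayNameFormat` in the second hunk has a malformed placeholder, `{{SrcIpAddr}` with a single closing brace, so the alert title will not substitute the source address (compare the well-formed `{{SrcIpAddr}}` in `alertDescriptionFormat` on the next line). Since the commit bumps the rule version anyway, fix it here: `alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}}`. Separately, the description link `https://aka.ms/AboutSIM` differs from the `https://aka.ms/AboutASIM` used by the other ASIM rules in this commit and looks like a typo.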


@ -1,7 +1,8 @@
id: 9176b18f-a946-42c6-a2f6-0f6d17cd6a8a
name: Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)
description: |
'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. <br>
'This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA).
DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is.
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
severity: Medium
requiredDataConnectors:
@ -108,7 +109,7 @@ alertDetailsOverride:
customDetails:
DGAPattern: DGADomain
NameCount: NameCount
version: 1.1.3
version: 1.1.4
kind: Scheduled
metadata:
source:
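Review bot: The rewritten description line still carries the typo "nad" in "what normal domains look like nad uses the model"; while the line is being reflowed it should read `...build a model of what normal domains look like and uses the model to identify domains...`. The rest of the reflow is wording-only and fine.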


@ -1,7 +1,7 @@
id: 3f0c20d5-6228-48ef-92f3-9ff7822c1954
name: A host is potentially running a hacking tool (ASIM Web Session schema)
description: |
'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br>
'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
severity: Medium
tags:
@ -60,7 +60,7 @@ customDetails:
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.1.3
version: 1.1.4
kind: Scheduled
metadata:
source:


@ -2,9 +2,7 @@ id: 5239248b-abfb-4c6a-8177-b104ade5db56
name: Azure VM Run Command operations executing a unique PowerShell script
description: |
'Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.
The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports
and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed
in your environment.'
The uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports and the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed in your environment.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActivity
@ -105,7 +103,7 @@ entityMappings:
columnName: VirtualMachineName
- identifier: AzureID
columnName: Scope
version: 1.0.7
version: 1.0.8
kind: Scheduled
metadata:
source:


@ -1,8 +1,8 @@
id: baedfdf4-7cc8-45a1-81a9-065821628b83
name: RunningRAT request parameters
description: |
'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. Id the device blocked this communication
presence of this alert means the RunningRAT implant is likely still executing on the source host.'
'This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request.
Id the device blocked this communication presence of this alert means the RunningRAT implant is likely still executing on the source host.'
severity: High
requiredDataConnectors:
- connectorId: Zscaler
@ -52,7 +52,7 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: RequestURL
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:
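Review bot: Both rewritten description lines keep errors that change the meaning: "are detect" should be "are detected", and "Id the device blocked this communication presence of this alert" reads as a noun rather than a condition. Suggested wording: `'This detection will alert when RunningRAT URI parameters or paths are detected in an HTTP request.` followed by `If the device blocked this communication, the presence of this alert means the RunningRAT implant is likely still executing on the source host.'`.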


@ -3,11 +3,9 @@ name: Fortinet - Beacon pattern detected
description: |
'Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.
Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.
The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a
detection is set to 4.
The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a detection is set to 4.
Increase the lookback period to capture beacons with larger periodicities.
The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with
automatically using series_outliers.
The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with automatically using series_outliers.
Note: In large environments it may be necessary to reduce the lookback period to get fast query times.'
severity: Low
requiredDataConnectors:
@ -74,7 +72,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: DestinationIP
version: 1.0.4
version: 1.0.5
kind: Scheduled
metadata:
source:
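Review bot: The reflowed jitter sentence still has "infered"; while the line is being rewritten it should read `...an overall 20% deviation from the inferred beacon periodicity.`. Nothing else in the hunk changes meaning.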


@ -1,9 +1,8 @@
id: 4acd3a04-2fad-4efc-8a4b-51476594cec4
name: Possible contact with a domain generated by a DGA
description: |
'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used
by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model
of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.
'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance.
This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.
The triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.
The start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.'
severity: Medium
@ -119,7 +118,7 @@ entityMappings:
fieldMappings:
- identifier: DomainName
columnName: Name
version: 1.0.3
version: 1.0.4
kind: Scheduled
metadata:
source:


@ -1,14 +1,8 @@
id: 3cc5ccd8-b416-4141-bb2d-4eba370e37a5
name: OMI Vulnerability Exploitation
description: |
Following the September 14th, 2021 release of three Elevation of Privilege
(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one
unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in
the Open Management Infrastructure (OMI) Framework.
This detection validates that any OMS-agent that is reporting to the Microsoft
Sentinel workspace is updated with the patch. The detection will go over the
heartbeats received from all agents over the last day and will create alert
for those agents who are not updated.
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.
This detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.
requiredDataConnectors: []
severity: Medium
queryFrequency: 1d
@ -48,7 +42,7 @@ customDetails:
OSType: OSType
OSName: OSName
kind: Scheduled
version: 1.1.3
version: 1.1.4
metadata:
source:
kind: Community


@ -1,8 +1,7 @@
id: f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e
name: Users searching for VIP user activity
description: |
This query monitors for users running Log Analytics queries that contain filters
for specific, defined VIP user accounts or the VIPUser watchlist template.
This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template.
Use this detection to alert for users specifically searching for activity of sensitive users.
severity: Low
requiredDataConnectors: []
@ -38,7 +37,7 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: RequestTarget
version: 1.1.3
version: 1.1.4
kind: Scheduled
metadata:
source:


@ -2,8 +2,7 @@ id: ba144bf8-75b8-406f-9420-ed74397f9479
name: IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
description: |
This query creates a list of IP addresses with the number of failed login attempts to Entra ID
above a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any
of these IPs within the same timeframe.
above a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any of these IPs within the same timeframe.
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
@ -74,7 +73,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SourceIP
version: 1.0.3
version: 1.0.4
kind: Scheduled
metadata:
source:


@ -3,8 +3,7 @@ name: Audit policy manipulation using auditpol utility
description: |
This detects attempts to manipulate audit policies using auditpol command.
This technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.
The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but
if the results show unrelated false positives, users may want to uncomment it.
The process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but if the results show unrelated false positives, users may want to uncomment it.
Refer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol
Refer to our M365 blog for details on use during the Solorigate attack:
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
@ -94,7 +93,7 @@ entityMappings:
fieldMappings:
- identifier: HostName
columnName: DeviceName
version: 1.2.2
version: 1.2.3
kind: Scheduled
metadata:
source:


@ -1,10 +1,7 @@
id: a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc
name: IP address of Windows host encoded in web request
description: |
'This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query
joins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine
within your network was seen with it's IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM's
RunningRAT tool, however the detection is generic.'
'This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query joins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. Alerts indicate that the IP address of a machine within your network was seen with it's IP address base64 encoded in an outbound web request. This method of egressing the IP was seen used in POLONIUM's RunningRAT tool, however the detection is generic.'
severity: Medium
requiredDataConnectors:
- connectorId: Zscaler
@ -91,7 +88,7 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: RequestURL
version: 1.0.1
version: 1.0.2
kind: Scheduled
metadata:
source:
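Review bot: The rewritten description fixes "outbounf" but leaves two other errors on the same line: "idnetify" and "it's IP address" (possessive, so "its"). Suggested: `...joins with DeviceNetworkEvents to identify any machine within the network using that IP address. Alerts indicate that the IP address of a machine within your network was seen with its IP address base64 encoded in an outbound web request...`. Fixing all of them in one version bump avoids another bump later.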


@ -1,10 +1,8 @@
id: 2c701f94-783c-4cd4-bc9b-3b3334976090
name: Exchange Worker Process Making Remote Call
description: |
'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process
initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as
post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was
use to download additional tools to the server. This suspicious activity is generic.'
'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.
This behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureMonitor(IIS)
@ -59,7 +57,7 @@ entityMappings:
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.1.1
version: 1.1.2
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: a357535e-f722-4afe-b375-cff362b2b376
name: Malformed user agent
description: |
'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.
Malformed user agents can be an indication of such malware.'
'Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware. Malformed user agents can be an indication of such malware.'
severity: Medium
requiredDataConnectors:
- connectorId: WAF
@ -97,7 +96,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SourceIP
version: 1.0.5
version: 1.0.6
kind: Scheduled
metadata:
source:


@ -2,8 +2,7 @@ id: 0b9ae89d-8cad-461c-808f-0494f70ad5c4
name: Multiple Password Reset by user
description: |
'This query will determine multiple password resets by user across multiple data sources.
Account manipulation including password reset may aid adversaries in maintaining access to credentials
and certain permission levels within an environment.'
Account manipulation including password reset may aid adversaries in maintaining access to credentials and certain permission levels within an environment.'
severity: Low
requiredDataConnectors:
- connectorId: AzureActiveDirectory
@ -124,7 +123,7 @@ entityMappings:
columnName: TargetName
- identifier: UPNSuffix
columnName: TargetUPNSuffix
version: 2.1.6
version: 2.1.7
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: bca9c877-2afc-4246-a26d-087ab1cdcd5f
name: Prestige ransomware IOCs Oct 2022
description: |
'This query looks for file hashes and AV signatures associated with Prestige ransomware
payload.'
'This query looks for file hashes and AV signatures associated with Prestige ransomware payload.'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -112,7 +111,7 @@ entityMappings:
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.0.3
version: 1.0.4
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: 11bda520-a965-4654-9a45-d09f372f71aa
name: Azure VM Run Command operation executed during suspicious login window
description: |
'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address
that has resulted in a recent user entity behaviour alert.'
'Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert.'
severity: High
requiredDataConnectors:
- connectorId: AzureActivity
@ -67,7 +66,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: CallerIpAddress
version: 1.0.9
version: 1.0.10
kind: Scheduled
metadata:
source:


@ -2,8 +2,7 @@ id: 157c0cfc-d76d-463b-8755-c781608cdc1a
name: Cisco - firewall block but success logon to Microsoft Entra ID
description: |
'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.
Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect
and could indicate credential compromise for the user account.'
Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoASA
@ -55,7 +54,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SourceIP
version: 1.0.5
version: 1.0.6
kind: Scheduled
metadata:
source:


@ -1,7 +1,7 @@
id: 48602a24-67cf-4362-b258-3f4249e55def
name: Suspicious modification of Global Administrator user properties
description: |
' This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.
'This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.
Investigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity'
severity: Medium
requiredDataConnectors:
@ -75,7 +75,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 1.0.3
version: 1.0.4
kind: Scheduled
metadata:
source:


@ -1,9 +1,7 @@
id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
name: Suspicious VM Instance Creation Activity Detected
description: |
'
This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
'
'This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.'
severity: Medium
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
@ -140,4 +138,4 @@ alertDetailsOverride:
- alertProperty: ProductComponentName
value: "Microsoft Defender"
kind: Scheduled
version: 1.0.3
version: 1.0.4


@ -1,8 +1,8 @@
id: 5f171045-88ab-4634-baae-a7b6509f483b
name: AV detections related to Dev-0530 actors
description: |
'This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.'
'This query looks for Microsoft Defender AV detections related to Dev-0530 actors.
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -46,7 +46,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
version: 1.0.4
version: 1.0.5
kind: Scheduled
metadata:
source:


@ -1,8 +1,8 @@
id: 186970ee-5001-41c1-8c73-3178f75ce96a
name: AV detections related to Europium actors
description: |
'This query looks for Microsoft Defender AV detections related to Europium actor. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.
'This query looks for Microsoft Defender AV detections related to Europium actor.
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.
Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government '
severity: High
requiredDataConnectors:
@ -47,7 +47,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
version: 1.1.1
version: 1.1.2
kind: Scheduled
metadata:
source:


@ -1,8 +1,8 @@
id: 4e5914a4-2ccd-429d-a845-fa597f0bd8c5
name: AV detections related to Hive Ransomware
description: |
'This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,
this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.'
'This query looks for Microsoft Defender AV detections related to Hive Ransomware.
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.'
severity: High
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
@ -46,7 +46,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
version: 1.0.4
version: 1.0.5
kind: Scheduled
metadata:
source:


@ -2,8 +2,7 @@ id: a333d8bf-22a3-4c55-a1e9-5f0a135c0253
name: Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
description: |
'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR.
In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group,
IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert.
In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert.
Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 ,
https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'
severity: High
@ -49,7 +48,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: PublicIP
version: 1.0.5
version: 1.0.6
kind: Scheduled
metadata:
source:


@ -2,7 +2,7 @@ id: d714ef62-1a56-4779-804f-91c4158e528d
name: Modification of Accessibility Features
description: |
'Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]
Two common accessibility programs are C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]
Ref: https://attack.mitre.org/techniques/T1546/008/'
severity: Medium
requiredDataConnectors:
@ -61,7 +61,7 @@ entityMappings:
columnName: ImageFileName
- identifier: Directory
columnName: ImageDirectory
version: 1.0.3
version: 1.0.4
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: a7564d76-ec6b-4519-a66b-fcc80c42332b
name: Group created then added to built in domain local or global group
description: |
'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the
Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.
'Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.
References: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.'
severity: Medium
requiredDataConnectors:
@ -138,7 +137,7 @@ entityMappings:
columnName: GroupAddHostName
- identifier: DnsDomain
columnName: GroupAddHostNameDomain
version: 1.1.6
version: 1.1.7
kind: Scheduled
metadata:
source:


@ -3,10 +3,8 @@ name: Potential Kerberoasting
description: |
'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.
Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.
An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains
a hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive
requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number
of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.'
An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.
This hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.'
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
@ -107,7 +105,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: ClientIPAddress
version: 1.1.6
version: 1.1.7
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: 69a45b05-71f5-45ca-8944-2e038747fb39
name: RDP Nesting
description: |
'Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system
to another system with the same account within 60 minutes.
'Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system to another system with the same account within 60 minutes.
Connection counts of 5 or more to the same computer set from the same account are excluded.
RDP connections are indicated by the logged EventID 4624 with LogonType = 10.'
severity: Medium
@ -133,7 +132,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: FirstIPAddress
version: 1.2.5
version: 1.2.6
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: a35f2c18-1b97-458f-ad26-e033af18eb99
name: User account added to built in domain local or global group
description: |
'Identifies when a user account has been added to a privileged built in domain local group or global group
such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.'
'Identifies when a user account has been added to a privileged built in domain local group or global group such as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.'
severity: Low
requiredDataConnectors:
- connectorId: SecurityEvents
@ -100,7 +99,7 @@ entityMappings:
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.3.7
version: 1.3.8
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: 4b93c5af-d20b-4236-b696-a28b8c51407f
name: User account created and deleted within 10 mins
description: |
'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and
an adversary attempting to hide in the noise.'
'Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
@ -136,7 +135,7 @@ entityMappings:
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.2.1
version: 1.2.2
kind: Scheduled
metadata:
source:


@ -1,8 +1,7 @@
id: 3d023f64-8225-41a2-9570-2bd7c2c4535e
name: User account enabled and disabled within 10 mins
description: |
'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and
an adversary attempting to hide in the noise.'
'Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and an adversary attempting to hide in the noise.'
severity: Medium
requiredDataConnectors:
- connectorId: SecurityEvents
@ -137,7 +136,7 @@ entityMappings:
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.2.2
version: 1.2.3
kind: Scheduled
metadata:
source:


@ -1,8 +1,8 @@
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and
helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.
OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
@ -37,7 +37,7 @@ entityMappings:
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.0.4
version: 1.0.5
kind: Scheduled
metadata:
source:


@ -3,10 +3,8 @@ name: High count of failed attempts from same client IP
description: |
'Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.
This could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.
Recommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized,
potentially block these connections at the edge device.
If these are expected connections, verify the credentials are properly configured on the system, service, application or device
that is associated with the client IP.
Recommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, potentially block these connections at the edge device.
If these are expected connections, verify the credentials are properly configured on the system, service, application or device that is associated with the client IP.
References:
IIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0
Win32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx'
@ -81,7 +79,7 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: cIP
version: 1.0.3
version: 1.0.4
kind: Scheduled
metadata:
source:


@ -1,10 +1,8 @@
id: 968358d6-6af8-49bb-aaa4-187b3067fb95
name: Exchange SSRF Autodiscover ProxyShell - Detection
description: |
'This query looks for suspicious request patterns to Exchange servers that fit patterns recently
blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange
which eventually allows the attacker to execute arbitrary Powershell on the server. In the example
powershell can be used to write an email to disk with an encoded attachment containing a shell.
'This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server.
In the example powershell can be used to write an email to disk with an encoded attachment containing a shell.
Reference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1'
severity: High
requiredDataConnectors:
@ -54,7 +52,7 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: _ResourceId
version: 1.0.2
version: 1.0.3
kind: Scheduled
metadata:
source:


@ -0,0 +1,35 @@
id: fcd4d774-a0c2-4d12-9e9f-f51dfc310873
name: Policy configuration changes for CloudApp Events
description: |
"This query searches for any action type with high frequency that involves adding, modifying, or removing something in cloud app policies. It sees where the properties are modified such that the old value and new value are different for every property except for minor property changes such as Display Name."
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- DomainPolicyModification
relevantTechniques:
- T1484
query: |
CloudAppEvents
| where ActionType in ("Update policy.", "Add policy.", "Remove-CrossTenantAccessPolicy", "Add policy to service principal.", "Write PolicyAssignments", "Update authorization policy.", "Delete policy.", "Add owner to policy.", "Write PolicyExemptions", "Remove-LabelPolicy")
| mv-expand ActivityObjects
| where ActivityObjects.Name != "DisplayName"
| where RawEventData["status"] == "Succeeded"
| extend AccountMoniker = RawEventData["AccountMoniker"], AccountMonikerLocation = RawEventData["AccountMonikerLocation"], EventName = RawEventData["EventName"], EventNamespace = RawEventData["EventNamespace"], Role = RawEventData["Role"], RoleInstance = RawEventData["RoleInstance"], RoleLocation = RawEventData["RoleLocation"], HttpRequest = RawEventData["httpRequest"]
| summarize Count = count() by tostring(AccountMoniker), tostring(AccountMonikerLocation), AccountDisplayName, IPAddress, ActionType, ActivityType, tostring(EventName), tostring(EventNamespace), tostring(Role), tostring(RoleInstance), tostring(RoleLocation), tostring(HttpRequest)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountDisplayName
- identifier: UPNSuffix
columnName: EntityUPNSuffix
- identifier: FullName
columnName: UserId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 1.0.0
kind: Scheduled
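Review bot: The Account entity mapping at the bottom of this new rule names `EntityUPNSuffix` and `UserId` as columns, but the `summarize Count = count() by ...` line only keeps `AccountDisplayName`, `IPAddress`, `ActionType`, `ActivityType` and the `tostring(...)` keys, so neither column exists in the rule's output; add the source fields to the `by` list or drop the `UPNSuffix` and `FullName` mappings. The description speaks of action types "with high frequency", yet nothing filters on the count after the summarize — a line such as `| where Count > <threshold>` (placeholder value) would make the query match its description. The rule also has no `severity` field, which every other Scheduled rule in this commit carries, and no `queryFrequency`/`queryPeriod`/`triggerOperator`/`triggerThreshold` block; confirm whether the template validator accepts a Scheduled rule without them.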


@ -0,0 +1,45 @@
id: a1adce9c-5945-4a20-984e-d95b6071a791
name: Integrate Purview with Cloud App Events
description: |
"This query searches for any files in Cloud App Events that have trigger a security alert."
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
- connectorId: MicrosoftCloudAppSecurity
dataTypes:
- SecurityAlert
tactics:
- Collection
relevantTechniques:
- T1074
query: |
SecurityAlert
| where TimeGenerated >= ago(30d)
| extend EntitiesDynamicArray = parse_json(Entities)
| mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),
EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)
| where Entitytype =~ "file" and EntityName != ""
| join kind=inner(CloudAppEvents
| extend ActivityObjectsDynamicArray = parse_json(ActivityObjects)
| mv-expand ActivityObjectsDynamicArray
| extend Entitytype = tostring(parse_json(ActivityObjectsDynamicArray).Type), EntityName = tostring(RawEventData.SourceFileName),
EntityUPNSuffix = tostring(parse_json(ActivityObjectsDynamicArray).UPNSuffix)
| where Entitytype =~ "file") on $left.EntityName == $right.EntityName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: EntityName
- identifier: UPNSuffix
columnName: EntityUPNSuffix
- identifier: FullName
columnName: UserId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 1.0.0
kind: Scheduled
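Review bot: The Account entity mapping maps `EntityName` to `Name`, but after `| where Entitytype =~ "file"` that column holds a file name taken from the alert's Entities, not an account, so the rule will create Account entities named after files; map it to a File entity (`identifier: Name`) instead, or drop the Account mapping. `UserId` and `ClientIP` are not produced by any projection visible in the query, so unless one of the joined tables carries them natively those two mappings resolve to nothing. `| where TimeGenerated >= ago(30d)` in a Scheduled rule is presumably superseded by the rule's `queryPeriod` (which I believe is capped at 14 days), so the hard-coded window should be removed or the rule reclassified as a hunting query. The repeated `parse_json(EntitiesDynamicArray)` after `mv-expand` is redundant because the expanded element is already dynamic, e.g. `tostring(EntitiesDynamicArray.Type)`.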

Logos/IllumioLogo.svg Normal file

@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg viewBox="0 0 75 75" xmlns="http://www.w3.org/2000/svg">
<g>
<path d="M28,75H4.8C2.2,75,0,72.8,0,70.2V35.5h7.7v31.8H28V75z M7.7,7.7h11.7V0H4.8C2.2,0,0,2.2,0,4.8v20.4 h7.7V7.7zM67.3,67.3H56.8V75h13.4c2.6,0,4.8-2.2,4.8-4.8V56.8h-7.7V67.3z M70.2,0H29.7v7.7h37.6v38.8H75V4.8C75,2.2,72.8,0,70.2,0z" fill="#64686A"/>
</g>
<g>
<path d="M42.7,32.9l4.5-4.5h9.6c0.9,0,1.7-0.8,1.7-1.7v-9.9c0-0.9-0.8-1.7-1.7-1.7h-9.9c-0.9,0-1.7,0.8-1.7,1.7v9.6l-4.5,4.5h-9.3L25,24.4V19c0-0.6-0.5-1.1-1.1-1.1h-6.3c-0.6,0-1.1,0.5-1.1,1.1v6.3c0,0.6,0.5,1.1,1.1,1.1h5.4l6.5,6.5v9.3l-6.5,6.5h-5.3c-0.6,0-1.1,0.5-1.1,1.1V56c0,0.6,0.5,1.1,1.1,1.1h6.3c0.6,0,1.1-0.5,1.1-1.1v-5.4l6.4-6.4h9.3l4.5,4.5v9.6c0,0.9,0.8,1.7,1.7,1.7h9.9c0.9,0,1.7-0.8,1.7-1.7v-9.9c0-0.9-0.8-1.7-1.7-1.7h-9.6l-4.5-4.5V32.9z" fill="#FA6624"/>
</g>
</svg>




@ -0,0 +1,3 @@
"TimeGenerated [Local Time]",href,"pce_fqdn","created_by","event_type",status,severity,action,"resource_changes",notifications,version,TenantId,Type,"_ResourceId"
"4/24/2024, 1:43:34.653 PM","/orgs/1/events/0b2049f3-3bb7-4488-9669-3b9dec49cb40","2x2testvc308.ilabs.io","{""system"":{}}","request.authentication_failed",failure,err,,"[]","[{""uuid"":""96c0b3e6-12c1-4655-ab11-eeb85c3d5fac"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/2/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.28""}}]",2,"d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19","Illumio_Auditable_Events_CL",
"4/24/2024, 1:46:19.772 PM","/orgs/1/events/0f4029ae-3810-4d5a-b432-6291f25193dd","2x2testvc308.ilabs.io","{""system"":{}}","request.authentication_failed",failure,err,,"[]","[{""uuid"":""a64fc1a3-b1f6-4d96-af10-87d7340316ed"",""notification_type"":""request.authentication_failed"",""info"":{""api_endpoint"":""/api/v26/orgs/1/agents/1/put_from_agent"",""api_method"":""PUT"",""src_ip"":""10.2.21.29""}}]",2,"d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19","Illumio_Auditable_Events_CL"
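Review bot: The second data row ends with `"Illumio_Auditable_Events_CL"` and no trailing comma, whereas the first row ends with `"Illumio_Auditable_Events_CL",` — so the last row has one field fewer than the 14-column header (the empty `_ResourceId` cell is missing), which is what the forge is complaining about when it refuses to render the file. The sample rows also carry what look like live values — an internal PCE FQDN, RFC 1918 `src_ip` addresses inside the `notifications` blob, and a `TenantId` GUID — while the JSON sample later in this commit masks the same fields as `<href>`, `<fqdn>` and `<ip>`; both sample sets should be sanitized the same way with the same placeholders. The same inconsistency appears in the flow-events CSV sample (`pce_fqdn`, `TenantId`) and in the JSON auditable-events sample, whose nested `notifications.info.src_ip` is a public address left unmasked next to a masked top-level `src_ip`.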


@ -0,0 +1,46 @@
[
{
"href": "<href>",
"timestamp": "2024-04-24T00:22:18.398Z",
"pce_fqdn": "<fqdn>",
"created_by": {
"agent": {
"href": "/orgs/22/agents/2223921",
"hostname": "kubernetes-driver"
},
"ven": {
"href": "<href>",
"hostname": "kubernetes-driver"
}
},
"event_type": "workload_interfaces.update",
"status": "failure",
"severity": "err",
"action": {
"uuid": "b6234ed7-d255-4c7d-ae57-7bbcaff5cfc7",
"errors": [
{
"token": "agent_clone_detected",
"message": "PCE detected a cloned VEN. Resolve the clone issue, or wait for the clone state to be cleared"
}
],
"api_endpoint": "FILTERED",
"api_method": "PUT",
"http_status_code": 406,
"src_ip": "<ip>"
},
"resource_changes": [],
"notifications": [
{
"uuid": "0b9d93c9-8fd6-435f-9a13-2ff380fc524e",
"notification_type": "request.invalid",
"info": {
"api_endpoint": "/api/v25/orgs/22/agents/2223921/interface_statuses/update",
"api_method": "PUT",
"src_ip": "54.218.211.227"
}
}
],
"version": 2
}
]


@ -0,0 +1 @@
"TimeGenerated [Local Time]",href,"pce_fqdn","created_by","event_type",status,severity,action,"resource_changes",notifications,version,TenantId,Type,"_ResourceId"


@ -0,0 +1,2 @@
"TimeGenerated [Local Time]","dst_dbi","dst_dbo","dst_tbi","dst_tbo",ddms,tdms,pn,un,"src_ip","dst_ip",class,proto,"dst_port","flow_count",dir,"org_id",state,"pd_qualifier",pd,"src_hostname","src_href","dst_hostname","dst_href",network,"src_labels","dst_labels","interval_sec","pce_fqdn",version,TenantId,Type,"_ResourceId"
"5/4/2024, 7:24:37.000 PM",1,1,1,1,1,1,,,"10.2.20.242","10.14.0.201",U,17,53,1,O,1,S,0,3,"self-serve-mnc-1-vm02","/orgs/1/workloads/6c425617-a7af-4ec8-9222-5f80bf71874a",,,Corporate,"{""app"":""App18393"",""env"":""Env33081"",""loc"":""Loc1663""}",,0,"2x2testvc308.ilabs.io",4,"d7ed0f2d-2b8e-4537-8e59-525d4d6fdd19","Illumio_Flow_Events_CL",


@ -0,0 +1,75 @@
[
{
"tdms": 322895,
"ddms": 102596,
"pn": "avahi-daemon",
"un": "avahi",
"src_ip": "10.2.1.45",
"dst_ip": "224.0.0.251",
"class": "M",
"proto": 17,
"dst_port": 5353,
"count": 1,
"dir": "I",
"org_id": 1,
"timestamp": "2024-05-02T01: 39: 34Z",
"state": "T",
"pd_qualifier": 0,
"pd": 1,
"dst_hostname": "self-serve-mnc-1-vm03",
"dst_href": "/orgs/1/workloads/34297509-9d73-48c8-8ab6-d79d12a99899",
"network": "Corporate",
"interval_sec": 118,
"pce_fqdn": "2x2testvc308.ilabs.io",
"version": 4
},
{
"tdms": 30000,
"ddms": 1808,
"src_ip": "10.6.8.77",
"dst_ip": "255.255.255.255",
"class": "B",
"proto": 17,
"dst_port": 67,
"count": 1,
"dir": "I",
"org_id": 1,
"timestamp": "2024-05-01T16:45:14Z",
"state": "T",
"pd_qualifier": 0,
"pd": 1,
"dst_hostname": "self-serve-mnc-1-vm03",
"dst_href": "/orgs/1/workloads/a36e6766-a363-4297-9557-b6166405ecb4",
"network": "Corporate",
"dst_labels": {
"loc": "Loc33444",
"role": "Role18393",
"app": "App64635"
},
"interval_sec": 600,
"pce_fqdn": "2x2testvc308.ilabs.io",
"version": 4
},
{
"tdms": 114219,
"ddms": 95477,
"src_ip": "10.6.9.204",
"dst_ip": "255.255.255.255",
"class": "B",
"proto": 17,
"dst_port": 67,
"count": 1,
"dir": "I",
"org_id": 1,
"timestamp": "2024-05-02T01: 39: 27Z",
"state": "T",
"pd_qualifier": 0,
"pd": 1,
"dst_hostname": "self-serve-mnc-1-vm03",
"dst_href": "/orgs/1/workloads/34297509-9d73-48c8-8ab6-d79d12a99899",
"network": "Corporate",
"interval_sec": 118,
"pce_fqdn": "2x2testvc308.ilabs.io",
"version": 4
}
]
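Review bot: Two of the three flow records carry malformed timestamps — `"2024-05-02T01: 39: 34Z"` and `"2024-05-02T01: 39: 27Z"` contain spaces after the colons — while the middle record's `"2024-05-01T16:45:14Z"` is valid ISO 8601; any parser deriving `TimeGenerated` from `timestamp` will reject or mis-read the first and third samples, so they should read `"2024-05-02T01:39:34Z"` and `"2024-05-02T01:39:27Z"`. The JSON records also use the key `count`, whereas the flow-events CSV header and the `Illumio_Flow_Events_CL` schema in this commit use `flow_count`; presumably the ingestion transform renames it, but if not the sample does not match the table and should be aligned.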


@ -0,0 +1 @@
"TimeGenerated [Local Time]","dst_dbi","dst_dbo","dst_tbi","dst_tbo",ddms,tdms,pn,un,"src_ip","dst_ip",class,proto,"dst_port","flow_count",dir,"org_id",state,"pd_qualifier",pd,"src_hostname","src_href","dst_hostname","dst_href",network,"src_labels","dst_labels","interval_sec","pce_fqdn",version,TenantId,Type,"_ResourceId"


@ -1,8 +1,7 @@
id: 65360bb0-8986-4ade-a89d-af3cf44d28aa
name: Changes to Amazon VPC settings
description: |
'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources
in a virtual network that you define.
'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.
More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
and AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html'
@ -50,5 +49,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -3,8 +3,7 @@ name: Login to AWS Management Console without MFA
description: |
'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.
You can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.
This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used
and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.'
This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.'
severity: Low
status: Available
requiredDataConnectors:
@ -52,5 +51,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -3,8 +3,7 @@ name: NRT Login to AWS Management Console without MFA
description: |
'Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.
You can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.
This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used
and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.'
This is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.'
severity: Low
status: Available
requiredDataConnectors:
@ -47,5 +46,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
version: 1.0.2
version: 1.0.3
kind: NRT


@ -2,7 +2,7 @@ id: 2de8abd6-a613-450e-95ed-08e503369fb3
name: Azure WAF matching for Log4j vuln(CVE-2021-44228)
description: |
'This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.
Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/'
Reference: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/'
severity: High
status: Available
requiredDataConnectors:
@ -43,5 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: MaliciousHost
version: 1.0.3
version: 1.0.4
kind: Scheduled


@ -1,8 +1,8 @@
id: 3d71fc38-f249-454e-8479-0a358382ef9a
name: Vulnerable Machines related to log4j CVE-2021-44228
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in
many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228.
Log4j is an open-source Apache logging library that is used in many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal
Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271'
@ -34,5 +34,5 @@ entityMappings:
fieldMappings:
- identifier: HostName
columnName: VirtualMachine
version: 1.0.2
version: 1.0.3
kind: Scheduled


@ -1,8 +1,8 @@
id: 29283b22-a1c0-4d16-b0a9-3460b655a46a
name: User agent search for log4j exploitation attempt
description: |
'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in
many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.
'This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern.
Log4j is an open-source Apache logging library that is used in many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.
Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/'
severity: High
status: Available
@ -97,5 +97,5 @@ entityMappings:
fieldMappings:
- identifier: Name
columnName: Account
version: 1.0.7
version: 1.0.8
kind: Scheduled


@ -1,10 +1,8 @@
id: 5b72f527-e3f6-4a00-9908-8e4fee14da9f
name: CloudNGFW By Palo Alto Networks - possible internal to external port scanning
description: |
'Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which
results in an "app = incomplete" designation. The server resets coupled with an "Incomplete" app designation can be an indication
of internal to external port scanning or probing attack.
References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and
'Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which results in an "app = incomplete" designation. The server resets coupled with an "Incomplete" app designation can be an indication of internal to external port scanning or probing attack.
References: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK'
severity: Low
status: Available
@ -52,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 1.0.3
version: 1.0.4
kind: Scheduled


@ -3,8 +3,7 @@ name: Mass secret retrieval from Azure Key Vault
description: |
'Identifies mass secret retrieval from Azure Key Vault observed by a single user.
Mass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications.
You can tweak the EventCountThreshold based on average count seen in your environment
and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise'
You can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise'
severity: Low
status: Available
requiredDataConnectors:
@ -77,5 +76,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: CallerIPMax
version: 1.0.7
version: 1.0.8
kind: Scheduled


@ -1,9 +1,8 @@
id: 0914adab-90b5-47a3-a79f-7cdcac843aa7
name: Azure Key Vault access TimeSeries anomaly
description: |
'Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm
to find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an
indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.
'Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.
Any sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.
TimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052'
severity: Low
status: Available
@ -82,5 +81,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: CallerIPAddress
version: 1.0.5
version: 1.0.6
kind: Scheduled


@ -1,8 +1,8 @@
id: 2a632013-379d-4993-956f-615063d31e10
name: Affected rows stateful anomaly on database
description: |
'Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window
(defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).'
'Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.
The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).'
severity: Medium
requiredDataConnectors:
- connectorId: AzureSql
@ -80,5 +80,5 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: ResourceId
version: 1.1.1
version: 1.1.2
kind: Scheduled


@ -2,8 +2,7 @@ id: 9851c360-5fd5-4bae-a117-b66d8476bf5e
name: Response rows stateful anomaly on database
description: |
'Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.
The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window
(defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).'
The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).'
severity: Medium
requiredDataConnectors:
- connectorId: AzureSql
@ -80,5 +79,5 @@ entityMappings:
fieldMappings:
- identifier: ResourceId
columnName: ResourceId
version: 1.1.1
version: 1.1.2
kind: Scheduled


@ -1,11 +1,8 @@
id: 46ac55ae-47b8-414a-8f94-89ccd1962178
name: A potentially malicious web request was executed against a web server
description: |
'Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the
ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for
a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number
of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode
variable defines what the detection thinks is a successful status code and should be altered to fit the environment.'
'Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the ratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric).
A high ratio value for a given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number of blocked requests and a few unobstructed logs that may be malicious but have passed undetected through the WAF. The successCode variable defines what the detection thinks is a successful status code and should be altered to fit the environment.'
severity: Medium
status: Available
requiredDataConnectors:
@ -54,14 +51,13 @@ query: |
take_any(SessionBlockedEnded, SessionBlockedCount)
by hostname_s, clientIp_s, SessionBlockedStarted
| where SessionBlockedCount > SuccessfulAccessCount
| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s
| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)
| sort by BlockvsSuccessRatio desc, timestamp asc
| sort by BlockvsSuccessRatio desc, SessionBlockedStarted asc
| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: clientIp_s
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -2,9 +2,8 @@ id: acfdee3f-b794-404a-aeba-ef6a1fa08ad1
name: Azure DevOps Agent Pool Created Then Deleted
description: |
'As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.
Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this
detection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default),
as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.'
Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools.
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.'
severity: High
status: Available
requiredDataConnectors: []
@ -54,5 +53,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.3
version: 1.0.4
kind: Scheduled


@ -1,9 +1,7 @@
id: 4e8238bd-ff4f-4126-a9f6-09b3b6801b3d
name: Azure DevOps Audit Stream Disabled
description: |
'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams
before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action
its unlikely to have a high false positive rate.'
'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.'
severity: High
status: Available
requiredDataConnectors: []
@ -35,5 +33,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.3
version: 1.0.4
kind: Scheduled


@ -2,8 +2,7 @@ id: 155e9134-d5ad-4a6f-88f3-99c220040b66
name: Azure DevOps Pipeline modified by a new user
description: |
'There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to.
This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection
in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them.'
This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -62,5 +61,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.6
version: 1.0.7
kind: Scheduled


@ -1,10 +1,8 @@
id: 3b9a44d7-c651-45ed-816c-eae583a6f2f1
name: Azure DevOps Build Variable Modified by New User
description: |
'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify
or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users,
just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed
modifying them before.'
'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.
As variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -51,5 +49,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -1,8 +1,8 @@
id: 5efb0cfd-063d-417a-803b-562eae5b0301
name: Azure DevOps Service Connection Addition/Abuse - Historic allow list
description: |
'This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and
not historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
'This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs.
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -63,5 +63,5 @@ entityMappings:
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -1,10 +1,8 @@
id: 17f23fbe-bb73-4324-8ecf-a18545a5dc26
name: Azure DevOps Pipeline Created and Deleted on the Same Day
description: |
'An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines,
or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements.
An attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines
created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.'
'An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements.
An attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -67,5 +65,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: DeletingIP
version: 1.0.2
version: 1.0.3
kind: Scheduled


@ -2,8 +2,7 @@ id: d564ff12-8f53-41b8-8649-44f76b37b99f
name: Azure DevOps Service Connection Abuse
description: |
'Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse
or dump credentials from service connections.'
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -52,5 +51,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -1,9 +1,7 @@
id: 74ed028d-e392-40b7-baef-e69627bf89d1
name: NRT Azure DevOps Audit Stream Disabled
description: |
'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams
before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action
its unlikely to have a high false positive rate.'
'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.'
severity: High
status: Available
requiredDataConnectors: []
@ -31,5 +29,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.2
version: 1.0.3
kind: NRT


@ -2,9 +2,7 @@ id: 4ce177b3-56b1-4f0e-b83e-27eed4cb0b16
name: New Agent Added to Pool by New User or Added to a New OS Type
description: |
'As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks.
An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have
not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a
configurable allow list to allow for certain users to be excluded from the logic.'
An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -70,5 +68,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.4
version: 1.0.5
kind: Scheduled


@ -2,9 +2,7 @@ id: 35ce9aff-1708-45b8-a295-5e9a307f5f17
name: New PA, PCA, or PCAS added to Azure DevOps
description: |
'In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions.
This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of
users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these
should also be conducted.'
This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.'
severity: Medium
status: Available
requiredDataConnectors: []
@ -29,7 +27,6 @@ query: |
| extend ActorUserId = tostring(Data.MemberId)
| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId
| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent
| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])
| extend AddingUserAccountName = tostring(split(AddingUser, "@")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, "@")[1])
entityMappings:
@ -53,5 +50,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.4
kind: Scheduled
version: 1.0.5
kind: Scheduled
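Review bot: The rewrapped description on the new side still says "permissions can also be granted via Microsoft Entra ID Protection groups", which reads like a bulk-rename artefact: Entra ID Protection is the risk-detection service, while group membership is a Microsoft Entra ID feature, so the sentence should probably be `Note that permissions can also be granted via Microsoft Entra ID groups and monitoring of these should also be conducted.` In the last hunk (-53,5 +50,5) both `version: 1.0.4` / `kind: Scheduled` and `version: 1.0.5` / `kind: Scheduled` are listed, so the final line appears to differ only in trailing whitespace or line ending; normalising it would leave the hunk carrying just the version bump. The `query:` block edited by the middle hunk starts outside the hunk, so the removed `extend` cannot be checked against the columns it produced upstream.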

Solutions/BitSight/Package/3.0.1.zip



@ -42,7 +42,7 @@
"_email": "[variables('email')]",
"_solutionName": "BitSight",
"_solutionVersion": "3.0.1",
"solutionId": "bitsight_technologies_inc.bitsight_sentinel",
"solutionId": "bitsighttechnologiesinc1695119434818.bitsight_v1",
"_solutionId": "[variables('solutionId')]",
"workbookVersion1": "1.0.0",
"workbookContentId1": "BitSightWorkbook",


@ -1,6 +1,6 @@
{
"publisherId": "bitsight_technologies_inc",
"offerId": "bitsight_sentinel",
"publisherId": "bitsighttechnologiesinc1695119434818",
"offerId": "bitsight_v1",
"firstPublishDate": "2023-02-20",
"lastPublishDate": "2024-02-20",
"providers": [
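Review bot: `lastPublishDate` is left at `2024-02-20` even though this hunk re-points the solution to a new `publisherId` / `offerId`, and the BitSight mainTemplate hunk above keeps `_solutionVersion` at `3.0.1` while the `3.0.1.zip` package is replaced in the same commit. If the repackaged artefact differs from what was previously published under 3.0.1, a version bump together with an updated publish date would keep the metadata consistent with the package and avoid two different artefacts sharing one version. This is inferred from the visible fields only; please confirm against the publishing process for this solution.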


@ -1,7 +1,8 @@
id: cd8d946d-10a4-40a9-bac1-6d0a6c847d65
name: Suspicious access of BEC related documents
description: |
'This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
'This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.
The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers'
severity: Medium
requiredDataConnectors: []
@ -83,5 +84,5 @@ alertDetailsOverride:
alertDescriptionFormat: |
This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers
version: 1.0.3
version: 1.0.4
kind: Scheduled


@ -1,7 +1,8 @@
id: f3e2d35f-1202-4215-995c-4654ef07d1d8
name: Suspicious access of BEC related documents in AWS S3 buckets
description: |
'This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
'This query looks for users with suspicious spikes in the number of files accessed that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks.
The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.'
severity: Medium
requiredDataConnectors:
@ -67,5 +68,5 @@ alertDetailsOverride:
alertDescriptionFormat: |
This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need.
This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.
version: 1.0.3
version: 1.0.4
kind: Scheduled


@ -1,8 +1,8 @@
{
"id": "Stealthwatch",
"title": "Cisco Stealthwatch",
"title": "Cisco Secure Cloud Analytics",
"publisher": "Cisco",
"descriptionMarkdown": "The [Cisco Stealthwatch](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Stealthwatch events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf) into Microsoft Sentinel. Refer to [Cisco Stealthwatch documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_0.pdf) for more information.",
"descriptionMarkdown": "The [Cisco Secure Cloud Analytics](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Secure Cloud Analytics events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf) into Microsoft Sentinel. Refer to [Cisco Secure Cloud Analytics documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [{
"metricName": "Total data received",
@ -48,12 +48,12 @@
},
{
"title": "",
"description": ">**NOTE:** This data connector has been developed using Cisco Stealthwatch version 7.3.2",
"description": ">**NOTE:** This data connector has been developed using Cisco Secure Cloud Analytics version 7.3.2",
"instructions": []
},
{
"title": "1. Install and onboard the agent for Linux or Windows",
"description": "Install the agent on the Server where the Cisco Stealthwatch logs are forwarded.\n\n> Logs from Cisco Stealthwatch Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"description": "Install the agent on the Server where the Cisco Secure Cloud Analytics logs are forwarded.\n\n> Logs from Cisco Secure Cloud Analytics Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [{
"parameters": {
"title": "Choose where to install the Linux agent:",
@ -112,8 +112,8 @@
}]
},
{
"title": "2. Configure Cisco Stealthwatch event forwarding",
"description": "Follow the configuration steps below to get Cisco Stealthwatch logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible."
"title": "2. Configure Cisco Secure Cloud Analytics event forwarding",
"description": "Follow the configuration steps below to get Cisco Secure Cloud Analytics logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible."
}
]
}
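Review bot: The rename to "Cisco Secure Cloud Analytics" is applied to the title and descriptions, but the retained instructions still log in to the "Stealthwatch Management Console (SMC)", the syslog custom format still carries `|Lancope|Stealthwatch|7.3|`, and the newly linked 7.4.2 / 7.5.0 guides document the on-premises product (Stealthwatch Enterprise, now marketed as Secure Network Analytics), whereas Secure Cloud Analytics is the former Stealthwatch Cloud SaaS offering. Please confirm which product this connector targets; if it is the SMC-based one, the title should probably read `Cisco Secure Network Analytics`. In either case the NOTE line `developed using Cisco Secure Cloud Analytics version 7.3.2` should be reconciled with the versions of the guides now linked.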


@ -0,0 +1,14 @@
{
"Name": "Cisco Secure Cloud Analytics",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Cisco Secure Cloud Analytics](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) solution provides the capability to ingest [Cisco Secure Cloud Analytics events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf) into Microsoft Sentinel. Refer to [Cisco Secure Cloud Analytics documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n",
"Parsers": ["Parsers/StealthwatchEvent.yaml"],
"Data Connectors": ["Data Connectors/Cisco_Stealthwatch_syslog.json"],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Cisco Secure Cloud Analytics",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1PConnector": false
}
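Review bot: The `Description` in this new solution manifest names the product Cisco Secure Cloud Analytics, but both document links it carries still resolve to Stealthwatch management-console PDFs, and the connector it references (`Data Connectors/Cisco_Stealthwatch_syslog.json`) instructs users to log in to the Stealthwatch Management Console (SMC) and emit the `|Lancope|Stealthwatch|7.3|` syslog header elsewhere in this commit. Those are SMC-based Stealthwatch artifacts, so the rename may be applying a cloud-product name to an on-premises integration; this is inferred from the links and instructions, so please confirm the intended product name before the 3.0.0 package ships under it. Separately, `BasePath` is an absolute path on a single developer workstation; presumably the packaging tooling overrides it, but if it does not, a repository-relative value such as `Solutions/Cisco Secure Cloud Analytics` would keep the build reproducible on other machines.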

Solutions/Cisco Secure Cloud Analytics/Package/3.0.0.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Cisco Stealthwatch](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) solution provides the capability to ingest [Cisco Stealthwatch events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf) into Microsoft Sentinel. Refer to [Cisco Stealthwatch documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_1.pdf) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Cloud%20Analytics/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Cloud Analytics](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) solution provides the capability to ingest [Cisco Secure Cloud Analytics events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf) into Microsoft Sentinel. Refer to [Cisco Secure Cloud Analytics documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -60,14 +60,14 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Cisco Stealthwatch event logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Cisco Secure Cloud Analytics. You can get Cisco Secure Cloud Analytics Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the StealthwatchEvent Kusto Function alias."
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
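Review bot: The new `dataconnectors-parser-text` wording drops the one fact an analyst needs from this block, the function alias, and replaces it with a claim that the parser produces "Microsoft Sentinel normalized format"; the parser shipped in the mainTemplate of this commit is a custom `StealthwatchEvent` function that renames `parse-kv` fields to ad-hoc columns (for example host group names mapped to `SrcGeoCountry`), not an ASIM-schema parser, so the text overstates what is installed. I would keep the alias in the text, e.g. `"text": "The Solution installs a parser that transforms the ingested Syslog data. The transformed logs can be accessed using the StealthwatchEvent Kusto Function alias."`. The same description-versus-implementation gap appears in the `descriptionMarkdown` of the data-connector hunks further down in the mainTemplate, whose links still point at Stealthwatch documents; that section continues past this view.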


@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
"comments": "Solution template for CiscoStealthwatch"
"comments": "Solution template for Cisco Secure Cloud Analytics"
},
"parameters": {
"location": {
@ -30,79 +30,64 @@
}
},
"variables": {
"solutionId": "azuresentinel.azure-sentinel-solution-ciscostealthwatch",
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"parserVersion1": "1.0.0",
"parserContentId1": "StealthwatchEvent-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"parserName1": "CiscoStealthwatch Data Parser",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_solutionName": "Cisco Secure Cloud Analytics",
"_solutionVersion": "3.0.0",
"solutionId": "azuresentinel.azure-sentinel-solution-ciscostealthwatch",
"_solutionId": "[variables('solutionId')]",
"parserObject1": {
"_parserName1": "[concat(parameters('workspace'),'/','CiscoStealthwatch Data Parser')]",
"_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoStealthwatch Data Parser')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('StealthwatchEvent-Parser')))]",
"parserVersion1": "1.0.0",
"parserContentId1": "StealthwatchEvent-Parser"
},
"uiConfigId1": "Stealthwatch",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "Stealthwatch",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0"
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"name": "[variables('parserTemplateSpecName1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('parserObject1').parserTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "StealthwatchEvent Data Parser with template",
"displayName": "StealthwatchEvent Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "StealthwatchEvent Data Parser with template version 2.0.2",
"description": "StealthwatchEvent Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
"contentVersion": "[variables('parserObject1').parserVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"name": "[variables('parserObject1')._parserName1]",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "CiscoStealthwatch Data Parser",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "StealthwatchEvent",
"query": "\nSyslog\r\n| where SyslogMessage has 'Stealthwatch'\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Stealthwatch'\r\n| parse-kv SyslogMessage as (start:string, end:string, alarmID:string, alarmSev:string, alarmStatus:string, cat:string, domain:string, dst:string, dstPort:string, msg:string, proto:string, sourceHG:string, sourceHostSnapshot:string, src:string, flowCollectorIP:string, flowCollectorName:string, sourceUser:string, targetUser:string, argetHG:string, targetHostname:string, targetHostSnapshot:string) with (pair_delimiter='|', kv_delimiter='=')\r\n| parse SyslogMessage with * \"argetHG=\" argetHG\"|\" *\r\n| parse SyslogMessage with * \"targetHG=\" targetHG\"|\" *\r\n| extend DstGeoCountry = iff(SyslogMessage contains \"argetHG\",argetHG, targetHG)\r\n| extend EventStartTime=todatetime(start)\r\n| extend EventEndTime=todatetime(end)\r\n| project-rename EventOriginalUid=alarmID\r\n , EventSeverity=alarmSev\r\n , EventStatus=alarmStatus\r\n , EventType=cat\r\n , SrcDvcDomain=domain\r\n , DstIpAddr=dst\r\n , DstPortNumber=dstPort\r\n , EventMessage=msg\r\n , Protocol=proto\r\n , SrcGeoCountry=sourceHG\r\n , SrcHostSnapshot=sourceHostSnapshot\r\n , SrcIpAddr=src\r\n , DvcIpAddr=flowCollectorIP\r\n , DvcHostname=flowCollectorName\r\n , SrcUserName=sourceUser\r\n , DstUserName=targetUser\r\n , DstDvcHostname=targetHostname\r\n , DstHostSnapshot=targetHostSnapshot\r\n| project-away start\r\n , end\r\n , SyslogMessage\r\n\t\t\t , argetHG\r\n\t\t\t , targetHG\r\n",
"version": 1,
"query": "Syslog\n| where SyslogMessage has 'Stealthwatch'\n| extend EventVendor = 'Cisco'\n| extend EventProduct = 'Stealthwatch'\n| parse-kv SyslogMessage as (start:string, end:string, alarmID:string, alarmSev:string, alarmStatus:string, cat:string, domain:string, dst:string, dstPort:string, msg:string, proto:string, sourceHG:string, sourceHostSnapshot:string, src:string, flowCollectorIP:string, flowCollectorName:string, sourceUser:string, targetUser:string, argetHG:string, targetHostname:string, targetHostSnapshot:string) with (pair_delimiter='|', kv_delimiter='=')\n| parse SyslogMessage with * \"argetHG=\" argetHG\"|\" *\n| parse SyslogMessage with * \"targetHG=\" targetHG\"|\" *\n| extend DstGeoCountry = iff(SyslogMessage contains \"argetHG\",argetHG, targetHG)\n| extend EventStartTime=todatetime(start)\n| extend EventEndTime=todatetime(end)\n| project-rename EventOriginalUid=alarmID\n , EventSeverity=alarmSev\n , EventStatus=alarmStatus\n , EventType=cat\n , SrcDvcDomain=domain\n , DstIpAddr=dst\n , DstPortNumber=dstPort\n , EventMessage=msg\n , Protocol=proto\n , SrcGeoCountry=sourceHG\n , SrcHostSnapshot=sourceHostSnapshot\n , SrcIpAddr=src\n , DvcIpAddr=flowCollectorIP\n , DvcHostname=flowCollectorName\n , SrcUserName=sourceUser\n , DstUserName=targetUser\n , DstDvcHostname=targetHostname\n , DstHostSnapshot=targetHostSnapshot\n| project-away start\n , end\n , SyslogMessage\n\t\t\t , argetHG\n\t\t\t , targetHG\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": "CiscoStealthwatch Data Parser"
"value": ""
}
]
}
@ -110,17 +95,17 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoStealthwatch Data Parser')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"version": "[variables('parserObject1').parserVersion1]",
"source": {
"name": "CiscoStealthwatch",
"name": "Cisco Secure Cloud Analytics",
"kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
@ -137,39 +122,57 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "CiscoStealthwatch Data Parser",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"name": "[variables('_parserName1')]",
"apiVersion": "2022-10-01",
"name": "[variables('parserObject1')._parserName1]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "CiscoStealthwatch Data Parser",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "StealthwatchEvent",
"query": "\nSyslog\r\n| where SyslogMessage has 'Stealthwatch'\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Stealthwatch'\r\n| parse-kv SyslogMessage as (start:string, end:string, alarmID:string, alarmSev:string, alarmStatus:string, cat:string, domain:string, dst:string, dstPort:string, msg:string, proto:string, sourceHG:string, sourceHostSnapshot:string, src:string, flowCollectorIP:string, flowCollectorName:string, sourceUser:string, targetUser:string, argetHG:string, targetHostname:string, targetHostSnapshot:string) with (pair_delimiter='|', kv_delimiter='=')\r\n| parse SyslogMessage with * \"argetHG=\" argetHG\"|\" *\r\n| parse SyslogMessage with * \"targetHG=\" targetHG\"|\" *\r\n| extend DstGeoCountry = iff(SyslogMessage contains \"argetHG\",argetHG, targetHG)\r\n| extend EventStartTime=todatetime(start)\r\n| extend EventEndTime=todatetime(end)\r\n| project-rename EventOriginalUid=alarmID\r\n , EventSeverity=alarmSev\r\n , EventStatus=alarmStatus\r\n , EventType=cat\r\n , SrcDvcDomain=domain\r\n , DstIpAddr=dst\r\n , DstPortNumber=dstPort\r\n , EventMessage=msg\r\n , Protocol=proto\r\n , SrcGeoCountry=sourceHG\r\n , SrcHostSnapshot=sourceHostSnapshot\r\n , SrcIpAddr=src\r\n , DvcIpAddr=flowCollectorIP\r\n , DvcHostname=flowCollectorName\r\n , SrcUserName=sourceUser\r\n , DstUserName=targetUser\r\n , DstDvcHostname=targetHostname\r\n , DstHostSnapshot=targetHostSnapshot\r\n| project-away start\r\n , end\r\n , SyslogMessage\r\n\t\t\t , argetHG\r\n\t\t\t , targetHG\r\n",
"version": 1
"query": "Syslog\n| where SyslogMessage has 'Stealthwatch'\n| extend EventVendor = 'Cisco'\n| extend EventProduct = 'Stealthwatch'\n| parse-kv SyslogMessage as (start:string, end:string, alarmID:string, alarmSev:string, alarmStatus:string, cat:string, domain:string, dst:string, dstPort:string, msg:string, proto:string, sourceHG:string, sourceHostSnapshot:string, src:string, flowCollectorIP:string, flowCollectorName:string, sourceUser:string, targetUser:string, argetHG:string, targetHostname:string, targetHostSnapshot:string) with (pair_delimiter='|', kv_delimiter='=')\n| parse SyslogMessage with * \"argetHG=\" argetHG\"|\" *\n| parse SyslogMessage with * \"targetHG=\" targetHG\"|\" *\n| extend DstGeoCountry = iff(SyslogMessage contains \"argetHG\",argetHG, targetHG)\n| extend EventStartTime=todatetime(start)\n| extend EventEndTime=todatetime(end)\n| project-rename EventOriginalUid=alarmID\n , EventSeverity=alarmSev\n , EventStatus=alarmStatus\n , EventType=cat\n , SrcDvcDomain=domain\n , DstIpAddr=dst\n , DstPortNumber=dstPort\n , EventMessage=msg\n , Protocol=proto\n , SrcGeoCountry=sourceHG\n , SrcHostSnapshot=sourceHostSnapshot\n , SrcIpAddr=src\n , DvcIpAddr=flowCollectorIP\n , DvcHostname=flowCollectorName\n , SrcUserName=sourceUser\n , DstUserName=targetUser\n , DstDvcHostname=targetHostname\n , DstHostSnapshot=targetHostSnapshot\n| project-away start\n , end\n , SyslogMessage\n\t\t\t , argetHG\n\t\t\t , targetHG\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": ""
}
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]",
"dependsOn": [
"[variables('_parserId1')]"
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"contentId": "[variables('_parserContentId1')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoStealthwatch Data Parser')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserVersion1')]",
"version": "[variables('parserObject1').parserVersion1]",
"source": {
"kind": "Solution",
"name": "CiscoStealthwatch",
"name": "Cisco Secure Cloud Analytics",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@ -185,33 +188,15 @@
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "CiscoStealthwatch data connector with template",
"displayName": "CiscoStealthwatch template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "CiscoStealthwatch data connector with template version 2.0.2",
"description": "Cisco Secure Cloud Analytics data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -227,9 +212,9 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "Cisco Stealthwatch",
"title": "Cisco Secure Cloud Analytics",
"publisher": "Cisco",
"descriptionMarkdown": "The [Cisco Stealthwatch](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Stealthwatch events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf) into Microsoft Sentinel. Refer to [Cisco Stealthwatch documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_0.pdf) for more information.",
"descriptionMarkdown": "The [Cisco Secure Cloud Analytics](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Secure Cloud Analytics events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf) into Microsoft Sentinel. Refer to [Cisco Secure Cloud Analytics documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf) for more information.",
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Microsoft Sentinel Solution.",
"graphQueries": [
{
@ -281,10 +266,10 @@
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": ">**NOTE:** This data connector has been developed using Cisco Stealthwatch version 7.3.2"
"description": ">**NOTE:** This data connector has been developed using Cisco Secure Cloud Analytics version 7.3.2"
},
{
"description": "Install the agent on the Server where the Cisco Stealthwatch logs are forwarded.\n\n> Logs from Cisco Stealthwatch Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"description": "Install the agent on the Server where the Cisco Secure Cloud Analytics logs are forwarded.\n\n> Logs from Cisco Secure Cloud Analytics Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
@ -358,8 +343,8 @@
]
},
{
"description": "Follow the configuration steps below to get Cisco Stealthwatch logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.",
"title": "2. Configure Cisco Stealthwatch event forwarding"
"description": "Follow the configuration steps below to get Cisco Secure Cloud Analytics logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.",
"title": "2. Configure Cisco Secure Cloud Analytics event forwarding"
}
]
}
@ -367,7 +352,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@ -376,7 +361,7 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "CiscoStealthwatch",
"name": "Cisco Secure Cloud Analytics",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@ -392,12 +377,23 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "Cisco Secure Cloud Analytics",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@ -410,7 +406,7 @@
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "CiscoStealthwatch",
"name": "Cisco Secure Cloud Analytics",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@ -433,9 +429,9 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Cisco Stealthwatch",
"title": "Cisco Secure Cloud Analytics",
"publisher": "Cisco",
"descriptionMarkdown": "The [Cisco Stealthwatch](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Stealthwatch events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf) into Microsoft Sentinel. Refer to [Cisco Stealthwatch documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_0.pdf) for more information.",
"descriptionMarkdown": "The [Cisco Secure Cloud Analytics](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Secure Cloud Analytics events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf) into Microsoft Sentinel. Refer to [Cisco Secure Cloud Analytics documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf) for more information.",
"graphQueries": [
{
"metricName": "Total data received",
@ -486,10 +482,10 @@
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
"description": ">**NOTE:** This data connector has been developed using Cisco Stealthwatch version 7.3.2"
"description": ">**NOTE:** This data connector has been developed using Cisco Secure Cloud Analytics version 7.3.2"
},
{
"description": "Install the agent on the Server where the Cisco Stealthwatch logs are forwarded.\n\n> Logs from Cisco Stealthwatch Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"description": "Install the agent on the Server where the Cisco Secure Cloud Analytics logs are forwarded.\n\n> Logs from Cisco Secure Cloud Analytics Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
@ -563,8 +559,8 @@
]
},
{
"description": "Follow the configuration steps below to get Cisco Stealthwatch logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.",
"title": "2. Configure Cisco Stealthwatch event forwarding"
"description": "Follow the configuration steps below to get Cisco Secure Cloud Analytics logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.",
"title": "2. Configure Cisco Secure Cloud Analytics event forwarding"
}
],
"id": "[variables('_uiConfigId1')]",
@ -573,18 +569,25 @@
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.2",
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentSchemaVersion": "3.0.0",
"displayName": "Cisco Secure Cloud Analytics",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cisco%20Secure%20Cloud%20Analytics/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>The <a href=\"https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html\">Cisco Secure Cloud Analytics</a> solution provides the capability to ingest <a href=\"https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf\">Cisco Secure Cloud Analytics events</a> into Microsoft Sentinel. Refer to <a href=\"https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf\">Cisco Secure Cloud Analytics documentation</a> for more information.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs:</p>\n<ol type=\"a\">\n<li><a href=\"https://docs.microsoft.com/azure/sentinel/connect-syslog\">Agent-based log collection (Syslog) </a></li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "CiscoStealthwatch",
"name": "Cisco Secure Cloud Analytics",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@ -602,8 +605,8 @@
"criteria": [
{
"kind": "Parser",
"contentId": "[variables('_parserContentId1')]",
"version": "[variables('parserVersion1')]"
"contentId": "[variables('parserObject1').parserContentId1]",
"version": "[variables('parserObject1').parserVersion1]"
},
{
"kind": "DataConnector",


@ -0,0 +1,24 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
}
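Review bot: `workspace` is declared with `"defaultValue": ""` and no `minLength`, so a deployment that omits it passes parameter validation and fails only when a resource name such as `[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', …)]` is evaluated, with a less direct error. `location` a few lines above already carries `"minLength": 1`; the same constraint on `workspace` would surface the omission at validation time. This file looks like output of the solution packaging tooling, in which case the change belongs in the generator rather than in this file alone.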


@ -0,0 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 13-05-2024 | Changes for rebranding from Cisco Stealthwatch to Cisco Secure Cloud Analytics | |


@ -1,14 +0,0 @@
{
"Name": "CiscoStealthwatch",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Cisco Stealthwatch](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) solution provides the capability to ingest [Cisco Stealthwatch events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf) into Microsoft Sentinel. Refer to [Cisco Stealthwatch documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_1.pdf) for more information.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-syslog)\r\n\n",
"Parsers": ["Parsers/StealthwatchEvent.txt"],
"Data Connectors": ["Data Connectors/Cisco_Stealthwatch_syslog.json"],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CiscoStealthwatch",
"Version": "2.0.2",
"TemplateSpec": true,
"Is1PConnector": false
}

Двоичные данные
Solutions/Claroty xDome/Package/3.0.0.zip



@ -32,7 +32,7 @@
"variables": {
"_solutionName": "Claroty xDome",
"_solutionVersion": "3.0.0",
"solutionId": "claroty.microsoft-sentinel-solution-xdome",
"solutionId": "claroty1709722359369.microsoft-sentinel-solution-xdome",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "ClarotyxDome",
"_uiConfigId1": "[variables('uiConfigId1')]",
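Review bot: `solutionId` changes to `claroty1709722359369.microsoft-sentinel-solution-xdome` while `_solutionVersion` on the line above stays at `3.0.0`, and the 3.0.0 package zip is overwritten in the same commit; if a 3.0.0 artifact was already published under the old id, two different artifacts now share one version and nothing in the visible hunks records the re-identification. The SolutionMetadata.json hunk changes `publisherId` in the same way. A ReleaseNotes entry, or a version bump, would make the id change traceable; if the commit only corrects an unpublished draft, saying so in the description would be enough.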


@ -1,5 +1,5 @@
{
"publisherId": "claroty",
"publisherId": "claroty1709722359369",
"offerId": "microsoft-sentinel-solution-xdome",
"firstPublishDate": "2024-02-01",
"providers": ["Claroty"],
@ -12,4 +12,4 @@
"link": "https://claroty.com/support-policy",
"tier": "Partner"
}
}
}


@ -1,10 +1,8 @@
id: d7424fd9-abb3-4ded-a723-eebe023aaa0b
name: New External User Granted Admin Role
description: |
'This query will detect instances where a newly invited external user is granted an administrative role. By default this query
will alert on any granted administrative role, however this can be modified using the roles variable if false positives occur
in your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the
deltaBetweenInviteEscalation variable.'
'This query will detect instances where a newly invited external user is granted an administrative role.
By default this query will alert on any granted administrative role, however this can be modified using the roles variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the deltaBetweenInviteEscalation variable.'
severity: Medium
status: Available
requiredDataConnectors:
@ -85,5 +83,5 @@ entityMappings:
columnName: AdminInitiatorName
- identifier: UPNSuffix
columnName: AdminInitiatorUPNSuffix
version: 1.0.2
version: 1.0.3
kind: Scheduled
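Review bot: The rewrapped description on the new side still carries the typo `minues` in `The maximum delta between invite and escalation to admin is 60 minues`; since this change already rewrites that sentence and bumps the version to 1.0.3, correct it to `60 minutes` in the same edit. The rest of the rule body lies outside the two hunks.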



@ -1,3 +1,3 @@
azure-storage-blob==12.8.0
aiohttp==3.9.2
aiohttp==3.9.4
azure-functions==1.6.0


@ -2,7 +2,7 @@
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
aiohttp==3.9.2
aiohttp==3.9.4
azure-functions==1.6.0
aiobotocore
gzip_stream
