Avital Merberg 2021-12-12 13:46:17 +02:00
Родитель fd3930ff27
Коммит 6c44fd51c7
6 изменённых файлов: 142 добавлений и 115 удалений


@ -1,6 +1,10 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as DSTIMCorrelatedLogs
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. DSTIMCorrelatedLogs | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let DSTIMCorrelatedLogs = (_startDate:datetime, _endDate: datetime, _subscriptions:dynamic = dynamic("*"), _resourceGroups:dynamic = dynamic(["*"]), _userAccounts:dynamic = dynamic(["*"]))
{
let noClassificationView = datatable(Classification: string, CorrelationId:string, AssetType:string, SensitivityLabelName:string)
let noClassificationView = datatable(Classification: string, CorrelationId:string, AssetType:string, SensitivityLabelName:string)
['[{"Id":"","Name":"no classification","Count":"0","Confidence":"0","UniqueCount":"0"}]', "", "Unknown", "no label"];
DSTIMAccess_CL
| project
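Review bot: The `_subscriptions` default on the `let DSTIMCorrelatedLogs = (...)` line is `dynamic("*")`, a scalar string, while `_resourceGroups` and `_userAccounts` default to `dynamic(["*"])`, an array; if the filter stage applies the same `in`/`has_any` style test to all three, the scalar wildcard will not behave like the array ones. Suggest `_subscriptions:dynamic = dynamic(["*"])` so the three filters share one shape. The usage comment could also state that this function must be saved before `GetClassificationList` and the workbook are used, since both call it by alias. The function body continues past the end of the hunk, so the actual filter expressions are not visible here.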


@ -1,3 +1,7 @@
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as GetClassificationList.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. GetClassificationList | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let GetClassificationList = (_startDate:datetime, _endDate: datetime, _subscriptions:dynamic = dynamic("*"), _resourceGroups:dynamic = dynamic(["*"]), _userAccounts:dynamic = dynamic(["*"]))
{
DSTIMCorrelatedLogs(_dateStart, _dateEnd, _subscriptions, _resourceGroups, _userAccounts)
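Review bot: The call `DSTIMCorrelatedLogs(_dateStart, _dateEnd, ...)` references `_dateStart`/`_dateEnd`, but the parameters declared on the `let GetClassificationList = (...)` line are `_startDate` and `_endDate`, so the saved function will fail to resolve those names. Change the call to `DSTIMCorrelatedLogs(_startDate, _endDate, _subscriptions, _resourceGroups, _userAccounts)`. The usage comment should also say that the `DSTIMCorrelatedLogs` function has to exist in the same workspace first, otherwise this alias cannot be saved. The function body continues past the end of the hunk.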


@ -1,60 +1,62 @@
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"TimeDiscovered_t": "2021-06-18T21:58:38.0289591Z",
"Location_s": "eastus",
"OperationName": "GetBlob",
"StatusCode_s": "200",
"Uri_s": "https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx",
"CallerIPAddress": "10.1.0.38",
"UserAgentHeader_s": "Azure-Storage/9.3.0 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)",
"ResourceSubscriptionId_g": "bbbabe37-eda3-48ea-98ed-f0a70c31a45b",
"ResourceGroup": "BreachManagement-dev",
"StorageAccountName_s": "breachmanagement-dev",
"ResponseBodySize_s": "26070",
"RequesterUpn_s": "MeganB@seccxp.ninja",
"RequesterAppId_s": "7d466dae-af28-449e-a12a-c7ae13a25ca8",
"AuthenticationType_s": "Application",
"AggregationLastEventTime_t": "2021-06-18T21:58:38.0289591Z",
"AggregationCount_s": "1",
"Category": "StorageRead",
"CorrelationId": "437701000000000000",
"RequesterAppId_g": "",
"Type": "DSTIMAccess_CL",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"TimeDiscovered_t": "2021-06-18T21:58:38.0289591Z",
"Location_s": "eastus",
"OperationName": "GetBlob",
"StatusCode_s": "200",
"Uri_s": "https://aipclptest.blob.core.windows.net/test2/es-ssn (2).docx",
"CallerIPAddress": "10.1.0.38",
"UserAgentHeader_s": "Azure-Storage/9.3.0 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)",
"ResourceSubscriptionId_g": "bbbabe37-eda3-48ea-98ed-f0a70c31a45b",
"ResourceGroup": "BreachManagement-dev",
"StorageAccountName_s": "breachmanagement-dev",
"ResponseBodySize_s": "26070",
"RequesterUpn_s": "MeganB@seccxp.ninja",
"RequesterAppId_s": "7d466dae-af28-449e-a12a-c7ae13a25ca8",
"AuthenticationType_s": "Application",
"AggregationLastEventTime_t": "2021-06-18T21:58:38.0289591Z",
"AggregationCount_s": "1",
"Category": "StorageRead",
"CorrelationId": "3167380000000000000",
"RequesterAppId_g": "",
"Type": "DSTIMAccess_CL",
"_ResourceId": ""
}
[
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"TimeDiscovered": "2021-06-18T21:58:38.0289591Z",
"Location": "eastus",
"OperationName": "GetBlob",
"StatusCode": "200",
"Uri": "https://aipclptest.blob.core.windows.net/test2/es-ssn (1).docx",
"CallerIPAddress": "10.1.0.38",
"UserAgentHeader": "Azure-Storage/9.3.0 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)",
"ResourceSubscriptionId": "bbbabe37-eda3-48ea-98ed-f0a70c31a45b",
"ResourceGroup": "BreachManagement-dev",
"StorageAccountName": "breachmanagement-dev",
"ResponseBodySize": "26070",
"RequesterUpn": "MeganB@seccxp.ninja",
"RequesterAppId": "7d466dae-af28-449e-a12a-c7ae13a25ca8",
"AuthenticationType": "Application",
"AggregationLastEventTime": "2021-06-18T21:58:38.0289591Z",
"AggregationCount": "1",
"Category": "StorageRead",
"CorrelationId": "437701000000000000",
"RequesterAppId": "",
"Type": "DSTIMAccess_CL",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"TimeDiscovered": "2021-06-18T21:58:38.0289591Z",
"Location": "eastus",
"OperationName": "GetBlob",
"StatusCode": "200",
"Uri": "https://aipclptest.blob.core.windows.net/test2/es-ssn (2).docx",
"CallerIPAddress": "10.1.0.38",
"UserAgentHeader": "Azure-Storage/9.3.0 (.NET CLR 4.0.30319.42000; Win32NT 6.2.9200.0)",
"ResourceSubscriptionId": "bbbabe37-eda3-48ea-98ed-f0a70c31a45b",
"ResourceGroup": "BreachManagement-dev",
"StorageAccountName": "breachmanagement-dev",
"ResponseBodySize": "26070",
"RequesterUpn": "MeganB@seccxp.ninja",
"RequesterAppId": "7d466dae-af28-449e-a12a-c7ae13a25ca8",
"AuthenticationType": "Application",
"AggregationLastEventTime": "2021-06-18T21:58:38.0289591Z",
"AggregationCount": "1",
"Category": "StorageRead",
"CorrelationId": "3167380000000000000",
"RequesterAppId": "",
"Type": "DSTIMAccess_CL",
"_ResourceId": ""
}
]
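Review bot: Each object in the new array carries the key `RequesterAppId` twice (once with the GUID, once as `""`), because dropping the `_s`/`_g` suffixes collapsed the old `RequesterAppId_s` and `RequesterAppId_g` columns into one name; most JSON parsers keep the last value, so the sample would load with an empty app id. Keep the two distinct, e.g. restore `"RequesterAppId_g": ""` for the empty one, or delete the empty duplicate. Separately, `TenantId` is masked but `ResourceSubscriptionId`, `RequesterAppId`, the storage account URL and the UPN `MeganB@seccxp.ninja` are left as-is; for sample data in a public repo these should be masked the same way.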


@ -1,28 +1,30 @@
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"Classification" : "[{\"Id\":\"54115c6e-5a50-468a-88cb-fc537eb48e69\",\"Name\":\"Credit Card Number\",\"Count\":\"4\",\"Confidence\":\"85\",\"UniqueCount\":\"4\"},{\"Id"\:\"0e9b3178-9678-47dd-a509-37222ca96b42\",\"Name\":\"EU Debit Card Number\",\"Count\":\"5\",\"Confidence\":\"85\",\"UniqueCount\":\"5\"}]",
"CorrelationId": "437701000000000000",
"AssetType": "file",
"Type": "DSTIMClassification_CL",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"Classification" : "[{\"Id\":\"5df987c0-8eae-4bce-ace7-b316347f3070\",\"Name\":\"Spain Social Security Number(SSN)\",\"Count\":\"4\",\"Confidence\":\"85\",\"UniqueCount\":\"4\"}]",
"CorrelationId": "3167380000000000000",
"AssetType": "file",
"Type": "DSTIMClassification_CL",
"_ResourceId": ""
}
[
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"Classification": "[{\"Id\":\"54115c6e-5a50-468a-88cb-fc537eb48e69\",\"Name\":\"Credit Card Number\",\"Count\":\"4\",\"Confidence\":\"85\",\"UniqueCount\":\"4\"}, {\"Id\": \"0e9b3178-9678-47dd-a509-37222ca96b42\",\"Name\":\"EU Debit Card Number\",\"Count\":\"5\",\"Confidence\":\"85\",\"UniqueCount\":\"5\"}]",
"CorrelationId": "437701000000000000",
"AssetType": "file",
"Type": "DSTIMClassification_CL",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"Classification": "[{\"Id\":\"5df987c0-8eae-4bce-ace7-b316347f3070\",\"Name\":\"Spain Social Security Number(SSN)\",\"Count\":\"4\",\"Confidence\":\"85\",\"UniqueCount\":\"4\"}]",
"CorrelationId": "3167380000000000000",
"AssetType": "file",
"Type": "DSTIMClassification_CL",
"_ResourceId": ""
}
]


@ -1,26 +1,28 @@
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"SensitivityLabelName_s" : "Confidential",
"CorrelationId": "437701000000000000",
"Type": "DSTIMSensitivity_CL",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"SensitivityLabelName_s" : "Confidential",
"CorrelationId": "3167380000000000000",
"Type": "DSTIMSensitivity_CL",
"_ResourceId": ""
}
[
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"SensitivityLabelName_s": "Confidential",
"CorrelationId": "437701000000000000",
"Type": "DSTIMSensitivity_CL",
"_ResourceId": ""
},
{
"TenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"SourceSystem": "RestAPI",
"MG": "",
"ManagementGroupName": "",
"TimeGenerated": "2021-11-18T21:58:38.0289591Z",
"Computer": "",
"RawData": "",
"SensitivityLabelName_s": "Confidential",
"CorrelationId": "3167380000000000000",
"Type": "DSTIMSensitivity_CL",
"_ResourceId": ""
}
]
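Review bot: This sample keeps the `_s` type suffix (`SensitivityLabelName_s`) while the Access sample in the same commit drops all `_s`/`_t`/`_g` suffixes and the `DSTIMCorrelatedLogs` datatable in the first file declares the column as `SensitivityLabelName`, so the three sources now disagree on the column name. Pick one convention and apply it everywhere, e.g. `"SensitivityLabelName": "Confidential"` here if the suffix-less form is intended. The function's join/projection over `DSTIMSensitivity_CL` is outside the visible hunk, so I cannot tell which spelling the query actually references; confirm against it.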


@ -1468,5 +1468,18 @@
"templateRelativePath": "AdvancedKQL.json",
"subtitle": "",
"provider": "Azure Sentinel Community"
},
{
"workbookKey": "DSTIMWorkbook",
"logoFileName": "DSTIM.svg",
"description": "Identify sensitive data blast radius (i.e., who accessed sensitive data, what kinds of sensitive data, from where and when) in a given data security incident investigation or as part of Threat Hunting. Prioritize your investigation based on insights provided with integrations with Watchlists, Threat Intelligence feed, UEBA baselines and much more.",
"dataTypesDependencies": [ "DSTIMAccess_CL", "DSTIMClassification_CL", "DSTIMSensitivity_CL", "DSTIMCorrelatedLogs", "GetClassificationList", "Anomalies", "_GetWatchlist", "ThreatIntelligenceIndicator", "IdentityInfo", "SecurityAlert" ],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [ "DSTIMWorkbookDark.png", "DSTIMWorkbookLight.png" ],
"version": "1.0",
"title": "Data Security – Sensitive data Impact Assessment",
"templateRelativePath": "DSTIMWorkbook.json",
"subtitle": "",
"provider": "Azure Sentinel Community"
}
]
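Review bot: `dataTypesDependencies` lists `DSTIMCorrelatedLogs` and `GetClassificationList`, which per the usage comments in the function files are saved functions the user creates by hand, not ingested tables; if this list is consumed as a set of table names to check for, those two entries can never be satisfied. Consider limiting the list to the `_CL` tables and built-in tables, e.g. `"dataTypesDependencies": [ "DSTIMAccess_CL", "DSTIMClassification_CL", "DSTIMSensitivity_CL", "Anomalies", "ThreatIntelligenceIndicator", "IdentityInfo", "SecurityAlert" ]`, and naming the two functions as prerequisites in `description`. How the metadata consumer interprets the list is inferred, not visible here; verify against the workbook metadata schema before changing it.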