Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #7353 from NCsteven/NetCleanProActive 

Initial
This commit is contained in:
v-dvedak 2023-06-12 14:00:38 +05:30 коммит произвёл GitHub
Родитель 2f64f0da33 7f989e8ce8
Коммит 6d6e7dd1b6
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
11 изменённых файлов: 3155 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

189
.script/tests/KqlvalidationsTests/CustomTables/Netclean_Incidents_CL.json Normal file
Просмотреть файл

@ -0,0 +1,189 @@
{
"Name": "Netclean_Incidents_CL",
"Properties": [
{
"Name": "TenantId",
"type": "string"
},
{
"Name": "SourceSystem",
"type": "string"
},
{
"Name": "MG",
"type": "Guid"
},
{
"Name": "ManagementGroupName",
"type": "string"
},
{
"Name": "TimeGenerated",
"type": "datetime"
},
{
"Name": "Computer",
"type": "string"
},
{
"Name": "RawData",
"type": "string"
},
{
"Name": "Hostname_s",
"type": "string"
},
{
"Name": "agentType_s",
"type": "string"
},
{
"Name": "Identifier_g",
"type": "string"
},
{
"Name": "type_s",
"type": "string"
},
{
"Name": "version_s",
"type": "string"
},
{
"Name": "foundTime_t",
"type": "datetime"
},
{
"Name": "detectionMethod_s",
"type": "string"
},
{
"Name": "agentInformatonIdentifier_s",
"type": "string"
},
{
"Name": "osVersion_s",
"type": "string"
},
{
"Name": "machineName_s",
"type": "string"
},
{
"Name": "microsoftCultureId_s",
"type": "string"
},
{
"Name": "timeZoneId_s",
"type": "string"
},
{
"Name": "microsoftGeoId_s",
"type": "string"
},
{
"Name": "domainname_s",
"type": "string"
},
{
"Name": "Agentversion_s",
"type": "string"
},
{
"Name": "Agentidentifier_g",
"type": "string"
},
{
"Name": "loggedOnUsers_s",
"type": "string"
},
{
"Name": "size_s",
"type": "string"
},
{
"Name": "creationTime_t",
"type": "datetime"
},
{
"Name": "lastAccessTime_t",
"type": "datetime"
},
{
"Name": "lastWriteTime_t",
"type": "datetime"
},
{
"Name": "sha1_s",
"type": "string"
},
{
"Name": "nearbyFiles_sha1_s",
"type": "string"
},
{
"Name": "externalIP_s",
"type": "string"
},
{
"Name": "domain_s",
"type": "string"
},
{
"Name": "hasCollectedNearbyFiles_s",
"type": "string"
},
{
"Name": "filePath_s",
"type": "string"
},
{
"Name": "m365WebUrl_s",
"type": "string"
},
{
"Name": "m365CreatedBymail_s",
"type": "string"
},
{
"Name": "m365LastModifiedByMail_s",
"type": "string"
},
{
"Name": "m365LibraryId_s",
"type": "string"
},
{
"Name": "m365LibraryDisplayName_s",
"type": "string"
},
{
"Name": "m365Librarytype_s",
"type": "string"
},
{
"Name": "m365siteid_s",
"type": "string"
},
{
"Name": "m365sitedisplayName_s",
"type": "string"
},
{
"Name": "m365sitename_s",
"type": "string"
},
{
"Name": "countOfAllNearByFiles_s",
"type": "string"
},
{
"Name": "Type",
"type": "string"
},
{
"Name": "_ResourceId",
"type": "string"
}
]
}

1
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Просмотреть файл

@ -1,4 +1,5 @@
[
"Netclean_ProActive_Incidents",
"42CrunchAPIProtection",
"AIVectraDetect",
"AIVectraStream",

21
Logos/NetCleanImpactLogo.svg Normal file
Просмотреть файл

@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 96">
<path d="M-.1 0h96v96h-96z" fill="#0e2343"></path>
<defs>
<path id="32107c20-0d95-48af-bb4f-166c97fbc658" d="M11.3 12.6H82v70.7H11.3z"></path>
</defs>
<clipPath id="a3cb2b70-ce10-473d-be64-4cd9106404dd">
<use href="#32107c20-0d95-48af-bb4f-166c97fbc658"></use>
</clipPath>
<g clip-path="url(#a3cb2b70-ce10-473d-be64-4cd9106404dd)" fill="#fff">
<path d="M79.6 43.3H58.8c-.3 0-.5-.4-.3-.6l16.6-16.6c.2-.2.2-.4.2-.6v-2.3c0-.2-.1-.4-.2-.6l-3-3c-.2-.2-.4-.2-.6-.2h-2.3c-.2 0-.4.1-.6.2L52 36.1c-.2.2-.6.1-.6-.3V15.1c0-.2-.1-.4-.2-.6l-1.7-1.7c-.2-.2-.4-.2-.6-.2h-4.3c-.2 0-.4.1-.6.2l-1.7 1.7c-.2.2-.2.4-.2.6v31.2c0 .2.1.4.2.6l5.4 5.4c.2.2.4.2.6.2h31.2c.2 0 .4-.1.6-.2l1.7-1.7c.2-.2.2-.4.2-.6v-4.3c0-.2-.1-.4-.2-.6l-1.7-1.7c-.1 0-.3-.1-.5-.1h0z" fill-rule="evenodd"></path>
<path d="M23.6 64.6l-.6.6c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9c-.2-.1-.5-.1-.7.1z"></path>
<path d="M18.3 52.6H20c.2 0 .3-.2.1-.4l-7.5-7.5c-.1-.1-.3-.1-.5 0l-.5.5-.3.3c-.1.1-.1.3 0 .5l6.4 6.4c.2.1.4.2.6.2h0z" fill-rule="evenodd"></path>
<path d="M25.7 62.5l-.7.6c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9a.47.47 0 0 0-.6.1zm4.2-4.2l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9c.2.2.4.2.6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9c-.2-.1-.5-.1-.6 0zM19.5 68.7l-.7.7a.37.37 0 0 0 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9c-.2-.2-.5-.2-.6 0zm2.1-2.1l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9c-.2-.1-.5-.1-.6 0z"></path>
<path d="M18.1 71.4v1.7c0 .1 0 .2.1.3l3.1 3.1c.1.1.2.1.3.1h1.6c.2 0 .3-.2.1-.4l-4.9-4.9c0-.1-.3-.1-.3.1h0z" fill-rule="evenodd"></path>
<path d="M31.9 56.3l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9c-.1-.2-.4-.2-.6 0zm-4.1 4.1l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9c.2.2.4.2.6 0l.7-.7a.37.37 0 0 0 0-.6l-5.9-5.9c-.2-.1-.5-.1-.6 0zm6.2-6.2l-.7.7c-.2.2-.2.4 0 .6l5.9 5.9a.37.37 0 0 0 .6 0l.7-.7c.2-.2.2-.4 0-.6l-5.9-5.9a.37.37 0 0 0-.6 0z"></path>
<g fill-rule="evenodd">
<path d="M27.6 43.3h-1.7c-.2 0-.3.2-.1.4L51 69c.1.1.4 0 .4-.1V67c0-.1 0-.2-.1-.3L28 43.5c-.1-.1-.2-.2-.4-.2h0zm8.3 0h-1.7c-.2 0-.3.2-.1.4l17 17c.1.1.4 0 .4-.1v-1.8c0-.1 0-.2-.1-.3l-15.1-15c-.1-.1-.2-.2-.4-.2h0zm4.6 2.2v-1.9c0-.1-.1-.2-.2-.2h-1.9c-.2 0-.3.2-.1.4l1.9 1.9s.3 0 .3-.2zm1.6 16.8V64c0 .2.1.3.2.4l8.7 8.7c.1.1.4 0 .4-.1v-1.7c0-.2-.1-.3-.2-.4l-8.7-8.7c-.1-.2-.4-.1-.4.1h0zm9.1-8.1h-2c-.2 0-.3.2-.1.4l2 2c.1.1.4 0 .4-.1v-2c-.1-.2-.2-.3-.3-.3zM31.8 43.3H30c-.2 0-.3.2-.1.4L51 64.8c.1.1.4 0 .4-.1v-1.8c0-.1 0-.2-.1-.3L32.2 43.5a.76.76 0 0 0-.4-.2h0zm-5.2 9.3h1.7c.2 0 .3-.2.1-.4l-8.7-8.7a.76.76 0 0 0-.4-.2h-1.7c-.2 0-.3.2-.1.4l8.7 8.7c0 .1.2.2.4.2h0zm-4.2 0h1.7c.2 0 .3-.2.1-.4l-8.7-8.7a.76.76 0 0 0-.4-.2h-1.7c-.2 0-.3.2-.1.4l8.7 8.7a.76.76 0 0 0 .4.2h0zm-.8-8.9l8.7 8.7a.76.76 0 0 0 .4.2h1.7c.2 0 .3-.2.1-.4l-8.7-8.7a.76.76 0 0 0-.4-.2h-1.7c-.2 0-.3.2-.1.4h0zM14 52.6h1.8c.2 0 .3-.2.1-.4l-4.3-4.3c-.1-.1-.4 0-.4.1v1.8c0 .1 0 .2.1.3l2.3 2.3c.2.1.3.2.4.2h0zm28.1 13.8v1.7c0 .2.1.3.2.4l8.7 8.7c.1.1.4 0 .4-.1v-1.7c0-.2-.1-.3-.2-.4l-8.7-8.7c-.1-.2-.4-.1-.4.1h0zm0 10v-1.7c0-.2.2-.3.4-.1L50 82c.1.1.1.3 0 .5l-.5.5-.3.3c-.1.1-.3.1-.5 0l-6.4-6.4c-.1-.1-.2-.3-.2-.5h0zm0-4.1v-1.7c0-.2.2-.3.4-.1l8.7 8.7a.76.76 0 0 1 .2.4v1.7c0 .2-.2.3-.4.1l-8.7-8.7a.76.76 0 0 1-.2-.4zm0 8.4v-1.8c0-.2.2-.3.4-.1l4.3 4.3c.1.1 0 .4-.1.4h-1.8c-.1 0-.2 0-.3-.1L42.3 81c-.1-.1-.2-.2-.2-.3z"></path>
</g>
</g>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 3.5 KiB

2162
Sample Data/Custom/Netclean_Incidents_CL.json Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

48
Solutions/NetClean ProActive/Analytic Rules/NetClean_Sentinel_analytic_rule.yaml Normal file
Просмотреть файл

@ -0,0 +1,48 @@
id: 77548170-5c60-42e5-bdac-b0360d0779bb
name: NetClean ProActive Incidents
description: |
'NetClean Incident'
severity: High
requiredDataConnectors:
- connectorId: Netclean_ProActive_Incidents
dataTypes:
- Netclean_ProActive_Incidents
status: Available
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
triggerThreshold: 0
suppressionDuration: 5h
tactics:
- Discovery
relevantTechniques:
- T1083
query: |
Netclean_Incidents_CL | where version_s == 1
entityMappings:
- entityType: FileHash
fieldMappings:
- identifier: Value
columnName: sha1_s
- identifier: Algorithm
columnName: detectionMethod_s
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: domain_s
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Hostname_s
- entityType: IP
fieldMappings:
- identifier: Address
columnName: externalIP_s
alertDetailsOverride:
alertDisplayNameFormat: NetClean {{agentType_s}} {{type_s}}
alertDescriptionFormat: A new NetClean {{agentType_s}} {{type_s}} has been Created {{TimeGenerated}}
version: 1.0.1
kind: Scheduled

115
Solutions/NetClean ProActive/Data Connectors/Connector_NetClean.json Normal file
Просмотреть файл

@ -0,0 +1,115 @@
{
"id": "Netclean_ProActive_Incidents",
"title": "Netclean ProActive Incidents",
"publisher": "NetClean Technologies",
"descriptionMarkdown": "This connector uses the Netclean Webhook (required) and Logic Apps to push data into Microsoft Sentinel Log Analytics",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Netclean_Incidents_CL",
"baseQuery": "Netclean_Incidents_CL"
}
],
"sampleQueries": [
{
"description" : "Netclean - All Activities.",
"query": "Netclean_Incidents_CL | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "Netclean_Incidents_CL",
"lastDataReceivedQuery": "Netclean_Incidents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Netclean_Incidents_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** The data connector relies on Azure Logic Apps to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
},
{
"title": " Option 1: deploy Logic app (requires NetClean Proactive)",
"description": "1. Download and install the Logic app here:\n https://portal.azure.com/#create/netcleantechnologiesab1651557549734.netcleanlogicappnetcleanproactivelogicapp)\n2. Configure Send Data: \n2.1 Go to your newly created logic app \n In your Logic app designer, click +New Step and search for “Azure Log Analytics Data Collector” click it and select “Send Data” \n Enter the Custom Log Name: Netclean_Incidents and a dummy value in the Json request body and click save \n Go to code view on the top ribbon and scroll down to line ~100 it should start with \"Body\" \n replace the line entirly with: \n \"body\": \"{\\n\\\"Hostname\\\":\\\"@{variables('machineName')}\\\",\\n\\\"agentType\\\":\\\"@{triggerBody()['value']['agent']['type']}\\\",\\n\\\"Identifier\\\":\\\"@{triggerBody()?['key']?['identifier']}\\\",\\n\\\"type\\\":\\\"@{triggerBody()?['key']?['type']}\\\",\\n\\\"version\\\":\\\"@{triggerBody()?['value']?['incidentVersion']}\\\",\\n\\\"foundTime\\\":\\\"@{triggerBody()?['value']?['foundTime']}\\\",\\n\\\"detectionMethod\\\":\\\"@{triggerBody()?['value']?['detectionHashType']}\\\",\\n\\\"agentInformatonIdentifier\\\":\\\"@{triggerBody()?['value']?['device']?['identifier']}\\\",\\n\\\"osVersion\\\":\\\"@{triggerBody()?['value']?['device']?['operatingSystemVersion']}\\\",\\n\\\"machineName\\\":\\\"@{variables('machineName')}\\\",\\n\\\"microsoftCultureId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftCultureId']}\\\",\\n\\\"timeZoneId\\\":\\\"@{triggerBody()?['value']?['device']?['timeZoneName']}\\\",\\n\\\"microsoftGeoId\\\":\\\"@{triggerBody()?['value']?['device']?['microsoftGeoId']}\\\",\\n\\\"domainname\\\":\\\"@{variables('domain')}\\\",\\n\\\"Agentversion\\\":\\\"@{triggerBody()['value']['agent']['version']}\\\",\\n\\\"Agentidentifier\\\":\\\"@{triggerBody()['value']['identifier']}\\\",\\n\\\"loggedOnUsers\\\":\\\"@{variables('Usernames')}\\\",\\n\\\"size\\\":\\\"@{triggerBody()?['value']?['file']?['size']}\\\",\\n\\\"creationTime\\\":\\\"@{triggerBody()?['value']?['file']?['creationTime']}\\\",\\n\\\"lastAccessTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastAccessTime']}\\\",\\n\\\"lastWriteTime\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedTime']}\\\",\\n\\\"sha1\\\":\\\"@{triggerBody()?['value']?['file']?['calculatedHashes']?['sha1']}\\\",\\n\\\"nearbyFiles_sha1\\\":\\\"@{variables('nearbyFiles_sha1s')}\\\",\\n\\\"externalIP\\\":\\\"@{triggerBody()?['value']?['device']?['resolvedExternalIp']}\\\",\\n\\\"domain\\\":\\\"@{variables('domain')}\\\",\\n\\\"hasCollectedNearbyFiles\\\":\\\"@{variables('hasCollectedNearbyFiles')}\\\",\\n\\\"filePath\\\":\\\"@{replace(triggerBody()['value']['file']['path'], '\\\\', '\\\\\\\\')}\\\",\\n\\\"m365WebUrl\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['webUrl']}\\\",\\n\\\"m365CreatedBymail\\\":\\\"@{triggerBody()?['value']?['file']?['createdBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LastModifiedByMail\\\":\\\"@{triggerBody()?['value']?['file']?['lastModifiedBy']?['graphIdentity']?['user']?['mail']}\\\",\\n\\\"m365LibraryId\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['id']}\\\",\\n\\\"m365LibraryDisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['displayName']}\\\",\\n\\\"m365Librarytype\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['library']?['type']}\\\",\\n\\\"m365siteid\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['id']}\\\",\\n\\\"m365sitedisplayName\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['site']?['displayName']}\\\",\\n\\\"m365sitename\\\":\\\"@{triggerBody()?['value']?['file']?['microsoft365']?['parent']?['name']}\\\",\\n\\\"countOfAllNearByFiles\\\":\\\"@{variables('countOfAllNearByFiles')}\\\",\\n\\n}\", \n click save \n3. Copy the HTTP POST URL\n4. Go to your NetClean ProActive web console, and go to settings, Under Webhook configure a new webhook using the URL copied from step 3 \n 5. Verify functionality by triggering a Demo Incident."
},
{
"title": " Option 2 (Testing only)",
"description": "Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data.\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script"
}
]
}
],
"metadata": {
"id": "d6a16a5e-19c0-4599-bbbc-04d6c38b00d4",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "solution",
"name": "Netclean ProActive Incidents"
},
"author": {
"name": "NetClean"
},
"support": {
"tier": "developer",
"name": "NetClean support",
"email": "Support@netclean.com",
"link":"www.netclean.com"
}
}
}

Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveBlack1.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 83 KiB

Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveBlack2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 208 KiB

Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveWhite1.png.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 103 KiB

Двоичные данные
Solutions/NetClean ProActive/Workbooks/Images/NetCleanProActiveWhite2.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 93 KiB

619
Solutions/NetClean ProActive/Workbooks/NetCleanProActiveWorkbook.json Normal file
Просмотреть файл

@ -0,0 +1,619 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## NetClean Overview last 30 Days\nShows only original incident, please specify the incident you would like to view to include near by files\n"
},
"name": "text - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Type, type_s\n",
"size": 1,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "categoricalbar",
"chartSettings": {
"xAxis": "type_s",
"yAxis": [
"Count"
]
}
},
"name": "query - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by sha1_s",
"size": 4,
"title": "SHA1",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "SHA1",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by agentType_s",
"size": 4,
"title": "Agent Type",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "Agent Type"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where version_s == 1 |summarize Count=count() by Hostname_s",
"size": 4,
"title": "Hostname",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"name": "Hostname"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where version_s == 1 | distinct Identifier_g, TimeGenerated, agentType_s | sort by TimeGenerated desc | project-rename Incident_Identifier=Identifier_g, TimeGenerated, Agent_Type=agentType_s ",
"size": 0,
"title": "List of incidents ",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"sortBy": []
},
"name": "List of incidents "
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where version_s == 1 | sort by TimeGenerated asc\n| summarize Count=count() by format_datetime (TimeGenerated,'yy-MM-dd '), Identifier_g\n",
"size": 0,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Week",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0
},
"chartSettings": {
"xAxis": "TimeGenerated",
"yAxis": [
"Count"
],
"xSettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": false
},
"missingSparkDataOption": "Zero"
}
},
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"name": "query - 4"
}
]
},
"name": "NetClean Oerview"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 1,
"content": {
"json": "## NetClean Incident"
},
"name": "text - 4"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "1e3b2c62-399e-43e6-a643-8a7484ac5c91",
"version": "KqlParameterItem/1.0",
"name": "incident",
"type": 2,
"query": "Netclean_Incidents_CL |where version_s == 1 | sort by TimeGenerated desc | project Identifier_g ",
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": "ebcd8124-27b4-416c-8ca7-45011691b9dc"
},
{
"id": "a3554367-06f8-4027-8134-07af2b82675b",
"version": "KqlParameterItem/1.0",
"name": "agentType",
"type": 2,
"isRequired": true,
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | distinct agentType_s",
"typeSettings": {
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"defaultValue": "value::1",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 2"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project sha1_s",
"size": 4,
"title": "SHA1",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "SHA1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project filePath_s",
"size": 4,
"title": "File Path",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "card",
"textSettings": {
"style": "bignumber"
}
},
"name": "File Path"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" |summarize Count=count()",
"size": 4,
"title": "Number of log entrys for specified incident",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"min": 1,
"palette": "purpleDark"
},
"tooltipFormat": {
"tooltip": "Number of log entrys for specified incident"
}
},
"showBorder": false
}
},
"customWidth": "20",
"name": "Number of log entrys for specified incident"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project hasCollectedNearbyFiles_s",
"size": 4,
"title": "Has Collected Nearby Files",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "hasCollectedNearbyFiles_s",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false,
"size": "auto"
}
},
"customWidth": "20",
"name": "hasCollectedNearbyFiles"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project domain_s",
"size": 4,
"title": "Domain",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "domain_s",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false,
"size": "auto"
}
},
"customWidth": "20",
"name": "domain"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project countOfAllNearByFiles_s\n\n\n\n\n",
"size": 4,
"title": "Number of nearby files",
"noDataMessage": "0",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "countOfAllNearByFiles_s",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
},
"emptyValCustomText": "0"
}
},
"showBorder": true,
"size": "auto"
}
},
"customWidth": "20",
"name": "Number of nearby files"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | where hasCollectedNearbyFiles_s == true | top 1 by countof(nearbyFiles_sha1_s, \",\") | project countof(nearbyFiles_sha1_s, \",\")\n\n\n\n\n",
"size": 4,
"title": "Number of nearby files with match",
"noDataMessage": "0",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"sortBy": [],
"tileSettings": {
"titleContent": {
"columnMatch": "Column1",
"formatter": 12,
"formatOptions": {
"palette": "orange"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal"
},
"emptyValCustomText": "0"
}
},
"showBorder": true,
"size": "auto"
}
},
"customWidth": "20",
"name": "Number of nearby files with match"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project Hostname_s, osVersion_s, hasCollectedNearbyFiles_s, externalIP_s\n\n\n\n",
"size": 4,
"title": "Hostname",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"sortBy": [
{
"itemKey": "hasCollectedNearbyFiles_s",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "hasCollectedNearbyFiles_s",
"sortOrder": 1
}
],
"tileSettings": {
"titleContent": {
"columnMatch": "Hostname_s",
"formatter": 1,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
},
"showBorder": false,
"sortCriteriaField": "hasCollectedNearbyFiles_s",
"sortOrderField": 1,
"size": "auto"
},
"textSettings": {
"style": "header"
}
},
"conditionalVisibility": {
"parameterName": "agentType",
"comparison": "isEqualTo",
"value": "computer"
},
"name": "Hostname"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | mvexpand LoggedOnUsers=split(loggedOnUsers_s, '|') to typeof(string) | project LoggedOnUsers\n ",
"size": 0,
"title": "All Logged On Users",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "loggedOnUsers_s",
"formatter": 1
},
"showBorder": true,
"size": "auto"
}
},
"conditionalVisibility": {
"parameterName": "agentType",
"comparison": "isEqualTo",
"value": "computer"
},
"name": "LoggedOnUsers"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | mvexpand LoggedOnUser=split(loggedOnUsers_s, '|') to typeof(string) | where LoggedOnUser hassuffix Hostname_s or LoggedOnUser endswith domain_s | where LoggedOnUser !contains \"WORKGROUP\" |distinct LoggedOnUser",
"size": 4,
"title": "Users where domain matches hostname or domainname",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"conditionalVisibility": {
"parameterName": "agentType",
"comparison": "isEqualTo",
"value": "computer"
},
"name": "user"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated\n| project format_datetime (creationTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastAccessTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (lastWriteTime_t,'yyyy-MM-dd HH:mm:ss'), format_datetime (TimeGenerated,'yyyy-MM-dd HH:mm:ss'), format_datetime (foundTime_t,'yyyy-MM-dd HH:mm:ss') ",
"size": 4,
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"tileSettings": {
"titleContent": {
"columnMatch": "creationTime_t",
"numberFormat": {
"unit": 27,
"options": {
"style": "decimal"
}
}
},
"showBorder": true,
"size": "auto"
},
"graphSettings": {
"type": 0,
"topContent": {},
"nodeIdField": "foundTime_t",
"sourceIdField": "foundTime_t",
"targetIdField": "foundTime_t",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": null,
"hivesMargin": 5
},
"mapSettings": {
"locInfo": "LatLong"
}
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Netclean_Incidents_CL | where Identifier_g == \"{incident}\" | top 1 by TimeGenerated | project m365LibraryDisplayName_s,m365Librarytype_s, m365WebUrl_s, m365LibraryId_s, m365siteid_s, m365CreatedBymail_s, m365LastModifiedByMail_s, m365sitedisplayName_s, m365sitename_s\n\n",
"size": 4,
"title": "Cloud Agent ",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table"
},
"conditionalVisibility": {
"parameterName": "agentType",
"comparison": "isEqualTo",
"value": "microsoft365"
},
"name": "Cloud Agent "
}
]
},
"name": "group - 5"
}
],
"fromTemplateId": "sentinel-NetCleanProActiveWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}