Initial work on the NXLogDnsLogs Azure Sentinel solution

- Added parsers:
    - NXLog_parsed_DNS_Server_ASim_view
    - NXLog_parsed_DNS_Server_view
    - NXLog_parsed_DNS_Analytical_view
    - NXLog_parsed_DNS_Audit_view
- Added the NXLogDnsLogs (JSON) Data Connector definition (WIP)
    - Still need to add sample queries
    - Need to reduce the size of the sample data (currently has 10,104 events)
John Kirch 2021-09-08 01:17:16 -05:00
Родитель ffcb20d6d9
Коммит 7575b425f6
5 изменённых файлов: 569 добавлений и 0 удалений


@ -0,0 +1,98 @@
{
"id": "NXLogDnsLogs",
"title": "NXLog DNS Logs",
"publisher": "NXLog",
"descriptionMarkdown": "The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](https://docs.microsoft.com/windows/apps/trace-processing/overview)) for collecting both Audit and Analytical DNS Server events. The [NXLog *im_etw* module](https://nxlog.co/documentation/nxlog-user-guide/im_etw.html) reads event tracing data directly for maximum efficiency, without the need to capture the event trace into an .etl file. This REST API connector can forward DNS Server events to Azure Sentinel in real time.",
"additionalRequirementBanner": "This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities. The other fucntions, [**NXLog_parsed_DNS_Server_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt), [**NXLog_parsed_DNS_Audit_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt), and [**NXLog_parsed_DNS_Analytical_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt) are designed to work with custom analytics that use the NXLog schema for Windows DNS Server events.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "NXLog_parsed_DNS_Server_ASim_view",
"baseQuery": "NXLog_parsed_DNS_Server_ASim_view"
}
],
"sampleQueries": [
{
"description" : "",
"query": ""
},
{
"description" : "",
"query" : ""
}
],
"dataTypes": [
{
"name": "NXLog_parsed_DNS_Server_ASim_view",
"lastDataReceivedQuery": "NXLog_parsed_DNS_Server_ASim_view | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"NXLog_parsed_DNS_Server_ASim_view | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This data connector depends on parsers based on Kusto functions deployed with the Azure Sentinel Solution to work as expected. The [**NXLog_parsed_DNS_Server_ASim_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_ASim_view.txt) is designed to leverage Azure Sentinel's built-in DNS-related analytics capabilities. The other fucntions, [**NXLog_parsed_DNS_Server_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Server_view.txt), [**NXLog_parsed_DNS_Audit_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Audit_view.txt), and [**NXLog_parsed_DNS_Analytical_view**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/NXLogDnsLogs/Parsers/NXLog_parsed_DNS_Analytical_view.txt) are designed to work with custom analytics that use the NXLog schema for Windows DNS Server events.",
"instructions": [
]
},
{
"title": "",
"description": "Follow the step-by-step instructions in the *NXLog User Guide* Integration Topic [Microsoft Azure Sentinel](https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) to configure this connector.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}
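Review bot: The user-facing `descriptionMarkdown`/`additionalRequirementBanner` text and the first `instructionSteps` description both misspell "functions" as `fucntions`; the sentence is duplicated verbatim in both places, so both should read `The other functions, [**NXLog_parsed_DNS_Server_view**]...`. Separately, `graphQueries`, `dataTypes.lastDataReceivedQuery` and the `IsConnectedQuery` all query `NXLog_parsed_DNS_Server_ASim_view` rather than the underlying `DNS_Server_CL` table, so until that parser function is saved in the workspace these queries will likely fail to resolve instead of reporting "not connected". If that dependency is intentional, a note in the connector README (or pointing the connectivity query at `DNS_Server_CL` directly) would make the install order explicit.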


@ -0,0 +1,79 @@
// Usage Instructions:
// Paste the query below into the Log Analytics query editor.
// Click the "Save" button and select "Save as function".
// Enter "NXLog_parsed_DNS_Analytical_view" in the "Function name" field.
// For "Legacy category:" enter "DNS Server logs".
// "Paramters" are not needed.
// Function usually takes 10-15 minutes to activate.
// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Analytical_view | take 10).
// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let NXLog_parsed_DNS_Analytical_view = view () {
DNS_Server_CL
| where EventID_d < 281
| project-rename
AA=AA_s,
AccountName=AccountName_s,
AccountType=AccountType_s,
AD=AD_s,
AdditionalInfo=AdditionalInfo_s,
BufferSize=BufferSize_s,
CacheScope=CacheScope_s,
ChannelID=ChannelID_d,
CustomLogName=Type,
Destination=Destination_s,
DNSSEC=DNSSEC_s,
Domain=Domain_s,
ElapsedTime=ElapsedTime_s,
EventReceivedTime=EventReceivedTime_t,
EventID=EventID_d,
EventTime=EventTime_t,
EventType=EventType_s,
ExecutionProcessID=ExecutionProcessID_d,
ExecutionThreadID=ExecutionThreadID_d,
FilePath=FilePath_s,
Flags=Flags_s,
GUID=GUID_g,
Hostname=Hostname_s,
InterfaceIP=InterfaceIP_s,
Keywords=Keywords_s,
Lookup=Lookup_s,
NAME=NAME_s,
Name=Name_s,
NewValue=NewValue_s,
OpcodeValue=OpcodeValue_d,
PacketData=PacketData_s,
PolicyName=PolicyName_s,
Port=Port_s,
PropertyKey=PropertyKey_s,
ProviderGuid=ProviderGuid_g,
QNAME=QNAME_s,
QTYPE=QTYPE_s,
QXID=QXID_s,
RCODE=RCODE_s,
RD=RD_s,
RDATA=RDATA_s,
Reason=Reason_s,
RecursionDepth=RecursionDepth_s,
RecursionScope=RecursionScope_s,
ReplicationScope=ReplicationScope_s,
Scope=Scope_s,
Severity=Severity_s,
SeverityValue=SeverityValue_d,
Source=Source_s,
SourceModuleName=SourceModuleName_s,
SourceModuleType=SourceModuleType_s,
SourceName=SourceName_s,
TaskValue=TaskValue_d,
TCP=TCP_s,
TTL=TTL_s,
UserID=UserID_s,
Version=Version_d,
VirtualizationID=VirtualizationID_s,
XID=XID_s,
Zone=Zone_s,
ZoneFile=ZoneFile_s,
ZoneScope=ZoneScope_s
| project-rename
Type=Type_s
};
NXLog_parsed_DNS_Analytical_view();
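Review bot: Every entry in the `project-rename` list hard-references a `DNS_Server_CL` column, and a custom-log table only gains a column once at least one ingested event carried that field, so a workspace that has not yet seen e.g. `ZoneScope_s`, `VirtualizationID_s` or `NewValue_s` will likely fail to resolve the whole function rather than return rows with empty columns. For the fields that only appear on some event IDs, the `column_ifexists()` pattern is safer, e.g. `| extend ZoneScope = column_ifexists("ZoneScope_s", "")`, or the header should state that all fields must have been ingested before the function resolves. The same applies to the identical rename lists in NXLog_parsed_DNS_Audit_view and NXLog_parsed_DNS_Server_view and to the `project-rename`/`project-away` lists in NXLog_parsed_DNS_Server_ASim_view. The header comment in all four parsers also misspells "Parameters" as `Paramters`.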


@ -0,0 +1,79 @@
// Usage Instructions:
// Paste the query below into the Log Analytics query editor.
// Click the "Save" button and select "Save as function".
// Enter "NXLog_parsed_DNS_Audit_view" in the "Function name" field.
// For "Legacy category:" enter "DNS Server logs".
// "Paramters" are not needed.
// Function usually takes 10-15 minutes to activate.
// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Audit_view | take 10).
// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let NXLog_parsed_DNS_Audit_view = view () {
DNS_Server_CL
| where EventID_d > 511
| project-rename
AA=AA_s,
AccountName=AccountName_s,
AccountType=AccountType_s,
AD=AD_s,
AdditionalInfo=AdditionalInfo_s,
BufferSize=BufferSize_s,
CacheScope=CacheScope_s,
ChannelID=ChannelID_d,
CustomLogName=Type,
Destination=Destination_s,
DNSSEC=DNSSEC_s,
Domain=Domain_s,
ElapsedTime=ElapsedTime_s,
EventReceivedTime=EventReceivedTime_t,
EventID=EventID_d,
EventTime=EventTime_t,
EventType=EventType_s,
ExecutionProcessID=ExecutionProcessID_d,
ExecutionThreadID=ExecutionThreadID_d,
FilePath=FilePath_s,
Flags=Flags_s,
GUID=GUID_g,
Hostname=Hostname_s,
InterfaceIP=InterfaceIP_s,
Keywords=Keywords_s,
Lookup=Lookup_s,
NAME=NAME_s,
Name=Name_s,
NewValue=NewValue_s,
OpcodeValue=OpcodeValue_d,
PacketData=PacketData_s,
PolicyName=PolicyName_s,
Port=Port_s,
PropertyKey=PropertyKey_s,
ProviderGuid=ProviderGuid_g,
QNAME=QNAME_s,
QTYPE=QTYPE_s,
QXID=QXID_s,
RCODE=RCODE_s,
RD=RD_s,
RDATA=RDATA_s,
Reason=Reason_s,
RecursionDepth=RecursionDepth_s,
RecursionScope=RecursionScope_s,
ReplicationScope=ReplicationScope_s,
Scope=Scope_s,
Severity=Severity_s,
SeverityValue=SeverityValue_d,
Source=Source_s,
SourceModuleName=SourceModuleName_s,
SourceModuleType=SourceModuleType_s,
SourceName=SourceName_s,
TaskValue=TaskValue_d,
TCP=TCP_s,
TTL=TTL_s,
UserID=UserID_s,
Version=Version_d,
VirtualizationID=VirtualizationID_s,
XID=XID_s,
Zone=Zone_s,
ZoneFile=ZoneFile_s,
ZoneScope=ZoneScope_s
| project-rename
Type=Type_s
};
NXLog_parsed_DNS_Audit_view();
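Review bot: The filter `| where EventID_d > 511` here and `| where EventID_d < 281` in the Analytical view leave IDs 281–511 in neither view and put no lower bound on the analytical range, so any event the ETW provider emits outside the assumed 256–280 / 512+ split silently disappears from both parsers, which matters for detections built on them. Tightening the analytical filter to `| where EventID_d between (256 .. 280)` and adding a one-line comment stating the intended ID ranges would make the split explicit and auditable. Since both filtered views otherwise repeat the rename list of NXLog_parsed_DNS_Server_view verbatim, they could be defined as `NXLog_parsed_DNS_Server_view | where EventID > 511` (respectively the analytical range) so the three column lists cannot drift apart.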


@ -0,0 +1,235 @@
// Usage Instructions:
// Paste the query below into the Log Analytics query editor.
// Click the "Save" button and select "Save as function".
// Enter "NXLog_parsed_AIX_Audit_view" in the "Function name" field.
// For "Legacy category:" enter "AIX Security Audit".
// "Paramters" are not needed.
// Function usually takes 10-15 minutes to activate.
// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Server_ASim_view | take 10).
// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let NXLog_parsed_DNS_Server_ASim_view = view () {
let EventTypeTable=datatable(EventOriginalType:real,EventType:string)[
256, 'Query'
, 257, 'Query'
, 258, 'Query'
, 259, 'Query'
, 260, 'Query'
, 261, 'Query'
, 262, 'Query'
, 263, 'Dynamic update'
, 264, 'Dynamic update'
, 265, 'Zone XFR'
, 266, 'Zone XFR'
, 267, 'Zone XFR'
, 268, 'Zone XFR'
, 269, 'Zone XFR'
, 270, 'Zone XFR'
, 271, 'Zone XFR'
, 272, 'Zone XFR'
, 273, 'Zone XFR'
, 274, 'Zone XFR'
, 275, 'Zone XFR'
, 276, 'Zone XFR'
, 277, 'Dynamic update'
, 278, 'Dynamic update'
, 279, 'Query'
, 280, 'Query'
];
let EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[
256, 'request'
, 257, 'response'
, 258, 'response'
, 259, 'response'
, 260, 'request'
, 261, 'response'
, 262, 'request'
, 263, 'response'
, 264, 'response'
, 265, 'request'
, 266, 'request'
, 267, 'response'
, 268, 'response'
, 269, 'request'
, 270, 'request'
, 271, 'response'
, 272, 'response'
, 273, 'response'
, 274, 'response'
, 275, 'response'
, 276, 'response'
, 277, 'response'
, 278, 'response'
, 279, 'request'
, 280, 'request'
];
let EventResultTable=datatable(EventOriginalType:real,EventResult:string)[
256, 'NA'
, 257, 'Success'
, 258, 'Failure'
, 259, 'Failure'
, 260, 'NA'
, 261, 'Success'
, 262, 'Failure'
, 263, 'Success'
, 264, 'Success'
, 265, 'NA'
, 266, 'NA'
, 267, 'Success'
, 268, 'Success'
, 269, 'NA'
, 270, 'NA'
, 271, 'Success'
, 272, 'Success'
, 273, 'Success'
, 274, 'Success'
, 275, 'Success'
, 276, 'Success'
, 277, 'Success'
, 278, 'Success'
, 279, 'NA'
, 280, 'NA'
];
let RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[
0, 'NOERROR'
, 1, 'FORMERR'
, 2,'SERVFAIL'
, 3,'NXDOMAIN'
, 4,'NOTIMP'
, 5,'REFUSED'
, 6,'YXDOMAIN'
, 7,'YXRRSET'
, 8,'NXRRSET'
, 9,'NOTAUTH'
, 10,'NOTZONE'
, 11,'DSOTYPENI'
, 16,'BADVERS'
, 16,'BADSIG'
, 17,'BADKEY'
, 18,'BADTIME'
, 19,'BADMODE'
, 20,'BADNAME'
, 21,'BADALG'
, 22,'BADTRUNC'
, 23,'BADCOOKIE'
];
let QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[
0, 'Reserved'
, 1, 'A'
, 2, 'NS'
, 3, 'MD'
, 4, 'MF'
, 5, 'CNAME'
, 6, 'SOA'
, 7, 'MB'
, 8 ,'MG'
, 9 ,'MR'
, 10,'NULL'
, 11,'WKS'
, 12,'PTR'
, 13,'HINFO'
, 14,'MINFO'
, 15,'MX'
, 16,'TXT'
, 17,'RP'
, 18,'AFSDB'
, 19,'X25'
, 20,'ISDN'
, 21,'RT'
, 22,'NSAP'
, 23,'NSAP-PTR'
, 24,'SIG'
, 25,'KEY'
, 26,'PX'
, 27,'GPOS'
, 28,'AAAA'
, 29,'LOC'
, 30,'NXT'
, 31,'EID'
, 32,'NIMLOC'
, 33,'SRV'
];
DNS_Server_CL
| where EventID_d < 281
| project-rename
DnsFlags=Flags_s,
DnsQuery=QNAME_s,
DnsQueryType=QTYPE_s,
DnsResponseCode=RCODE_s,
DnsResponseName=PacketData_s,
Dvc=Hostname_s,
DvcIpAddr=InterfaceIP_s,
EventOriginalType=EventID_d,
EventOriginalUid=GUID_g,
EventStartTime=EventTime_t,
SrcPortNumber=Port_s,
SrcIpAddr=Source_s
| extend
DnsQuery=trim_end(".",DnsQuery),
DnsQueryType=toint(DnsQueryType),
DnsResponseCode=toint(DnsResponseCode),
DvcHostname=Dvc,
EventEndTime=EventStartTime,
EventProduct="Microsoft DNS Server",
EventSchemaVersion="0.1.1",
EventVendor="Microsoft",
NetworkProtocol=iff(TCP_s == "0","UDP","TCP"),
TransactionIdHex=tohex(toint(XID_s))
| lookup EventTypeTable on EventOriginalType
| lookup EventSubTypeTable on EventOriginalType
| lookup EventResultTable on EventOriginalType
| lookup RCodeTable on DnsResponseCode
| lookup QTypeTable on DnsQueryType
| extend
EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName
, DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'
, 'Unassigned')
| extend
Domain=DnsQuery,
DnsResponseCodeName=EventResultDetails,
DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName
, DnsQueryType between (66 .. 98), 'Unassigned'
, DnsQueryType between (110 .. 248), 'Unassigned'
, DnsQueryType between (261 .. 32767), 'Unassigned'
, 'Unassigned'),
EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult)
| project-away
AA_s,
AD_s,
AdditionalInfo_s,
BufferSize_s,
AccountName_s,
AccountType_s,
CacheScope_s,
ChannelID_d,
Destination_s,
DNSSEC_s,
Domain_s,
ElapsedTime_s,
EventReceivedTime_t,
EventType_s,
ExecutionProcessID_d,
ExecutionThreadID_d,
Keywords_s,
OpcodeValue_d,
PolicyName_s,
ProviderGuid_g,
QXID_s,
RD_s,
Reason_s,
RecursionDepth_s,
RecursionScope_s,
ResponseCodeName,
Scope_s,
Severity_s,
SeverityValue_d,
SourceModuleName_s,
SourceModuleType_s,
SourceName_s,
TaskValue_d,
TCP_s,
UserID_s,
Version_d,
XID_s,
Zone_s
};
NXLog_parsed_DNS_Server_ASim_view();
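Review bot: `RCodeTable` lists response code 16 twice (`BADVERS` and `BADSIG`), so `| lookup RCodeTable on DnsResponseCode` will emit two rows for every event whose RCODE is 16, inflating counts in any analytic that aggregates on this view; collapse the pair into one entry, `, 16,'BADVERS/BADSIG'`, since both names are assigned to that value. The `EventResult=iff (DnsResponseCode == 0 and EventResult == 'Informational','Success',EventResult)` branch can never fire because `EventResultTable` only yields `NA`, `Success` and `Failure`, so it should be dropped or rewritten for the `NA` case it presumably meant. `QTypeTable` stops at 33 (`SRV`), so assigned types such as 41 (OPT), 43 (DS), 46 (RRSIG), 48 (DNSKEY) and 255 (ANY) fall through to `'Unassigned'` in `DnsQueryTypeName`, and the three `between` branches in that `case` all return the same default and can be removed; extending the table (or at least not labelling known types as unassigned) would keep the ASim fields trustworthy. The header comment still names `NXLog_parsed_AIX_Audit_view` and `AIX Security Audit`; it should read `NXLog_parsed_DNS_Server_ASim_view` and `DNS Server logs` like the other parsers.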


@ -0,0 +1,78 @@
// Usage Instructions:
// Paste the query below into the Log Analytics query editor.
// Click the "Save" button and select "Save as function".
// Enter "NXLog_parsed_DNS_Server_view" in the "Function name" field.
// For "Legacy category:" enter "DNS Server logs".
// "Paramters" are not needed.
// Function usually takes 10-15 minutes to activate.
// You can then use this function from any other queries (e.g. NXLog_parsed_DNS_Server_view | take 10).
// Reference: Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
let NXLog_parsed_DNS_Server_view = view () {
DNS_Server_CL
| project-rename
AA=AA_s,
AccountName=AccountName_s,
AccountType=AccountType_s,
AD=AD_s,
AdditionalInfo=AdditionalInfo_s,
BufferSize=BufferSize_s,
CacheScope=CacheScope_s,
ChannelID=ChannelID_d,
CustomLogName=Type,
Destination=Destination_s,
DNSSEC=DNSSEC_s,
Domain=Domain_s,
ElapsedTime=ElapsedTime_s,
EventReceivedTime=EventReceivedTime_t,
EventID=EventID_d,
EventTime=EventTime_t,
EventType=EventType_s,
ExecutionProcessID=ExecutionProcessID_d,
ExecutionThreadID=ExecutionThreadID_d,
FilePath=FilePath_s,
Flags=Flags_s,
GUID=GUID_g,
Hostname=Hostname_s,
InterfaceIP=InterfaceIP_s,
Keywords=Keywords_s,
Lookup=Lookup_s,
NAME=NAME_s,
Name=Name_s,
NewValue=NewValue_s,
OpcodeValue=OpcodeValue_d,
PacketData=PacketData_s,
PolicyName=PolicyName_s,
Port=Port_s,
PropertyKey=PropertyKey_s,
ProviderGuid=ProviderGuid_g,
QNAME=QNAME_s,
QTYPE=QTYPE_s,
QXID=QXID_s,
RCODE=RCODE_s,
RD=RD_s,
RDATA=RDATA_s,
Reason=Reason_s,
RecursionDepth=RecursionDepth_s,
RecursionScope=RecursionScope_s,
ReplicationScope=ReplicationScope_s,
Scope=Scope_s,
Severity=Severity_s,
SeverityValue=SeverityValue_d,
Source=Source_s,
SourceModuleName=SourceModuleName_s,
SourceModuleType=SourceModuleType_s,
SourceName=SourceName_s,
TaskValue=TaskValue_d,
TCP=TCP_s,
TTL=TTL_s,
UserID=UserID_s,
Version=Version_d,
VirtualizationID=VirtualizationID_s,
XID=XID_s,
Zone=Zone_s,
ZoneFile=ZoneFile_s,
ZoneScope=ZoneScope_s
| project-rename
Type=Type_s
};
NXLog_parsed_DNS_Server_view();
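Review bot: The two-stage `project-rename` (`CustomLogName=Type` in the first operator, then `Type=Type_s` in the second) is not self-explanatory: the first step moves the built-in Log Analytics `Type` column aside so that NXLog's `Type_s` can take its name. A comment before the first `project-rename` such as `// Free the built-in table-name column Type so NXLog's Type_s can be renamed to Type below` would stop the next maintainer from merging the two operators into one, which may not be accepted because of the name collision. This view also applies no `where` filter and therefore returns every `DNS_Server_CL` row; saying so in the header (as the union of the Analytical and Audit views) would clarify how the three parsers relate.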