Merge pull request #11037 from recordedfuture/RecordedFutureIdentityFixes

Recorded Future Identity Bugfixes and solution pack fixes
v-prasadboke 2024-09-11 18:11:03 +05:30 коммит произвёл GitHub
Родитель 121e147e85 62c066ac78
Коммит 7dbea3e296
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
7 изменённых файлов: 102 добавлений и 49 удалений


@ -5,15 +5,15 @@
"Description": "[Recorded Future](https://www.recordedfuture.com/) Identity Intelligence enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of sources. Organizations can incorporate identity intelligence into automated workflows that regularly monitor for compromised credentials and take immediate action with applications such as Azure Active Directory and Microsoft Sentinel.\nThere are many ways organizations can utilize Recorded Future Identity Intelligence; the playbooks in this Solution are just a quick introduction to some of those ways. In particular, these playbooks include several actions that can be coordinated, or used separately. They include:\n1. searches for compromised workforce or external customer users\n2. looking up existing users and saving the compromised user data to a Log file\n3. confirming high risk Azure Active Directory (AAD) users\n4. adding a compromised user to an AAD security group\n\nFor more information, see the [Documentation for this Solution](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Recorded%20Future%20Identity/Playbooks).\n\nThe playbooks have internal dependencies where you have to install: \n- RecordedFutureIdentity-add-EntraID-security-group-user \n- RecordedFutureIdentity-confirm-EntraID-risky-user \n- RecordedFutureIdentity-lookup-and-save-user \n\nBefore: \n- RecordedFutureIdentity-search-workforce-user \n- RecordedFutureIdentity-search-external-user.\n\nThis solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:\n* [Log Analytics](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)\n* [Logic apps](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-pricing)\n",
"PlaybooksBladeDescription": "This solution will install playbooks that import users with leaked credentials from Recorded Future and set them as RiskyUsers in Azure Active Directory.",
"Playbooks": [
"/Playbooks/RFI-CustomConnector-0-1-0/azuredeploy.json",
"/Playbooks/RFI-add-EntraID-security-group-user/azuredeploy.json",
"/Playbooks/RFI-confirm-EntraID-risky-user/azuredeploy.json",
"/Playbooks/RFI-lookup-and-save-user/azuredeploy.json",
"/Playbooks/RFI-search-workforce-user/azuredeploy.json",
"/Playbooks/RFI-search-external-user/azuredeploy.json"
"Playbooks/RFI-CustomConnector-0-1-0/azuredeploy.json",
"Playbooks/RFI-add-EntraID-security-group-user/azuredeploy.json",
"Playbooks/RFI-confirm-EntraID-risky-user/azuredeploy.json",
"Playbooks/RFI-lookup-and-save-user/azuredeploy.json",
"Playbooks/RFI-search-workforce-user/azuredeploy.json",
"Playbooks/RFI-search-external-user/azuredeploy.json"
],
"BasePath": "D:\\Azure-Sentinel\\Solutions\\Recorded Future Identity\\",
"Version": "3.0.0",
"Version": "3.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
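Review bot: The `Playbooks` entries are now relative (`Playbooks/RFI-...`), which presumably makes them resolve against the `BasePath` context line, and that value is a developer-machine path (`D:\\Azure-Sentinel\\Solutions\\Recorded Future Identity\\`), so regenerating the package on any other machine needs a manual edit first. If the packaging tool accepts it, a repository-relative or documented placeholder value would make the data file reproducible. The `Description` context line still lists the logic apps as `RecordedFutureIdentity-add-EntraID-security-group-user` etc. while this commit ships them under the `RFI-` prefix; the installation-order text should use the names users will actually see, e.g. `- RFI-add-EntraID-security-group-user`.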

Solutions/Recorded Future Identity/Package/3.0.1.zip Normal file



@ -33,8 +33,8 @@
"email": "support@recordedfuture.com",
"_email": "[variables('email')]",
"_solutionName": "Recorded Future Identity",
"_solutionVersion": "3.0.0",
"solutionId": "recordedfuture1605638642586.recorded_future_identity_sentinel_solution",
"_solutionVersion": "3.0.1",
"solutionId": "recordedfuture1605638642586.recorded_future_identity_solution",
"_solutionId": "[variables('solutionId')]",
"RFI-CustomConnector-0-1-0": "RFI-CustomConnector-0-1-0",
"_RFI-CustomConnector-0-1-0": "[variables('RFI-CustomConnector-0-1-0')]",
@ -73,7 +73,7 @@
"_RFI-search-workforce-user": "[variables('RFI-search-workforce-user')]",
"TemplateEmptyObject": "[json('{}')]",
"blanks": "[replace('b', 'b', '')]",
"playbookVersion5": "1.1",
"playbookVersion5": "1.2",
"playbookContentId5": "RFI-search-workforce-user",
"_playbookContentId5": "[variables('playbookContentId5')]",
"playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]",
@ -81,7 +81,7 @@
"_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]",
"RFI-search-external-user": "RFI-search-external-user",
"_RFI-search-external-user": "[variables('RFI-search-external-user')]",
"playbookVersion6": "1.1",
"playbookVersion6": "1.2",
"playbookContentId6": "RFI-search-external-user",
"_playbookContentId6": "[variables('playbookContentId6')]",
"playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]",
@ -99,7 +99,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-CustomConnector-0-1-0 Playbook with template version 3.0.0",
"description": "RFI-CustomConnector-0-1-0 Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion1')]",
@ -464,7 +464,7 @@
"title": "From",
"description": "YYYY-MM-DD (until today)",
"type": "string",
"example": "2017-07-21T23:02:28+05:30",
"example": "2017-07-21T19:32:28+02:00",
"x-ms-visibility": "important"
},
"properties": {
@ -745,7 +745,7 @@
"format": "date-time",
"description": "YYYY-MM-DD (until today)",
"type": "string",
"example": "2022-02-08T16:02:37.951+05:30"
"example": "2022-02-08T11:32:37.951+01:00"
},
"name": {
"type": "string",
@ -1393,7 +1393,7 @@
"format": "date-time",
"description": "YYYY-MM-DD (until today)",
"type": "string",
"example": "2022-02-08T16:02:37.951+05:30"
"example": "2022-02-08T11:32:37.951+01:00"
},
"name": {
"type": "string",
@ -1995,7 +1995,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-add-EntraID-security-group-user Playbook with template version 3.0.0",
"description": "RFI-add-EntraID-security-group-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion2')]",
@ -2443,7 +2443,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-confirm-EntraID-risky-user Playbook with template version 3.0.0",
"description": "RFI-confirm-EntraID-risky-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion3')]",
@ -2924,7 +2924,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-lookup-and-save-user Playbook with template version 3.0.0",
"description": "RFI-lookup-and-save-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion4')]",
@ -3398,7 +3398,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-search-workforce-user Playbook with template version 3.0.0",
"description": "RFI-search-workforce-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion5')]",
@ -3407,6 +3407,13 @@
"defaultValue": "RFI-search-workforce-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
@ -3441,7 +3448,7 @@
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1",
"hidden-SentinelTemplateVersion": "1.2",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"dependsOn": [
@ -3901,10 +3908,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[[resourceGroup().name]",
"resourcename": "[[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
@ -3926,10 +3933,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[[resourceGroup().name]",
"resourcename": "[[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
@ -4087,7 +4094,7 @@
"metadata": {
"title": "RFI-search-workforce-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised workforce users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00Z",
"lastUpdateTime": "2024-08-27T14:25:00Z",
"tags": [
"Identity protection"
],
@ -4105,6 +4112,13 @@
"notes": [
"Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI."
]
},
{
"version": "1.2",
"title": "Updates",
"notes": [
"Added workspace_name as a parameter."
]
}
]
}
@ -4131,7 +4145,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "RFI-search-external-user Playbook with template version 3.0.0",
"description": "RFI-search-external-user Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion6')]",
@ -4140,6 +4154,13 @@
"defaultValue": "RFI-search-external-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
@ -4174,7 +4195,7 @@
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1",
"hidden-SentinelTemplateVersion": "1.2",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
"dependsOn": [
@ -4486,10 +4507,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[[resourceGroup().name]",
"resourcename": "[[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
@ -4616,7 +4637,7 @@
"metadata": {
"title": "RFI-search-external-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised external (customer) users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00Z",
"lastUpdateTime": "2024-08-27T14:25:00Z",
"tags": [
"Identity protection"
],
@ -4634,6 +4655,13 @@
"notes": [
"Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI."
]
},
{
"version": "1.2",
"title": "Updates",
"notes": [
"Added Log Analytic Workspace as a parameter."
]
}
]
}
@ -4656,7 +4684,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Recorded Future Identity",
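Review bot: The new `workspace_name` parameter (hunk at -3407, and again at -4140) defaults to `""`, so a deployment that leaves it unset produces a playbook whose `queryData` actions carry an empty `resourcename`, and the failure only shows up when the logic app runs rather than at deployment time. The outer template already takes `parameters('workspace')` (used in the `extensionResourceId` context lines), so if single-bracket expressions inside the nested `mainTemplate` are still evaluated by the outer deployment, `"defaultValue": "[parameters('workspace')]"` would make the playbook follow the solution's workspace; otherwise drop the default and add `"minLength": 1` so the value has to be supplied — the standalone azuredeploy.json files in this commit share the same empty default. The queries also now pin `resourcegroups` to `[[resourceGroup().name]`, which only works when the workspace sits in the resource group the playbook is deployed to; the parameter description `Microsoft Log Analytic Workspace Name` should state that, e.g. `Name of the Log Analytics workspace; it must be in the resource group this playbook is deployed to`.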


@ -4,7 +4,7 @@
"metadata": {
"title": "RFI-search-external-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised external (customer) users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00.000Z",
"lastUpdateTime": "2024-08-27T14:25:00.000Z",
"entities": [],
"tags": ["Identity protection"],
"support": {
@ -23,6 +23,11 @@
"version": "1.1",
"title": "Updates",
"notes": [ "Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI." ]
},
{
"version": "1.2",
"title": "Updates",
"notes": [ "Added Log Analytic Workspace as a parameter." ]
}
]
},
@ -31,6 +36,13 @@
"defaultValue": "RFI-search-external-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description" : "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
@ -56,7 +68,7 @@
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1"
"hidden-SentinelTemplateVersion": "1.2"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('LogAnalyticsDataCollectorConnectionName'))]",
@ -373,10 +385,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[resourceGroup().name]",
"resourcename": "[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
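Review bot: The added `"description" : "Microsoft Log Analytic Workspace Name"` line puts a space before the colon, unlike every other key in this file, and the product is named "Log Analytics"; `"description": "Log Analytics workspace name"` matches both the file's formatting and the name users see in the portal. The same line appears in the RFI-search-workforce-user azuredeploy.json hunk of this commit. The `resourcegroups` query now assumes the workspace is in the playbook's own resource group, which the description should also say so operators know where the `workspace_name` value is looked up.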


@ -4,7 +4,7 @@
"metadata": {
"title": "RFI-search-workforce-user",
"description": "This playbook searches the Recorded Future Identity Intelligence Module for compromised workforce users.\n\nThis playbook depends on:\n- RFI-add-EntraID-security-group-user\n- RFI-confirm-EntraID-risky-user\n- RFI-lookup-and-save-user\n\n Those playbooks need to be installed **manually** before installing current playbook.",
"lastUpdateTime": "2024-06-11T14:25:00.000Z",
"lastUpdateTime": "2024-08-27T14:25:00.000Z",
"entities": [],
"tags": ["Identity protection"],
"support": {
@ -19,10 +19,15 @@
"title": "Initial version",
"notes": [ "Initial version" ]
},
{
{
"version": "1.1",
"title": "Updates",
"notes": [ "Added subscriptionId as a parameter and updated solution to match V3. Change PlaybookName prefix to RFI." ]
},
{
"version": "1.2",
"title": "Updates",
"notes": [ "Added workspace_name as a parameter." ]
}
]
},
@ -31,6 +36,13 @@
"defaultValue": "RFI-search-workforce-user",
"type": "string"
},
"workspace_name": {
"type": "string",
"defaultValue": "",
"metadata": {
"description" : "Microsoft Log Analytic Workspace Name"
}
},
"Playbook-Name-add-EntraID-security-group-user": {
"defaultValue": "RFI-add-EntraID-security-group-user",
"type": "string"
@ -56,7 +68,7 @@
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"hidden-SentinelTemplateVersion": "1.1"
"hidden-SentinelTemplateVersion": "1.2"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('LogAnalyticsDataCollectorConnectionName'))]",
@ -525,10 +537,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[resourceGroup().name]",
"resourcename": "[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}
@ -550,10 +562,10 @@
"method": "post",
"path": "/queryData",
"queries": {
"resourcegroups": "RF",
"resourcename": "RF-log-analyitics",
"resourcegroups": "[resourceGroup().name]",
"resourcename": "[parameters('workspace_name')]",
"resourcetype": "Log Analytics Workspace",
"subscriptions": "@subscription().subscriptionId",
"subscriptions": "[subscription().subscriptionId]",
"timerange": "@{formatDateTime(addDays(utcNow(), parameters('search_lookback_days')), 'yyyy-MM-dd')}"
}
}


@ -1,4 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.1 | 27-08-2024 | Fixedhardcoded Resource Group and Analytics Workspace Name in search **playbooks**. |
| 3.0.0 | 15-04-2024 | Fixedhardcoded SubscriptionID.<br> Entra ID renaming of **Playbooks** and readme.<br> Using solution format V3<br>Change prefix on all logic app installation names from RecordedFutureIdentity to RFI due to logic app name size limitation of 64 characters. |
| 2.0.0 | 14-09-2022 | Initial Solution Release |


@ -1,6 +1,6 @@
{
"publisherId": "recordedfuture1605638642586",
"offerId": "recorded_future_identity_sentinel_solution",
"offerId": "recorded_future_identity_solution",
"firstPublishDate": "2022-09-06",
"lastPublishDate":"2022-09-06",
"providers": ["Recorded Future"],
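Review bot: Changing `offerId` to `recorded_future_identity_solution` also changes the package's `_solutionId` (mainTemplate.json updates `solutionId` in step with this), and that value feeds the `uniqueString(...)` in the playbook `contentProductId` variables, so if the old id was the one already published, a workspace with 3.0.0 installed may treat 3.0.1 as a different solution rather than an update. Worth confirming the new value against the Marketplace offer before release, and recording the id change in the changelog entry for 3.0.1. The context line `"lastPublishDate":"2022-09-06"` is left as is while the package moves to 3.0.1; if that field is meant to track releases it should move too.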