Merge branch 'master' into v-vdixit/SOC-Handbook-repackaging

v-sabiraj 2023-06-05 16:36:45 +05:30
Родитель cdac2cff8f 3648612708
Коммит 800de45aa0
35 изменённых файлов: 3172 добавлений и 2674 удалений


@ -3,7 +3,7 @@ import * as logger from "./../utils/logger";
import { ExitCode } from "./../utils/exitCode";
import { IsValidSolutionDomainsVerticals } from "./validDomainsVerticals";
import { IsValidSupportObject } from "./validSupportObject";
//import { IsValidBrandingContent } from "./validMSBranding";
import { IsValidBrandingContent } from "./validMSBranding";
import { MainTemplateDomainVerticalValidationError, MainTemplateSupportObjectValidationError, InvalidFileContentError } from "../utils/validationError";
@ -12,7 +12,7 @@ import { MainTemplateDomainVerticalValidationError, MainTemplateSupportObjectVal
export async function IsValidSolution(filePath: string): Promise<ExitCode> {
IsValidSolutionDomainsVerticals(filePath);
IsValidSupportObject(filePath);
//IsValidBrandingContent(filePath);
IsValidBrandingContent(filePath);
return ExitCode.SUCCESS;
}
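Review bot: The `ExitCode` returned by the now-enabled `IsValidBrandingContent` (and by the two validators above it) is discarded, and `IsValidSolution` unconditionally returns `ExitCode.SUCCESS`; that is only correct if every validator signals failure by throwing, which the imported `InvalidFileContentError` suggests but this hunk does not show. If any validator ever reports a failure through its return value instead, the failure is silently masked as success. A small change keeps the contract honest: `const codes = [IsValidSolutionDomainsVerticals(filePath), IsValidSupportObject(filePath), IsValidBrandingContent(filePath)];` followed by `return codes.find((code) => code !== ExitCode.SUCCESS) ?? ExitCode.SUCCESS;`, provided the first two validators also return an `ExitCode`.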


@ -2,8 +2,17 @@ import { InvalidFileContentError } from "./../utils/validationError";
import { ExitCode } from "../utils/exitCode";
import fs from "fs";
export function IsValidBrandingContent(filePath: string): ExitCode {
type AttributeConfig = {
mainTemplateAttributes: string[];
createUIDefinitionAttributes: string[];
};
const attributeConfig: AttributeConfig = {
mainTemplateAttributes: ["descriptionMarkdown", "description"],
createUIDefinitionAttributes: ["text", "description"],
};
export function IsValidBrandingContent(filePath: string): ExitCode {
// Skip validation if file path contains "SentinelOne"
if (filePath.includes("SentinelOne")) {
return ExitCode.SUCCESS;
@ -12,17 +21,10 @@ export function IsValidBrandingContent(filePath: string): ExitCode {
const errors: string[] = [];
// check if the file is mainTemplate.json or createUiDefinition.json
if (filePath.endsWith("mainTemplate.json") || filePath.endsWith("createUiDefinition.json")) {
// check if the file content contains " Sentinel" without being preceded by "Microsoft" and not part of a hyphenated word
const fileContent = fs.readFileSync(filePath, "utf8");
const sentinelRegex = /(?<!Microsoft\s)(?<!-)\bSentinel\b/g;
let match;
while ((match = sentinelRegex.exec(fileContent))) {
errors.push(`Inaccurate product branding used at index ${match.index + 1}. Use "Microsoft Sentinel" instead of "Sentinel"`);
}
// If the file is not identified correctly, log a warning message
if (filePath.endsWith("mainTemplate.json")) {
validateFileContent(filePath, attributeConfig.mainTemplateAttributes, errors);
} else if (filePath.endsWith("createUiDefinition.json")) {
validateFileContent(filePath, attributeConfig.createUIDefinitionAttributes, errors);
} else {
console.warn(`Could not identify JSON file as mainTemplate.json or createUiDefinition.json. Skipping. File path: ${filePath}`);
}
@ -35,3 +37,34 @@ export function IsValidBrandingContent(filePath: string): ExitCode {
// Return success code after completion of the check
return ExitCode.SUCCESS;
}
function validateFileContent(filePath: string, attributeNames: string[], errors: string[]): void {
const fileContent = fs.readFileSync(filePath, "utf8");
const jsonContent = JSON.parse(fileContent);
traverseAttributes(jsonContent, attributeNames, errors);
}
function traverseAttributes(jsonContent: any, attributeNames: string[], errors: string[]): void {
for (const key in jsonContent) {
if (jsonContent.hasOwnProperty(key)) {
const attributeValue = jsonContent[key];
if (attributeNames.includes(key) && typeof attributeValue === "string") {
validateAttribute(attributeValue, key, errors);
}
if (typeof attributeValue === "object" && attributeValue !== null) {
traverseAttributes(attributeValue, attributeNames, errors);
}
}
}
}
function validateAttribute(attributeValue: string, attributeName: string, errors: string[]): void {
const sentinelRegex = /(?<!Microsoft\s)(?<!-)\bSentinel\b/g;
const updatedValue = attributeValue.replace(sentinelRegex, "Microsoft Sentinel");
if (attributeValue !== updatedValue) {
const error = `Inaccurate product branding used in '${attributeName}' for '${attributeValue}'. Use "Microsoft Sentinel" instead of "Sentinel"`;
errors.push(error);
}
}
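Review bot: `traverseAttributes(jsonContent: any, ...)` in the last hunk walks parsed JSON through `any` with a `for..in` plus `hasOwnProperty` loop; typing the input as `unknown`, narrowing once at the top, and iterating `Object.entries` gives the same traversal under `strict` without the `any` and lets the object/null guard on the recursive call collapse into the function's own entry check. Separately, `validateFileContent` re-reads a file the caller already read and calls `JSON.parse` unguarded, so a malformed `mainTemplate.json` surfaces as a raw `SyntaxError` from the validator rather than an entry in `errors`; wrapping the parse and pushing a message would keep reporting uniform. In the second hunk, the trailing `else` that warns "Could not identify JSON file" appears unreachable if, as the indentation-stripped rendering suggests, that `if`/`else if` sits inside the enclosing `if (filePath.endsWith("mainTemplate.json") || filePath.endsWith("createUiDefinition.json"))`.
```typescript
function traverseAttributes(jsonContent: unknown, attributeNames: string[], errors: string[]): void {
  // Only objects (arrays included) carry attributes to inspect; primitives and null end the walk.
  if (typeof jsonContent !== "object" || jsonContent === null) {
    return;
  }
  for (const [key, attributeValue] of Object.entries(jsonContent)) {
    if (attributeNames.includes(key) && typeof attributeValue === "string") {
      validateAttribute(attributeValue, key, errors);
    }
    traverseAttributes(attributeValue, attributeNames, errors);
  }
}
```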


@ -37,7 +37,7 @@
"FunctionAlias": "Im_WebSessionCustom",
"query": "union ASimEmptyView\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=false"
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',eventresultdetails_has_any:dynamic=dynamic([]),disabled:bool=false,pack:bool=false"
}
}
]


@ -0,0 +1,69 @@
id: 7808c05a-3afd-4d13-998a-a59e2297693f
name: New country signIn with correct password
description: |
'Identifies an interrupted sign-in session from a country the user has not sign-in before in the last 7 days, where the password was correct. Although the session is interrupted by other controls such as multi factor authentication or conditional access policies, the user credentials should be reset due to logs indicating a correct password was observed during sign-in.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1078
- T1110
query: |
// Creating a list of successful sign-in by users in the last 7 days.
let KnownUserCountry = (
SigninLogs
| where TimeGenerated between (ago(7d) .. ago(1d) )
| where ResultType == 0
| summarize KnownCountry = make_set(Location,1048576) by UserPrincipalName
);
// Identify sign-ins that are no successful but have the auth details indicating a correct password.
SigninLogs
| where TimeGenerated >= ago(1d)
| where ResultType != 0
| extend ParseAuth = parse_json(AuthenticationDetails)
| extend AuthMethod = tostring(ParseAuth.[0].authenticationMethod),
PasswordResult = tostring(ParseAuth.[0].authenticationStepResultDetail),
AuthSucceeded = tostring(ParseAuth.[0].succeeded)
| where PasswordResult == "Correct Password" or AuthSucceeded == "true"
| where AuthMethod == "Password"
| extend failureReason = tostring(Status.failureReason)
| summarize NewCountry = make_set(Location,1048576), LastObservedTime = max(TimeGenerated), AppName = make_set(AppDisplayName,1048576) by UserPrincipalName, PasswordResult, AuthSucceeded, failureReason
// Combining both tables by user
| join kind=inner KnownUserCountry on UserPrincipalName
// Compare both arrays and identify if the country has been observed in the past.
| extend CountryDiff = set_difference(NewCountry,KnownCountry)
| extend CountryDiffCount = array_length(CountryDiff)
// Count the new column to only alert if there is a difference between both arrays
| where CountryDiffCount != 0
| extend NewCountryEvent = CountryDiff
// Getting UserName and Domain
| extend Name = split(UserPrincipalName,"@",0),
Domain = split(UserPrincipalName,"@",1)
| mv-expand Name,Domain
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: NTDomain
columnName: Domain
customDetails:
LastObservedTime: LastObservedTime
AppName: AppName
NewCountryEvent: NewCountryEvent
PasswordResult: PasswordResult
AuthSucceeded: AuthSucceeded
failureReason: failureReason
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
kind: Scheduled
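Review bot: The `entityMappings` block maps the part of the UPN after "@" (`Domain = split(UserPrincipalName,"@",1)`) to the `NTDomain` identifier, but that value is a DNS-style UPN suffix, not a NetBIOS domain; the matching Account identifier is `UPNSuffix`, i.e. `- identifier: UPNSuffix` / `columnName: Domain`. The "correct password" signal is read only from `ParseAuth.[0]`, the first authentication step, so a sign-in whose password step is not first would not be caught — worth confirming against the `AuthenticationDetails` layout or using `mv-expand` over the steps. Because the join against `KnownUserCountry` is `kind=inner`, a user with no successful sign-in in the `ago(7d) .. ago(1d)` baseline never alerts; if that is intended, the description should say so. The description wording "a country the user has not sign-in before" would read better as "a country the user has not signed in from before".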


@ -35,7 +35,7 @@
"displayName": "Registry Event ASIM Parser",
"category": "ASIM",
"FunctionAlias": "imRegistry",
"query": "union isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D,\n vimRegistryEventMicrosoftSysmon,\n vimRegistryEventMicrosoftSecurityEvents,\n vimRegistryEventMicrosoftWindowsEvent",
"query": "union isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D,\n vimRegistryEventMicrosoftSysmon,\n // vimRegistryEventMicrosoftSecurityEvents, // Deprecated, now included in vimRegistryEventMicrosoftWindowsEvent. \n vimRegistryEventMicrosoftWindowsEvent",
"version": 1
}
}


@ -1,12 +1,12 @@
Parser:
Title: Registry Event ASIM Parser
Version: '0.1.0'
LastUpdated: June 23, 2021
Version: '0.1.1'
LastUpdated: June 04, 2022
Product:
Name: Source Agnostic
Normalization:
Schema: RegistryEvent
Version: '0.1.0'
Version: '0.1.2'
References:
- Title: ASIM Registry Schema
Link: https://aka.ms/ASimRegistryEventDoc
@ -21,5 +21,5 @@ ParserQuery: |
vimRegistryEventEmpty,
vimRegistryEventMicrosoft365D,
vimRegistryEventMicrosoftSysmon,
vimRegistryEventMicrosoftSecurityEvents,
// vimRegistryEventMicrosoftSecurityEvents, // Deprecated, now included in vimRegistryEventMicrosoftWindowsEvent.
vimRegistryEventMicrosoftWindowsEvent
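Review bot: `LastUpdated: June 04, 2022` looks like a typo for the year: the parser `Version` is bumped to `'0.1.1'` in a commit dated 2023-06-05, and the previous `0.1.0` entry was dated June 23, 2021, so the new line should presumably read `LastUpdated: June 04, 2023`. The same deprecation of `vimRegistryEventMicrosoftSecurityEvents` is mirrored in the `imRegistry` function JSON in the section above, where the commented-out member is correctly followed by a `\n` before `vimRegistryEventMicrosoftWindowsEvent`, so the `//` comment does not swallow the next union member there either.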


@ -5,7 +5,7 @@
"Description": "The Microsoft Sentinel Cybersecurity Maturity Model Certification (CMMC) 2.0 solution provides a mechanism for viewing log queries aligned to CMMC 2.0 requirements across the Microsoft portfolio. This solution enables governance and compliance teams to design, build, monitor, and respond to CMMC 2.0 requirements across 25+ Microsoft products. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings. This solution enables Security Architects, Engineers, SecOps Analysts, Managers, and IT Pros to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective security best practice.",
"Analytic Rules": [
"Analytic Rules/CMMC2.0Level1FoundationalPosture.yaml",
"Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml"
"Analytic Rules/CMMC2.0Level2AdvancedPosture.yaml"
],
"Playbooks": [
"Playbooks/Notify_GovernanceComplianceTeam-CMMCV2/Notify_GovernanceComplianceTeam.json",
@ -17,7 +17,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\CybersecurityMaturityModelCertification(CMMC)2.0",
"Version": "2.0.3",
"Version": "2.0.4",
"TemplateSpec": true,
"Is1Pconnector": true
}





@ -2,7 +2,7 @@
"Name": "Digital Shadows",
"Author": "Digital Shadows - support@digitalshadows.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DigitalShadowsLogo.svg\" width=\"75px\" height=\"75px\">",
"Description": "Solution for Microsoft Sentinel using Digital Shadows SearchLight.",
"Description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DigitalShadowsLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Digital Shadows](https://www.digitalshadows.com/) Solution provides ingestion of the incidents and alerts from Digital Shadows Searchlight into the Microsoft Sentinel using the REST API. \n\n **Underlying Microsoft Technologies used:** \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"Workbooks": [
"Workbooks/DigitalShadows.json"
],
@ -17,7 +17,7 @@
"Data Connectors/Digital Shadows/DigitalShadowsSearchlight_API_functionApp.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Digital Shadows",
"Version": "2.0.1",
"Version": "2.0.2",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/Digital Shadows/Package/2.0.2.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DigitalShadowsLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nSolution for Microsoft Sentinel using Digital Shadows SearchLight.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DigitalShadowsLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Digital Shadows](https://www.digitalshadows.com/) Solution provides ingestion of the incidents and alerts from Digital Shadows Searchlight into the Microsoft Sentinel using the REST API. \n\n **Underlying Microsoft Technologies used:** \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n\n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Digital Shadows data connector provides ingestion of the incidents and alerts from Digital Shadows Searchlight into the Microsoft Sentinel using the REST API. The connector will provide the incidents and alerts information such that it helps to examine, diagnose and analyse the potential security risks and threats. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for Digital Shadows. You can get Digital Shadows custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{



@ -2,6 +2,7 @@ id: 961b6a81-5c53-40b6-9800-4f661a8faea7
name: "[Deprecated] - Cadet Blizzard Actor IOC - January 2022"
description: |
'This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy'
severity: High
status: Available
requiredDataConnectors:
- connectorId: CiscoASA
@ -93,5 +94,5 @@ entityMappings:
columnName: AlgorithmCustomEntity
- identifier: Value
columnName: FileHashCustomEntity
version: 2.0.0
kind: Scheduled
version: 2.0.1
kind: Scheduled



@ -5,4 +5,4 @@
azure-functions==1.7.0
azure-identity==1.6.0
azure-keyvault-secrets==4.3.0
requests==2.28.2
requests==2.31.0


@ -7,7 +7,7 @@
"Data Connectors/SecurePractice_MailRisk.json"
],
"BasePath": "C:/Azure-Sentinel/Solutions/MailRisk",
"Version": "2.0.0",
"Version": "2.0.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/MailRisk/Package/2.0.1.zip Normal file



@ -47,7 +47,7 @@
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"apiVersion": "2022-02-01",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
@ -61,7 +61,7 @@
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"apiVersion": "2022-02-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
@ -72,7 +72,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
"description": "MailRisk data connector with template version 2.0.0",
"description": "MailRisk data connector with template version 2.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -88,7 +88,7 @@
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "MailRisk by Secure Practice (using Azure Function)",
"title": "MailRisk by Secure Practice (using Azure Functions)",
"publisher": "Secure Practice",
"descriptionMarkdown": "Data connector to push emails from MailRisk into Microsoft Sentinel Log Analytics.",
"graphQueries": [
@ -294,7 +294,7 @@
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "MailRisk by Secure Practice (using Azure Function)",
"title": "MailRisk by Secure Practice (using Azure Functions)",
"publisher": "Secure Practice",
"descriptionMarkdown": "Data connector to push emails from MailRisk into Microsoft Sentinel Log Analytics.",
"graphQueries": [
@ -419,7 +419,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.0",
"version": "2.0.1",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",




@ -5,19 +5,16 @@
"comments": "Perform automated triage actions on the Microsoft Sentinels Incident based on MDTI Reputation data.",
"title": "MDTI-Automated-Triage",
"description": "This playbook uses the MDTI Reputation data to automatically enrich incidents generated by Microsoft Sentinel. Indicators from an incident will be evaluated with MDTI reputation data. If any indicators are labeled as 'suspicious', the incident will be tagged as such and its severity will be marked as 'medium'. If any indicators are labeled as 'malicious', the incident will be tagged as such and its severity will be marked as 'high'. Regardless of the reputation state, comments will be added to the incident outlining the reputation details with links to further information if applicable.",
"prerequisites": [
"This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative or (mdtidiscussion[@]microsoft.com)."
],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative or (mdtidiscussion[@]microsoft.com)."],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"postDeployment": [
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
],
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"],
"support": {
"tier": "microsoft"
},
@ -26,12 +23,12 @@
},
"releaseNotes": [
{
"version": "1.0.1",
"title": "MDTI Automated Triage",
"notes": [
"Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions"
]
}
"version": "1.0.0",
"title": "MDTI Automated Triage",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
@ -43,17 +40,17 @@
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
"resources": [{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
@ -74,6 +71,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
@ -179,6 +177,7 @@
}
},
"Get_Reputation_for_host": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
@ -193,13 +192,18 @@
},
"method": "GET",
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/reputation"
}
},
"Reset_host_variable": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
"type": "SetVariable",
"inputs": {
"name": "result_output_host",
"value": []
}
},
"Set_host_variable": {
@ -271,6 +275,7 @@
}
},
"Get_reputation": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
@ -285,13 +290,18 @@
},
"method": "GET",
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/reputation"
}
},
"Reset_IP_Variable": {
"runAfter": {
"Add_comment_to_incident_(V3)_2": [
"Succeeded"
]
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
"type": "SetVariable",
"inputs": {
"name": "result_output_ip",
"value": []
}
},
"Set_IP_variable": {
@ -366,6 +376,7 @@
}
},
"MDTI-Base": {
"runAfter": {},
"type": "Workflow",
"inputs": {
"host": {
@ -374,13 +385,6 @@
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
}
}
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"outputs"
]
}
}
},
"Malicious_or_Suspicious": {
@ -388,6 +392,7 @@
"Condition_2": {
"actions": {
"Update_incident": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
@ -414,9 +419,11 @@
}
}
},
"runAfter": {},
"else": {
"actions": {
"Update_incident_2": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"body": {
@ -483,16 +490,17 @@
},
"type": "If"
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}
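Review bot: Taking the second of each printed pair as the post-merge side, the `Get_Reputation_for_host` and `Get_reputation` HTTP actions lose their `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }` blocks and the `MDTI-Base` workflow action loses `"secureData": { "properties": [ "outputs" ] }`; since the MDTI-Base `Response` body visible further down the page returns `clientSecret` alongside `clientId`, the client secret will now be recorded in clear in this playbook's run history as the `MDTI-Base` action's outputs, and whatever the two HTTP `authentication` objects carry (not visible in these hunks) will be recorded as their inputs. Restoring the three `secureData` blocks keeps the secret out of run history regardless of the Key Vault question; alternatively MDTI-Base could stop returning the raw secret at all. Anyone with read access to the Logic App's run history, not just its definition, would otherwise be able to read the credential.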


@ -1,36 +1,33 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"metadata": {
"comments": "Establish the needed base resources to leverage with all MDTI playbooks.",
"title": "MDTI-Base",
"title": "MDTI-Base",
"description": "This playbook creates a shared API Connection for all MDTI playbooks to leverage. This eases the configuration process for a user during deployment of the Microsoft Defender Threat Intelligence(MDTI) solution. In time, this base playbook may be extended to set more functionality. Azure AD App Registration credentials(ClientId/ClientSecret/TenantId) with MDTI API Permissions are needed when configuring this playbook. Those can be found on your [Azure Client App](https://learn.microsoft.com/en-us/rest/api/azure/#register-your-client-application-with-azure-ad) page. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com).",
"prerequisites": [
"None"
],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"prerequisites": ["None"],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"postDeployment": [
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized."
],
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized."],
"support": {
"tier": "microsoft"
"tier": "microsoft"
},
"author": {
"name": "Ajay Kallur, Microsoft"
},
"releaseNotes": [
{
"version": "1.0.1",
"title": "MDTI Base",
"notes": [
"Updated version with Key Vault to hold secret"
]
}
{
"version": "1.0.0",
"title": "MDTI Base",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
@ -38,144 +35,34 @@
"defaultValue": "MDTI-Base",
"type": "String"
},
"Client-Id": {
"type": "String"
},
"Client-Secret": {
"type": "securestring"
},
"MDTI-Resource": {
"defaultValue": "https://graph.microsoft.com",
"type": "String"
},
"MDTI-BaseUrl": {
"Client-Id": {
"defaultValue": "Client-ID",
"type": "String"
},
"Client-Secret": {
"defaultValue": "Client-Secret",
"type": "securestring"
},
"MDTI-Resource": {
"defaultValue": "https://graph.microsoft.com",
"type": "String"
},
"MDTI-BaseUrl": {
"defaultValue": "graph.microsoft.com",
"type": "String"
},
"Api-Version": {
"defaultValue": "beta",
"type": "String"
},
"Key-Vault-Name": {
"defaultValue": "[concat('kv-mdti-', uniqueString(parameters('Client-Id'), utcNow()))]",
"type": "string"
},
"Key-Vault-Sku": {
"defaultValue": "standard",
"type": "string",
"metadata": {
"description": "Key Vault SKU name"
},
"allowedValues": [
"premium",
"standard"
]
},
"Key-Vault-Secret-Name": {
"defaultValue": "mdti-api",
"type": "string",
"metadata": {
"description": "The name for the Service Principal Client Secret in the Key Vault"
}
},
"User-Object-Id": {
"defaultValue": "00000000-0000-0000-0000-000000000000",
"type": "string",
"metadata": {
"description": "Object ID, aka Principal ID, of the User to assign Key Vault Administrator role. If left unchanged, then a role must be assigned manually the Key Vault Access Control (IAM) in order to view Key Vault contents"
}
}
},
"variables": {
"connections_keyvault_name": "[format('keyvault-{0}', parameters('PlaybookName'))]"
},
"variables": {},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2022-07-01",
"name": "[parameters('Key-Vault-Name')]",
"location": "[resourceGroup().location]",
"properties": {
"sku": {
"family": "A",
"name": "[parameters('Key-Vault-Sku')]"
},
"tenantId": "[subscription().tenantId]",
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableRbacAuthorization": true,
"networkAcls": {
"defaultAction": "Allow",
"bypass": "AzureServices"
}
}
},
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-10-01",
"name": "[format('{0}/{1}', parameters('Key-Vault-Name'), parameters('Key-Vault-Secret-Name'))]",
"properties": {
"value": "[parameters('Client-Secret')]"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('Key-Vault-Name'))]"
]
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-10-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('Key-Vault-Name'))]",
"name": "[guid('4633458b-17de-408a-b874-0445c86b69e6', resourceId('Microsoft.KeyVault/vaults', parameters('Key-Vault-Name')))]",
"properties": {
"principalId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('PlaybookName')), '2017-07-01', 'full').identity.principalId]",
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]",
"principalType": "ServicePrincipal"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('Key-Vault-Name'))]",
"[resourceId('Microsoft.Logic/workflows', parameters('PlaybookName'))]"
]
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-10-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('Key-Vault-Name'))]",
"name": "[guid('00482a5a-887f-4fb3-b363-3b7fe8e74483', resourceId('Microsoft.KeyVault/vaults', parameters('Key-Vault-Name')))]",
"properties": {
"principalId": "[parameters('User-Object-Id')]",
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]",
"principalType": "User"
},
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('Key-Vault-Name'))]"
]
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('connections_keyvault_name')]",
"location": "[resourceGroup().location]",
"kind": "V1",
"properties": {
"displayName": "keyvault",
"api": {
"id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'keyvault')]"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "[parameters('Key-Vault-Name')]"
}
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
"Source": "MDTI"
},
@ -185,24 +72,24 @@
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
},
"Client-Id": {
"defaultValue": "[parameters('Client-Id')]",
"defaultValue": "Client-Id",
"type": "String"
},
"Client-Secret": {
"defaultValue": "Client-Secret",
"type": "securestring"
},
"MDTI-Resource": {
"defaultValue": "[parameters('MDTI-Resource')]",
"defaultValue": "https://graph.microsoft.com",
"type": "String"
},
"MDTI-BaseUrl": {
"defaultValue": "[parameters('MDTI-BaseUrl')]",
"MDTI-BaseUrl": {
"defaultValue": "graph.microsoft.com",
"type": "String"
},
"Api-Version": {
"defaultValue": "[parameters('Api-Version')]",
"defaultValue": "beta",
"type": "String"
},
"ResourceGroupName": {
@ -221,32 +108,29 @@
"triggers": {
"manual": {
"type": "Request",
"kind": "Http"
"kind": "Http",
"inputs": {}
}
},
"actions": {
"Response": {
"runAfter": {
"Get_Client_Secret": [
"Succeeded"
]
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
},
"runAfter": {},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
},
"type": "Response",
"kind": "Http",
"inputs": {
"body": {
"clientId": "@parameters('Client-Id')",
"clientSecret": "@body('Get_Client_Secret')?['value']",
"clientSecret": "@parameters('Client-Secret')",
"resource": "@{parameters('MDTI-Resource')}",
"tenantId": "@parameters('Tenant-Id')",
"MDTI-BaseUrl": "@{parameters('MDTI-BaseUrl')}",
"MDTI-BaseUrl": "@{parameters('MDTI-BaseUrl')}",
"Api-Version": "@parameters('Api-Version')"
},
"headers": {
@ -277,43 +161,28 @@
},
"statusCode": 200
}
},
"Get_Client_Secret": {
"runAfter": {},
"type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['keyvault']['connectionId']"
}
},
"method": "get",
"path": "[format('/secrets/@{{encodeURIComponent(''{0}'')}}/value', parameters('Key-Vault-Secret-Name'))]"
}
}
},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"keyvault": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('connections_keyvault_name'))]",
"connectionName": "keyvault-MDTI-Base",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "[subscriptionResourceId('Microsoft.Web/locations/managedApis', resourceGroup().location, 'keyvault')]"
}
}
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('connections_keyvault_name'))]"
]
"Client-Id": {
"value": "[parameters('Client-Id')]"
},
"Client-Secret": {
"value": "[parameters('Client-Secret')]"
},
"MDTI-Resource": {
"value": "[parameters('MDTI-Resource')]"
},
"MDTI-BaseUrl": {
"value": "[parameters('MDTI-BaseUrl')]"
},
"Api-Version": {
"value": "[parameters('Api-Version')]"
}
}
}
}
]
}


@ -0,0 +1,644 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Internet data.",
"title": "MDTI-Data-Cookies",
"description": "This playbook uses the MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Cookies](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#cookies) data hosted by the indicators found within the incident. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection.",
"prerequisites": [
"This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."
],
"lastUpdateTime": "2023-04-24T00:00:00.000Z",
"entities": [],
"tags": [],
"postDeployment": [
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
],
"support": {
"tier": "microsoft"
},
"author": {
"name": "Yaniv Shasha, Microsoft"
},
"releaseNotes": [{
"version": "1.0.1",
"title": "MDTI Data Cookies",
"notes": [
"Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "MDTI-Data-Cookies",
"type": "String"
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
},
"parameterValueType": "Alternative",
"displayName": "",
"alternativeParameterValues": {}
}
}, {
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
"location": "[resourceGroup().location]",
"tags": {
"LogicAppsCategory": "security",
"Source": "MDTI"
},
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
}
}
},
"actions": {
"Entities_-_Get_Hosts": {
"runAfter": {
"MDTI-Base": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/host"
}
},
"Entities_-_Get_IPs": {
"runAfter": {
"MDTI-Base": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": "@triggerBody()?['object']?['properties']?['relatedEntities']",
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/entities/ip"
}
},
"For_each_Host": {
"foreach": "@body('Entities_-_Get_Hosts')?['Hosts']",
"actions": {
"Add_comment_to_incident_(V3)_4": {
"runAfter": {
"Condition": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>MDTI Cookies for Indicator: @{items('For_each_host')?['HostName']}.@{items('For_each_host')?['DnsDomain']}<br>\n@{variables('Domain_comment')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Condition": {
"actions": {
"Create_Cookies_HtmlTable": {
"runAfter": {},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('result_output_host')"
}
},
"Set_domain_comment": {
"runAfter": {
"Create_Cookies_HtmlTable": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "Domain_comment",
"value": "@body('Create_Cookies_HtmlTable')"
}
}
},
"runAfter": {
"For_each": [
"Succeeded"
]
},
"else": {
"actions": {
"Set_domain_comment_empty": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "Domain_comment",
"value": "No results found."
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(variables('result_output_host'))",
0
]
}
]
},
"type": "If"
},
"Cookies_by_Hostname": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
"audience": "@body('MDTI-Base')?['resource']",
"clientId": "@body('MDTI-Base')?['clientId']",
"secret": "@body('MDTI-Base')?['clientSecret']",
"tenant": "@body('MDTI-Base')?['tenantId']",
"type": "ActiveDirectoryOAuth"
},
"headers": {
"Content-Type": "application/json"
},
"method": "GET",
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/cookies?$count=true"
}
},
"For_each": {
"foreach": "@body('Parse_results_from_Get_request_for_Cookies')?['value']",
"actions": {
"Append_to_array_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "result_output_host",
"value": {
"First": "@{items('For_each')?['firstSeenDateTime']}",
"Last": "@{items('For_each')?['lastSeenDateTime']}",
"Name": "@{items('For_each')?['name']}",
"domain": "@{items('For_each')?['domain']}"
}
}
}
},
"runAfter": {
"Parse_results_from_Get_request_for_Cookies": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_results_from_Get_request_for_Cookies": {
"runAfter": {
"Cookies_by_Hostname": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Cookies_by_Hostname')",
"schema": {
"properties": {
"@@odata.context": {
"type": "string"
},
"@@odata.count": {
"type": "integer"
},
"value": {
"items": {
"properties": {
"domain": {
"type": "string"
},
"firstSeenDateTime": {
"type": "string"
},
"host": {
"properties": {
"id": {
"type": "string"
}
},
"type": "object"
},
"id": {
"type": "string"
},
"lastSeenDateTime": {
"type": "string"
},
"name": {
"type": "string"
}
},
"required": [
"id",
"firstSeenDateTime",
"lastSeenDateTime",
"domain",
"name",
"host"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
}
},
"Set_variable": {
"runAfter": {
"Add_comment_to_incident_(V3)_4": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "result_output_host",
"value": []
}
}
},
"runAfter": {
"intialize_domain_comment": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"For_each_IP_Address": {
"foreach": "@body('Entities_-_Get_IPs')?['IPs']",
"actions": {
"Add_comment_to_incident_(V3)_2": {
"runAfter": {
"Condition_2": [
"Succeeded"
]
},
"type": "ApiConnection",
"inputs": {
"body": {
"incidentArmId": "@triggerBody()?['object']?['id']",
"message": "<p>MDTI Cookies for Indicator: @{items('For_each_IP_Address')?['Address']}<br>\n@{variables('IPcomment')}</p>"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"method": "post",
"path": "/Incidents/Comment"
}
},
"Condition_2": {
"actions": {
"Cookies_for_IP_address_Results_HTML_Table": {
"runAfter": {},
"type": "Table",
"inputs": {
"format": "HTML",
"from": "@variables('result_output_ip')"
}
},
"Set_variable_2": {
"runAfter": {
"Cookies_for_IP_address_Results_HTML_Table": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "IPcomment",
"value": "@body('Cookies_for_IP_address_Results_HTML_Table')"
}
}
},
"runAfter": {
"For_each_2": [
"Succeeded"
]
},
"else": {
"actions": {
"Set_variable_3": {
"runAfter": {},
"type": "SetVariable",
"inputs": {
"name": "IPcomment",
"value": "No results found."
}
}
}
},
"expression": {
"and": [
{
"greater": [
"@length(variables('result_output_ip'))",
0
]
}
]
},
"type": "If"
},
"Cookies_by_IP_Address": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
"audience": "@body('MDTI-Base')?['resource']",
"clientId": "@body('MDTI-Base')?['clientId']",
"secret": "@body('MDTI-Base')?['clientSecret']",
"tenant": "@body('MDTI-Base')?['tenantId']",
"type": "ActiveDirectoryOAuth"
},
"headers": {
"Content-Type": "application/json"
},
"method": "GET",
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/cookies?$count=true"
}
},
"For_each_2": {
"foreach": "@body('Parse_results_from_Get_request_for_Cookies_')?['value']",
"actions": {
"Append_to_array_variable_2": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "result_output_ip",
"value": {
"First": "@{items('For_each_2')?['firstSeenDateTime']}",
"Last": "@{items('For_each_2')?['lastSeenDateTime']}",
"Name": "@{items('For_each_2')?['name']}",
"domain": "@{items('For_each_2')?['domain']}"
}
}
}
},
"runAfter": {
"Parse_results_from_Get_request_for_Cookies_": [
"Succeeded"
]
},
"type": "Foreach"
},
"Parse_results_from_Get_request_for_Cookies_": {
"runAfter": {
"Cookies_by_IP_Address": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
"content": "@body('Cookies_by_IP_Address')",
"schema": {
"properties": {
"@@odata.context": {
"type": "string"
},
"@@odata.count": {
"type": "integer"
},
"value": {
"items": {
"properties": {
"domain": {
"type": "string"
},
"firstSeenDateTime": {
"type": "string"
},
"host": {
"properties": {
"id": {
"type": "string"
}
},
"type": "object"
},
"id": {
"type": "string"
},
"lastSeenDateTime": {
"type": "string"
},
"name": {
"type": "string"
}
},
"required": [
"id",
"firstSeenDateTime",
"lastSeenDateTime",
"domain",
"name",
"host"
],
"type": "object"
},
"type": "array"
}
},
"type": "object"
}
}
},
"Reset_IP_variable": {
"runAfter": {
"Add_comment_to_incident_(V3)_2": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "result_output_ip",
"value": []
}
}
},
"runAfter": {
"Initializa_IP_Comment": [
"Succeeded"
]
},
"type": "Foreach",
"runtimeConfiguration": {
"concurrency": {
"repetitions": 1
}
}
},
"Init_Result_Host": {
"runAfter": {
"Entities_-_Get_Hosts": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "result_output_host",
"type": "array"
}
]
}
},
"Init_Result_IP": {
"runAfter": {
"Entities_-_Get_IPs": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "result_output_ip",
"type": "array"
}
]
}
},
"Initializa_IP_Comment": {
"runAfter": {
"Init_Result_IP": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "IPcomment",
"type": "string"
}
]
}
},
"MDTI-Base": {
"runAfter": {},
"type": "Workflow",
"inputs": {
"host": {
"triggerName": "manual",
"workflow": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
}
}
}
},
"intialize_domain_comment": {
"runAfter": {
"Init_Result_Host": [
"Succeeded"
]
},
"type": "InitializeVariable",
"inputs": {
"variables": [
{
"name": "Domain_comment",
"type": "string"
}
]
}
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
}
}
}
}
}
}
}
]
}
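Review bot: The HTTP actions `Cookies_by_Hostname` and `Cookies_by_IP_Address` put `@body('MDTI-Base')?['clientSecret']` into their `authentication.secret` input, and the `MDTI-Base` workflow call returns that secret in its outputs, yet none of the three actions carries a `runtimeConfiguration.secureData` block, so the secret is not masked in those actions' inputs/outputs in the run history of every incident this playbook processes. The release note in this same file says "Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions", which the definition does not deliver; add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }` to both HTTP actions and the same block with `"outputs"` to `MDTI-Base`, as shown below for one of each. Separately, the comment body in `Add_comment_to_incident_(V3)_4` references `items('For_each_host')` while the enclosing loop and the HTTP URI use `For_each_Host`; if action-name lookup in expressions is case-sensitive at runtime that comment would fail, so normalizing the name is cheap insurance.
```json
"Cookies_by_Hostname": {
  "runAfter": {},
  "type": "Http",
  "inputs": {
    // … unchanged: authentication, headers, method, uri …
  },
  "runtimeConfiguration": {
    "secureData": {
      "properties": [
        "inputs"
      ]
    }
  }
},
// … unchanged: other actions …
"MDTI-Base": {
  "runAfter": {},
  "type": "Workflow",
  "inputs": {
    // … unchanged: host.triggerName, host.workflow.id …
  },
  "runtimeConfiguration": {
    "secureData": {
      "properties": [
        "outputs"
      ]
    }
  }
},
```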


@ -0,0 +1,26 @@
# MDTI-Data-Cookies
## Overview
This playbook uses the [Microsoft Defender Threat Intelligence](https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti) Cookies data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Cookies](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#cookies) data hosted by the indicators found within the incident. Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection. Cookies are also used by malicious actors to keep track of infected victims or store data to be used later.
## Prerequisites
1. This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) this playbook. If you have trouble accessing your account or your credentials contact your account representative or reach to discussMDTI[@]microsoft.com.
2. This playbook requires "Microsoft Sentinel Contributor" role to update Incidents.
## Deployment
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMicrosoft%2520Defender%2520Threat%2520Intelligence%2FPlaybooks%2FMDTI-Data-Cookies%2Fazuredeploy.json" target="_blank">
<img src="https://aka.ms/deploytoazurebutton"/>
</a>
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMicrosoft%2520Defender%2520Threat%2520Intelligence%2FPlaybooks%2FMDTI-Data-Cookies%2Fazuredeploy.json" target="_blank">
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
</a>
### Post-Deployment Instructions
After deploying the playbook, you must authorize the connections leveraged.
1. Visit the playbook resource.
2. Under "Development Tools" (located on the left), click "API Connections".
3. Ensure each connection has been authorized.
**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intellingence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**


@ -3,35 +3,32 @@
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Internet data.",
"title": "MDTI-Data-WebComponents",
"title": "MDTI-Data-WebComponents",
"description": "This playbook uses the MDTI Components data to automatically enrich incidents generated by Microsoft Sentinel. Leverage this playbook in order to enrich your incidents with [Webcomponents](https://learn.microsoft.com/en-us/defender/threat-intelligence/data-sets#components) data hosted by the indicators found within the incident. These components allow a user to understand the makeup of a webpage or the technology and services driving a specific piece of infrastructure. Pivoting on unique components can find actors' infrastructure or other sites that are compromised. Users can also understand if a website might be vulnerable to a specific attack or compromise based on the technologies that it is running.",
"prerequisites": [
"This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."
],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"postDeployment": [
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
],
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"],
"support": {
"tier": "microsoft"
"tier": "microsoft"
},
"author": {
"name": "Ajay Kallur, Microsoft"
},
"releaseNotes": [
{
"version": "1.0.1",
"title": "MDTI Data WebComponents",
"notes": [
"Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions"
]
}
{
"version": "1.0.0",
"title": "MDTI Data WebComponents",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
@ -41,21 +38,20 @@
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
},
{
}
},{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
@ -64,9 +60,9 @@
"LogicAppsCategory": "security",
"Source": "MDTI"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
@ -74,6 +70,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
@ -170,6 +167,7 @@
"foreach": "@body('Parse_host_components')",
"actions": {
"Append_to_array_variable": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "result_output_host",
@ -190,6 +188,7 @@
"type": "Foreach"
},
"Get_components_for_host": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
@ -208,13 +207,6 @@
"$top": "25"
},
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/components"
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
}
},
"Parse_host_components": {
@ -336,6 +328,7 @@
"foreach": "@body('Parse_components')",
"actions": {
"Append_to_Result_IP": {
"runAfter": {},
"type": "AppendToArrayVariable",
"inputs": {
"name": "result_output_ip",
@ -356,6 +349,7 @@
"type": "Foreach"
},
"Get_components": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
@ -374,13 +368,6 @@
"$top": "25"
},
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/components"
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
}
},
"Parse_components": {
@ -497,6 +484,7 @@
}
},
"MDTI-Base": {
"runAfter": {},
"type": "Workflow",
"inputs": {
"host": {
@ -505,13 +493,6 @@
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
}
}
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"outputs"
]
}
}
}
},
@ -522,9 +503,9 @@
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}
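Review bot: On the new side of the hunks at `@ -208,13 +207,6 @@`, `@ -374,13 +368,6 @@` and `@ -505,13 +493,6 @@`, the `runtimeConfiguration.secureData` blocks on `Get_components_for_host`, `Get_components` and `MDTI-Base` are gone; the +/- markers are lost in this rendering, but a 13-line old side shrinking to a 6-line new side admits only the reading that the seven-line block is removed. Those HTTP actions carry `@body('MDTI-Base')?['clientSecret']` in their `authentication` inputs and the `MDTI-Base` call carries it in its outputs, so without `"properties": ["inputs"]` / `["outputs"]` the secret is no longer masked in run history. The release notes in the first hunk correspondingly move from `1.0.1` "Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions" back to `1.0.0` "Initial version", which reads as a merge resolved toward the older copy of this file rather than a deliberate change. The same regression appears in the MDTI-Intel-Reputation section that follows (hunks `@ -182,13 +179,6 @@`, `@ -263,13 +266,6 @@`, `@ -335,13 +344,6 @@`). Restoring the three blocks and the 1.0.1 release note in both files before merging keeps the hardening the other branch already shipped.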


@ -3,59 +3,54 @@
"contentVersion": "1.0.0.0",
"metadata": {
"comments": "Perform automated enrichment on the Microsoft Sentinel Incidents based on MDTI Reputation data.",
"title": "MDTI-Intel-Reputation",
"title": "MDTI-Intel-Reputation",
"description": "This playbook uses the MDTI API to automatically enrich incidents generated by Microsoft Sentinel. Reputation information provides analyst with a decision as to whether an indicator is considered benign, suspicious or malicious. Analysts can leverage this playbook in order to enrich indicators found within an incident. Each reputation result is contained within a comment and will include detailed scoring information noting why a given indicator is considered suspicious or malicious with links back to the MDTI platform for more information.",
"prerequisites": [
"This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."
],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"prerequisites": ["This playbook inherits API connections created and established within a base playbook. Ensure you have deployed [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) prior to deploying this playbook. If you have trouble accessing your account or your credentials contact your account representative (mdtidiscussion[@]microsoft.com)."],
"lastUpdateTime": "2023-03-09T00:00:00.000Z",
"entities": [],
"tags": [],
"postDeployment": [
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"
],
"After deploying the playbook, you must authorize the connections leveraged.",
"1. Visit the playbook resource.",
"2. Under 'Development Tools' (located on the left), click 'API Connections'.",
"3. Ensure each connection has been authorized.",
"**Note: If you've deployed the [MDTI-Base](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Microsoft%20Defender%20Threat%20Intelligence/Playbooks/MDTI-Base/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.**"],
"support": {
"tier": "microsoft"
"tier": "microsoft"
},
"author": {
"name": "Ajay Kallur, Microsoft"
},
"releaseNotes": [
{
"version": "1.0.1",
"title": "MDTI Intel Reputation",
"notes": [
"Updated version with Secure Inputs for HTTP REST and Secure Output for MDTI-Base actions"
]
}
{
"version": "1.0.0",
"title": "MDTI Intel Reputation",
"notes": [
"Initial version"
]
}
]
},
"parameters": {
"PlaybookName": {
"defaultValue": "MDTI-Intel-Reputation",
"type": "String"
}
}
},
"variables": {
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]"
},
"resources": [
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
"resources": [{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('AzureSentinelConnectionName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
},
{
}
},{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[parameters('PlaybookName')]",
@ -64,9 +59,9 @@
"LogicAppsCategory": "security",
"Source": "MDTI"
},
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"dependsOn": [
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
],
"properties": {
"state": "Enabled",
"definition": {
@ -74,6 +69,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
@ -167,6 +163,7 @@
}
},
"Get_reputation_for_host": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
@ -182,13 +179,6 @@
"method": "GET",
"path": "/reputation",
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_Host')?['HostName']}.@{items('For_each_Host')?['DnsDomain']}')/reputation"
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"outputs"
]
}
}
},
"Set_host_variable": {
@ -202,6 +192,18 @@
"name": "result_output_host",
"value": "@body('Get_reputation_for_host')?['rules']"
}
},
"Reset_host_variable": {
"runAfter": {
"Add_comment_to_incident_(V3)": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "result_output_host",
"value": []
}
}
},
"runAfter": {
@ -248,6 +250,7 @@
}
},
"Get_reputation": {
"runAfter": {},
"type": "Http",
"inputs": {
"authentication": {
@ -263,13 +266,6 @@
"method": "GET",
"path": "/reputation",
"uri": "https://@{body('MDTI-Base')?['MDTI-BaseUrl']}/@{body('MDTI-Base')?['Api-Version']}/security/threatIntelligence/hosts('@{items('For_each_IP_Address')?['Address']}')/reputation"
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"inputs"
]
}
}
},
"Set_ip_variable": {
@ -283,6 +279,18 @@
"name": "result_output_ip",
"value": "@body('Get_reputation')?['rules']"
}
},
"Reset_IP_variable": {
"runAfter": {
"Add_comment_to_incident_(V3)_2": [
"Succeeded"
]
},
"type": "SetVariable",
"inputs": {
"name": "result_output_ip",
"value": []
}
}
},
"runAfter": {
@ -327,6 +335,7 @@
}
},
"MDTI-Base": {
"runAfter": {},
"type": "Workflow",
"inputs": {
"host": {
@ -335,13 +344,6 @@
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/MDTI-Base')]"
}
}
},
"runtimeConfiguration": {
"secureData": {
"properties": [
"outputs"
]
}
}
}
},
@ -351,10 +353,10 @@
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
"connectionName": "[variables('AzureSentinelConnectionName')]",
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
}
}
}
}


@ -28,6 +28,7 @@ tactics:
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let URLRegex = "((https?|ftp|ldap|wss?|file):\\/\\/(([\\:\\%\\w\\_\\-]+(\\.|@))*((xn--)?[a-zA-Z0-9\\-]+\\.)+(xn--[a-z0-9]+|[A-Za-z]+)|\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{0,3})[.,:\\w@?^=%&\\/~+#-]*[\\w@?^=%&\\/~+#-])";
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
@ -36,17 +37,19 @@ query: |
| where isnotempty(Url)
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
SecurityAlert
| where TimeGenerated >= ago(dt_lookBack)
| extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
| where MSTI == false
// Extract URL from JSON data
| extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)", 1,Entities)
// We only want alerts that actually contain URL data
| where isnotempty(Url)
// Extract hostname from JSON data for entity mapping
| extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
| extend Alert_TimeGenerated = TimeGenerated
SecurityAlert
| where TimeGenerated >= ago(dt_lookBack)
| extend MSTI = case(AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel', true, false)
| where MSTI == false
// Extract URL from JSON data
| extend Url = todynamic(dynamic_to_json(extract_all(URLRegex, dynamic([1]), Entities)))
| mv-expand Url
| extend Url = tostring(Url[0])
// We only want alerts that actually contain URL data
| where isnotempty(Url)
// Extract hostname from JSON data for entity mapping
| extend Compromised_Host = tostring(parse_json(ExtendedProperties).["Compromised Host"])
| extend Alert_TimeGenerated = TimeGenerated
) on Url
| where Alert_TimeGenerated < ExpirationDateTime
| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName
@ -60,5 +63,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: Url
version: 1.2.5
version: 1.2.6
kind: Scheduled
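Review bot: The `| extend Url = todynamic(dynamic_to_json(extract_all(URLRegex, dynamic([1]), Entities)))` line in the second hunk round-trips a value that `extract_all` already returns as `dynamic`, so both wrappers look redundant and `| extend Url = extract_all(URLRegex, dynamic([1]), Entities)` should feed the same array to `mv-expand`. The following `| extend Url = tostring(Url[0])` deserves a check against live `SecurityAlert` rows: if `extract_all` with a single capture group yields a flat array of strings rather than one array per match, `Url[0]` is not the URL and the `isnotempty(Url)` filter after it would silently drop every alert, turning the rule into a no-op without any error. In `URLRegex` the IPv4 alternative ends in `\\d{0,3}`, which also accepts a truncated host such as `10.1.2.`; `\\d{1,3}` is presumably intended. The query's `let` declarations and join body continue outside the hunks.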


@ -60,7 +60,7 @@
"Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.4",
"Version": "2.0.5",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true

Solutions/Threat Intelligence/Package/2.0.5.zip Normal file




@ -100,10 +100,6 @@ entityMappings:
- identifier: Algorithm
columnName: AlgorithmEntity
- identifier: Value
columnName: FileHashEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: RemoteUrl
version: 1.0.2
columnName: FileHashEntity
version: 1.0.3
kind: Scheduled


@ -182,10 +182,6 @@ entityMappings:
- identifier: Algorithm
columnName: AlgorithmEntity
- identifier: Value
columnName: FileHashEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlEntity
version: 1.0.1
columnName: FileHashEntity
version: 1.0.2
kind: Scheduled


@ -988,7 +988,7 @@ foreach ($inputFile in $(Get-ChildItem $path)) {
if ($null -ne $playbookData -and $null -ne $playbookData.parameters){
foreach($param in $playbookData.parameters.PsObject.Properties)
{
if($functionAppList.ContainsKey($param.Value.defaultValue))
if($param.Value -match "defaultValue" -and $functionAppList.ContainsKey($param.Value.defaultValue))
{
$playbookDependencies += [PSCustomObject] @{
kind = "AzureFunction";
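Review bot: `$param.Value -match "defaultValue"` on the changed line stringifies the parameter object and runs a regex over it, so it is true whenever the text `defaultValue` appears anywhere in that object (for example inside a `metadata.description`) even when the property itself is absent, in which case the right-hand `ContainsKey($param.Value.defaultValue)` still receives `$null` and throws — the case the change appears meant to avoid; `-match` also sets the automatic `$Matches` variable as a side effect. A property-existence test is precise and cheaper: `if ($null -ne $param.Value.PSObject.Properties['defaultValue'] -and $functionAppList.ContainsKey($param.Value.defaultValue))`. The intent is only inferred from the diff, so a one-line comment such as `# parameters without a defaultValue are not function-app references; skip them` would help the next reader. The enclosing `foreach` starts and ends outside the hunk.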