Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Solution packaged

This commit is contained in:
v-shukore 2024-09-05 12:35:35 +05:30
Родитель 33d4ce2b4a
Коммит 84cc7e7e9d
5 изменённых файлов: 2807 добавлений и 7 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1
Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json
Просмотреть файл

@ -12,7 +12,6 @@
],
"Analytic Rules": [
"Analytic Rules/Identity - AfterHoursActivity.yaml",
"Analytic Rules/Identity - NewCountry.yaml",
"Analytic Rules/Identity - SharedSessions.yaml",
"Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml",
"Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml",

Двоичные данные
Solutions/Global Secure Access/Package/3.0.0.zip
Просмотреть файл

Двоичный файл не отображается.

254
Solutions/Global Secure Access/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/gsa.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite:**\n\nInstall one or more of the listed solutions to unlock the value provided by this solution.\n1. Microsoft Entra ID \n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:\n1. Product solutions as described above\n\n\n**Workbooks:** 2, **Analytic Rules:** 1, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/gsa.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite:**\n\nInstall one or more of the listed solutions to unlock the value provided by this solution.\n1. Microsoft Entra ID \n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of these dependencies may either be in Preview state or might result in additional ingestion or operational costs:\n1. Product solutions as described above\n\n\n**Workbooks:** 2, **Analytic Rules:** 19, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -146,6 +146,258 @@
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Detect IP Address Changes and Overlapping Sessions",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Exchange AuditLog Disabled",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Accessed files shared by temporary external user",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "External User Added and Removed in Short Timeframe",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Mail redirect via ExO transport rule",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Malicious Inbox Rule",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/"
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Multiple Teams deleted by a single user",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detection flags the occurrences of deleting multiple teams within an hour.\nThis data is a part of Office 365 Connector in Microsoft Sentinel."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Multiple Users Email Forwarded to Same Destination",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Office Policy Tampering",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy-based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps."
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "New Executable via Office FileUploaded Operation",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes exe, inf, gzip, cmd, bat file extensions.\nAdditionally, identifies when a given user is uploading these files to another user's workspace.\nThis may be an indication of a staging location for malware or other malicious activity."
}
}
]
},
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "Rare and Potentially High-Risk Office Operations",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers."
}
}
]
},
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
"label": "SharePoint File Operation via Previously Unseen IPs",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25."
}
}
]
},
{
"name": "analytic14",
"type": "Microsoft.Common.Section",
"label": "SharePointFileOperation via devices with previously unseen user agents",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%)."
}
}
]
},
{
"name": "analytic15",
"type": "Microsoft.Common.Section",
"label": "Office365 Sharepoint File Transfer Above Threshold",
"elements": [
{
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies Office365 Sharepoint File Transfers above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
}
}
]
},
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
"label": "Office365 Sharepoint File Transfer Above Threshold",
"elements": [
{
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies Office365 Sharepoint File Transfers with a distinct folder count above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur."
}
}
]
},
{
"name": "analytic17",
"type": "Microsoft.Common.Section",
"label": "Detect Abnormal Deny Rate for Source to Destination IP",
"elements": [
{
"name": "analytic17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules."
}
}
]
},
{
"name": "analytic18",
"type": "Microsoft.Common.Section",
"label": "Detect Protocol Changes for Destination Ports",
"elements": [
{
"name": "analytic18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes."
}
}
]
},
{
"name": "analytic19",
"type": "Microsoft.Common.Section",
"label": "Detect Source IP Scanning Multiple Open Ports",
"elements": [
{
"name": "analytic19-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access."
}
}
]
}
]
},

2556
Solutions/Global Secure Access/Package/mainTemplate.json
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

3
Solutions/Global Secure Access/ReleaseNotes.md Normal file
Просмотреть файл

@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|-----------------------------------------------------------------------------------------|
| 3.0.0 | 05-09-2024 | Initial Solution release |