Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #4702 from Azure/update_oracledbaudit 

Updating content and hunting queries of orcale db audit solution
This commit is contained in:
Manish Kumar 2022-05-20 11:46:07 +05:30 коммит произвёл GitHub
Родитель f9b8494c36 e222bbc0f8
Коммит 87b9561a4b
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
8 изменённых файлов: 508 добавлений и 506 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

6
Solutions/OracleDatabaseAudit/Hunting Queries/OracleDBAuditLargeQueries.yaml
Просмотреть файл

@ -1,7 +1,7 @@
id: ba5e1a88-2054-4bda-a6e0-20008148ae6e
name: OracleDBAudit - Users with new privileges
name: OracleDBAudit - Audit large queries
description: |
'Query for searching user accounts whith new privileges.'
'Query for auditing large queries.'
requiredDataConnectors:
- connectorId: OracleDatabaseAudit
dataTypes:
@ -24,7 +24,7 @@ query: |
| where isnotempty(ActionLength)
| extend a = 1) on a
| where toint(ActionLength) > 2*avg_action_length
| project avg_action_length, ActionLength, Action, DstUserName
| project avg_action_length, ActionLength, Action, DstUserName,SrcIpAddr
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr
entityMappings:

1
Solutions/OracleDatabaseAudit/Hunting Queries/OracleDBAuditListOfTablesQueried.yaml
Просмотреть файл

@ -1,5 +1,6 @@
id: b8fcb5b8-254c-4d49-865e-403b8453f487
name: OracleDBAudit - Top tables queries
description: |
'Query searches for tables queries.'
requiredDataConnectors:
- connectorId: OracleDatabaseAudit

6
Solutions/OracleDatabaseAudit/Hunting Queries/OracleDBAuditUsersNewPrivilegesAdded.yaml
Просмотреть файл

@ -14,6 +14,7 @@ relevantTechniques:
query: |
let lbtime_30d = 30d;
let lbtime_1d = 1d;
OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_30d) .. ago(lbtime_1d))
| where isnotempty(Privilege) and isnotempty(DstUserName)
| summarize Privileges = makeset(Privilege) by DstUserName;
@ -22,8 +23,9 @@ query: |
| where isnotempty(DstUserName) and isnotempty(Privilege)
| project DstUserName, Privilege
) on DstUserName
| where Privilege !in (Privileges)
| extend AccountCustomEntity = DstUserName
|mv-expand Privileges
|extend Privileges = tostring(Privileges)
| where Privilege != Privileges
entityMappings:
- entityType: Account
fieldMappings:

2
Solutions/OracleDatabaseAudit/Hunting Queries/OracleDBAuditUsersPrivilegesReview.yaml
Просмотреть файл

@ -17,7 +17,7 @@ query: |
| where TimeGenerated > ago(lbtime)
| where isnotempty(DstUserName)
| where isnotempty(Privilege)
| summarize makeset(Privilege) by DstUserName;
| summarize makeset(Privilege) by DstUserName
| extend AccountCustomEntity = DstUserName
entityMappings:
- entityType: Account

Двоичные данные
Solutions/OracleDatabaseAudit/Package/1.0.3.zip
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
Solutions/OracleDatabaseAudit/Package/1.0.5.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

924
Solutions/OracleDatabaseAudit/Package/createUiDefinition.json
Просмотреть файл

@ -1,472 +1,468 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/OracleDatabaseAudit/Workbooks/Images/Logo/oracle_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Oracle Database](https://www.oracle.com/database/technologies/security/db-auditing.html) provides robust audit support in both the Enterprise and Standard Edition of the database. Oracle Database Unified Auditing enables selective and effective auditing inside the Oracle database using policies and conditions.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/OracleDatabaseAudit/Workbooks/Images/Logo/oracle_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Oracle Database](https://www.oracle.com/database/technologies/security/db-auditing.html) Audit solution for Microsoft Sentinel enables you to ingest [Oracle Database Unified and Traditional Auditing](https://www.oracle.com/in/database/technologies/security/db-auditing.html) logs into Microsoft Sentinel to improve your Security Monitoring/Operations capabilities.\n\n**Underlying Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n• [Data collection using Syslog in Microsoft Sentinel](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Oracle database Unified and Traditional audit logs into Microsoft Sentinel using Syslog. After installing the solution, configure and enable this data connector from the Data Connector gallery."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The solution installs a parser that transforms the ingested data. The transformed logs can be accessed using the OracleDatabaseAuditEvent Kusto Function alias."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"visible": false
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The workbook(s) installed with the Oracle Database Audit solution provides insights into your Oracle database audit events. After installation, the workbook(s) will be saved in the My Workbooks gallery in your Microsoft Sentinel workbook gallery.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Oracle Database Audit",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Gain insights into Oracle database audit logs."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "Oracle Database Audit",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
"resourceGroup": {
"allowExisting": true
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Analytic Rules(s) installed with this solution will be deployed in disabled mode in the analytic rules gallery of your Microsoft Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this solution deploys."
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Connection to database from external IP",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when connection to database is from external IP source."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Multiple tables dropped in short time",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user drops many tables in short period of time."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Connection to database from unknown IP",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user connects to a database from IP address which is not present in AllowList."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - User connected to database from new IP",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when a user connects to database from new IP address."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - New user account",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when an action was made by new user."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Query on Sensitive Table",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user queries sensitive tables."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - User activity after long inactivity time",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when an action was made by a user which last activity was observed more than 30 days ago."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - SQL injection patterns",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects common known SQL injection patterns used in automated scripts."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Unusual user activity on multiple tables",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user queries many tables in short period of time."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Shutdown Server",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when \"SHUTDOWN\" command was sent to server."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Hunting Queries installed with this solution will be deployed in the Hunting queries gallery of your Microsoft Sentinel workspace. These can be accessed in the Hunting blade of you Microsoft Sentinel workspace after the solution is installed.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Action by Ip",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches sources from which DbActions were made. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Action by user",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches actions made by user. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Active Users",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching active database user accounts. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users connected to databases during non-operational hours.",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for users who have connected to databases during non-operational hours. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Dropped Tables",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for dropped tables. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Inactive Users",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching user accounts which last activity was more than 30 days ago. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Audit large queries",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for auditing large queries.It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Top tables queries 'Query searches for tables queries.'",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users with new privileges",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching user accounts whith new privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users Privileges Review",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for user accounts and their privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Oracle Database Audit. You can get Oracle Database Audit Syslog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the Syslog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Oracle Database Audit",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Gain insights into Oracle database audit logs."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "Oracle Database Audit",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Oracle Database Audit that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Connection to database from external IP",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when connection to database is from external IP source."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Multiple tables dropped in short time",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user drops many tables in short period of time."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Connection to database from unknown IP",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user connects to a database from IP address which is not present in AllowList."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - User connected to database from new IP",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when a user connects to database from new IP address."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - New user account",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when an action was made by new user."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Query on Sensitive Table",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user queries sensitive tables."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - User activity after long inactivity time",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when an action was made by a user which last activity was observed more than 30 days ago."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - SQL injection patterns",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects common known SQL injection patterns used in automated scripts."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Unusual user activity on multiple tables",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when user queries many tables in short period of time."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Shutdown Server",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when \"SHUTDOWN\" command was sent to server."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for Oracle Database Audit that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Action by Ip",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches sources from which DbActions were made. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Action by user",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches actions made by user. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Active Users",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching active database user accounts. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users connected to databases during non-operational hours.",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for users who have connected to databases during non-operational hours. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Dropped Tables",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for dropped tables. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Inactive Users",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching user accounts which last activity was more than 30 days ago. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users with new privileges",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching user accounts whith new privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Top tables queries 'Query searches for tables queries.'",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users with new privileges",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query for searching user accounts whith new privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "OracleDBAudit - Users Privileges Review",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for user accounts and their privileges. It depends on the Oracle Database Audit data connector and Syslog data type and OracleDatabaseAuditEvent parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
}

75
Solutions/OracleDatabaseAudit/Package/mainTemplate.json
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны