Ofer Shezaf 2021-09-14 14:03:33 +03:00
Родитель 5cc94ed051
Коммит 882fa03c41
2 изменённых файлов: 262 добавлений и 0 удалений


@ -0,0 +1,25 @@
# ASIM parsers for Sysmon for Windows
This template deploys all the [Sysmon for Windows](https://docs.microsoft.com/sysinternals/downloads/sysmon) Azure Sentinel ASIM parsers. The template is part of the [Azure Sentinel Information Mode (ASIM)](https://aka.ms/AzSentinelNormalization). The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
When deploying the parsers, you:
- Make sure that telemetry from Sysmon is analyzed using the built-in Azure Sentinel Analytics. You also enable analysts easier access to the telemetry using a known, standard, schema.
- That events collected to the Event table and to the WindowsEvent tables (used by WEF) are both both available to analysts and in the same format.
**Note: to get the best value from ASIM and make sure that Sysmon telemetry is included in Azure Sentinel Analytics, deploy the [full ASIM parser suite](https://aka.ms/AzSentinelASim).**
<br>
[![Deploy to Azure Sentinel](https://aka.ms/deploytoazurebutton)](https://aka.ms/AzSentinelSysmonARM)
<br>
The template deploys the following:
- ASIM Sysmon File Activity (11, 23 and 26) parsers - vimFileEventMicrosoftSysmonCreated, vimFileEventMicrosoftSysmonDeleted
- ASIM Sysmon Process Events (1 and 5) parsers - vimProcessCreateMicrosoftSysmon, vimProcessTerminateMicrosoftSysmon
- ASIM Sysmon Registry Events (12,13 and 14) parser - vimNetworkSessionLinuxSysmon
- ASIM Sysmon DNS event (22) parsers - ASimDnsMicrosoftSysmon (regular), vimDnsMicrosoftSysmon (parametrized)
<br>


@ -0,0 +1,237 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"type": "string"
},
"location": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimFileEventMicrosoftSysmonCreated",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/FileEventMicrosoftSysmonFileCreated/FileEventMicrosoftSysmonFileCreated.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "vimFileEventMicrosoftSysmonDeleted",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/FileEventMicrosoftSysmonFileDeleted/FileEventMicrosoftSysmonFileDeleted.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedFileEventEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/FileEventEmpty/FileEventEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimProcessCreateMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/ProcessEventMicrosoftSysmonCreate/ProcessEventMicrosoftSysmonCreate.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimProcessTerminateMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/ProcessEventMicrosoftSysmonTerminate/ProcessEventMicrosoftSysmonTerminate.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedEmptyimProcess",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimProcessEvent/ARM/ProcessEventEmpty/ProcessEventEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimRegistryEventMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimRegistry/ARM/RegistryEventMicrosoftSysmon/RegistryEventMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedEmptyimRegistry",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimRegistry/ARM/RegistryEventEmpty/RegistryEventEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimDnsMicrosoftSysmon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedDnsEmpty",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/DnsEmpty/DnsEmpty.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"workspaceName": {
"value": "[parameters('workspaceName')]"
},
"location": {
"value": "[parameters('location')]"
}
}
}
}
],
"outputs": {
}
}
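Review bot: Every `templateLink.uri` in this template fetches its parser from the mutable `master` branch of `Azure/Azure-Sentinel` at deployment time, so whatever is on that branch when someone clicks the deploy button is what lands in the workspace as the KQL functions that analytics rules run on; a later change to or compromise of that branch would alter detection coverage with no signal in this repository. Pin each link to an immutable reference, e.g. `"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/Parsers/ASimFileEvent/ARM/FileEventMicrosoftSysmonFileCreated/FileEventMicrosoftSysmonFileCreated.json"`, and bump the SHA deliberately when parsers are updated (the `contentVersion` check only catches an explicit version bump, not a silent edit of the linked file). The nested deployment names are also inconsistent: `vimFileEventMicrosoftSysmonDeleted` lacks the `linked` prefix the other ten carry, and `linkedEmptyimProcess` / `linkedEmptyimRegistry` read as typos for `linkedEmptyvimProcess` / `linkedEmptyvimRegistry`. Finally, the README added alongside this template lists `vimNetworkSessionLinuxSysmon` as the registry parser, while the template deploys `RegistryEventMicrosoftSysmon.json`; the README should name the parser actually deployed.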