This commit is contained in:
Jayesh Prajapati 2023-07-28 19:38:11 +05:30
Родитель c7f8bf7dde df13d3eff8
Коммит 89c8a47f77
400 изменённых файлов: 70165 добавлений и 4125 удалений

10
.github/workflows/checkAutomatedPR.yaml поставляемый

@ -7,9 +7,13 @@ on:
description: "Is Automated PR"
value: ${{ jobs.checkAutomatedPR.outputs.isAutomatedPR }}
permissions:
contents: read
pull-requests: read
env:
BRANCH_NAME: ${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}
BODY: ${{ github.event.issue.body }}
jobs:
checkAutomatedPR:
@ -20,18 +24,18 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: "${{ env.BRANCH_NAME }}"
- shell: pwsh
id: ValidateAutomatedPR
run: |
$prBodyContent = "${{ github.event.issue.body }}"
$prBodyContent = "${{ env.BODY }}"
$isAutomatedPR = $false
if ($prBodyContent -like '*Automation have successfully*')
{
Write-Host "This Pull Request is autogenerated!"
$isAutomatedPR = $true
}
Write-Output "isAutomatedPR=$isAutomatedPR" >> $env:GITHUB_OUTPUT
Write-Host "Is this Pull Request autogenerated $isAutomatedPR"
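Review bot: `$prBodyContent = "${{ env.BODY }}"` on the new side still expands the PR/issue body into the script text at template-evaluation time, so routing it through `env.BODY` (set from `github.event.issue.body` above) does not close the script-injection path — a body containing a double quote followed by arbitrary PowerShell is executed on the runner with this job's token. Read the value from the process environment instead, `$prBodyContent = $env:BODY`, which keeps the content as data regardless of quotes or newlines. Separately, the `-like '*Automation have successfully*'` test trusts the body text itself, and any PR author can write that phrase; downstream jobs should not grant anything on `isAutomatedPR` alone — presumably they only skip steps, but worth confirming. The `on:` block this workflow belongs to starts above the first hunk.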

2
.github/workflows/checkPRContentChange.yaml поставляемый

@ -28,7 +28,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: "${{ env.BRANCH_NAME }}"
- name: Identify Changes in PR
shell: pwsh
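Review bot: `fetch-depth: 2` together with `ref: "${{ env.BRANCH_NAME }}"` fetches only the branch tip and its parent, so the "Identify Changes in PR" step (which continues below the hunk) has nothing to diff against if it compares with the base branch or merge-base, and a multi-commit branch will only expose its last commit. If that step diffs `HEAD~1..HEAD` this is fine; if it diffs against `origin/master` it needs either `fetch-depth: 0` back or an explicit `git fetch origin <base-branch>` before the diff. The same `fetch-depth: 2` change is repeated in the other workflow files of this commit, so whichever applies here applies to all of them.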


@ -24,7 +24,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: "${{ env.BRANCH_NAME }}"
- name: Check Skip Packaging Status
shell: pwsh


@ -36,7 +36,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: ${{ env.BRANCH_NAME }}
- shell: pwsh
id: deploy

2
.github/workflows/getSolutionName.yaml поставляемый

@ -19,7 +19,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: "${{ env.BRANCH_NAME }}"
- name: Identify Solution
shell: pwsh


@ -31,7 +31,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: ${{ env.BRANCH_NAME }}
- name: IdentifyNewOrExistingSolution
shell: pwsh

23
.github/workflows/package-command.yaml поставляемый

@ -62,7 +62,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: ${{ env.BRANCH_NAME }}
- shell: pwsh
id: step1
@ -171,11 +171,13 @@ jobs:
}
else
{
$title = $response.title
$body = $response.body
Write-Host "Existing PR Title is $title"
$title = "" + $response.title
$body = "" + $response.body
Write-Output "existingPRTitle=$title" >> $env:GITHUB_OUTPUT
Write-Output "existingPRBody=$body" >> $env:GITHUB_OUTPUT
Write-Output "existingPRBody<<EOF" >> $env:GITHUB_OUTPUT
Write-Output $body >> $env:GITHUB_OUTPUT
Write-Output "EOF" >> $env:GITHUB_OUTPUT
}
}
else
@ -200,6 +202,7 @@ jobs:
pull-requests: write
contents: write
needs: [solutionNameDetails, neworexistingsolution, createpackage, getPullRequestInfo]
continue-on-error: true
env:
BLOBNAME: "${{ needs.createpackage.outputs.blobName }}"
IS_CREATE_PACKAGE: ${{ needs.createpackage.outputs.isCreatePackage }}
@ -214,8 +217,8 @@ jobs:
CURRENT_BRANCH_NAME: "${{ github.event.client_payload.pull_request.head.ref && github.event.client_payload.pull_request.head.ref || github.event.client_payload.pullRequestBranchName }}"
RUNID: "${{ github.event.client_payload.github.runId }}"
APPINSIGHTS: "${{ vars.APPINSIGHTS }}"
EXISITING_PR_TITLE: "${{ needs.getPullRequestInfo.outputs.existingPRTitle }}"
EXISITING_PR_BODY: "${{ needs.getPullRequestInfo.outputs.existingPRBody }}"
EXISTING_PR_TITLE: "${{ needs.getPullRequestInfo.outputs.existingPRTitle }}"
EXISTING_PR_BODY: ${{ needs.getPullRequestInfo.outputs.existingPRBody }}
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
@ -235,10 +238,12 @@ jobs:
with:
committer: GitHub <noreply@github.com>
commit-message: added/updated package to pr
author: GitHub <noreply@github.com>
signoff: false
branch: "${{ env.CURRENT_BRANCH_NAME }}" # EXISTING BRANCH NAME
title: "${{ env.EXISITING_PR_TITLE }}"
body: "${{ env.EXISITING_PR_BODY }}"
title: "${{ env.EXISTING_PR_TITLE }}"
body: |
${{ env.EXISTING_PR_BODY }}
- shell: pwsh
id: createPREvents
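Review bot: The heredoc written to `$GITHUB_OUTPUT` (`existingPRBody<<EOF` … `EOF`) uses a fixed delimiter around content that any PR author controls, so a body containing a line that is exactly `EOF` ends the value early and lets the remaining lines be parsed as further `name=value` outputs, which then flow through `EXISTING_PR_BODY` into a job holding `contents: write` and `pull-requests: write`. Use a per-run random delimiter, e.g. `$delimiter = "EOF_" + [guid]::NewGuid().ToString("N")`, then `Write-Output "existingPRBody<<$delimiter" >> $env:GITHUB_OUTPUT` and `Write-Output $delimiter >> $env:GITHUB_OUTPUT` in place of the two literal `EOF` lines. The newly added `continue-on-error: true` on that write-capable job will also hide packaging failures from the PR status; presumably intentional, but a one-line comment saying why would help the next reader. The script block the heredoc sits in starts above the hunk.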

2
.github/workflows/package-on-merge.yaml поставляемый

@ -70,7 +70,7 @@ jobs:
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
fetch-depth: 0
fetch-depth: 2
ref: ${{ env.BRANCH_NAME }}
- shell: pwsh
id: step1


@ -96,6 +96,10 @@ function getConnectorCategory(dataTypes : any, instructionSteps:[])
{
return ConnectorCategory.Dynamics365Activity;
}
else if (dataTypes[0].name.includes("CrowdstrikeReplicatorV2"))
{
return ConnectorCategory.CrowdstrikeReplicatorV2;
}
else if (dataTypes[0].name.includes("BloodHoundEnterprise"))
{
return ConnectorCategory.BloodHoundEnterprise;
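Review bot: The new branch tests `dataTypes[0].name.includes("CrowdstrikeReplicatorV2")` with a lowercase `s`, while the function schema added in this same commit names the function `CrowdStrikeReplicatorV2` with a capital `S`; `String.prototype.includes` is case-sensitive, so if the data type name follows the function's spelling this branch never matches and the connector falls through to whatever the chain returns last. Either align the literal to `CrowdStrikeReplicatorV2` or compare case-insensitively, e.g. `dataTypes[0].name.toLowerCase().includes("crowdstrikereplicatorv2")`. I cannot see the `ConnectorCategory.CrowdstrikeReplicatorV2` member from here, so confirm it exists with exactly this spelling. getConnectorCategory starts and ends outside the hunk.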


@ -28,11 +28,16 @@ try
{
$solutionIndex = $currentFile.IndexOf("Solutions/")
if ($solutionName -eq '' -and $solutionIndex -eq 0)
{
$solutionNameWithSubstring = $currentFile.SubString($solutionIndex + 10)
$firstForwardSlashIndex = $solutionNameWithSubstring.IndexOf("/")
$solutionName = $solutionNameWithSubstring.SubString(0, $firstForwardSlashIndex)
Write-Host "Solution Name is $solutionName"
{
$countForwardSlashes = ($currentFile.Split('/')).count-1
if ($countForwardSlashes -gt 1)
{
# identify solution Name
$solutionNameWithSubstring = $currentFile.SubString($solutionIndex + 10)
$firstForwardSlashIndex = $solutionNameWithSubstring.IndexOf("/")
$solutionName = $solutionNameWithSubstring.SubString(0, $firstForwardSlashIndex)
Write-Host "Solution Name is $solutionName"
}
}
else
{
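Review bot: The offset `10` in `$currentFile.SubString($solutionIndex + 10)` is the length of the literal `"Solutions/"` passed to `IndexOf` three lines earlier, and the new slash-count guard silently skips files that sit directly under `Solutions/` without logging it. Pulling the prefix into one variable, `$solutionsPrefix = "Solutions/"`, and using `$solutionsPrefix.Length` as the offset keeps the two in step, and a `Write-Host "Skipping $currentFile - not inside a solution folder"` in an `else` on the new `if` would make the skip visible in the run log. The enclosing `try` and loop start outside the hunk.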


@ -102,7 +102,7 @@ try {
$playbookFiles = $playbookFiles -match ([regex]::Escape(".json"))
if ($playbookFiles.Count -gt 0) {
$playbookFiles = $playbookFiles | Where-Object { $_ -notlike '*swagger*' -and $_ -notlike '*gov*' }
$playbookFiles = $playbookFiles | Where-Object { $_ -notlike '*swagger*' -and $_ -notlike '*gov*' } | Where-Object { $_ -notlike '*function.json*' }
}
return $playbookFiles;
@ -576,7 +576,7 @@ try {
#======================================
#check if folder with *Connector Name present inside of Solutions folder or in playbooks folder eg: Check Point or Cisco ISE solution
$filterPath = "$solutionFolderPath" + "*Connector/*"
$playbooksDynamicCustomConnector = $filesList -like ($filterPath)
$playbooksDynamicCustomConnector = $filesList -like ($filterPath) | Where-Object {$_ -notlike '*/Data Connectors/*'} | Where-Object {$_ -notlike '*/DataConnectors/*'}
if ($playbooksDynamicCustomConnector -ne $false -and $playbooksDynamicCustomConnector.Count -gt 0)
{
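Review bot: The chained `Where-Object` calls on `$playbookFiles` and on `$playbooksDynamicCustomConnector` can each be one predicate, and the retained `'*gov*'` wildcard drops any path with `gov` anywhere in it (a `Governance` folder, for example), not only the government-cloud variants it presumably targets. If those files follow a fixed naming convention, anchor the pattern to it; otherwise merging the clauses to `Where-Object { $_ -notlike '*swagger*' -and $_ -notlike '*gov*' -and $_ -notlike '*function.json*' }` at least keeps the exclusions in one place. The surrounding `try` starts outside the hunk.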


@ -0,0 +1,27 @@
{
"FunctionName": "CrowdStrikeReplicatorV2",
"FunctionParameters": [
{
"Name": "starttime",
"Type": "DateTime"
},
{
"Name": "endtime",
"Type": "DateTime"
},
{
"Name": "tablesRequired",
"Type": "Dynamic"
},
{
"Name": "eventTypesRequired",
"Type": "Dynamic"
}
],
"FunctionResultColumns": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,477 @@
{
"Name": "ASimAuditEventLogs",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "AdditionalFields",
"Type": "Dynamic"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventOriginalSubType",
"Type": "String"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventOriginalSeverity",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventOwner",
"Type": "String"
},
{
"Name": "EventReportUrl",
"Type": "String"
},
{
"Name": "RuleName",
"Type": "String"
},
{
"Name": "RuleNumber",
"Type": "Int"
},
{
"Name": "ThreatId",
"Type": "String"
},
{
"Name": "ThreatName",
"Type": "String"
},
{
"Name": "ThreatCategory",
"Type": "String"
},
{
"Name": "ThreatRiskLevel",
"Type": "Int"
},
{
"Name": "ThreatOriginalRiskLevel",
"Type": "String"
},
{
"Name": "ThreatConfidence",
"Type": "Int"
},
{
"Name": "ThreatOriginalConfidence",
"Type": "String"
},
{
"Name": "ThreatIsActive",
"Type": "Bool"
},
{
"Name": "ThreatFirstReportedTime",
"Type": "DateTime"
},
{
"Name": "ThreatLastReportedTime",
"Type": "DateTime"
},
{
"Name": "ThreatField",
"Type": "String"
},
{
"Name": "ThreatIpAddr",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "String"
},
{
"Name": "DvcDomainType",
"Type": "String"
},
{
"Name": "DvcFQDN",
"Type": "String"
},
{
"Name": "DvcDescription",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcIdType",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "DvcZone",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "DvcOriginalAction",
"Type": "String"
},
{
"Name": "DvcInterface",
"Type": "String"
},
{
"Name": "DvcScopeId",
"Type": "String"
},
{
"Name": "DvcScope",
"Type": "String"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorUserAadId",
"Type": "String"
},
{
"Name": "ActorUserSid",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorScopeId",
"Type": "String"
},
{
"Name": "ActorScope",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorUserType",
"Type": "String"
},
{
"Name": "ActorOriginalUserType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "TargetAppId",
"Type": "String"
},
{
"Name": "TargetAppName",
"Type": "String"
},
{
"Name": "TargetAppType",
"Type": "String"
},
{
"Name": "TargetUrl",
"Type": "String"
},
{
"Name": "ActingAppId",
"Type": "String"
},
{
"Name": "ActingAppName",
"Type": "String"
},
{
"Name": "ActingAppType",
"Type": "String"
},
{
"Name": "HttpUserAgent",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcPortNumber",
"Type": "Int"
},
{
"Name": "SrcHostname",
"Type": "String"
},
{
"Name": "SrcDomain",
"Type": "String"
},
{
"Name": "SrcDomainType",
"Type": "String"
},
{
"Name": "SrcFQDN",
"Type": "String"
},
{
"Name": "SrcDescription",
"Type": "String"
},
{
"Name": "SrcDvcId",
"Type": "String"
},
{
"Name": "SrcDvcIdType",
"Type": "String"
},
{
"Name": "SrcDvcScopeId",
"Type": "String"
},
{
"Name": "SrcDvcScope",
"Type": "String"
},
{
"Name": "SrcDeviceType",
"Type": "String"
},
{
"Name": "SrcGeoCountry",
"Type": "String"
},
{
"Name": "SrcGeoLatitude",
"Type": "Double"
},
{
"Name": "SrcGeoLongitude",
"Type": "Double"
},
{
"Name": "SrcGeoRegion",
"Type": "String"
},
{
"Name": "SrcGeoCity",
"Type": "String"
},
{
"Name": "SrcRiskLevel",
"Type": "Int"
},
{
"Name": "SrcOriginalRiskLevel",
"Type": "String"
},
{
"Name": "TargetIpAddr",
"Type": "String"
},
{
"Name": "TargetPortNumber",
"Type": "Int"
},
{
"Name": "TargetHostname",
"Type": "String"
},
{
"Name": "TargetDomain",
"Type": "String"
},
{
"Name": "TargetDomainType",
"Type": "String"
},
{
"Name": "TargetFQDN",
"Type": "String"
},
{
"Name": "TargetDescription",
"Type": "String"
},
{
"Name": "TargetDvcId",
"Type": "String"
},
{
"Name": "TargetDvcIdType",
"Type": "String"
},
{
"Name": "TargetDvcScopeId",
"Type": "String"
},
{
"Name": "TargetDvcScope",
"Type": "String"
},
{
"Name": "TargetDeviceType",
"Type": "String"
},
{
"Name": "TargetGeoCountry",
"Type": "String"
},
{
"Name": "TargetGeoLatitude",
"Type": "Double"
},
{
"Name": "TargetGeoLongitude",
"Type": "Double"
},
{
"Name": "TargetGeoRegion",
"Type": "String"
},
{
"Name": "TargetGeoCity",
"Type": "String"
},
{
"Name": "TargetRiskLevel",
"Type": "Int"
},
{
"Name": "TargetOriginalRiskLevel",
"Type": "String"
},
{
"Name": "TargetDvcOs",
"Type": "String"
},
{
"Name": "Operation",
"Type": "String"
},
{
"Name": "ObjectId",
"Type": "String"
},
{
"Name": "Object",
"Type": "String"
},
{
"Name": "ObjectType",
"Type": "String"
},
{
"Name": "OldValue",
"Type": "String"
},
{
"Name": "NewValue",
"Type": "String"
},
{
"Name": "ValueType",
"Type": "String"
}
]
}
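Review bot: `SrcGeoLatitude`/`SrcGeoLongitude` and their Target counterparts are typed `Double` here, while the other ASim schema files in this commit use `Real` for the same columns, and this file carries none of the `dataTypeHint` annotations (`IP`, `URI`) the others attach to `DvcIpAddr`, `SrcIpAddr`, `TargetIpAddr`, `EventReportUrl` and `TargetUrl`. If the consuming validator maps types by exact string, `Double` will not be recognised as the Kusto `real` type; align on `Real` and add the hints so the audit schema validates the same way as the authentication and file schemas.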


@ -0,0 +1,500 @@
{
"Name": "ASimAuthenticationEventLogs",
"Properties": [
{
"name": "TimeGenerated",
"type": "DateTime"
},
{
"name": "AdditionalFields",
"type": "Dynamic"
},
{
"name": "EventMessage",
"type": "String"
},
{
"name": "EventCount",
"type": "Int"
},
{
"name": "EventStartTime",
"type": "DateTime"
},
{
"name": "EventEndTime",
"type": "DateTime"
},
{
"name": "EventType",
"type": "String"
},
{
"name": "EventSubType",
"type": "String"
},
{
"name": "EventResult",
"type": "String"
},
{
"name": "EventResultDetails",
"type": "String"
},
{
"name": "EventOriginalUid",
"type": "String"
},
{
"name": "EventOriginalType",
"type": "String"
},
{
"name": "EventOriginalSubType",
"type": "String"
},
{
"name": "EventOriginalResultDetails",
"type": "String"
},
{
"name": "EventSeverity",
"type": "String"
},
{
"name": "EventOriginalSeverity",
"type": "String"
},
{
"name": "EventProduct",
"type": "String"
},
{
"name": "EventProductVersion",
"type": "String"
},
{
"name": "EventVendor",
"type": "String"
},
{
"name": "EventSchemaVersion",
"type": "String"
},
{
"name": "EventOwner",
"type": "String"
},
{
"name": "EventReportUrl",
"type": "String",
"dataTypeHint": "URI"
},
{
"name": "RuleName",
"type": "String"
},
{
"name": "RuleNumber",
"type": "Int"
},
{
"name": "ThreatId",
"type": "String"
},
{
"name": "ThreatName",
"type": "String"
},
{
"name": "ThreatCategory",
"type": "String"
},
{
"name": "ThreatRiskLevel",
"type": "Int"
},
{
"name": "ThreatOriginalRiskLevel",
"type": "String"
},
{
"name": "ThreatConfidence",
"type": "Int"
},
{
"name": "ThreatOriginalConfidence",
"type": "String"
},
{
"name": "ThreatIsActive",
"type": "Bool"
},
{
"name": "ThreatFirstReportedTime",
"type": "DateTime"
},
{
"name": "ThreatLastReportedTime",
"type": "DateTime"
},
{
"name": "ThreatField",
"type": "String"
},
{
"name": "ThreatIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "DvcIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "DvcHostname",
"type": "String"
},
{
"name": "DvcDomain",
"type": "String"
},
{
"name": "DvcDomainType",
"type": "String"
},
{
"name": "DvcFQDN",
"type": "String"
},
{
"name": "DvcDescription",
"type": "String"
},
{
"name": "DvcId",
"type": "String"
},
{
"name": "DvcIdType",
"type": "String"
},
{
"name": "DvcMacAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "DvcZone",
"type": "String"
},
{
"name": "DvcOs",
"type": "String"
},
{
"name": "DvcOsVersion",
"type": "String"
},
{
"name": "DvcAction",
"type": "String"
},
{
"name": "DvcOriginalAction",
"type": "String"
},
{
"name": "DvcInterface",
"type": "String"
},
{
"name": "DvcScopeId",
"type": "String"
},
{
"name": "DvcScope",
"type": "String"
},
{
"name": "ActorUserId",
"type": "String"
},
{
"name": "ActorUserIdType",
"type": "String"
},
{
"name": "ActorScopeId",
"type": "String"
},
{
"name": "ActorScope",
"type": "String"
},
{
"name": "ActorUsername",
"type": "String"
},
{
"name": "ActorUsernameType",
"type": "String"
},
{
"name": "ActorUserType",
"type": "String"
},
{
"name": "ActorOriginalUserType",
"type": "String"
},
{
"name": "ActorSessionId",
"type": "String"
},
{
"name": "ActingAppId",
"type": "String"
},
{
"name": "ActingAppName",
"type": "String"
},
{
"name": "ActingAppType",
"type": "String"
},
{
"name": "HttpUserAgent",
"type": "String"
},
{
"name": "TargetUserId",
"type": "String"
},
{
"name": "TargetUserIdType",
"type": "String"
},
{
"name": "TargetScopeId",
"type": "String"
},
{
"name": "TargetScope",
"type": "String"
},
{
"name": "TargetUsername",
"type": "String"
},
{
"name": "TargetUsernameType",
"type": "String"
},
{
"name": "TargetUserType",
"type": "String"
},
{
"name": "TargetOriginalUserType",
"type": "String"
},
{
"name": "TargetSessionId",
"type": "String"
},
{
"name": "TargetAppId",
"type": "String"
},
{
"name": "TargetAppName",
"type": "String"
},
{
"name": "TargetAppType",
"type": "String"
},
{
"name": "TargetUrl",
"type": "String",
"dataTypeHint": "URI"
},
{
"name": "SrcIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "SrcPortNumber",
"type": "Int"
},
{
"name": "SrcHostname",
"type": "String"
},
{
"name": "SrcDomain",
"type": "String"
},
{
"name": "SrcDomainType",
"type": "String"
},
{
"name": "SrcFQDN",
"type": "String"
},
{
"name": "SrcDescription",
"type": "String"
},
{
"name": "SrcDvcId",
"type": "String"
},
{
"name": "SrcDvcIdType",
"type": "String"
},
{
"name": "SrcDvcScopeId",
"type": "String"
},
{
"name": "SrcDvcScope",
"type": "String"
},
{
"name": "SrcDeviceType",
"type": "String"
},
{
"name": "SrcGeoCountry",
"type": "String"
},
{
"name": "SrcGeoLatitude",
"type": "Real"
},
{
"name": "SrcGeoLongitude",
"type": "Real"
},
{
"name": "SrcGeoRegion",
"type": "String"
},
{
"name": "SrcGeoCity",
"type": "String"
},
{
"name": "SrcRiskLevel",
"type": "Int"
},
{
"name": "SrcOriginalRiskLevel",
"type": "String"
},
{
"name": "SrcIsp",
"type": "String"
},
{
"name": "SrcDvcOs",
"type": "String"
},
{
"name": "TargetIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "TargetPortNumber",
"type": "Int"
},
{
"name": "TargetHostname",
"type": "String"
},
{
"name": "TargetDomain",
"type": "String"
},
{
"name": "TargetDomainType",
"type": "String"
},
{
"name": "TargetFQDN",
"type": "String"
},
{
"name": "TargetDescription",
"type": "String"
},
{
"name": "TargetDvcId",
"type": "String"
},
{
"name": "TargetDvcIdType",
"type": "String"
},
{
"name": "TargetDvcScopeId",
"type": "String"
},
{
"name": "TargetDvcScope",
"type": "String"
},
{
"name": "TargetDeviceType",
"type": "String"
},
{
"name": "TargetGeoCountry",
"type": "String"
},
{
"name": "TargetGeoLatitude",
"type": "Real"
},
{
"name": "TargetGeoLongitude",
"type": "Real"
},
{
"name": "TargetGeoRegion",
"type": "String"
},
{
"name": "TargetGeoCity",
"type": "String"
},
{
"name": "TargetRiskLevel",
"type": "Int"
},
{
"name": "TargetOriginalRiskLevel",
"type": "String"
},
{
"name": "TargetDvcOs",
"type": "String"
},
{
"name": "LogonMethod",
"type": "String"
},
{
"name": "LogonProtocol",
"type": "String"
}
]
}
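Review bot: `DvcMacAddr` is given `"dataTypeHint": "IP"`, but a MAC address is not an IP address; if the hint drives validation or enrichment, MAC values will be rejected or mis-parsed, so drop the hint or use whatever MAC hint the tooling defines. The property keys in this file are lowercase (`name`, `type`) while the audit schema in this same commit uses `Name`/`Type`; a case-sensitive loader will treat one of the two files as having no properties at all, so pick one casing for the whole set.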


@ -0,0 +1,500 @@
{
"Name": "ASimAuthenticationEventLogs_CL",
"Properties": [
{
"name": "TimeGenerated",
"type": "DateTime"
},
{
"name": "AdditionalFields",
"type": "Dynamic"
},
{
"name": "EventMessage",
"type": "String"
},
{
"name": "EventCount",
"type": "Int"
},
{
"name": "EventStartTime",
"type": "DateTime"
},
{
"name": "EventEndTime",
"type": "DateTime"
},
{
"name": "EventType",
"type": "String"
},
{
"name": "EventSubType",
"type": "String"
},
{
"name": "EventResult",
"type": "String"
},
{
"name": "EventResultDetails",
"type": "String"
},
{
"name": "EventOriginalUid",
"type": "String"
},
{
"name": "EventOriginalType",
"type": "String"
},
{
"name": "EventOriginalSubType",
"type": "String"
},
{
"name": "EventOriginalResultDetails",
"type": "String"
},
{
"name": "EventSeverity",
"type": "String"
},
{
"name": "EventOriginalSeverity",
"type": "String"
},
{
"name": "EventProduct",
"type": "String"
},
{
"name": "EventProductVersion",
"type": "String"
},
{
"name": "EventVendor",
"type": "String"
},
{
"name": "EventSchemaVersion",
"type": "String"
},
{
"name": "EventOwner",
"type": "String"
},
{
"name": "EventReportUrl",
"type": "String",
"dataTypeHint": "URI"
},
{
"name": "RuleName",
"type": "String"
},
{
"name": "RuleNumber",
"type": "Int"
},
{
"name": "ThreatId",
"type": "String"
},
{
"name": "ThreatName",
"type": "String"
},
{
"name": "ThreatCategory",
"type": "String"
},
{
"name": "ThreatRiskLevel",
"type": "Int"
},
{
"name": "ThreatOriginalRiskLevel",
"type": "String"
},
{
"name": "ThreatConfidence",
"type": "Int"
},
{
"name": "ThreatOriginalConfidence",
"type": "String"
},
{
"name": "ThreatIsActive",
"type": "Bool"
},
{
"name": "ThreatFirstReportedTime",
"type": "DateTime"
},
{
"name": "ThreatLastReportedTime",
"type": "DateTime"
},
{
"name": "ThreatField",
"type": "String"
},
{
"name": "ThreatIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "DvcIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "DvcHostname",
"type": "String"
},
{
"name": "DvcDomain",
"type": "String"
},
{
"name": "DvcDomainType",
"type": "String"
},
{
"name": "DvcFQDN",
"type": "String"
},
{
"name": "DvcDescription",
"type": "String"
},
{
"name": "DvcId",
"type": "String"
},
{
"name": "DvcIdType",
"type": "String"
},
{
"name": "DvcMacAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "DvcZone",
"type": "String"
},
{
"name": "DvcOs",
"type": "String"
},
{
"name": "DvcOsVersion",
"type": "String"
},
{
"name": "DvcAction",
"type": "String"
},
{
"name": "DvcOriginalAction",
"type": "String"
},
{
"name": "DvcInterface",
"type": "String"
},
{
"name": "DvcScopeId",
"type": "String"
},
{
"name": "DvcScope",
"type": "String"
},
{
"name": "ActorUserId",
"type": "String"
},
{
"name": "ActorUserIdType",
"type": "String"
},
{
"name": "ActorScopeId",
"type": "String"
},
{
"name": "ActorScope",
"type": "String"
},
{
"name": "ActorUsername",
"type": "String"
},
{
"name": "ActorUsernameType",
"type": "String"
},
{
"name": "ActorUserType",
"type": "String"
},
{
"name": "ActorOriginalUserType",
"type": "String"
},
{
"name": "ActorSessionId",
"type": "String"
},
{
"name": "ActingAppId",
"type": "String"
},
{
"name": "ActingAppName",
"type": "String"
},
{
"name": "ActingAppType",
"type": "String"
},
{
"name": "HttpUserAgent",
"type": "String"
},
{
"name": "TargetUserId",
"type": "String"
},
{
"name": "TargetUserIdType",
"type": "String"
},
{
"name": "TargetScopeId",
"type": "String"
},
{
"name": "TargetScope",
"type": "String"
},
{
"name": "TargetUsername",
"type": "String"
},
{
"name": "TargetUsernameType",
"type": "String"
},
{
"name": "TargetUserType",
"type": "String"
},
{
"name": "TargetOriginalUserType",
"type": "String"
},
{
"name": "TargetSessionId",
"type": "String"
},
{
"name": "TargetAppId",
"type": "String"
},
{
"name": "TargetAppName",
"type": "String"
},
{
"name": "TargetAppType",
"type": "String"
},
{
"name": "TargetUrl",
"type": "String",
"dataTypeHint": "URI"
},
{
"name": "SrcIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "SrcPortNumber",
"type": "Int"
},
{
"name": "SrcHostname",
"type": "String"
},
{
"name": "SrcDomain",
"type": "String"
},
{
"name": "SrcDomainType",
"type": "String"
},
{
"name": "SrcFQDN",
"type": "String"
},
{
"name": "SrcDescription",
"type": "String"
},
{
"name": "SrcDvcId",
"type": "String"
},
{
"name": "SrcDvcIdType",
"type": "String"
},
{
"name": "SrcDvcScopeId",
"type": "String"
},
{
"name": "SrcDvcScope",
"type": "String"
},
{
"name": "SrcDeviceType",
"type": "String"
},
{
"name": "SrcGeoCountry",
"type": "String"
},
{
"name": "SrcGeoLatitude",
"type": "Real"
},
{
"name": "SrcGeoLongitude",
"type": "Real"
},
{
"name": "SrcGeoRegion",
"type": "String"
},
{
"name": "SrcGeoCity",
"type": "String"
},
{
"name": "SrcRiskLevel",
"type": "Int"
},
{
"name": "SrcOriginalRiskLevel",
"type": "String"
},
{
"name": "SrcIsp",
"type": "String"
},
{
"name": "SrcDvcOs",
"type": "String"
},
{
"name": "TargetIpAddr",
"type": "String",
"dataTypeHint": "IP"
},
{
"name": "TargetPortNumber",
"type": "Int"
},
{
"name": "TargetHostname",
"type": "String"
},
{
"name": "TargetDomain",
"type": "String"
},
{
"name": "TargetDomainType",
"type": "String"
},
{
"name": "TargetFQDN",
"type": "String"
},
{
"name": "TargetDescription",
"type": "String"
},
{
"name": "TargetDvcId",
"type": "String"
},
{
"name": "TargetDvcIdType",
"type": "String"
},
{
"name": "TargetDvcScopeId",
"type": "String"
},
{
"name": "TargetDvcScope",
"type": "String"
},
{
"name": "TargetDeviceType",
"type": "String"
},
{
"name": "TargetGeoCountry",
"type": "String"
},
{
"name": "TargetGeoLatitude",
"type": "Real"
},
{
"name": "TargetGeoLongitude",
"type": "Real"
},
{
"name": "TargetGeoRegion",
"type": "String"
},
{
"name": "TargetGeoCity",
"type": "String"
},
{
"name": "TargetRiskLevel",
"type": "Int"
},
{
"name": "TargetOriginalRiskLevel",
"type": "String"
},
{
"name": "TargetDvcOs",
"type": "String"
},
{
"name": "LogonMethod",
"type": "String"
},
{
"name": "LogonProtocol",
"type": "String"
}
]
}
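Review bot: This file is a 500-line copy of the `ASimAuthenticationEventLogs` schema differing only in the `_CL` suffix on `Name`, so the `DvcMacAddr` entry again carries `"dataTypeHint": "IP"` (a MAC is not an IP) and every future schema fix must be applied twice. If the tooling cannot derive the custom-log variant from the base schema, a README note stating that the two files must be kept in sync would help, and the MAC hint should be removed or corrected in both.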


@ -0,0 +1,433 @@
{
"Name": "ASimFileEventLogs_CL",
"properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventOriginalSubType",
"Type": "String"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventOriginalSeverity",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchema",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventReportUrl",
"Type": "String",
"dataTypeHint": "URI"
},
{
"Name": "EventOwner",
"Type": "String"
},
{
"Name": "Dvc",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String",
"dataTypeHint": "IP"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "String"
},
{
"Name": "DvcDomainType",
"Type": "String"
},
{
"Name": "DvcFQDN",
"Type": "String"
},
{
"Name": "DvcDescription",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcIdType",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "DvcZone",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "DvcOriginalAction",
"Type": "String"
},
{
"Name": "DvcInterface",
"Type": "String"
},
{
"Name": "DvcScopeId",
"Type": "String"
},
{
"Name": "DvcScope",
"Type": "String"
},
{
"Name": "AdditionalFields",
"Type": "Dynamic"
},
{
"Name": "TargetFileCreationTime",
"Type": "DateTime"
},
{
"Name": "TargetFileDirectory",
"Type": "String"
},
{
"Name": "TargetFileExtension",
"Type": "String"
},
{
"Name": "TargetFileMimeType",
"Type": "String"
},
{
"Name": "TargetFileName",
"Type": "String"
},
{
"Name": "TargetFilePath",
"Type": "String"
},
{
"Name": "TargetFilePathType",
"Type": "String"
},
{
"Name": "TargetFileMD5",
"Type": "String"
},
{
"Name": "TargetFileSHA1",
"Type": "String"
},
{
"Name": "TargetFileSHA256",
"Type": "String"
},
{
"Name": "TargetFileSHA512",
"Type": "String"
},
{
"Name": "HashType",
"Type": "String"
},
{
"Name": "TargetFileSize",
"Type": "Long"
},
{
"Name": "SrcFileCreationTime",
"Type": "DateTime"
},
{
"Name": "SrcFileDirectory",
"Type": "String"
},
{
"Name": "SrcFileExtension",
"Type": "String"
},
{
"Name": "SrcFileMimeType",
"Type": "String"
},
{
"Name": "SrcFileName",
"Type": "String"
},
{
"Name": "SrcFilePath",
"Type": "String"
},
{
"Name": "SrcFilePathType",
"Type": "String"
},
{
"Name": "SrcFileMD5",
"Type": "String"
},
{
"Name": "SrcFileSHA1",
"Type": "String"
},
{
"Name": "SrcFileSHA256",
"Type": "String"
},
{
"Name": "SrcFileSHA512",
"Type": "String"
},
{
"Name": "SrcFileSize",
"Type": "Long"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorScope",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "ActorUserType",
"Type": "String"
},
{
"Name": "ActorOriginalUserType",
"Type": "String"
},
{
"Name": "ActingProcessCommandLine",
"Type": "String"
},
{
"Name": "ActingProcessName",
"Type": "String"
},
{
"Name": "ActingProcessId",
"Type": "String"
},
{
"Name": "ActingProcessGuid",
"Type": "String"
},
{
"Name": "HttpUserAgent",
"Type": "String"
},
{
"Name": "NetworkApplicationProtocol",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String",
"dataTypeHint": "IP"
},
{
"Name": "SrcGeoCountry",
"Type": "String"
},
{
"Name": "SrcGeoRegion",
"Type": "String"
},
{
"Name": "SrcGeoCity",
"Type": "String"
},
{
"Name": "SrcGeoLatitude",
"Type": "Real"
},
{
"Name": "SrcGeoLongitude",
"Type": "Real"
},
{
"Name": "TargetAppName",
"Type": "String"
},
{
"Name": "TargetAppId",
"Type": "String"
},
{
"Name": "TargetAppType",
"Type": "String"
},
{
"Name": "TargetUrl",
"Type": "String",
"dataTypeHint": "URI"
},
{
"Name": "RuleName",
"Type": "String"
},
{
"Name": "RuleNumber",
"Type": "Int"
},
{
"Name": "ThreatId",
"Type": "String"
},
{
"Name": "ThreatName",
"Type": "String"
},
{
"Name": "ThreatCategory",
"Type": "String"
},
{
"Name": "ThreatRiskLevel",
"Type": "Int"
},
{
"Name": "ThreatOriginalRiskLevel",
"Type": "String"
},
{
"Name": "ThreatFilePath",
"Type": "String"
},
{
"Name": "ThreatField",
"Type": "String"
},
{
"Name": "ThreatConfidence",
"Type": "Int"
},
{
"Name": "ThreatOriginalConfidence",
"Type": "String"
},
{
"Name": "ThreatIsActive",
"Type": "Bool"
},
{
"Name": "ThreatFirstReportedTime",
"Type": "DateTime"
},
{
"Name": "ThreatLastReportedTime",
"Type": "DateTime"
},
{
"Name": "DvcSubscriptionId",
"Type": "String"
},
{
"Name": "Hash",
"Type": "String"
}
]
}
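Review bot: The top-level key here is `properties` (lowercase) while the sibling schema files in this commit use `Properties`, and the entries use `Name`/`Type` where the authentication schemas use `name`/`type`; a case-sensitive JSON consumer will see an empty schema for whichever spelling it does not expect. Align the key casing with the other files before these are loaded by the validator. `TargetFileSize`/`SrcFileSize` use `Long`, which none of the other schemas here use; worth confirming the type mapper accepts it alongside `Int` and `Real`.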


@ -0,0 +1,495 @@
{
"Name": "ASimProcessEventLogs",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "AdditionalFields",
"Type": "Dynamic"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventOriginalSubType",
"Type": "String"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventOriginalSeverity",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventOwner",
"Type": "String"
},
{
"Name": "EventReportUrl",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String",
"dataTypeHint": "IP"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "String"
},
{
"Name": "DvcDomainType",
"Type": "String"
},
{
"Name": "DvcFQDN",
"Type": "String"
},
{
"Name": "DvcDescription",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcIdType",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String",
"dataTypeHint": "IP"
},
{
"Name": "DvcZone",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "DvcOriginalAction",
"Type": "String"
},
{
"Name": "DvcInterface",
"Type": "String"
},
{
"Name": "DvcScopeId",
"Type": "String"
},
{
"Name": "DvcScope",
"Type": "String"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorScopeId",
"Type": "String"
},
{
"Name": "ActorScope",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorUserType",
"Type": "String"
},
{
"Name": "ActorOriginalUserType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "TargetUserId",
"Type": "String"
},
{
"Name": "TargetUserIdType",
"Type": "String"
},
{
"Name": "TargetScopeId",
"Type": "String"
},
{
"Name": "TargetScope",
"Type": "String"
},
{
"Name": "TargetUsername",
"Type": "String"
},
{
"Name": "TargetUsernameType",
"Type": "String"
},
{
"Name": "TargetUserType",
"Type": "String"
},
{
"Name": "TargetOriginalUserType",
"Type": "String"
},
{
"Name": "TargetUserSessionId",
"Type": "String"
},
{
"Name": "TargetUserSessionGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "ActingProcessCommandLine",
"Type": "String"
},
{
"Name": "ActingProcessName",
"Type": "String"
},
{
"Name": "ActingProcessFileCompany",
"Type": "String"
},
{
"Name": "ActingProcessFileDescription",
"Type": "String"
},
{
"Name": "ActingProcessFileProduct",
"Type": "String"
},
{
"Name": "ActingProcessFileVersion",
"Type": "String"
},
{
"Name": "ActingProcessFileInternalName",
"Type": "String"
},
{
"Name": "ActingProcessFileOriginalName",
"Type": "String"
},
{
"Name": "ActingProcessFilename",
"Type": "String"
},
{
"Name": "ActingProcessIsHidden",
"Type": "Bool"
},
{
"Name": "ActingProcessInjectedAddress",
"Type": "String"
},
{
"Name": "ActingProcessId",
"Type": "String"
},
{
"Name": "ActingProcessGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "ActingProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "ActingProcessMD5",
"Type": "String"
},
{
"Name": "ActingProcessSHA1",
"Type": "String"
},
{
"Name": "ActingProcessSHA256",
"Type": "String"
},
{
"Name": "ActingProcessSHA512",
"Type": "String"
},
{
"Name": "ActingProcessIMPHASH",
"Type": "String"
},
{
"Name": "ActingProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "ActingProcessTokenElevation",
"Type": "String"
},
{
"Name": "ActingProcessFileSize",
"Type": "Long"
},
{
"Name": "ParentProcessName",
"Type": "String"
},
{
"Name": "ParentProcessFileCompany",
"Type": "String"
},
{
"Name": "ParentProcessFileDescription",
"Type": "String"
},
{
"Name": "ParentProcessFileProduct",
"Type": "String"
},
{
"Name": "ParentProcessFileVersion",
"Type": "String"
},
{
"Name": "ParentProcessIsHidden",
"Type": "Bool"
},
{
"Name": "ParentProcessInjectedAddress",
"Type": "String"
},
{
"Name": "ParentProcessId",
"Type": "String"
},
{
"Name": "ParentProcessGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "ParentProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "ParentProcessMD5",
"Type": "String"
},
{
"Name": "ParentProcessSHA1",
"Type": "String"
},
{
"Name": "ParentProcessSHA256",
"Type": "String"
},
{
"Name": "ParentProcessSHA512",
"Type": "String"
},
{
"Name": "ParentProcessIMPHASH",
"Type": "String"
},
{
"Name": "ParentProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "ParentProcessTokenElevation",
"Type": "String"
},
{
"Name": "TargetProcessCommandLine",
"Type": "String"
},
{
"Name": "TargetProcessName",
"Type": "String"
},
{
"Name": "TargetProcessFileCompany",
"Type": "String"
},
{
"Name": "TargetProcessFileDescription",
"Type": "String"
},
{
"Name": "TargetProcessFileProduct",
"Type": "String"
},
{
"Name": "TargetProcessFileVersion",
"Type": "String"
},
{
"Name": "TargetProcessFileInternalName",
"Type": "String"
},
{
"Name": "TargetProcessFileOriginalName",
"Type": "String"
},
{
"Name": "TargetProcessFilename",
"Type": "String"
},
{
"Name": "TargetProcessIsHidden",
"Type": "Bool"
},
{
"Name": "TargetProcessInjectedAddress",
"Type": "String"
},
{
"Name": "TargetProcessId",
"Type": "String"
},
{
"Name": "TargetProcessGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "TargetProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "TargetProcessMD5",
"Type": "String"
},
{
"Name": "TargetProcessSHA1",
"Type": "String"
},
{
"Name": "TargetProcessSHA256",
"Type": "String"
},
{
"Name": "TargetProcessSHA512",
"Type": "String"
},
{
"Name": "TargetProcessIMPHASH",
"Type": "String"
},
{
"Name": "TargetProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "TargetProcessTokenElevation",
"Type": "String"
},
{
"Name": "TargetProcessFileSize",
"Type": "Long"
},
{
"Name": "TargetProcessCurrentDirectory",
"Type": "String"
},
{
"Name": "TargetProcessStatusCode",
"Type": "String"
}
]
}
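Review bot: `DvcMacAddr` is declared with `"dataTypeHint": "IP"`, but a MAC address is not an IP address, and a hint-driven consumer could reject or mis-parse values for that column; the same property in the file's `DvcIpAddr` entry shows where the hint actually belongs. Either drop the hint or replace the entry with `{ "Name": "DvcMacAddr", "Type": "String" }`. The table also appears byte-for-byte identical to the `ASimProcessEventLogs_CL` table added further down in this commit, so any correction here presumably needs to be mirrored there.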


@ -0,0 +1,495 @@
{
"Name": "ASimProcessEventLogs_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "AdditionalFields",
"Type": "Dynamic"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int"
},
{
"Name": "EventStartTime",
"Type": "DateTime"
},
{
"Name": "EventEndTime",
"Type": "DateTime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventOriginalSubType",
"Type": "String"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventOriginalSeverity",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventOwner",
"Type": "String"
},
{
"Name": "EventReportUrl",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String",
"dataTypeHint": "IP"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "String"
},
{
"Name": "DvcDomainType",
"Type": "String"
},
{
"Name": "DvcFQDN",
"Type": "String"
},
{
"Name": "DvcDescription",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcIdType",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String",
"dataTypeHint": "IP"
},
{
"Name": "DvcZone",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "DvcOriginalAction",
"Type": "String"
},
{
"Name": "DvcInterface",
"Type": "String"
},
{
"Name": "DvcScopeId",
"Type": "String"
},
{
"Name": "DvcScope",
"Type": "String"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorScopeId",
"Type": "String"
},
{
"Name": "ActorScope",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorUserType",
"Type": "String"
},
{
"Name": "ActorOriginalUserType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "TargetUserId",
"Type": "String"
},
{
"Name": "TargetUserIdType",
"Type": "String"
},
{
"Name": "TargetScopeId",
"Type": "String"
},
{
"Name": "TargetScope",
"Type": "String"
},
{
"Name": "TargetUsername",
"Type": "String"
},
{
"Name": "TargetUsernameType",
"Type": "String"
},
{
"Name": "TargetUserType",
"Type": "String"
},
{
"Name": "TargetOriginalUserType",
"Type": "String"
},
{
"Name": "TargetUserSessionId",
"Type": "String"
},
{
"Name": "TargetUserSessionGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "ActingProcessCommandLine",
"Type": "String"
},
{
"Name": "ActingProcessName",
"Type": "String"
},
{
"Name": "ActingProcessFileCompany",
"Type": "String"
},
{
"Name": "ActingProcessFileDescription",
"Type": "String"
},
{
"Name": "ActingProcessFileProduct",
"Type": "String"
},
{
"Name": "ActingProcessFileVersion",
"Type": "String"
},
{
"Name": "ActingProcessFileInternalName",
"Type": "String"
},
{
"Name": "ActingProcessFileOriginalName",
"Type": "String"
},
{
"Name": "ActingProcessFilename",
"Type": "String"
},
{
"Name": "ActingProcessIsHidden",
"Type": "Bool"
},
{
"Name": "ActingProcessInjectedAddress",
"Type": "String"
},
{
"Name": "ActingProcessId",
"Type": "String"
},
{
"Name": "ActingProcessGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "ActingProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "ActingProcessMD5",
"Type": "String"
},
{
"Name": "ActingProcessSHA1",
"Type": "String"
},
{
"Name": "ActingProcessSHA256",
"Type": "String"
},
{
"Name": "ActingProcessSHA512",
"Type": "String"
},
{
"Name": "ActingProcessIMPHASH",
"Type": "String"
},
{
"Name": "ActingProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "ActingProcessTokenElevation",
"Type": "String"
},
{
"Name": "ActingProcessFileSize",
"Type": "Long"
},
{
"Name": "ParentProcessName",
"Type": "String"
},
{
"Name": "ParentProcessFileCompany",
"Type": "String"
},
{
"Name": "ParentProcessFileDescription",
"Type": "String"
},
{
"Name": "ParentProcessFileProduct",
"Type": "String"
},
{
"Name": "ParentProcessFileVersion",
"Type": "String"
},
{
"Name": "ParentProcessIsHidden",
"Type": "Bool"
},
{
"Name": "ParentProcessInjectedAddress",
"Type": "String"
},
{
"Name": "ParentProcessId",
"Type": "String"
},
{
"Name": "ParentProcessGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "ParentProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "ParentProcessMD5",
"Type": "String"
},
{
"Name": "ParentProcessSHA1",
"Type": "String"
},
{
"Name": "ParentProcessSHA256",
"Type": "String"
},
{
"Name": "ParentProcessSHA512",
"Type": "String"
},
{
"Name": "ParentProcessIMPHASH",
"Type": "String"
},
{
"Name": "ParentProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "ParentProcessTokenElevation",
"Type": "String"
},
{
"Name": "TargetProcessCommandLine",
"Type": "String"
},
{
"Name": "TargetProcessName",
"Type": "String"
},
{
"Name": "TargetProcessFileCompany",
"Type": "String"
},
{
"Name": "TargetProcessFileDescription",
"Type": "String"
},
{
"Name": "TargetProcessFileProduct",
"Type": "String"
},
{
"Name": "TargetProcessFileVersion",
"Type": "String"
},
{
"Name": "TargetProcessFileInternalName",
"Type": "String"
},
{
"Name": "TargetProcessFileOriginalName",
"Type": "String"
},
{
"Name": "TargetProcessFilename",
"Type": "String"
},
{
"Name": "TargetProcessIsHidden",
"Type": "Bool"
},
{
"Name": "TargetProcessInjectedAddress",
"Type": "String"
},
{
"Name": "TargetProcessId",
"Type": "String"
},
{
"Name": "TargetProcessGuid",
"Type": "String",
"dataTypeHint": "GUID"
},
{
"Name": "TargetProcessIntegrityLevel",
"Type": "String"
},
{
"Name": "TargetProcessMD5",
"Type": "String"
},
{
"Name": "TargetProcessSHA1",
"Type": "String"
},
{
"Name": "TargetProcessSHA256",
"Type": "String"
},
{
"Name": "TargetProcessSHA512",
"Type": "String"
},
{
"Name": "TargetProcessIMPHASH",
"Type": "String"
},
{
"Name": "TargetProcessCreationTime",
"Type": "DateTime"
},
{
"Name": "TargetProcessTokenElevation",
"Type": "String"
},
{
"Name": "TargetProcessFileSize",
"Type": "Long"
},
{
"Name": "TargetProcessCurrentDirectory",
"Type": "String"
},
{
"Name": "TargetProcessStatusCode",
"Type": "String"
}
]
}
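Review bot: `DvcMacAddr` carries `"dataTypeHint": "IP"` here as well, which is the wrong hint for a MAC address; it should read `{ "Name": "DvcMacAddr", "Type": "String" }` with no hint, or whatever hint the schema consumer defines for MAC values. Since this file appears to duplicate `ASimProcessEventLogs` exactly apart from the `_CL` suffix, consider deriving one from the other at packaging time so the two cannot drift.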


@ -0,0 +1,245 @@
{
"Name": "ASimRegistryEventLogs_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "Datetime"
},
{
"Name": "AdditionalFields",
"Type": "Dynamic"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int"
},
{
"Name": "EventStartTime",
"Type": "Datetime"
},
{
"Name": "EventEndTime",
"Type": "Datetime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventOriginalSubType",
"Type": "String"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventOriginalSeverity",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventOwner",
"Type": "String"
},
{
"Name": "EventReportUrl",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "String"
},
{
"Name": "DvcDomainType",
"Type": "String"
},
{
"Name": "DvcFQDN",
"Type": "String"
},
{
"Name": "DvcDescription",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcIdType",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "DvcZone",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "DvcOriginalAction",
"Type": "String"
},
{
"Name": "DvcInterface",
"Type": "String"
},
{
"Name": "DvcScopeId",
"Type": "String"
},
{
"Name": "DvcScope",
"Type": "String"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorScopeId",
"Type": "String"
},
{
"Name": "ActorScope",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "ActingProcessName",
"Type": "String"
},
{
"Name": "ActingProcessId",
"Type": "String"
},
{
"Name": "ActingProcessGuid",
"Type": "String"
},
{
"Name": "ParentProcessName",
"Type": "String"
},
{
"Name": "ParentProcessId",
"Type": "String"
},
{
"Name": "ParentProcessGuid",
"Type": "String"
},
{
"Name": "RegistryKey",
"Type": "String"
},
{
"Name": "RegistryValue",
"Type": "String"
},
{
"Name": "RegistryValueType",
"Type": "String"
},
{
"Name": "RegistryValueData",
"Type": "String"
},
{
"Name": "RegistryPreviousKey",
"Type": "String"
},
{
"Name": "RegistryPreviousValue",
"Type": "String"
},
{
"Name": "RegistryPreviousValueType",
"Type": "String"
},
{
"Name": "RegistryPreviousValueData",
"Type": "String"
}
]
}
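Review bot: The type names in this table use `"Datetime"` for `TimeGenerated`, `EventStartTime` and `EventEndTime`, while the neighbouring ASim tables in this commit spell it `"DateTime"`; if the consumer matches type names case-sensitively, this file presumably fails validation or silently falls back to string. Normalising to `"Type": "DateTime"` keeps the set consistent. This table also omits the `"dataTypeHint": "IP"` / `"GUID"` annotations that the process-event tables put on `DvcIpAddr` and the `*ProcessGuid` columns, which is worth aligning if the hints are consumed anywhere.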


@ -0,0 +1,353 @@
{
"Name": "ASimUserManagementLogs_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "Datetime"
},
{
"Name": "AdditionalFields",
"Type": "dynamic"
},
{
"Name": "EventMessage",
"Type": "String"
},
{
"Name": "EventCount",
"Type": "Int"
},
{
"Name": "EventStartTime",
"Type": "Datetime"
},
{
"Name": "EventEndTime",
"Type": "Datetime"
},
{
"Name": "EventType",
"Type": "String"
},
{
"Name": "EventSubType",
"Type": "String"
},
{
"Name": "EventResult",
"Type": "String"
},
{
"Name": "EventResultDetails",
"Type": "String"
},
{
"Name": "EventOriginalUid",
"Type": "String"
},
{
"Name": "EventOriginalType",
"Type": "String"
},
{
"Name": "EventOriginalSubType",
"Type": "String"
},
{
"Name": "EventOriginalResultDetails",
"Type": "String"
},
{
"Name": "EventSeverity",
"Type": "String"
},
{
"Name": "EventOriginalSeverity",
"Type": "String"
},
{
"Name": "EventProduct",
"Type": "String"
},
{
"Name": "EventProductVersion",
"Type": "String"
},
{
"Name": "EventVendor",
"Type": "String"
},
{
"Name": "EventSchemaVersion",
"Type": "String"
},
{
"Name": "EventOwner",
"Type": "String"
},
{
"Name": "EventReportUrl",
"Type": "String"
},
{
"Name": "DvcIpAddr",
"Type": "String"
},
{
"Name": "DvcHostname",
"Type": "String"
},
{
"Name": "DvcDomain",
"Type": "String"
},
{
"Name": "DvcDomainType",
"Type": "String"
},
{
"Name": "DvcFQDN",
"Type": "String"
},
{
"Name": "DvcDescription",
"Type": "String"
},
{
"Name": "DvcId",
"Type": "String"
},
{
"Name": "DvcIdType",
"Type": "String"
},
{
"Name": "DvcMacAddr",
"Type": "String"
},
{
"Name": "DvcZone",
"Type": "String"
},
{
"Name": "DvcOs",
"Type": "String"
},
{
"Name": "DvcOsVersion",
"Type": "String"
},
{
"Name": "DvcAction",
"Type": "String"
},
{
"Name": "DvcOriginalAction",
"Type": "String"
},
{
"Name": "DvcInterface",
"Type": "String"
},
{
"Name": "DvcScopeId",
"Type": "String"
},
{
"Name": "DvcScope",
"Type": "String"
},
{
"Name": "ActorUserId",
"Type": "String"
},
{
"Name": "ActorUserIdType",
"Type": "String"
},
{
"Name": "ActorScopeId",
"Type": "String"
},
{
"Name": "ActorScope",
"Type": "String"
},
{
"Name": "ActorUsername",
"Type": "String"
},
{
"Name": "ActorUsernameType",
"Type": "String"
},
{
"Name": "ActorUserType",
"Type": "String"
},
{
"Name": "ActorOriginalUserType",
"Type": "String"
},
{
"Name": "ActorSessionId",
"Type": "String"
},
{
"Name": "TargetUserId",
"Type": "String"
},
{
"Name": "TargetUserIdType",
"Type": "String"
},
{
"Name": "TargetScopeId",
"Type": "String"
},
{
"Name": "TargetScope",
"Type": "String"
},
{
"Name": "TargetUsername",
"Type": "String"
},
{
"Name": "TargetUsernameType",
"Type": "String"
},
{
"Name": "TargetUserType",
"Type": "String"
},
{
"Name": "TargetOriginalUserType",
"Type": "String"
},
{
"Name": "GroupId",
"Type": "String"
},
{
"Name": "GroupIdType",
"Type": "String"
},
{
"Name": "GroupName",
"Type": "String"
},
{
"Name": "GroupNameType",
"Type": "String"
},
{
"Name": "GroupType",
"Type": "String"
},
{
"Name": "GroupOriginalType",
"Type": "String"
},
{
"Name": "SrcIpAddr",
"Type": "String"
},
{
"Name": "SrcPortNumber",
"Type": "Int"
},
{
"Name": "SrcHostname",
"Type": "String"
},
{
"Name": "SrcDomain",
"Type": "String"
},
{
"Name": "SrcDomainType",
"Type": "String"
},
{
"Name": "SrcFQDN",
"Type": "String"
},
{
"Name": "SrcDescription",
"Type": "String"
},
{
"Name": "SrcDvcId",
"Type": "String"
},
{
"Name": "SrcDvcIdType",
"Type": "String"
},
{
"Name": "SrcDvcScopeId",
"Type": "String"
},
{
"Name": "SrcDvcScope",
"Type": "String"
},
{
"Name": "SrcDeviceType",
"Type": "String"
},
{
"Name": "SrcGeoCountry",
"Type": "String"
},
{
"Name": "SrcGeoLatitude",
"Type": "Real"
},
{
"Name": "SrcGeoLongitude",
"Type": "Real"
},
{
"Name": "SrcGeoRegion",
"Type": "String"
},
{
"Name": "SrcGeoCity",
"Type": "String"
},
{
"Name": "SrcRiskLevel",
"Type": "Int"
},
{
"Name": "SrcOriginalRiskLevel",
"Type": "String"
},
{
"Name": "ActingAppId",
"Type": "String"
},
{
"Name": "ActingAppName",
"Type": "String"
},
{
"Name": "ActingAppType",
"Type": "String"
},
{
"Name": "HttpUserAgent",
"Type": "String"
},
{
"Name": "PreviousPropertyValue",
"Type": "String"
},
{
"Name": "NewPropertyValue",
"Type": "String"
}
]
}
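Review bot: Type spelling is inconsistent with the sibling ASim tables in this commit: `"Datetime"` on the three time columns and `"dynamic"` on `AdditionalFields`, versus `"DateTime"` and `"Dynamic"` elsewhere; a case-sensitive consumer would presumably treat these differently. Use `"Type": "DateTime"` and `"Type": "Dynamic"` to match. `SrcIpAddr` here also lacks the `"dataTypeHint": "IP"` that the other tables attach to IP columns.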


@ -0,0 +1,65 @@
{
"Name": "Alerts_data_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "GUID",
"Type": "real"
},
{
"Name": "AlertType",
"Type": "string"
},
{
"Name": "AlertDate",
"Type": "string"
},
{
"Name": "StartDate",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "CompanyGUID",
"Type": "string"
},
{
"Name": "CompanyURL",
"Type": "string"
},
{
"Name": "FolderGUID",
"Type": "string"
},
{
"Name": "FolderName",
"Type": "string"
},
{
"Name": "Severity",
"Type": "string"
},
{
"Name": "Trigger",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
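Review bot: `GUID` is typed `"real"`, yet every other identifier in the same table (`CompanyGUID`, `FolderGUID`) is a string; a GUID that does not parse as a number would presumably be dropped or nulled on ingestion, leaving alerts without their primary identifier. Change it to `{ "Name": "GUID", "Type": "string" }`. The same mistake is repeated in `BitSightAlerts` below.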


@ -0,0 +1,65 @@
{
"Name": "BitSightAlerts",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "GUID",
"Type": "real"
},
{
"Name": "AlertType",
"Type": "string"
},
{
"Name": "AlertDate",
"Type": "string"
},
{
"Name": "StartDate",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "CompanyGUID",
"Type": "string"
},
{
"Name": "CompanyURL",
"Type": "string"
},
{
"Name": "FolderGUID",
"Type": "string"
},
{
"Name": "FolderName",
"Type": "string"
},
{
"Name": "Severity",
"Type": "string"
},
{
"Name": "Trigger",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
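Review bot: `GUID` is declared as `"real"` here too, although `CompanyGUID` and `FolderGUID` in the same table are strings and a GUID is not numeric; records with non-numeric GUIDs would presumably lose the field at ingestion. Replace the entry with `{ "Name": "GUID", "Type": "string" }`.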


@ -0,0 +1,69 @@
{
"Name": "BitSightBreaches",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "GUID",
"Type": "string"
},
{
"Name": "Date",
"Type": "string"
},
{
"Name": "Severity",
"Type": "int"
},
{
"Name": "Text",
"Type": "string"
},
{
"Name": "DateCreated",
"Type": "string"
},
{
"Name": "PreviwURL",
"Type": "string"
},
{
"Name": "EventType",
"Type": "string"
},
{
"Name": "EventTypeDescription",
"Type": "string"
},
{
"Name": "BreachedCompanies",
"Type": "string"
},
{
"Name": "DependentCompanies",
"Type": "string"
},
{
"Name": "Companyname",
"Type": "string"
},
{
"Name": "CompanyGUID",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
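Review bot: Two column names look misspelled and become permanent once the table exists: `"PreviwURL"` (presumably `PreviewURL`) and `"Companyname"`, which breaks the `CompanyName` casing used by `BitSightAlerts` and the other BitSight tables, so queries joining on company name would need a per-table alias. Consider `{ "Name": "PreviewURL", "Type": "string" }` and `{ "Name": "CompanyName", "Type": "string" }` before this schema ships. The parallel `Breaches_data_CL` table further down carries the same names.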


@ -0,0 +1,209 @@
{
"Name": "BitSightCompanyDetails",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "ComplianceClaimCertifications",
"Type": "string"
},
{
"Name": "ComplianceClaimTrustPage",
"Type": "string"
},
{
"Name": "PrimaryDomain",
"Type": "string"
},
{
"Name": "PrimaryCompanyName",
"Type": "string"
},
{
"Name": "AvailableUpgradeTypes",
"Type": "string"
},
{
"Name": "BulkEmailSenderStatus",
"Type": "string"
},
{
"Name": "CompanyFeatures",
"Type": "string"
},
{
"Name": "CustomerMonitoringCount",
"Type": "real"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "DisplayURL",
"Type": "string"
},
{
"Name": "GUID",
"Type": "string"
},
{
"Name": "HasCompanyTree",
"Type": "bool"
},
{
"Name": "HasPreferredContact",
"Type": "bool"
},
{
"Name": "Hompage",
"Type": "string"
},
{
"Name": "InSpmPortfolio",
"Type": "bool"
},
{
"Name": "Industry",
"Type": "string"
},
{
"Name": "IndustrySlug",
"Type": "string"
},
{
"Name": "Ipv4Count",
"Type": "real"
},
{
"Name": "IsBundle",
"Type": "bool"
},
{
"Name": "IsCsp",
"Type": "bool"
},
{
"Name": "IsMycompMysubsBundle",
"Type": "bool"
},
{
"Name": "IsPrimary",
"Type": "bool"
},
{
"Name": "IsUnsampledAllowed",
"Type": "bool"
},
{
"Name": "Name",
"Type": "string"
},
{
"Name": "PeopleCount",
"Type": "real"
},
{
"Name": "PermissionCanAnnotate",
"Type": "bool"
},
{
"Name": "PermissionCanDownloadCompanyReport",
"Type": "bool"
},
{
"Name": "PermissionCanEnableVendorAccess",
"Type": "bool"
},
{
"Name": "PermissionCanViewCompanyReports",
"Type": "bool"
},
{
"Name": "PermissionCanViewForensics",
"Type": "bool"
},
{
"Name": "PermissionCanViewInfrastructure",
"Type": "bool"
},
{
"Name": "PermissionCanViewIpAttributions",
"Type": "bool"
},
{
"Name": "PermissionCanViewServiceProviders",
"Type": "bool"
},
{
"Name": "PermissionsHasControl",
"Type": "bool"
},
{
"Name": "PrimaryDomain",
"Type": "string"
},
{
"Name": "RatingIndustryMedian",
"Type": "string"
},
{
"Name": "Ratings",
"Type": "string"
},
{
"Name": "RelatedCompanies",
"Type": "string"
},
{
"Name": "SearchCount",
"Type": "real"
},
{
"Name": "ServiceProvider",
"Type": "bool"
},
{
"Name": "Shortname",
"Type": "string"
},
{
"Name": "Sparkline",
"Type": "string"
},
{
"Name": "SubIndustry",
"Type": "string"
},
{
"Name": "SubIndustrySlug",
"Type": "string"
},
{
"Name": "SubscriptionType",
"Type": "string"
},
{
"Name": "SubscriptionTypeKey",
"Type": "string"
},
{
"Name": "type",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
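Review bot: `PrimaryDomain` is declared twice in the `Properties` array (once near the top, once after `PermissionsHasControl`), and `type` and `Type` both appear; a duplicate column name is likely to be rejected when the table is created, and the `type`/`Type` pair is at best ambiguous for any consumer that compares names case-insensitively. Remove the second `{ "Name": "PrimaryDomain", "Type": "string" }` entry and pick one of the `type`/`Type` columns. `"Hompage"` also looks like a typo for `Homepage`.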


@ -0,0 +1,65 @@
{
"Name": "BitSightCompanyRatings",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Beta",
"Type": "bool"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "CategoryOrder",
"Type": "real"
},
{
"Name": "DisplayURL",
"Type": "string"
},
{
"Name": "Grade",
"Type": "string"
},
{
"Name": "GradeColor",
"Type": "string"
},
{
"Name": "Name",
"Type": "string"
},
{
"Name": "Order",
"Type": "real"
},
{
"Name": "Percentile",
"Type": "real"
},
{
"Name": "Rating",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,37 @@
{
"Name": "BitSightDiligenceHistoricalStatistics",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Count",
"Type": "real"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "Date",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,73 @@
{
"Name": "BitSightDiligenceStatistics",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Unknown",
"Type": "real"
},
{
"Name": "Bad",
"Type": "real"
},
{
"Name": "Warn",
"Type": "real"
},
{
"Name": "Neutral",
"Type": "real"
},
{
"Name": "Fair",
"Type": "real"
},
{
"Name": "Good",
"Type": "real"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "SpearPhishing",
"Type": "real"
},
{
"Name": "BitFlip",
"Type": "real"
},
{
"Name": "TypographicalErrors",
"Type": "real"
},
{
"Name": "TLDVariant",
"Type": "real"
},
{
"Name": "TotalCount",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,125 @@
{
"Name": "BitSightFindingsData",
"Properties": [
{
"Name": "EventVendor",
"Type": "datetime"
},
{
"Name": "EventProduct",
"Type": "bool"
},
{
"Name": "Comments",
"Type": "string"
},
{
"Name": "PcapID",
"Type": "string"
},
{
"Name": "Duration",
"Type": "string"
},
{
"Name": "TemporaryId",
"Type": "string"
},
{
"Name": "AffectsRating",
"Type": "bool"
},
{
"Name": "Assets",
"Type": "string"
},
{
"Name": "Details",
"Type": "string"
},
{
"Name": "EvidenceKey",
"Type": "string"
},
{
"Name": "FirstSeen",
"Type": "string"
},
{
"Name": "LastSeen",
"Type": "string"
},
{
"Name": "RelatedFindings",
"Type": "string"
},
{
"Name": "RiskCategory",
"Type": "string"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "RiskVectorLabel",
"Type": "string"
},
{
"Name": "RolledupObservationId",
"Type": "string"
},
{
"Name": "Severity",
"Type": "int"
},
{
"Name": "SeverityCategory",
"Type": "string"
},
{
"Name": "Tags",
"Type": "string"
},
{
"Name": "AssetOverrides",
"Type": "string"
},
{
"Name": "AttributedCompanies",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "RemainingDecay",
"Type": "real"
},
{
"Name": "RemediationHistoryLastRequestedRefreshDate",
"Type": "string"
},
{
"Name": "RemediationHistoryLastRefreshStatusDate",
"Type": "string"
},
{
"Name": "RemediationHistoryLastRefreshStatusLabel",
"Type": "string"
},
{
"Name": "RemediationHistoryLastRefreshReasonCode",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
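Review bot: `EventVendor` is typed `"datetime"` and `EventProduct` is typed `"bool"`, while every other BitSight table in this commit declares both as `"string"`; vendor and product names will not coerce to those types, so these two columns would presumably be empty for every finding, which breaks any detection or workbook filtering on vendor/product. Change them to `{ "Name": "EventVendor", "Type": "string" }` and `{ "Name": "EventProduct", "Type": "string" }`.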


@ -0,0 +1,65 @@
{
"Name": "BitSightFindingsSummary",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Company",
"Type": "string"
},
{
"Name": "Confidence",
"Type": "string"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "EndDate",
"Type": "string"
},
{
"Name": "EventCount",
"Type": "real"
},
{
"Name": "FirstSeen",
"Type": "string"
},
{
"Name": "HostCount",
"Type": "real"
},
{
"Name": "Id",
"Type": "string"
},
{
"Name": "Name",
"Type": "string"
},
{
"Name": "Severity",
"Type": "string"
},
{
"Name": "StartDate",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,41 @@
{
"Name": "BitSightGraphData",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "RatingDate",
"Type": "string"
},
{
"Name": "Rating",
"Type": "real"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "RatingDifferance",
"Type": "real"
},
{
"Name": "percentage",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
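Review bot: `"RatingDifferance"` is misspelled and `"percentage"` breaks the PascalCase used by every other column in this and the sibling tables; both names become permanent schema once ingested, so they are cheapest to fix now. Suggested entries: `{ "Name": "RatingDifference", "Type": "real" }` and `{ "Name": "Percentage", "Type": "real" }`, with the producing connector updated to match.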


@ -0,0 +1,41 @@
{
"Name": "BitSightIndustrialStatistics",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Count",
"Type": "real"
},
{
"Name": "CountPeriod",
"Type": "string"
},
{
"Name": "AverageDurationDays",
"Type": "real"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,41 @@
{
"Name": "BitSightObservationStatistics",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Count",
"Type": "real"
},
{
"Name": "CountPeriod",
"Type": "string"
},
{
"Name": "AverageDurationDays",
"Type": "real"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,69 @@
{
"Name": "Breaches_data_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "GUID",
"Type": "string"
},
{
"Name": "Date",
"Type": "string"
},
{
"Name": "Severity",
"Type": "int"
},
{
"Name": "Text",
"Type": "string"
},
{
"Name": "DateCreated",
"Type": "string"
},
{
"Name": "PreviwURL",
"Type": "string"
},
{
"Name": "EventType",
"Type": "string"
},
{
"Name": "EventTypeDescription",
"Type": "string"
},
{
"Name": "BreachedCompanies",
"Type": "string"
},
{
"Name": "DependentCompanies",
"Type": "string"
},
{
"Name": "Companyname",
"Type": "string"
},
{
"Name": "CompanyGUID",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
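Review bot: This table repeats the `"PreviwURL"` and `"Companyname"` spellings seen in `BitSightBreaches`; the second one in particular diverges from the `CompanyName` casing used by the other BitSight tables and will force per-table aliasing in any cross-table query. If the names are corrected to `{ "Name": "PreviewURL", "Type": "string" }` and `{ "Name": "CompanyName", "Type": "string" }`, both files and the connector that emits them need the same change.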


@ -0,0 +1,209 @@
{
"Name": "Company_details_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "ComplianceClaimCertifications",
"Type": "string"
},
{
"Name": "ComplianceClaimTrustPage",
"Type": "string"
},
{
"Name": "PrimaryDomain",
"Type": "string"
},
{
"Name": "PrimaryCompanyName",
"Type": "string"
},
{
"Name": "AvailableUpgradeTypes",
"Type": "string"
},
{
"Name": "BulkEmailSenderStatus",
"Type": "string"
},
{
"Name": "CompanyFeatures",
"Type": "string"
},
{
"Name": "CustomerMonitoringCount",
"Type": "real"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "DisplayURL",
"Type": "string"
},
{
"Name": "GUID",
"Type": "string"
},
{
"Name": "HasCompanyTree",
"Type": "bool"
},
{
"Name": "HasPreferredContact",
"Type": "bool"
},
{
"Name": "Hompage",
"Type": "string"
},
{
"Name": "InSpmPortfolio",
"Type": "bool"
},
{
"Name": "Industry",
"Type": "string"
},
{
"Name": "IndustrySlug",
"Type": "string"
},
{
"Name": "Ipv4Count",
"Type": "real"
},
{
"Name": "IsBundle",
"Type": "bool"
},
{
"Name": "IsCsp",
"Type": "bool"
},
{
"Name": "IsMycompMysubsBundle",
"Type": "bool"
},
{
"Name": "IsPrimary",
"Type": "bool"
},
{
"Name": "IsUnsampledAllowed",
"Type": "bool"
},
{
"Name": "Name",
"Type": "string"
},
{
"Name": "PeopleCount",
"Type": "real"
},
{
"Name": "PermissionCanAnnotate",
"Type": "bool"
},
{
"Name": "PermissionCanDownloadCompanyReport",
"Type": "bool"
},
{
"Name": "PermissionCanEnableVendorAccess",
"Type": "bool"
},
{
"Name": "PermissionCanViewCompanyReports",
"Type": "bool"
},
{
"Name": "PermissionCanViewForensics",
"Type": "bool"
},
{
"Name": "PermissionCanViewInfrastructure",
"Type": "bool"
},
{
"Name": "PermissionCanViewIpAttributions",
"Type": "bool"
},
{
"Name": "PermissionCanViewServiceProviders",
"Type": "bool"
},
{
"Name": "PermissionsHasControl",
"Type": "bool"
},
{
"Name": "PrimaryDomain",
"Type": "string"
},
{
"Name": "RatingIndustryMedian",
"Type": "string"
},
{
"Name": "Ratings",
"Type": "string"
},
{
"Name": "RelatedCompanies",
"Type": "string"
},
{
"Name": "SearchCount",
"Type": "real"
},
{
"Name": "ServiceProvider",
"Type": "bool"
},
{
"Name": "Shortname",
"Type": "string"
},
{
"Name": "Sparkline",
"Type": "string"
},
{
"Name": "SubIndustry",
"Type": "string"
},
{
"Name": "SubIndustrySlug",
"Type": "string"
},
{
"Name": "SubscriptionType",
"Type": "string"
},
{
"Name": "SubscriptionTypeKey",
"Type": "string"
},
{
"Name": "type",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
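Review bot: `PrimaryDomain` is declared twice in this schema (third property, and again immediately after `PermissionsHasControl`); a validator that builds its column set as a dictionary keyed by name will either throw on the duplicate or silently keep one, so drop the second occurrence. `type` and `Type` are distinct columns to KQL, but `Type` is the implicit table-name column every Log Analytics table carries, so a custom lowercase `type` next to it is easy to confuse with it in rules — confirm the parser really emits `type` and, if it does, consider renaming it in the parser to something like `CompanyType`. `Hompage` looks like a typo for `Homepage`; keep it only if it matches the parser output.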


@ -0,0 +1,65 @@
{
"Name": "Company_rating_details_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Beta",
"Type": "bool"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "CategoryOrder",
"Type": "real"
},
{
"Name": "DisplayURL",
"Type": "string"
},
{
"Name": "Grade",
"Type": "string"
},
{
"Name": "GradeColor",
"Type": "string"
},
{
"Name": "Name",
"Type": "string"
},
{
"Name": "Order",
"Type": "real"
},
{
"Name": "Percentile",
"Type": "real"
},
{
"Name": "Rating",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}



@ -0,0 +1,17 @@
{
"Name": "CrowdStrike_Secondary_Data_CL",
"Properties": [
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "FolderName",
"Type": "String"
},
{
"Name": "AdditionalFields",
"Type": "Dynamic"
}
]
}
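Review bot: The type names in this schema are capitalised (`String`, `Dynamic`, `DateTime`) whereas every sibling schema added in this commit uses lowercase `string`/`real`/`bool` and reserves `DateTime` for `TimeGenerated`; unless the KQL validator normalises case when it maps these to KQL scalar types, `String` and `Dynamic` may not be recognised and `AdditionalFields` would then not validate as `dynamic`. Use the spelling the other files use, `"Type": "string"` and `"Type": "dynamic"`, so the convention stays uniform regardless of how the loader compares them.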


@ -0,0 +1,37 @@
{
"Name": "Diligence_historical_statistics_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Count",
"Type": "real"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "Date",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,73 @@
{
"Name": "Diligence_statistics_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Unknown",
"Type": "real"
},
{
"Name": "Bad",
"Type": "real"
},
{
"Name": "Warn",
"Type": "real"
},
{
"Name": "Neutral",
"Type": "real"
},
{
"Name": "Fair",
"Type": "real"
},
{
"Name": "Good",
"Type": "real"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "SpearPhishing",
"Type": "real"
},
{
"Name": "BitFlip",
"Type": "real"
},
{
"Name": "TypographicalErrors",
"Type": "real"
},
{
"Name": "TLDVariant",
"Type": "real"
},
{
"Name": "TotalCount",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,125 @@
{
"Name": "Findings_data_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "datetime"
},
{
"Name": "EventProduct",
"Type": "bool"
},
{
"Name": "Comments",
"Type": "string"
},
{
"Name": "PcapID",
"Type": "string"
},
{
"Name": "Duration",
"Type": "string"
},
{
"Name": "TemporaryId",
"Type": "string"
},
{
"Name": "AffectsRating",
"Type": "bool"
},
{
"Name": "Assets",
"Type": "string"
},
{
"Name": "Details",
"Type": "string"
},
{
"Name": "EvidenceKey",
"Type": "string"
},
{
"Name": "FirstSeen",
"Type": "string"
},
{
"Name": "LastSeen",
"Type": "string"
},
{
"Name": "RelatedFindings",
"Type": "string"
},
{
"Name": "RiskCategory",
"Type": "string"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "RiskVectorLabel",
"Type": "string"
},
{
"Name": "RolledupObservationId",
"Type": "string"
},
{
"Name": "Severity",
"Type": "int"
},
{
"Name": "SeverityCategory",
"Type": "string"
},
{
"Name": "Tags",
"Type": "string"
},
{
"Name": "AssetOverrides",
"Type": "string"
},
{
"Name": "AttributedCompanies",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "RemainingDecay",
"Type": "real"
},
{
"Name": "RemediationHistoryLastRequestedRefreshDate",
"Type": "string"
},
{
"Name": "RemediationHistoryLastRefreshStatusDate",
"Type": "string"
},
{
"Name": "RemediationHistoryLastRefreshStatusLabel",
"Type": "string"
},
{
"Name": "RemediationHistoryLastRefreshReasonCode",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
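Review bot: `EventVendor` is typed `datetime` and `EventProduct` is typed `bool` in the first two properties of this schema, while every other BitSight schema in this commit declares both as `string`; any rule that filters on `EventVendor == "BitSight"` or `EventProduct == "…"` will fail type validation against this file, and the validator is otherwise silently checking those columns against the wrong types. Change both to `"Type": "string"`. `Severity` is `int` here and `string` in `Findings_summary_CL`; whichever matches the ingested data, a query that joins or unions the two tables will need an explicit conversion, so it is worth aligning the two schemas now.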


@ -0,0 +1,65 @@
{
"Name": "Findings_summary_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Company",
"Type": "string"
},
{
"Name": "Confidence",
"Type": "string"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "EndDate",
"Type": "string"
},
{
"Name": "EventCount",
"Type": "real"
},
{
"Name": "FirstSeen",
"Type": "string"
},
{
"Name": "HostCount",
"Type": "real"
},
{
"Name": "Id",
"Type": "string"
},
{
"Name": "Name",
"Type": "string"
},
{
"Name": "Severity",
"Type": "string"
},
{
"Name": "StartDate",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
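Review bot: `Severity` is declared `string` here but `int` in `Findings_data_CL` and `Breaches_data_CL` from the same commit; if the BitSight API returns the same severity field in all three feeds, one of these schemas is wrong and a rule validated against it will not match the live table. Confirm the real column type and use the same declaration across the three files. `StartDate`, `EndDate` and `FirstSeen` as `string` follow the sibling files, but as there it means timestamp comparisons in rules are not type-checked.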


@ -0,0 +1,41 @@
{
"Name": "Graph_data_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "RatingDate",
"Type": "string"
},
{
"Name": "Rating",
"Type": "real"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "RatingDifferance",
"Type": "real"
},
{
"Name": "percentage",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}
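Review bot: `RatingDifferance` looks like a typo for `RatingDifference`, and `percentage` is the only lowercase column name in these schemas while everything else is PascalCase; both are repeated in the `BitSight`-named copy of this schema earlier in the commit. Since a schema column has to match what the parser emits, fix the name in the parser and in both schema files together, or leave all three untouched — changing only one copy would make the validator disagree with the parser.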


@ -0,0 +1,41 @@
{
"Name": "Industrial_statistics_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Count",
"Type": "real"
},
{
"Name": "CountPeriod",
"Type": "string"
},
{
"Name": "AverageDurationDays",
"Type": "real"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,41 @@
{
"Name": "Observation_statistics_CL",
"Properties": [
{
"Name": "EventVendor",
"Type": "string"
},
{
"Name": "EventProduct",
"Type": "string"
},
{
"Name": "Count",
"Type": "real"
},
{
"Name": "CountPeriod",
"Type": "string"
},
{
"Name": "AverageDurationDays",
"Type": "real"
},
{
"Name": "RiskVector",
"Type": "string"
},
{
"Name": "CompanyName",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
}
]
}


@ -0,0 +1,45 @@
{
"Name": "meraki_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "Message",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -10,13 +10,7 @@ namespace Kqlvalidations.Tests.FunctionSchemasLoaders
{
public IEnumerable<FunctionSchema> Load()
{
List<string> commonFunctionsYamlFiles = (new CommonFunctionsYamlFilesLoader()).GetFilesNames();
if (commonFunctionsYamlFiles.Count == 1 && commonFunctionsYamlFiles[0] == "NoFile.yaml")
{
return Enumerable.Empty<FunctionSchema>(); // Return an empty collection
}
List<string> commonFunctionsYamlFiles = (new CommonFunctionsYamlFilesLoader()).GetFilesNames(true);
return commonFunctionsYamlFiles.Select(GetFunction).ToList();
}
@ -29,7 +23,7 @@ namespace Kqlvalidations.Tests.FunctionSchemasLoaders
private FunctionSchema GetFunction(string fileName)
{
var deserializer = new DeserializerBuilder().Build();
var yaml = deserializer.Deserialize<Dictionary<string, object>> (File.ReadAllText(fileName));
var yaml = deserializer.Deserialize<Dictionary<string, object>>(File.ReadAllText(fileName));
return new FunctionSchema((string)yaml["EquivalentBuiltInFunction"], (string)yaml["FunctionQuery"], GetFunctionParameters(yaml));
}
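Review bot: With `GetFilesNames(true)` every `*.yaml` under the common-functions directories is now parsed on every run, so a single file missing `EquivalentBuiltInFunction` or `FunctionQuery` makes `GetFunction` throw a bare `KeyNotFoundException` (or `InvalidCastException` if the value is not a scalar) that does not name the offending file and takes the whole loader down instead of just that schema. Wrap the two lookups so the failure carries `fileName`, e.g. `catch (Exception ex) { throw new InvalidDataException($"{fileName}: invalid function schema", ex); }`. Dropping the `NoFile.yaml` sentinel check is safe only because the new `loadAllFiles` branch in `YamlFilesLoader` returns the directory scan directly and never produces that sentinel; a one-line comment saying so would stop someone from reinstating the guard.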


@ -46,12 +46,7 @@ namespace Kqlvalidations.Tests.FunctionSchemasLoaders
private IEnumerable<FunctionSchema> GetFunctions(Dictionary<string, List<Column>> schemaToResultColumnsMapping)
{
var parsersYamlFilesLoader = new ParsersYamlFilesLoader();
var parsersYamlFiles = parsersYamlFilesLoader.GetFilesNames();
if (parsersYamlFiles.Count == 1 && parsersYamlFiles[0] == "NoFile.yaml")
{
return Enumerable.Empty<FunctionSchema>(); // Return an empty collection
}
var parsersYamlFiles = parsersYamlFilesLoader.GetFilesNames(true);
return parsersYamlFiles.Select(fileName =>
{


@ -2588,31 +2588,11 @@
// Temporarily adding Analytic rules and hunting queries id's for TI KQL Validations - Start
{
"id": "85aca4d1-5d15-4001-abd9-acb86ca1786a",
"templateName": "DomainEntity_DnsEvents.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "b1832f60-6c3d-4722-a0a5-3d564ee61a63",
"templateName": "DomainEntity_imWebSession.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "ec21493c-2684-4acd-9bc2-696dbad72426",
"templateName": "DomainEntity_PaloAlto.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "87890d78-3e05-43ec-9ab9-ba32f4e01250",
"templateName": "DomainEntity_SecurityAlert.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa",
"templateName": "DomainEntity_Syslog.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "cca3b4d9-ac39-4109-8b93-65bb284003e6",
"templateName": "EmailEntity_AzureActivity.yaml",
@ -2668,51 +2648,11 @@
"templateName": "imDns_IPEntity_DnsEvents.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "f9949656-473f-4503-bf43-a9d9890f7d08",
"templateName": "IPEntity_AppServiceHTTPLogs.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "f110287e-1358-490d-8147-ed804b328514",
"templateName": "IPEntity_AWSCloudTrail.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "2441bce9-02e4-407b-8cc7-7d597f38b8b0",
"templateName": "IPEntity_AzureActivity.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "0b904747-1336-4363-8d84-df2710bfe5e7",
"templateName": "IPEntity_AzureFirewall.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "57c7e832-64eb-411f-8928-4133f01f4a25",
"templateName": "IPEntity_AzureKeyVault.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "a4025a76-6490-4e6b-bb69-d02be4b03f07",
"templateName": "IPEntity_AzureNetworkAnalytics.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85",
"templateName": "IPEntity_AzureSQL.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "66c81ae2-1f89-4433-be00-2fbbd9ba5ebe",
"templateName": "IPEntity_CustomSecurityLog.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "69b7723c-2889-469f-8b55-a2d355ed9c87",
"templateName": "IPEntity_DnsEvents.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "d23ed927-5be3-4902-a9c1-85f841eb4fa1",
"templateName": "IPEntity_DuoSecurity.yaml",
@ -2723,31 +2663,11 @@
"templateName": "IPEntity_imNetworkSession.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "e2559891-383c-4caf-ae67-55a008b9f89e",
"templateName": "IPEntity_imWebSession.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "f15370f4-c6fa-42c5-9be4-1d308f40284e",
"templateName": "IPEntity_OfficeActivity.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "f2eb15bd-8a88-4b24-9281-e133edfba315",
"templateName": "IPentity_SigninLogs.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "9713e3c0-1410-468d-b79e-383448434b2d",
"templateName": "IPEntity_VMConnection.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f",
"templateName": "IPEntity_W3CIISLog.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "35a0792a-1269-431e-ac93-7ae2980d4dde",
"templateName": "ProofpointPODEmailSenderInTIList.yaml",
@ -2842,6 +2762,51 @@
"id": "388e197d-ec9e-46b6-addb-947d74d2a5c4",
"templateName": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "0f872637-8817-44a0-bb9d-ceab3dbd4ecd",
"templateName": "Brute Force Attack against GitHub Account.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "9657ec20-e013-4cc5-bd45-a3d79dd38558",
"templateName": "Sign-in Burst from Multiple Locations.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "90b13e59-63fc-47e5-a19f-fbd9eaadab69",
"templateName": "(Preview) GitHub - Activities from Infrequent Country.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "9858b877-0045-4840-94c4-6a79f34c561b",
"templateName": "(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "c030bc9a-406f-4906-8315-8b53ee9c1a00",
"templateName": "CiscoASA-AvgAttackDetectRateIncrease.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "10c2b36f-8772-42d4-aa3e-041571cb3480",
"templateName": "CiscoASA-ThreatDetectionMessage.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "84476c34-5be4-4485-83ae-d15327a96512",
"templateName": "PaloAlto-NetworkBeaconing.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "ce97d55b-b6be-4a13-a23b-5a909ee2d87a",
"templateName": "PaloAlto-PortScanning.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
},
{
"id": "74786750-2e78-4cf2-800c-37ec3ffe310c",
"templateName": "PaloAlto-UnusualThreatSignatures.yaml",
"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"
}
// Temporarily adding Analytic rules and hunting queries id's for TI KQL Validations - End
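Review bot: The nine entries appended at the end of the block all carry `"validationFailReason": "Temporarily Added for Threat Intelligence KQL Queries validation"`, but `Brute Force Attack against GitHub Account.yaml`, `Sign-in Burst from Multiple Locations.yaml`, the two Cisco ASA and the three Palo Alto templates are not Threat Intelligence queries, so the reason appears to have been copied from the entries removed above. Each of these entries switches KQL validation off for a shipped detection rule, which is exactly the content where a schema regression should be caught; record the real failure and a tracking reference per entry, e.g. `"validationFailReason": "Skipped pending <issue>: <actual validation failure>"`, so the skip can be revisited. The surrounding "Temporarily adding … Start/End" markers and the array's closing bracket lie outside the hunk.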


@ -12,12 +12,20 @@ namespace Kqlvalidations.Tests
protected abstract List<string> GetDirectoryPaths();
public List<string> GetFilesNames()
//declare load all files on optional parameter loadAllFiles
public List<string> GetFilesNames(bool loadAllFiles=false)
{
if(loadAllFiles)
{
return GetDirectoryPaths()
.SelectMany(directoryPath => Directory.GetFiles(directoryPath, "*.yaml", SearchOption.AllDirectories))
.ToList();
}
int prNumber = 0;
int.TryParse(System.Environment.GetEnvironmentVariable("PRNUM"), out prNumber);
//assign pr number to debug with a pr
//prNumber=8414;
//prNumber=8595;
if (prNumber == 0)
{
Console.WriteLine("PR Number is not set. Running all tests");
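Review bot: The change swaps one commented-out debug assignment for another (`//prNumber=8414;` becomes `//prNumber=8595;`); dead debug code like this is easy to uncomment by accident and then pins every test run to a stale PR, so remove both lines instead of updating them. In the new `loadAllFiles` branch, `Directory.GetFiles` throws `DirectoryNotFoundException` if any path from `GetDirectoryPaths()` is absent, which would fail the whole suite on a missing optional directory — consider `.Where(Directory.Exists)` before the `SelectMany`, or document that every path is guaranteed to exist. The method body continues past the end of the hunk.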


@ -486,5 +486,14 @@
"a8f689e5-7f84-4658-b816-75aa94c8b833",
"a2b67846-d66b-4047-bc84-78bfc993d5f3",
"9699e4c9-dca9-404b-be0b-6e342dd31aff",
"6084abc3-c4be-47d0-86f5-3c20fea63cea"
"6084abc3-c4be-47d0-86f5-3c20fea63cea",
"0f872637-8817-44a0-bb9d-ceab3dbd4ecd",
"9657ec20-e013-4cc5-bd45-a3d79dd38558",
"90b13e59-63fc-47e5-a19f-fbd9eaadab69",
"9858b877-0045-4840-94c4-6a79f34c561b",
"c030bc9a-406f-4906-8315-8b53ee9c1a00",
"10c2b36f-8772-42d4-aa3e-041571cb3480",
"84476c34-5be4-4485-83ae-d15327a96512",
"ce97d55b-b6be-4a13-a23b-5a909ee2d87a",
"74786750-2e78-4cf2-800c-37ec3ffe310c"
]


@ -37,6 +37,7 @@
"BehaviorAnalytics",
"BeyondSecuritybeSECURE",
"Bitglass",
"BitSight",
"BlackberryCylancePROTECT",
"BloodHoundEnterprise",
"BoschAIShield",


@ -516,5 +516,14 @@
"9699e4c9-dca9-404b-be0b-6e342dd31aff",
"6084abc3-c4be-47d0-86f5-3c20fea63cea",
"cd8faa84-4464-4b4e-96dc-b22f50c27541",
"5533fe80-905e-49d5-889a-df27d2c3976d"
"5533fe80-905e-49d5-889a-df27d2c3976d",
"0f872637-8817-44a0-bb9d-ceab3dbd4ecd",
"9657ec20-e013-4cc5-bd45-a3d79dd38558",
"90b13e59-63fc-47e5-a19f-fbd9eaadab69",
"9858b877-0045-4840-94c4-6a79f34c561b",
"c030bc9a-406f-4906-8315-8b53ee9c1a00",
"10c2b36f-8772-42d4-aa3e-041571cb3480",
"84476c34-5be4-4485-83ae-d15327a96512",
"ce97d55b-b6be-4a13-a23b-5a909ee2d87a",
"74786750-2e78-4cf2-800c-37ec3ffe310c"
]


@ -199,5 +199,6 @@ export enum ConnectorCategory {
ThreatIntelligenceIndicator="ThreatIntelligenceIndicator",
MicrosoftPurviewInformationProtection="MicrosoftPurviewInformationProtection",
Dynamics365Activity="Dynamics365Activity",
CrowdstrikeReplicatorV2="CrowdstrikeReplicatorV2",
BloodHoundEnterprise="BloodHoundEnterprise"
}


@ -0,0 +1,526 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"id": {
"type": "string"
},
"title": {
"type": "string"
},
"publisher": {
"type": "string"
},
"descriptionMarkdown": {
"type": "string"
},
"additionalRequirementBanner": {
"type": "string"
},
"graphQueries": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"metricName": {
"type": "string"
},
"legend": {
"type": "string"
},
"baseQuery": {
"type": "string"
}
},
"required": [
"metricName",
"legend",
"baseQuery"
]
}
]
},
"sampleQueries": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"description": {
"type": "string"
},
"query": {
"type": "string"
}
},
"required": [
"description",
"query"
]
}
]
},
"dataTypes": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"lastDataReceivedQuery": {
"type": "string"
}
},
"required": [
"name",
"lastDataReceivedQuery"
]
}
]
},
"connectivityCriterias": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"type": {
"type": "string"
},
"value": {
"type": "array",
"items": [
{
"type": "string"
}
]
}
},
"required": [
"type",
"value"
]
}
]
},
"availability": {
"type": "object",
"properties": {
"status": {
"type": "integer"
},
"isPreview": {
"type": "boolean"
}
},
"required": [
"status",
"isPreview"
]
},
"permissions": {
"type": "object",
"properties": {
"resourceProvider": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"provider": {
"type": "string"
},
"permissionsDisplayText": {
"type": "string"
},
"providerDisplayName": {
"type": "string"
},
"scope": {
"type": "string"
},
"requiredPermissions": {
"type": "object",
"properties": {
"write": {
"type": "boolean"
},
"read": {
"type": "boolean"
},
"delete": {
"type": "boolean"
}
},
"required": [
"write",
"read",
"delete"
]
}
},
"required": [
"provider",
"permissionsDisplayText",
"providerDisplayName",
"scope",
"requiredPermissions"
]
},
{
"type": "object",
"properties": {
"provider": {
"type": "string"
},
"permissionsDisplayText": {
"type": "string"
},
"providerDisplayName": {
"type": "string"
},
"scope": {
"type": "string"
},
"requiredPermissions": {
"type": "object",
"properties": {
"action": {
"type": "boolean"
}
},
"required": [
"action"
]
}
},
"required": [
"provider",
"permissionsDisplayText",
"providerDisplayName",
"scope",
"requiredPermissions"
]
}
]
},
"customs": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"name",
"description"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"name",
"description"
]
}
]
}
},
"required": [
"resourceProvider",
"customs"
]
},
"instructionSteps": {
"type": "array",
"items": [
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
},
{
"type": "object",
"properties": {
"title": {
"type": "string"
},
"description": {
"type": "string"
}
},
"required": [
"title",
"description"
]
}
]
}
},
"required": [
"id",
"title",
"publisher",
"descriptionMarkdown",
"additionalRequirementBanner",
"graphQueries",
"sampleQueries",
"dataTypes",
"connectivityCriterias",
"availability",
"permissions",
"instructionSteps"
]
}
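Review bot: Every `items` in this schema uses the draft-04 tuple form (`"items": [ {...}, {...} ]`), which validates array elements by position and leaves any element beyond the listed count unconstrained unless `"additionalItems": false` is also set; as written, `dataTypes` is checked only for its first ten entries, `graphQueries`, `sampleQueries`, `connectivityCriterias` and `customs` only for the first one or two, and a connector whose eleventh data type lacks `lastDataReceivedQuery` passes validation. For `permissions.resourceProvider` the positional form also hard-codes that the first provider needs `write`/`read`/`delete` and the second needs `action`, so a valid connector that lists them in the opposite order is rejected. Replace each tuple with a single object schema (and a `oneOf` for the two `requiredPermissions` shapes) so every element is validated regardless of count or order; the `dataTypes` rewrite below shows the pattern.
```json
"dataTypes": {
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "name": { "type": "string" },
      "lastDataReceivedQuery": { "type": "string" }
    },
    "required": [ "name", "lastDataReceivedQuery" ]
  }
}
```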


@ -6,7 +6,7 @@ azure-functions==1.8.0
boto3==1.9.180
requests==2.31.0
adal==1.2.2
aiohttp==3.6.2
aiohttp==3.8.5
asn1crypto==0.24.0
azure-common==1.1.24
azure-core==1.21.0


@ -0,0 +1,11 @@
## 1.0.0
* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.
## 1.1.0
* Increase timeout for read/open connections to 120 seconds.
* Add error handling for when connection timeout occurs.
* Upgrade the rest-client dependency minimum version to 2.1.0 .
* Allow setting different proxy values for api connections.
* Upgrade version for ingestion api to 2023-01-01 .
* Rename the plugin to microsoft-sentinel-log-analytics-logstash-output-plugin.


@ -0,0 +1,234 @@
# Microsoft Sentinel output plugin for Logstash
Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.
You may send logs to custom or standard tables.
Plugin version: v1.1.0
Released on: 2023-07-23
This plugin is currently in development and is free to use. We welcome contributions from the open source community on this project, and we request and appreciate feedback from users.
## Steps to implement the output plugin
1) Install the plugin
2) Create a sample file
3) Create the required DCR-related resources
4) Configure Logstash configuration file
5) Basic logs transmission
## 1. Install the plugin
Microsoft Sentinel provides Logstash output plugin to Log analytics workspace using DCR based logs API.
Install the microsoft-sentinel-log-analytics-logstash-output-plugin, use [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
Microsoft Sentinel's Logstash output plugin supports the following versions
- Logstash 7 Between 7.0 and 7.17.10
- Logstash 8 Between 8.0 and 8.8.1
Please note that when using Logstash 8, it is recommended to disable ECS in the pipeline. For more information refer to [Logstash documentation.](<https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html>)
## 2. Create a sample file
To create a sample file, follow the following steps:
1) Copy the output plugin configuration below to your Logstash configuration file:
```
output {
microsoft-sentinel-log-analytics-logstash-output-plugin {
create_sample_file => true
sample_file_path => "<enter the path to the file in which the sample data will be written>" #for example: "c:\\temp" (for windows) or "/var/log" for Linux.
}
}
```
Note: make sure that the path exists before creating the sample file.
2) Start Logstash. The plugin will write up to 10 records to a sample file named "sampleFile<epoch seconds>.json" in the configured path
(for example: "c:\temp\sampleFile1648453501.json")
### Configurations:
The following parameters are optional and should be used to create a sample file.
- **create_sample_file** - Boolean, False by default. When enabled, up to 10 events will be written to a sample json file.
- **sample_file_path** - Number, Empty by default. Required when create_sample_file is enabled. Should include a valid path in which to place the sample file generated.
### Complete example
1. set the pipeline.conf with the following configuration:
```
input {
generator {
lines => [ "This is a test log message"]
count => 10
}
}
output {
microsoft-sentinel-log-analytics-logstash-output-plugin {
create_sample_file => true
sample_file_path => "<enter the path to the file in which the sample data will be written>" #for example: "c:\\temp" (for windows) or "/var/log" for Linux.
}
}
```
2. the following sample file will be generated:
```
[
{
"host": "logstashMachine",
"sequence": 0,
"message": "This is a test log message",
"ls_timestamp": "2022-10-29T13:19:28.116Z",
"ls_version": "1"
},
...
]
```
## 3. Create the required DCR-related resources
To configure Microsoft Sentinel Logstash plugin you first need to create the DCR-related resources. To create these resources, follow one of the following tutorials:
1) To ingest the data to a custom table use [Tutorial - Send custom logs to Azure Monitor Logs (preview) - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs>) tutorial. Note that as part of creating the table and the DCR you will need to provide the sample file that you've created in the previous section.
2) To ingest the data to a standard table like Syslog or CommonSecurityLog use [Tutorial - Send custom logs to Azure Monitor Logs using resource manager templates - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api>).
## 4. Configure Logstash configuration file
Use the tutorial from the previous section to retrieve the following attributes:
- **client_app_Id** - String, The 'Application (client) ID' value created in step #3 of the "Configure Application" section of the tutorial you used in the previous step.
- **client_app_secret** -String, The value of the client secret created in step #5 of the "Configure Application" section of the tutorial you used in the previous step.
- **tenant_id** - String, Your subscription's tenant id. You can find in the following path: Home -> Azure Active Directory -> Overview Under 'Basic Information'.
- **data_collection_endpoint** - String, - The value of the logsIngestion URI (see step #3 of the "Create data collection endpoint" section in Tutorial [Tutorial - Send custom logs to Azure Monitor Logs using resource manager templates - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api#create-data-collection-endpoint>).
- **dcr_immutable_id** - String, The value of the DCR immutableId (see the "Collect information from DCR" section in [Tutorial - Send custom logs to Azure Monitor Logs (preview) - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#collect-information-from-dcr>).
- **dcr_stream_name** - String, The name of the data stream (Go to the json view of the DCR as explained in the "Collect information from DCR" section in [Tutorial - Send custom logs to Azure Monitor Logs (preview) - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#collect-information-from-dcr>) and copy the value of the "dataFlows -> streams" property (see circled in red in the below example).
After retrieving the required values replace the output section of the Logstash configuration file created in the previous steps with the example below. Then, replace the strings in the brackets below with the corresponding values. Make sure you change the "create_sample_file" attribute to false.
Here is an example for the output plugin configuration section:
```
output {
microsoft-sentinel-log-analytics-logstash-output-plugin {
client_app_Id => "<enter your client_app_id value here>"
client_app_secret => "<enter your client_app_secret value here>"
tenant_id => "<enter your tenant id here>"
data_collection_endpoint => "<enter your DCE logsIngestion URI here>"
dcr_immutable_id => "<enter your DCR immutableId here>"
dcr_stream_name => "<enter your stream name here>"
create_sample_file=> false
sample_file_path => "c:\\temp"
}
}
```
### Optional configuration
- **key_names** – Array of strings, if you wish to send a subset of the columns to Log Analytics.
- **plugin_flush_interval** – Number, 5 by default. Defines the maximal time difference (in seconds) between sending two messages to Log Analytics.
- **retransmission_time** - Number, 10 by default. This will set the amount of time in seconds given for retransmitting messages once sending has failed.
- **compress_data** - Boolean, false by default. When this field is true, the event data is compressed before using the API. Recommended for high throughput pipelines
- **proxy** - String, Empty by default. Specify which proxy URL to use for API calls for all of the communications with Azure.
- **proxy_aad** - String, Empty by default. Specify which proxy URL to use for API calls for the Azure Active Directory service. Overrides the proxy setting.
- **proxy_endpoint** - String, Empty by default. Specify which proxy URL to use when sending log data to the endpoint. Overrides the proxy setting.
#### Note: When setting an empty string as a value for a proxy setting, it will unset any system wide proxy setting.
Security notice: We recommend not to implicitly state client_app_Id, client_app_secret, tenant_id, data_collection_endpoint, and dcr_immutable_id in your Logstash configuration for security reasons.
It is best to store this sensitive information in a Logstash KeyStore as described here- ['Secrets Keystore'](<https://www.elastic.co/guide/en/logstash/current/keystore.html>)
## 5. Basic logs transmission
Here is an example configuration that parses Syslog incoming data into a custom stream named "Custom-MyTableRawData".
### Example Configuration
- Using filebeat input pipe
```
input {
beats {
port => "5044"
}
}
filter {
}
output {
microsoft-sentinel-log-analytics-logstash-output-plugin {
client_app_Id => "619c1731-15ca-4403-9c61-xxxxxxxxxxxx"
client_app_secret => "xxxxxxxxxxxxxxxx"
tenant_id => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"
data_collection_endpoint => "https://my-customlogsv2-test-jz2a.eastus2-1.ingest.monitor.azure.com"
dcr_immutable_id => "dcr-xxxxxxxxxxxxxxxxac23b8978251433a"
dcr_stream_name => "Custom-MyTableRawData"
proxy_aad => "http://proxy.example.com"
}
}
```
- Or using the tcp input pipe
```
input {
tcp {
port => "514"
type => syslog #optional, will effect log type in table
}
}
filter {
}
output {
microsoft-sentinel-log-analytics-logstash-output-plugin {
client_app_Id => "619c1731-15ca-4403-9c61-xxxxxxxxxxxx"
client_app_secret => "xxxxxxxxxxxxxxxx"
tenant_id => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"
data_collection_endpoint => "https://my-customlogsv2-test-jz2a.eastus2-1.ingest.monitor.azure.com"
dcr_immutable_id => "dcr-xxxxxxxxxxxxxxxxac23b8978251433a"
dcr_stream_name => "Custom-MyTableRawData"
}
}
```
<u>Advanced Configuration</u>
```
input {
syslog {
port => 514
}
}
output {
microsoft-sentinel-log-analytics-logstash-output-plugin {
client_app_Id => "${CLIENT_APP_ID}"
client_app_secret => "${CLIENT_APP_SECRET}"
tenant_id => "${TENANT_ID}"
data_collection_endpoint => "${DATA_COLLECTION_ENDPOINT}"
dcr_immutable_id => "${DCR_IMMUTABLE_ID}"
dcr_stream_name => "Custom-MyTableRawData"
key_names => ['PRI','TIME_TAG','HOSTNAME','MSG']
}
}
```
Now you are able to run logstash with the example configuration and send mock data using the 'logger' command.
For example:
```
logger -p local4.warn --rfc3164 --tcp -t CEF "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example" -P 514 -d -n 127.0.0.1
```
Which will produce this content in the sample file:
```
[
{
"logsource": "logstashMachine",
"facility": 20,
"severity_label": "Warning",
"severity": 4,
"timestamp": "Apr 7 08:26:04",
"program": "CEF:",
"host": "127.0.0.1",
"facility_label": "local4",
"priority": 164,
"message": "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example",
"ls_timestamp": "2022-04-07T08:26:04.000Z",
"ls_version": "1"
}
]
```


@ -10,7 +10,7 @@ filter {
}
}
output {
microsoft-sentinel-logstash-output-plugin {
microsoft-sentinel-log-analytics-logstash-output-plugin {
client_app_Id => "${CLIENT_APP_ID}"
client_app_secret => "${CLIENT_APP_SECRET}"
tenant_id => "${TENANT_ID}"


@ -1,14 +1,14 @@
# encoding: utf-8
require "logstash/outputs/base"
require "logstash/namespace"
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel/sampleFileCreator"
require "logstash/sentinel/logsSender"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/sampleFileCreator"
require "logstash/sentinel_la/logsSender"
class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
config_name "microsoft-sentinel-logstash-output-plugin"
config_name "microsoft-sentinel-log-analytics-logstash-output-plugin"
# Stating that the output plugin will run in concurrent mode
concurrency :shared
@ -47,8 +47,14 @@ class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
# it this is set with amount_resizing=false --> each message will have max_items
config :max_items, :validate => :number, :default => 2000
# Setting proxy to be used for the Azure LogAnalytics REST client
config :proxy, :validate => :string, :default => ''
# Setting default proxy to be used for all communication with azure
config :proxy, :validate => :string
# Setting proxy_aad to be used for communicating with azure active directory service
config :proxy_aad, :validate => :string
# Setting proxy to be used for the LogAnalytics endpoint REST client
config :proxy_endpoint, :validate => :string
# This will set the amount of time given for retransmitting messages once sending is failed
config :retransmission_time, :validate => :number, :default => 10
@ -94,9 +100,10 @@ class LogStash::Outputs::MicrosoftSentinelOutput < LogStash::Outputs::Base
logstash_configuration.decrease_factor = @decrease_factor
logstash_configuration.amount_resizing = @amount_resizing
logstash_configuration.max_items = @max_items
logstash_configuration.proxy = @proxy
logstash_configuration.proxy_aad = @proxy_aad || @proxy || ENV['http_proxy']
logstash_configuration.proxy_endpoint = @proxy_endpoint || @proxy || ENV['http_proxy']
logstash_configuration.retransmission_time = @retransmission_time
return logstash_configuration
end # def build_logstash_configuration
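Review bot: The fallback in `logstash_configuration.proxy_aad = @proxy_aad || @proxy || ENV['http_proxy']` (and the `proxy_endpoint` line below it) consults only `http_proxy`, yet both targets, the AAD token endpoint and the data collection endpoint, are `https://` URLs, so a host configured only through `https_proxy`/`HTTPS_PROXY` will, as I read it, bypass the proxy and send the client-credential request directly. Passing the resulting `nil` as the per-request `proxy:` option also appears to replace rest-client's own environment lookup rather than defer to it, so these two lines are the only place the environment is honoured. I would widen the fallback to `env_proxy = ENV['https_proxy'] || ENV['HTTPS_PROXY'] || ENV['http_proxy']` and use it on both lines, and state in the `:proxy` config comment that an explicit `''` wins over the environment, since the documented "empty string unsets the proxy" behaviour relies on `''` being truthy here. The enclosing `build_logstash_configuration` starts outside the hunk.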


@ -1,5 +1,5 @@
# encoding: utf-8
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
module LogStash
module Outputs


@ -1,5 +1,5 @@
# encoding: utf-8
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require 'rest-client'
require 'json'
require 'openssl'
@ -9,16 +9,17 @@ require 'time'
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
class LogAnalyticsAadTokenProvider
def initialize (logstashLoganalyticsConfiguration)
set_proxy(logstashLoganalyticsConfiguration.proxy)
scope = CGI.escape("https://monitor.azure.com//.default")
@aad_uri = "https://login.microsoftonline.com"
@token_request_body = sprintf("client_id=%s&scope=%s&client_secret=%s&grant_type=client_credentials", logstashLoganalyticsConfiguration.client_app_Id, scope, logstashLoganalyticsConfiguration.client_app_secret)
@token_request_uri = sprintf("https://login.microsoftonline.com/%s/oauth2/v2.0/token", logstashLoganalyticsConfiguration.tenant_id)
@token_request_uri = sprintf("%s/%s/oauth2/v2.0/token",@aad_uri, logstashLoganalyticsConfiguration.tenant_id)
@token_state = {
:access_token => nil,
:expiry_time => nil,
:token_details_mutex => Mutex.new,
}
@logger = logstashLoganalyticsConfiguration.logger
@logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
end # def initialize
# Public methods
@ -59,19 +60,23 @@ class LogAnalyticsAadTokenProvider
# Post the given json to Azure Loganalytics
def post_token_request()
# Create REST request header
header = get_header()
begin
headers = get_header()
while true
begin
# Post REST request
response = RestClient.post(@token_request_uri, @token_request_body, header)
response = RestClient::Request.execute(method: :post, url: @token_request_uri, payload: @token_request_body, headers: headers,
proxy: @logstashLoganalyticsConfiguration.proxy_aad)
if (response.code == 200 || response.code == 201)
return JSON.parse(response.body)
else
@logger.trace("Rest client response from ADD API ['#{response}']")
raise ("Failed to get AAD token: http code " + response.code.to_s)
end
rescue RestClient::ExceptionWithResponse => ewr
@logger.trace("Rest client response from ADD API ['#{ewr.response}']")
raise ("Failed to get AAD token: http code " + ewr.response.code.to_s)
rescue RestClient::ExceptionWithResponse => ewr
@logger.error("Exception while authenticating with AAD API ['#{ewr.response}']")
rescue Exception => ex
@logger.trace("Exception while authenticating with AAD API ['#{ex}']")
end
@logger.error("Error while authenticating with AAD ('#{@aad_uri}'), retrying in 10 seconds.")
sleep 10
end
end # def post_token_request
@ -82,12 +87,5 @@ class LogAnalyticsAadTokenProvider
}
end # def get_header
# Setting proxy for the REST client.
# This option is not used in the output plugin and will be used
#
def set_proxy(proxy='')
RestClient.proxy = proxy.empty? ? ENV['http_proxy'] : proxy
end # def set_proxy
end # end of class
end ;end ;end
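Review bot: `post_token_request` now loops `while true` and `rescue Exception => ex` swallows every failure, so a permanent error such as a wrong `client_app_secret` or `tenant_id` (a deterministic 400/401 from AAD) is retried every 10 seconds forever, and because `Exception` also covers `Interrupt` and `SystemExit` a shutdown that arrives during the `sleep 10` can be absorbed by the loop. The previous version raised on the first failure, so callers that relied on seeing an error no longer get one. I would narrow to `rescue StandardError => ex`, re-raise when `ewr.response.code` is 400 or 401 while keeping the retry for 5xx and timeouts, and reuse the configured `retransmission_time` instead of a hard-coded `sleep 10`. `@token_request_body` carries the client secret, so keep it out of the new error and trace lines as the hunk currently does.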


@ -1,5 +1,5 @@
# encoding: utf-8
require "logstash/sentinel/version"
require "logstash/sentinel_la/version"
require 'rest-client'
require 'json'
require 'openssl'
@ -9,16 +9,16 @@ require 'rbconfig'
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
class LogAnalyticsClient
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel/logAnalyticsAadTokenProvider"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/logAnalyticsAadTokenProvider"
def initialize (logstashLoganalyticsConfiguration)
@logstashLoganalyticsConfiguration = logstashLoganalyticsConfiguration
@logger = @logstashLoganalyticsConfiguration.logger
set_proxy(@logstashLoganalyticsConfiguration.proxy)
la_api_version = "2021-11-01-preview"
la_api_version = "2023-01-01"
@uri = sprintf("%s/dataCollectionRules/%s/streams/%s?api-version=%s",@logstashLoganalyticsConfiguration.data_collection_endpoint, @logstashLoganalyticsConfiguration.dcr_immutable_id, logstashLoganalyticsConfiguration.dcr_stream_name, la_api_version)
@aadTokenProvider=LogAnalyticsAadTokenProvider::new(logstashLoganalyticsConfiguration)
@userAgent = getUserAgent()
@ -29,11 +29,12 @@ require "logstash/sentinel/logAnalyticsAadTokenProvider"
raise ConfigError, 'no json_records' if body.empty?
# Create REST request header
header = get_header()
headers = get_header()
# Post REST request
response = RestClient.post(@uri, body, header)
return response
return RestClient::Request.execute(method: :post, url: @uri, payload: body, headers: headers,
proxy: @logstashLoganalyticsConfiguration.proxy_endpoint, timeout: 120)
end # def post_data
# Static function to return if the response is OK or else
@ -63,12 +64,6 @@ require "logstash/sentinel/logAnalyticsAadTokenProvider"
return headers
end # def get_header
# Setting proxy for the REST client.
# This option is not used in the output plugin and will be used
def set_proxy(proxy='')
RestClient.proxy = proxy.empty? ? ENV['http_proxy'] : proxy
end # def set_proxy
def ruby_agent_version()
case RUBY_ENGINE
when 'jruby'


@ -1,8 +1,8 @@
# encoding: utf-8
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel/customSizeBasedBuffer"
require "logstash/sentinel/logStashEventsBatcher"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/customSizeBasedBuffer"
require "logstash/sentinel_la/logStashEventsBatcher"
# LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
# The buffer resize itself according to Azure Loganalytics and configuration limitations


@ -1,8 +1,8 @@
# encoding: utf-8
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel/customSizeBasedBuffer"
require "logstash/sentinel/logStashEventsBatcher"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/customSizeBasedBuffer"
require "logstash/sentinel_la/logStashEventsBatcher"
require 'zlib'
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal


@ -1,7 +1,7 @@
# encoding: utf-8
require "logstash/sentinel/logAnalyticsClient"
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/logAnalyticsClient"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
# LogStashAutoResizeBuffer class setting a resizable buffer which is flushed periodically
# The buffer resize itself according to Azure Loganalytics and configuration limitations
@ -46,6 +46,7 @@ class LogStashEventsBatcher
force_retry = false
# Retry logic:
# 400 bad request or general exceptions are dropped
# 408 reqeust timeout and client timeout (open/read) will retry the current message
# 429 (too many requests) are retried forever
# All other http errors are retried for total every of @logstashLoganalyticsConfiguration.RETRANSMISSION_DELAY until @logstashLoganalyticsConfiguration.retransmission_time seconds passed
begin
@ -53,21 +54,28 @@ class LogStashEventsBatcher
response = @client.post_data(call_payload)
if LogAnalyticsClient.is_successfully_posted(response)
@logger.info("Successfully posted #{amount_of_documents} logs into log analytics DCR stream [#{@logstashLoganalyticsConfiguration.dcr_stream_name}].")
request_id = get_request_id_from_response(response)
@logger.info("Successfully posted #{amount_of_documents} logs into log analytics DCR stream [#{@logstashLoganalyticsConfiguration.dcr_stream_name}] x-ms-request-id [#{request_id}].")
return
else
@logger.error("#{api_name} request failed. Error code: #{response.code} #{try_get_info_from_error_response(response)}")
@logger.trace("Rest client response ['#{response}']")
@logger.error("#{api_name} request failed. Error code: #{response.code} #{try_get_info_from_error_response(response)}")
end
rescue RestClient::Exceptions::Timeout => eto
@logger.trace("Timeout exception ['#{eto.display}'] when posting data to #{api_name}. Rest client response ['#{eto.response.display}']. [amount_of_documents=#{amount_of_documents}]")
@logger.error("Timeout exception while posting data to #{api_name}. [Exception: '#{eto}'] [amount of documents=#{amount_of_documents}]'")
force_retry = true
rescue RestClient::ExceptionWithResponse => ewr
response = ewr.response
@logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
@logger.trace("Exception in posting data to #{api_name}. Rest client response ['#{ewr.response}']. [amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception when posting data to #{api_name}. [Exception: '#{ewr}'] #{try_get_info_from_error_response(ewr.response)} [amount of documents=#{amount_of_documents}]'")
if ewr.http_code.to_f == 400
@logger.info("Not trying to resend since exception http code is #{ewr.http_code}")
return
elsif ewr.http_code.to_f == 408
force_retry = true
elsif ewr.http_code.to_f == 429
# thrutteling detected, backoff before resending
parsed_retry_after = response.headers.include?(:retry_after) ? response.headers[:retry_after].to_i : 0
@ -77,8 +85,8 @@ class LogStashEventsBatcher
force_retry = true
end
rescue Exception => ex
@logger.error("Exception in posting data to #{api_name}. [Exception: '#{ex}, amount of documents=#{amount_of_documents}]'")
@logger.trace("Exception in posting data to #{api_name}.[amount_of_documents=#{amount_of_documents} request payload=#{call_payload}]")
@logger.error("Exception in posting data to #{api_name}. [Exception: '#{ex}, amount of documents=#{amount_of_documents}]'")
end
is_retry = true
@logger.info("Retrying transmission to #{api_name} in #{seconds_to_sleep} seconds.")
@ -99,17 +107,35 @@ class LogStashEventsBatcher
end
end
def get_request_id_from_response(response)
output =""
begin
if !response.nil? && response.headers.include?(:x_ms_request_id)
output += response.headers[:x_ms_request_id]
end
rescue Exception => ex
@logger.debug("Error while getting reqeust id from success response headers: #{ex.display}")
end
return output
end
# Try to get the values of the x-ms-error-code and x-ms-request-id headers and content of body, decorate it for printing
def try_get_info_from_error_response(response)
output = ""
if response.headers.include?(:x_ms_error_code)
output += " [ms-error-code header: #{response.headers[:x_ms_error_code]}]"
begin
output = ""
if !response.nil?
if response.headers.include?(:x_ms_error_code)
output += " [ms-error-code header: #{response.headers[:x_ms_error_code]}]"
end
if response.headers.include?(:x_ms_request_id)
output += " [x-ms-request-id header: #{response.headers[:x_ms_request_id]}]"
end
end
return output
rescue Exception => ex
@logger.debug("Error while getting reqeust id from headers: #{ex.display}")
return " [response content: #{response.to_s}]"
end
if response.headers.include?(:x_ms_request_id)
output += " [x-ms-request-id header: #{response.headers[:x_ms_request_id]}]"
end
output += " [Response body: #{response.body}]"
return output
end
end
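Review bot: In `try_get_info_from_error_response` the new rescue branch returns `" [response content: #{response.to_s}]"`, which on a rest-client response is the whole body, so the one path that trips on an unexpected header shape emits at error level exactly the `[Response body: …]` text the rewrite otherwise removes, and `rescue Exception` (also used in `get_request_id_from_response`) will catch `Interrupt` while doing so. I would use `rescue StandardError => ex` in both helpers and have the fallback report only the status, e.g. `return " [response code: #{response.respond_to?(:code) ? response.code : 'n/a'}]"`. The two debug messages also misspell "request" as `reqeust`. Both helpers are complete in the hunk; the retry loop that calls them starts outside it.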


@ -1,8 +1,8 @@
# encoding: utf-8
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel/eventsHandler"
require "logstash/sentinel/logStashAutoResizeBuffer"
require "logstash/sentinel/logStashCompressedStream"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/eventsHandler"
require "logstash/sentinel_la/logStashAutoResizeBuffer"
require "logstash/sentinel_la/logStashCompressedStream"
module LogStash; module Outputs; class MicrosoftSentinelOutputInternal
class LogsSender < EventsHandler


@ -9,9 +9,9 @@ class LogstashLoganalyticsOutputConfiguration
@dcr_immutable_id = dcr_immutable_id
@dcr_stream_name = dcr_stream_name
@logger = logger
@compress_data = compress_data
@create_sample_file = create_sample_file
@sample_file_path = sample_file_path
@compress_data = compress_data
@create_sample_file = create_sample_file
@sample_file_path = sample_file_path
# Delay between each resending of a message
@RETRANSMISSION_DELAY = 2
@ -76,9 +76,9 @@ class LogstashLoganalyticsOutputConfiguration
def print_missing_parameter_message_and_raise(param_name)
@logger.error("Missing a required setting for the microsoft-sentinel-logstash-output-plugin output plugin:
@logger.error("Missing a required setting for the microsoft-sentinel-log-analytics-logstash-output-plugin output plugin:
output {
microsoft-sentinel-logstash-output-plugin {
microsoft-sentinel-log-analytics-logstash-output-plugin {
#{param_name} => # SETTING MISSING
...
}
@ -103,8 +103,12 @@ class LogstashLoganalyticsOutputConfiguration
@retransmission_time
end
def proxy
@proxy
def proxy_aad
@proxy_aad
end
def proxy_endpoint
@proxy_endpoint
end
def logger
@ -179,8 +183,12 @@ class LogstashLoganalyticsOutputConfiguration
@max_items = new_max_items
end
def proxy=(new_proxy)
@proxy = new_proxy
def proxy_aad=(new_proxy_aad)
@proxy_aad = new_proxy_aad
end
def proxy_endpoint=(new_proxy_endpoint)
@proxy_endpoint = new_proxy_endpoint
end
def retransmission_time=(new_retransmission_time)


@ -1,6 +1,6 @@
# encoding: utf-8
require "logstash/sentinel/logstashLoganalyticsConfiguration"
require "logstash/sentinel/eventsHandler"
require "logstash/sentinel_la/logstashLoganalyticsConfiguration"
require "logstash/sentinel_la/eventsHandler"
module LogStash
module Outputs


@ -1,6 +1,6 @@
module LogStash; module Outputs;
class MicrosoftSentinelOutputInternal
VERSION_INFO = [1, 0, 0].freeze
VERSION_INFO = [1, 1, 0].freeze
VERSION = VERSION_INFO.map(&:to_s).join('.').freeze
def self.version


@ -1,7 +1,7 @@
require File.expand_path('../lib/logstash/sentinel/version', __FILE__)
require File.expand_path('../lib/logstash/sentinel_la/version', __FILE__)
Gem::Specification.new do |s|
s.name = 'microsoft-sentinel-logstash-output-plugin'
s.name = 'microsoft-sentinel-log-analytics-logstash-output-plugin'
s.version = LogStash::Outputs::MicrosoftSentinelOutputInternal::VERSION
s.authors = ["Microsoft Sentinel"]
s.email = 'AzureSentinel@microsoft.com'
@ -20,7 +20,7 @@ Gem::Specification.new do |s|
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "output" }
# Gem dependencies
s.add_runtime_dependency "rest-client", ">= 1.8.0"
s.add_runtime_dependency "rest-client", ">= 2.1.0"
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
s.add_runtime_dependency "logstash-codec-plain"
s.add_development_dependency "logstash-devutils"
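Review bot: `s.add_runtime_dependency "rest-client", ">= 2.1.0"` raises the floor but leaves no ceiling, so the next major release of rest-client would be pulled in automatically; the rewritten clients depend on the per-request `proxy:` and `timeout:` keyword options of `RestClient::Request.execute`, which is exactly the kind of API surface a major bump may change. I would use the pessimistic constraint `s.add_runtime_dependency "rest-client", "~> 2.1"` so only 2.x is accepted, mirroring the upper bound already placed on `logstash-core-plugin-api` on the next line.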


@ -1,2 +0,0 @@
## 1.0.0
* Initial release for output plugin for logstash to Microsoft Sentinel. This is done with the Log Analytics DCR based API.


@ -1,230 +1,3 @@
# Microsoft Sentinel output plugin for Logstash
Microsoft Sentinel provides a new output plugin for Logstash. Use this output plugin to send any log via Logstash to the Microsoft Sentinel/Log Analytics workspace. This is done with the Log Analytics DCR-based API.
You may send logs to custom or standard tables.
Plugin version: v1.0.0
Released on: 2022-11-14
This plugin is currently in development and is free to use. We welcome contributions from the open source community on this project, and we request and appreciate feedback from users.
## Steps to implement the output plugin
1) Install the plugin
2) Create a sample file
3) Create the required DCR-related resources
4) Configure Logstash configuration file
5) Basic logs transmission
## 1. Install the plugin
Microsoft Sentinel provides Logstash output plugin to Log analytics workspace using DCR based logs API.
Install the microsoft-sentinel-logstash-output-plugin, use [Logstash Offline Plugin Management instruction](<https://www.elastic.co/guide/en/logstash/current/offline-plugins.html>).
Microsoft Sentinel's Logstash output plugin supports the following versions
- Logstash 7 Between 7.0 and 7.17.10
- Logstash 8 Between 8.0 and 8.8.1
Please note that when using Logstash 8, it is recommended to disable ECS in the pipeline. For more information refer to [Logstash documentation.](<https://www.elastic.co/guide/en/logstash/8.4/ecs-ls.html>)
## 2. Create a sample file
To create a sample file, follow the following steps:
1) Copy the output plugin configuration below to your Logstash configuration file:
```
output {
microsoft-sentinel-logstash-output-plugin {
create_sample_file => true
sample_file_path => "<enter the path to the file in which the sample data will be written>" #for example: "c:\\temp" (for windows) or "/var/log" for Linux.
}
}
```
Note: make sure that the path exists before creating the sample file.
2) Start Logstash. The plugin will write up to 10 records to a sample file named "sampleFile<epoch seconds>.json" in the configured path
(for example: "c:\temp\sampleFile1648453501.json")
### Configurations:
The following parameters are optional and should be used to create a sample file.
- **create_sample_file** - Boolean, False by default. When enabled, up to 10 events will be written to a sample json file.
- **sample_file_path** - Number, Empty by default. Required when create_sample_file is enabled. Should include a valid path in which to place the sample file generated.
### Complete example
1. set the pipeline.conf with the following configuration:
```
input {
generator {
lines => [ "This is a test log message"]
count => 10
}
}
output {
microsoft-sentinel-logstash-output-plugin {
create_sample_file => true
sample_file_path => "<enter the path to the file in which the sample data will be written>" #for example: "c:\\temp" (for windows) or "/var/log" for Linux.
}
}
```
2. the following sample file will be generated:
```
[
{
"host": "logstashMachine",
"sequence": 0,
"message": "This is a test log message",
"ls_timestamp": "2022-10-29T13:19:28.116Z",
"ls_version": "1"
},
...
]
```
## 3. Create the required DCR-related resources
To configure Microsoft Sentinel Logstash plugin you first need to create the DCR-related resources. To create these resources, follow one of the following tutorials:
1) To ingest the data to a custom table use [Tutorial - Send custom logs to Azure Monitor Logs (preview) - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs>) tutorial. Note that as part of creating the table and the DCR you will need to provide the sample file that you've created in the previous section.
2) To ingest the data to a standard table like Syslog or CommonSecurityLog use [Tutorial - Send custom logs to Azure Monitor Logs using resource manager templates - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api>).
## 4. Configure Logstash configuration file
Use the tutorial from the previous section to retrieve the following attributes:
- **client_app_Id** - String, The 'Application (client) ID' value created in step #3 of the "Configure Application" section of the tutorial you used in the previous step.
- **client_app_secret** -String, The value of the client secret created in step #5 of the "Configure Application" section of the tutorial you used in the previous step.
- **tenant_id** - String, Your subscription's tenant id. You can find in the following path: Home -> Azure Active Directory -> Overview Under 'Basic Information'.
- **data_collection_endpoint** - String, - The value of the logsIngestion URI (see step #3 of the "Create data collection endpoint" section in Tutorial [Tutorial - Send custom logs to Azure Monitor Logs using resource manager templates - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs-api#create-data-collection-endpoint>).
- **dcr_immutable_id** - String, The value of the DCR immutableId (see the "Collect information from DCR" section in [Tutorial - Send custom logs to Azure Monitor Logs (preview) - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#collect-information-from-dcr>).
- **dcr_stream_name** - String, The name of the data stream (Go to the json view of the DCR as explained in the "Collect information from DCR" section in [Tutorial - Send custom logs to Azure Monitor Logs (preview) - Azure Monitor | Microsoft Docs](<https://docs.microsoft.com/azure/azure-monitor/logs/tutorial-custom-logs#collect-information-from-dcr>) and copy the value of the "dataFlows -> streams" property (see circled in red in the below example).
After retrieving the required values replace the output section of the Logstash configuration file created in the previous steps with the example below. Then, replace the strings in the brackets below with the corresponding values. Make sure you change the "create_sample_file" attribute to false.
Here is an example for the output plugin configuration section:
```
output {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "<enter your client_app_id value here>"
client_app_secret => "<enter your client_app_secret value here>"
tenant_id => "<enter your tenant id here>"
data_collection_endpoint => "<enter your DCE logsIngestion URI here>"
dcr_immutable_id => "<enter your DCR immutableId here>"
dcr_stream_name => "<enter your stream name here>"
create_sample_file=> false
sample_file_path => "c:\\temp"
}
}
```
### Optional configuration
- **key_names** – Array of strings, if you wish to send a subset of the columns to Log Analytics.
- **plugin_flush_interval** – Number, 5 by default. Defines the maximal time difference (in seconds) between sending two messages to Log Analytics.
- **retransmission_time** - Number, 10 by default. This will set the amount of time in seconds given for retransmitting messages once sending has failed.
- **compress_data** - Boolean, false by default. When this field is true, the event data is compressed before using the API. Recommended for high throughput pipelines
- **proxy** - String, Empty by default. Specify which proxy URL to use for all API calls.
Security notice: We recommend not to implicitly state client_app_Id, client_app_secret, tenant_id, data_collection_endpoint, and dcr_immutable_id in your Logstash configuration for security reasons.
It is best to store this sensitive information in a Logstash KeyStore as described here- ['Secrets Keystore'](<https://www.elastic.co/guide/en/logstash/current/keystore.html>)
## 5. Basic logs transmission
Here is an example configuration that parses Syslog incoming data into a custom stream named "Custom-MyTableRawData".
### Example Configuration
- Using filebeat input pipe
```
input {
beats {
port => "5044"
}
}
filter {
}
output {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "619c1731-15ca-4403-9c61-xxxxxxxxxxxx"
client_app_secret => "xxxxxxxxxxxxxxxx"
tenant_id => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"
data_collection_endpoint => "https://my-customlogsv2-test-jz2a.eastus2-1.ingest.monitor.azure.com"
dcr_immutable_id => "dcr-xxxxxxxxxxxxxxxxac23b8978251433a"
dcr_stream_name => "Custom-MyTableRawData"
proxy => "http://proxy.example.com"
}
}
```
- Or using the tcp input pipe
```
input {
tcp {
port => "514"
type => syslog #optional, will effect log type in table
}
}
filter {
}
output {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "619c1731-15ca-4403-9c61-xxxxxxxxxxxx"
client_app_secret => "xxxxxxxxxxxxxxxx"
tenant_id => "72f988bf-86f1-41af-91ab-xxxxxxxxxxxx"
data_collection_endpoint => "https://my-customlogsv2-test-jz2a.eastus2-1.ingest.monitor.azure.com"
dcr_immutable_id => "dcr-xxxxxxxxxxxxxxxxac23b8978251433a"
dcr_stream_name => "Custom-MyTableRawData"
}
}
```
<u>Advanced Configuration</u>
```
input {
syslog {
port => 514
}
}
output {
microsoft-sentinel-logstash-output-plugin {
client_app_Id => "${CLIENT_APP_ID}"
client_app_secret => "${CLIENT_APP_SECRET}"
tenant_id => "${TENANT_ID}"
data_collection_endpoint => "${DATA_COLLECTION_ENDPOINT}"
dcr_immutable_id => "${DCR_IMMUTABLE_ID}"
dcr_stream_name => "Custom-MyTableRawData"
key_names => ['PRI','TIME_TAG','HOSTNAME','MSG']
}
}
```
Now you are able to run logstash with the example configuration and send mock data using the 'logger' command.
For example:
```
logger -p local4.warn --rfc3164 --tcp -t CEF "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example" -P 514 -d -n 127.0.0.1
```
Which will produce this content in the sample file:
```
[
{
"logsource": "logstashMachine",
"facility": 20,
"severity_label": "Warning",
"severity": 4,
"timestamp": "Apr 7 08:26:04",
"program": "CEF:",
"host": "127.0.0.1",
"facility_label": "local4",
"priority": 164,
"message": "0|Microsoft|Device|cef-test|example|data|1|here is some more data for the example",
"ls_timestamp": "2022-04-07T08:26:04.000Z",
"ls_version": "1"
}
]
```
The plugin was renamed to microsoft-sentinel-log-analytics-logstash-output-plugin and information about it can be located [here.](<DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md>)


@ -0,0 +1,5 @@
id: c030bc9a-406f-4906-8315-8b53ee9c1a00
name: Cisco ASA - average attack detection rate increase
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoASA/Analytic%20Rules/CiscoASA-AvgAttackDetectRateIncrease.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 10c2b36f-8772-42d4-aa3e-041571cb3480
name: Cisco ASA - threat detection message fired
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoASA/Analytic%20Rules/CiscoASA-ThreatDetectionMessage.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 84476c34-5be4-4485-83ae-d15327a96512
name: Palo Alto - potential beaconing detected
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic%20Rules/PaloAlto-NetworkBeaconing.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: ce97d55b-b6be-4a13-a23b-5a909ee2d87a
name: Palo Alto - possible internal to external port scanning
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic%20Rules/PaloAlto-PortScanning.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 74786750-2e78-4cf2-800c-37ec3ffe310c
name: Palo Alto Threat signatures from Unusual IP addresses
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAlto-PAN-OS/Analytic%20Rules/PaloAlto-UnusualThreatSignatures.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 90b13e59-63fc-47e5-a19f-fbd9eaadab69
name: GitHub Activites from a New Country
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic%20Rules/(Preview)%20GitHub%20-%20Activities%20from%20Infrequent%20 Country.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 9858b877-0045-4840-94c4-6a79f34c561b
name: GitHub Two Factor Auth Disable
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic%20Rules/(Preview)%20GitHub%20-%20Two%20Factor%20Authentication%20 Disabled%20in%20GitHub.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 0f872637-8817-44a0-bb9d-ceab3dbd4ecd
name: Brute Force Attack against GitHub Account
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml'
version: 1.0.0


@ -0,0 +1,5 @@
id: 9657ec20-e013-4cc5-bd45-a3d79dd38558
name: GitHub Signin Burst from Multiple Locations
description: |
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Sign-in%20Burst%20from%20Multiple%20 Locations.yaml'
version: 1.0.0


@ -3,11 +3,18 @@ name: Login attempts using Legacy Auth
description: |
'This query over Azure AD sign-in activity highlights use of legacy authentication protocol in the
environment. Because conditional access policies are not evaluated when legacy authentication is used,
legacy authentication can be used to circumvent all Azure Conditional Access policies.'
legacy authentication can be used to circumvent all Azure Conditional Access policies.
This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
- Persistence
@ -16,6 +23,7 @@ relevantTechniques:
- T1098
query: |
let riskScoreCutoff = 20; //Adjust this based on volume of results
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime-starttime)*7);
@ -41,18 +49,48 @@ query: |
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), AttemptCount = count()
by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString
| sort by AttemptCount desc nulls last
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
| extend timestamp = StartTime, UserPrincipalName = tolower(UserPrincipalName), Account_0_Name = UserPrincipalName, IP_0_Address = IPAddress
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend UserPrincipalName=tolower(AccountUPN)
) on UserPrincipalName
| join kind=leftouter (
BehaviorAnalytics
| where ActivityType in ("FailedLogOn", "LogOn")
| where isnotempty(SourceIPAddress)
| project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
| project-rename IPAddress = SourceIPAddress
| summarize
UsersInsights = make_set(UsersInsights, 1000),
DevicesInsights = make_set(DevicesInsights, 1000),
IPInvestigationPriority = sum(InvestigationPriority)
by IPAddress
) on IPAddress
| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority
| where UEBARiskScore > riskScoreCutoff
| sort by UEBARiskScore desc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: UserPrincipalName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
columnName: IPAddress
version: 2.0.0
metadata:
source:
kind: Community
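Review bot: `UEBARiskScore = BlastRadiusInt + IPInvestigationPriority` is null whenever either `join kind=leftouter` found no match, because Kusto arithmetic on a null operand yields null, and the following `where UEBARiskScore > riskScoreCutoff` then drops the row. The effect is that legacy-auth sign-ins by users absent from IdentityInfo, or from IPs with no BehaviorAnalytics logon rows, vanish from the results entirely, a gap the previous version did not have; the `query: |` block begins before this hunk. Suggest `| extend UEBARiskScore = coalesce(BlastRadiusInt, 0) + coalesce(IPInvestigationPriority, 0)` so the score degrades to 0 rather than null; the same applies to Login attempt by Blocked MFA user and User Login IP Address Teleportation, and in the sort-only files (Successful Signin From Non-Compliant Device, Risky Sign-in with new MFA method) the null score merely misorders rows. Since the IdentityInfo subquery keeps one row per AccountUPN, BlastRadiusInt appears to be at most 1, so a cutoff of 20 is effectively a BehaviorAnalytics-only threshold; confirm that is intended.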


@ -1,17 +1,25 @@
id: 75fd68a2-9ed4-4a1c-8bd7-18efe4c99081
name: Login attempt by Blocked MFA user
description: |
'An account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Azure AD.'
'An account could be blocked if there are too many failed authentication attempts in a row. This hunting query identifies if a MFA user account that is set to blocked tries to login to Azure AD.
This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |
let riskScoreCutoff = 20; //Adjust this based on volume of results
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 7d;
@ -38,24 +46,54 @@ query: |
u_MFABlocked
| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)
| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)
| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress),
| summarize TimeGenerated = make_list(TimeGenerated), Status = make_list(Status), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress),
AttemptCount = count() by UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation , CorrelationId
| mvexpand TimeGenerated, IPAddresses, Status
| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)
| project-away IPAddresses
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
| extend timestamp = StartTime, UserPrincipalName = tolower(UserPrincipalName), Account_0_Name = UserPrincipalName, IP_0_Address = IPAddress
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend UserPrincipalName=tolower(AccountUPN)
) on UserPrincipalName
| join kind=leftouter (
BehaviorAnalytics
| where ActivityType in ("FailedLogOn", "LogOn")
| where isnotempty(SourceIPAddress)
| project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
| project-rename IPAddress = SourceIPAddress
| summarize
UsersInsights = make_set(UsersInsights, 1000),
DevicesInsights = make_set(DevicesInsights, 1000),
IPInvestigationPriority = sum(InvestigationPriority)
by IPAddress
) on IPAddress
| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority
| where UEBARiskScore > riskScoreCutoff
| sort by UEBARiskScore desc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: UserPrincipalName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
columnName: IPAddress
version: 2.0.0
metadata:
source:
kind: Community
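Review bot: `UserAccountControl = make_set(UserType, 1000)` in the IdentityInfo subquery aggregates the UserType column under the name UserAccountControl, which looks like a copy-paste slip; the output duplicates the UserType set and never surfaces the real attribute. If the intent is to expose it and IdentityInfo provides that column, use `UserAccountControl = make_set(UserAccountControl, 1000)` and add it to the preceding `project`; otherwise drop the line. The identical block is pasted into Login attempts using Legacy Auth, Successful Signin From Non-Compliant Device, the Unusual authentications file, User Login IP Address Teleportation, signins from new locations and Risky Sign-in with new MFA method, so a shared function would be preferable to fixing seven copies. The `query: |` block begins before this hunk.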


@ -3,11 +3,18 @@ name: Successful Signin From Non-Compliant Device
description: |
'Detects successful sign ins from devices marked non-compliant.
Best practice is to block sign ins from non-complaint devices, however if allowed monitor these events to ensure they do not lead to other risky activity.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
@ -16,6 +23,37 @@ query: |
SigninLogs
| where ResultType == 0
| where tostring(DeviceDetail.isCompliant) == "false"
| extend Account_0_Name = tolower(UserPrincipalName)
| extend IP_0_Address = IPAddress
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend Account_0_Name =tolower(AccountUPN)
) on Account_0_Name
| join kind=leftouter (
BehaviorAnalytics
| where ActivityType in ("FailedLogOn", "LogOn")
| where isnotempty(SourceIPAddress)
| project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
| project-rename IP_0_Address = SourceIPAddress
| summarize
UsersInsights = make_set(UsersInsights, 1000),
DevicesInsights = make_set(DevicesInsights, 1000),
IPInvestigationPriority = sum(InvestigationPriority)
by IP_0_Address
) on IP_0_Address
| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority
| sort by UEBARiskScore desc
entityMappings:
- entityType: Account
fieldMappings:
@ -24,4 +62,4 @@ entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IpAddress
columnName: IPAddress
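Review bot: The new description sentence `This query has also been updated to include UEBA logs ...` is change history rather than a description of what the query detects, and it is repeated verbatim in every file touched by this commit; the version bump and the commit message already record the update, so the rule descriptions should describe the current behaviour only. In the query, `summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN` already yields one row per AccountUPN, so the second `summarize ... by AccountUPN` immediately after it only wraps single scalars into one-element sets; if that shape is required by consumers, a comment saying so would help, otherwise the second summarize can go. The `query: |` block begins before this hunk.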


@ -2,7 +2,8 @@ id: 8eace93b-f38c-47b7-a21d-739556d31db6
name: User Accounts - New Single Factor Auth
description: |
'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
@ -10,6 +11,12 @@ requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
@ -22,6 +29,18 @@ query: |
let endtime = totimespan('{{EndTimeISO}}');
let isGUID = "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}";
let lookback = starttime - 7d;
let behaviorAnalyticsData = materialize(
BehaviorAnalytics
| where ActivityType in ("FailedLogOn", "LogOn")
| where isnotempty(SourceIPAddress)
| project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
| project-rename IPAddress = SourceIPAddress
| summarize
UsersInsights = make_set(UsersInsights, 1000),
DevicesInsights = make_set(DevicesInsights, 1000),
IPInvestigationPriority = sum(InvestigationPriority)
by IPAddress
);
let aadFunc = (tableName:string){
table(tableName)
| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))
@ -30,17 +49,22 @@ query: |
| where AuthenticationDetails != "[]"
| extend AuthenticationMethod = tostring(todynamic(AuthenticationDetails)[0].authenticationMethod)
| where AuthenticationMethod != "Previously satisfied"
| summarize count(), make_set(AuthenticationRequirement), make_set(AuthenticationMethod), make_set(IPAddress), make_set(Location), LastLogin = max(TimeGenerated) by UserPrincipalName
| join kind=leftouter (
behaviorAnalyticsData
) on IPAddress
| summarize count(), make_set(AuthenticationRequirement, 1000), make_set(AuthenticationMethod, 1000), make_set(IPAddress, 1000), make_set(Location, 1000), LastLogin = max(TimeGenerated), IPInvestigationPriority = sum(IPInvestigationPriority) by UserPrincipalName
| extend noofAuthMehods = array_length(set_AuthenticationMethod), noofAuthReqs = array_length(set_AuthenticationRequirement)
| where noofAuthMehods > 1 or noofAuthReqs > 1
| extend timestamp = LastLogin, AccountCustomEntity = UserPrincipalName
| extend timestamp = LastLogin, Account_0_Name = UserPrincipalName
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
| sort by IPInvestigationPriority desc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: UserPrincipalName
version: 1.0.0
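Review bot: `requiredDataConnectors` now declares `connectorId: IdentityInfo` and the description says the query includes IdentityInfo, but the query only references BehaviorAnalytics (`behaviorAnalyticsData`); either the IdentityInfo join was left out or the connector entry and description should be trimmed to BehaviorAnalytics. The query text changed materially (new materialized join, changed aggregation) yet `version: 1.0.0` is unchanged, whereas the sibling files in this commit move to 2.0.0; bump it for consistency. The `aadFunc` definition is complete here, but the `query: |` block starts before the hunk.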


@ -2,11 +2,18 @@ id: f56b2223-0d4d-4347-9de4-822d195624ee
name: User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.
description: |
'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
@ -48,10 +55,25 @@ query: |
DayNumberofWeek == "6.00:00:00", "Saturday","InvalidTimeStamp")
| summarize count(), FirstSuccessfulSignin = min(TimeGenerated), LastSuccessfulSignin = max(TimeGenerated), make_set(IPAddress), make_set(ClientAppUsed), make_set(UserAgent), make_set(AppDisplayName) by HourOfLogin, Location, DayofWeek, UserPrincipalName
) on Location, DayofWeek , HourOfLogin
| extend timestamp = LastSuccessfulSignin, AccountCustomEntity = UserPrincipalName
| extend timestamp = LastSuccessfulSignin, Account_0_Name = UserPrincipalName
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend UserPrincipalName=tolower(AccountUPN)
) on UserPrincipalName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: UserPrincipalName
version: 1.0.0
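Review bot: The IdentityInfo join keys on `UserPrincipalName`, where the right side is `tolower(AccountUPN)` but the left side is the SigninLogs value untouched (the new extend sets only `Account_0_Name = UserPrincipalName`); Kusto join equality is case-sensitive, so any mixed-case UPN silently gets no enrichment. Add `| extend UserPrincipalName = tolower(UserPrincipalName)` before the join (the same normalisation the other files apply). The connector list also declares `BehaviorAnalytics`, and the description claims it, but this query never joins that table; and `version: 1.0.0` is not bumped although the query changed. The `query: |` block starts before this hunk.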


@ -3,11 +3,18 @@ name: User Login IP Address Teleportation
description: |
'This query over SiginLogs will identify user accounts that have logged in from two different countries
within a specified time window, by default this is a 10 minute window either side of the previous login.
This query will detect users roaming onto VPNs, it is possible to exclude known VPN IP address ranges.'
This query will detect users roaming onto VPNs, it is possible to exclude known VPN IP address ranges.
This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
@ -16,6 +23,7 @@ tags:
- DEV-0537
query: |
let riskScoreCutoff = 20; //Adjust this based on volume of results
let windowTime = 20min / 2; //Window to lookup anomalous logins within
let excludeKnownVPN = dynamic(['127.0.0.1', '0.0.0.0']); //Known VPN IP addresses to exclude
SigninLogs
@ -61,24 +69,46 @@ query: |
| where TimeGenerated between (WindowStart .. WindowEnd)
| project Account=UserPrincipalName, AnomalousIP=IPAddress, AnomalousLoginTime=TimeGenerated, AnomalousCountry=country, OtherLoginIP=IPAddress1, OtherLoginCountry=country1, OtherLoginWindowStart=WindowStart, OtherLoginWindowEnd=WindowEnd
| where AnomalousIP !in(excludeKnownVPN) and OtherLoginIP !in(excludeKnownVPN)
| extend timestamp = AnomalousLoginTime, AccountCustomEntity = Account, IPCustomEntity = AnomalousIP
| extend timestamp = AnomalousLoginTime, Account = tolower(Account), Account_0_Name = Account, IP_0_Address = AnomalousIP
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend UserPrincipalName=tolower(AccountUPN)
| project-rename Account = AccountUPN
) on Account
| join kind=leftouter (
BehaviorAnalytics
| where ActivityType in ("FailedLogOn", "LogOn")
| where isnotempty(SourceIPAddress)
| project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
| project-rename AnomalousIP = SourceIPAddress
| summarize
UsersInsights = make_set(UsersInsights, 1000),
DevicesInsights = make_set(DevicesInsights, 1000),
IPInvestigationPriority = sum(InvestigationPriority)
by AnomalousIP)
on AnomalousIP
| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority
| where UEBARiskScore > riskScoreCutoff
| sort by UEBARiskScore desc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: Account
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
metadata:
source:
kind: Community
author:
name: Thomas McElroy
support:
tier: Community
categories:
domains: [ "Security - Other", "Identity" ]
columnName: AnomalousIP
version: 2.0.0
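Review bot: `| project-rename Account = AccountUPN` renames the original-case column, so the `on Account` join compares the lowercased left `Account` against un-lowered AccountUPN values while the `UserPrincipalName=tolower(AccountUPN)` column computed just above is never used; unless IdentityInfo already stores AccountUPN in lower case, the enrichment never matches. Replace the two lines with `| extend Account = tolower(AccountUPN)`. The same rename-the-wrong-column pattern is in Azure Active Directory signins from new locations (`project-rename Account_0_Name = AccountUPN`) and Risky Sign-in with new MFA method (`project-rename AccountCustomEntity = AccountUPN`). The `metadata:` block (author, support tier, categories) appears only on the old side of the last hunk, so it looks like this change drops it; confirm that is intended. The `query: |` block starts before this hunk.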


@ -3,11 +3,15 @@ name: Azure Active Directory signins from new locations
description: |
'New Azure Active Directory signin locations today versus historical Azure Active Directory signin data.
In the case of password spraying or brute force attacks one might see authentication attempts for many
accounts from a new location.'
accounts from a new location. This query has also been updated to include UEBA logs IdentityInfo and BehaviorAnalytics
for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- InitialAccess
relevantTechniques:
@ -20,6 +24,7 @@ query: |
let countThreshold = 1;
SigninLogs
| where TimeGenerated between(starttime..endtime)
| extend UserPrincipalName = tolower(UserPrincipalName)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), perIdentityAuthCount = count()
by UserPrincipalName, locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/",
tostring(LocationDetails["city"]), ";" , tostring(LocationDetails["geoCoordinates"]))
@ -36,19 +41,26 @@ query: |
// select threshold above which #new accounts from a new location is deemed suspicious
| where distinctAccountCount > countThreshold
| mv-expand todynamic(identityList)
| extend timestamp = StartTime, AccountCustomEntity = identityList
| extend timestamp = StartTime, Account_0_Name = identityList
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend UserPrincipalName=tolower(AccountUPN)
| project-rename Account_0_Name = AccountUPN
) on Account_0_Name
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
- identifier: Name
columnName: identityList
version: 1.0.0
metadata:
source:
kind: Community
author:
name: Shain
support:
tier: Community
categories:
domains: [ "Security - Other", "Identity" ]
version: 2.0.0
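Review bot: The left join key `Account_0_Name = identityList` comes straight out of `mv-expand todynamic(identityList)`, so it is a dynamic column, while the right-side key is the string AccountUPN; confirm the join actually matches, `Account_0_Name = tostring(identityList)` would make the key types agree. The description now says the query includes "IdentityInfo and BehaviorAnalytics", but only an IdentityInfo connector and join were added, so the BehaviorAnalytics mention is inaccurate. As in the Teleportation file, the `metadata:` block appears to be dropped by this change; confirm that is intended. The `query: |` block starts before this hunk.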


@ -2,12 +2,19 @@ id: bfacf634-c75e-4291-998c-ecbc0323d943
name: Risky Sign-in with new MFA method
description: |
'Looks for a new MFA method added to an account that was preceded by medium or high risk
sign-in session for the same user within maximum 6h timeframe'
sign-in session for the same user within maximum 6h timeframe. This query has also been updated
to include UEBA logs IdentityInfo and BehaviorAnalytics for contextual information around the results.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
- connectorId: IdentityInfo
dataTypes:
- IdentityInfo
tactics:
- Persistence
relevantTechniques:
@ -39,16 +46,49 @@ query: |
| join riskySignins on AccountObjectId
| where MfaAddedTimestamp - SignInTimestamp < timeDelta //Time delta between risky sign-in and device registration less than 6h
| project-away AccountObjectId1
| extend timestamp = MfaAddedTimestamp, AccountCustomEntity = AccountUpn, IPCustomEntity = IPAddress
| extend timestamp = MfaAddedTimestamp, AccountCustomEntity = tolower(AccountUpn), IPCustomEntity = IPAddress
| join kind=leftouter (
IdentityInfo
| summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
| extend BlastRadiusInt = iif(BlastRadius == "High", 1, 0)
| project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled, BlastRadiusInt
| summarize
Tags = make_set(Tags, 1000),
GroupMembership = make_set(GroupMembership, 1000),
AssignedRoles = make_set(AssignedRoles, 1000),
BlastRadiusInt = sum(BlastRadiusInt),
UserType = make_set(UserType, 1000),
UserAccountControl = make_set(UserType, 1000)
by AccountUPN
| extend UserPrincipalName=tolower(AccountUPN)
| project-rename AccountCustomEntity = AccountUPN
) on AccountCustomEntity
| join kind=leftouter (
BehaviorAnalytics
| where ActivityType in ("FailedLogOn", "LogOn")
| where isnotempty(SourceIPAddress)
| project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
| project-rename IPAddress = SourceIPAddress
| summarize
UsersInsights = make_set(UsersInsights, 1000),
DevicesInsights = make_set(DevicesInsights, 1000),
IPInvestigationPriority = sum(InvestigationPriority)
by IPAddress)
on IPAddress
| extend Account_0_Name = AccountCustomEntity
| extend Account_0_AadUserId = AccountObjectId
| extend IP_0_Address = IPAddress
| extend UEBARiskScore = BlastRadiusInt + IPInvestigationPriority
| sort by UEBARiskScore desc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountUpn
- identifier: Name
columnName: AccountCustomEntity
- identifier: AadUserId
columnName: AccountObjectId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 1.0.0
version: 2.0.0

24
Logos/BitSight.svg Normal file

@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg id="97e3fe64-2798-409b-bebe-b262429fce68" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1159 275">
<defs>
<style>
.cls-1 {
fill: #04a2d1;
}
.cls-2 {
fill: #1a345f;
}
</style>
</defs>
<path class="cls-2" d="M998.97,86.29h-54.35v-29.16h144.09v29.16h-54.92V247.93h-34.82V86.29Z"/>
<path class="cls-2" d="M806.93,57.13v76.43h80.68V57.13h34.83V247.93h-34.83v-84.08h-80.68v84.08h-34.82V57.13h34.82Z"/>
<path class="cls-2" d="M749.42,239.16c-12.18,4.53-35.96,10.76-61.43,10.76-32.28,0-56.62-8.21-74.74-25.48-16.99-16.14-26.89-41.33-26.61-70.2,0-60.3,43.04-99.08,106.16-99.08,23.5,0,41.89,4.81,50.68,9.06l-7.64,28.03c-10.48-4.53-23.21-8.22-43.31-8.22-40.76,0-69.35,24.06-69.35,68.5s26.61,69.08,66.23,69.08c12.46,0,21.81-1.71,26.33-3.97v-47.56h-33.69v-27.45h67.38v96.53Z"/>
<path class="cls-2" d="M564.06,57.13V247.93h-34.82V57.13h34.82Z"/>
<path class="cls-2" d="M392.59,210c11.33,6.51,28.31,12.17,46.15,12.17,22.36,0,34.82-10.48,34.82-26.05,0-14.44-9.62-22.93-33.96-31.71-31.43-11.32-51.53-28.03-51.53-55.48,0-31.14,26.05-54.92,67.38-54.92,20.66,0,35.96,4.53,45.86,9.62l-8.49,28.03c-6.79-3.69-20.1-9.06-37.93-9.06-22.08,0-31.71,11.88-31.71,22.92,0,14.72,11.04,21.52,36.52,31.43,33.11,12.45,49.25,29.15,49.25,56.61,0,30.58-23.21,57.19-72.47,57.19-20.09,0-41.04-5.67-51.52-11.9l7.64-28.87Z"/>
<path class="cls-1" d="M294.06,78.07h-58.04v-20.94h141.26v20.94h-58.32V247.93h-24.91V78.07Z"/>
<path class="cls-1" d="M214.76,57.13V247.93h-24.63V57.13h24.63Z"/>
<path class="cls-1" d="M49.68,59.68c10.75-2.27,27.74-3.96,45.01-3.96,24.63,0,40.49,4.24,52.37,13.88,9.91,7.35,15.86,18.68,15.86,33.69,0,18.39-12.17,34.53-32.27,41.89v.56c18.12,4.53,39.35,19.54,39.35,47.84,0,16.42-6.51,28.87-16.14,38.21-13.31,12.17-34.82,17.83-65.96,17.83-16.99,0-30.01-1.13-38.22-2.26V59.68Zm24.63,78.13h22.36c26.05,0,41.33-13.59,41.33-31.98,0-22.37-16.99-31.14-41.89-31.14-11.33,0-17.83,.84-21.79,1.69v61.43Zm0,91.44c4.81,.85,11.88,1.13,20.66,1.13,25.47,0,48.97-9.33,48.97-37.09,0-26.03-22.36-36.8-49.26-36.8h-20.38v72.76Z"/>
<path class="cls-2" d="M1108.05,32.41c1.03-.21,2.5-.33,3.9-.33,2.17,0,3.58,.4,4.56,1.29,.79,.7,1.24,1.78,1.24,2.99,0,2.08-1.31,3.46-2.97,4.02v.07c1.22,.42,1.94,1.54,2.31,3.18,.51,2.2,.89,3.72,1.22,4.32h-2.1c-.26-.44-.61-1.8-1.05-3.76-.47-2.17-1.31-2.99-3.16-3.06h-1.92v6.82h-2.03v-15.54Zm2.03,7.18h2.08c2.17,0,3.55-1.19,3.55-2.99,0-2.03-1.47-2.92-3.62-2.95-.98,0-1.68,.09-2.01,.19v5.75Z"/>
<path class="cls-2" d="M1112.57,53.67c-7.48,0-13.56-6.08-13.56-13.56s6.08-13.56,13.56-13.56,13.56,6.08,13.56,13.56-6.08,13.56-13.56,13.56Zm0-25.17c-6.4,0-11.61,5.21-11.61,11.61s5.21,11.61,11.61,11.61,11.61-5.21,11.61-11.61-5.21-11.61-11.61-11.61Z"/>
</svg>




@ -22,6 +22,8 @@ Parsers:
- _ASim_AuditEvent_MicrosoftExchangeAdmin365
- _ASim_AuditEvent_AzureActivity
- _ASim_AuditEvent_MicrosoftWindowsEvents
- _ASim_AuditEvent_CiscoISE
- _ASim_AuditEvent_CiscoMeraki
ParserParams:
- Name: pack
@ -35,4 +37,6 @@ ParserQuery: |
vimAuditEventEmpty,
ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),
ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers)))
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),
ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),
ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers)))


@ -0,0 +1,295 @@
Parser:
Title: Audit Event ASIM filtering parser for Cisco ISE
Version: '0.1'
LastUpdated: July 13, 2023
Product:
Name: Cisco ISE
Normalization:
Schema: AuditEvent
Version: '0.1.0'
References:
- Title: ASIM Audit Event Schema
Link: https://aka.ms/ASimAuditEventDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Cisco ISE Security Events
Link: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_maintain_monitor.html#ID58
Description: |
This ASIM parser supports normalizing administrative activity in the Cisco ISE events to the ASIM Audit Event schema.
ParserName: ASimAuditEventCiscoISE
EquivalentBuiltInParser: _ASim_AuditEvent_CiscoISE
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventFieldsLookup=datatable(
EventOriginalType: int,
EventType: string,
EventResult: string,
EventOriginalSeverity: string,
EventSeverity: string,
Object: string,
Operation: string,
EventMessage: string
)[
"52000", "Create", "Success", "NOTICE", "Informational", "ISE instance", "Added configuration", "Added configuration",
"52001", "Set", "Success", "NOTICE", "Informational", "ISE instance", "Changed configuration", "Changed configuration",
"52002", "Delete", "Success", "NOTICE", "Informational", "ISE instance", "Deleted configuration", "Deleted configuration",
"52003", "Other", "Success", "NOTICE", "Informational", "Node", "Deregister Node", "One of the ISE instances in the deployment has been de-registered.",
"52004", "Other", "Success", "NOTICE", "Informational", "Node", "Register Node", "A new ISE instance has been registered and has joined the deployment.",
"52005", "Enable", "Success", "NOTICE", "Informational", "Node", "Activate Node", "An ISE instance has been activated to receive updates from the Primary node.",
"52006", "Disable", "Success", "NOTICE", "Informational", "Node", "Deactivate ISE Node", "An ISE instance has been deactivated and will no longer receive updates from the Primary node.",
"52007", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Force Full replication", "A Force Full replication has been issued for an ISE instance.",
"52008", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Replacement Register Handler", "A new ISE instance has joined the deployment through hardware replacement.",
"52009", "Other", "Success", "NOTICE", "Informational", "Node", "Promote Node", "A Secondary node has been promoted to be the Primary node of the deployment.",
"52013", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Hardware Replacement", "A new ISE instance has joined the deployment through hardware replacement.",
"52015", "Enable", "Success", "NOTICE", "Informational", "LogCollector Target", "Enable LogCollector Target", "Enable the deployment Log Collector target.",
"52016", "Other", "Success", "NOTICE", "Informational", "LogCollector Node", "Select LogCollector Node", "The Log Collector node for the deployment has been selected.",
"52017", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Apply software update", "Apply a software update to the selected ISE instances.",
"52030", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Full replication succeeded", "Full replication was completed successfully",
"52031", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Full replication failed", "Failed to complete full replication",
"52033", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Registration succeeded", "Registration with the primary node was completed successfully",
"52035", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Registration failed", "Failed to perform the full replication requested by the primary instance",
"52038", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Registration succeeded", "The ISE instance was successfully joined to a distributed ISE deployment",
"52039", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Registration failed", "The ISE instance was unable to join a distributed deployment",
"52042", "Other", "Success", "NOTICE", "Informational", "Primary instance", "Demotion succeeded", "Demotion of the existing primary instance was completed successfully",
"52043", "Other", "Failure", "NOTICE", "Low", "Primary instance", "Demotion failed", "Demotion of the existing primary instance failed",
"52045", "Other", "Success", "NOTICE", "Informational", "Secondary instance", "Promotion succeeded", "Promotion of the secondary instance was completed successfully",
"52046", "Other", "Failure", "NOTICE", "Low", "Secondary instance", "Promotion failed", "Promotion of a secondary instance failed",
"52072", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Deregister succeeded", "Deregistration was completed successfully",
"52073", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Deregister failed", "Deregistration failed",
"52078", "Delete", "Failure", "NOTICE", "Low", "ISE secondary instance", "Delete node failed", "Failed to delete the ISE secondary instance in inactive mode from the deployment",
"52079", "Delete", "Success", "NOTICE", "Informational", "ISE secondary instance", "Delete node succeeded", "The ISE primary instance successfully deleted the secondary instance in inactive mode",
"52080", "Delete", "Failure", "NOTICE", "Low", "ISE secondary instance", "Delete node failed", "Failed to delete the ISE secondary instance in inactive mode from the primary instance",
"52082", "Other", "Failure", "NOTICE", "Low", "ISE secondary instance", "Backup failed", "An immediate backup for the secondary instance failed",
"52084", "Other", "Success", "NOTICE", "Informational", "ISE primary instance", "Backup succeeded", "An immediate backup for the primary instance was completed successfully",
"52085", "Other", "Failure", "NOTICE", "Low", "ISE primary instance", "Backup failed", "An immediate backup for the primary failed",
"52091", "Other", "Failure", "NOTICE", "Low", "Update bundle", "Software update failed", "Software update download of update bundle failed",
"52092", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Software update succeeded", "The software update was completed successfully",
"52093", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Software update failed", "The software update failed",
"57000", "Other", "Success", "NOTICE", "Informational", "Log file(s)", "Deleted rolled-over local log file(s)", "Deleted rolled-over local log file(s)",
"58001", "Other", "Success", "NOTICE", "Informational", "ISE process", "ISE process started", "An ISE process has started",
"58002", "Other", "Success", "NOTICE", "Informational", "ISE process", "ISE process stopped", "An ISE process has stopped",
"58003", "Other", "Success", "NOTICE", "Informational", "ISE processes", "ISE processes started", "All ISE processes have started",
"58004", "Other", "Success", "NOTICE", "Informational", "ISE processes", "ISE processes stopped", "All ISE processes have stopped",
"58005", "Other", "Success", "NOTICE", "Informational", "ISE process", "ISE process was restarted by watchdog service", "The watchdog service has restarted an ISE process",
"60000", "Install", "Success", "NOTICE", "Informational", "Node", "Patch installation completed successfully on the node", "Patch installation completed successfully on the node",
"60001", "Install", "Failure", "NOTICE", "Low", "Node", "Patch installation failed on the node", "Patch installation failed on the node",
"60002", "Other", "Success", "NOTICE", "Informational", "Node", "Patch rollback completed successfully on the node", "Patch rollback completed successfully on the node",
"60003", "Other", "Failure", "NOTICE", "Low", "Node", "Patch rollback failed on the node", "Patch rollback failed on the node",
"60050", "Create", "Success", "NOTICE", "Informational", "Node", "Node added to deployment successfully", "Node added to deployment successfully",
"60051", "Create", "Failure", "NOTICE", "Low", "Node", "Failed to add node to deployment", "Failed to add node to deployment",
"60052", "Delete", "Success", "NOTICE", "Informational", "Node", "Node removed from deployment", "Node removed from deployment",
"60053", "Delete", "Failure", "NOTICE", "Low", "Node", "Failed to remove node from deployment", "Failed to remove node from deployment",
"60054", "Other", "Success", "NOTICE", "Informational", "Node", "Node updated successfully", "Node updated successfully",
"60055", "Other", "Failure", "NOTICE", "Low", "Node", "Failed to update node", "Failed to update node",
"60056", "Other", "Success", "NOTICE", "Informational", "Cluster", "The runtime status of the node group has changed", "There is a change in the cluster state",
"60057", "Other", "Success", "NOTICE", "Informational", "PSN node", "A PSN node went down", "One of the PSN nodes in the node group has gone down",
"60058", "Other", "Success", "NOTICE", "Informational", "Heartbeat System", "The initial status of the heartbeat system", "The initial status of the heartbeat system",
"60059", "Other", "Success", "NOTICE", "Informational", "Node", "Node has successfully registered with MnT", "Node has successfully registered with MnT",
"60060", "Other", "Success", "NOTICE", "Informational", "Policy Service nodes", "Administrator invoked OCSP Clear Cache operation for all Policy Service nodes", "The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes",
"60061", "Other", "Success", "NOTICE", "Informational", "Policy Service nodes", "OCSP Clear Cache operation completed successfully", "OCSP Clear Cache operation completed successfully on all Policy Service nodes",
"60062", "Other", "Failure", "NOTICE", "Low", "Policy Service nodes", "OCSP Clear Cache operation terminated with error", "OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes",
"60063", "Other", "Success", "NOTICE", "Informational", "ISE secondary node", "Replication to node completed successfully", "Replication of data to secondary node completed successfully",
"60064", "Other", "Failure", "NOTICE", "Low", "ISE secondary node", "Replication to node failed", "Replication of data to secondary node failed",
"60068", "Other", "Success", "INFO", "Informational", "Profiler Feed Service", "Profiler Feed Service - manual download initiated", "The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request",
"60069", "Other", "Success", "INFO", "Informational", "Profiler Feed Service", "Profiler Feed Service - Profiles Downloaded", "The Profiler Feed Service has downloaded new and/or updated Profiles",
"60070", "Other", "Success", "INFO", "Informational", "Profiler Feed Service", "Profiler Feed Service - No Profiles Downloaded", "The Profiler Feed Service found no new and/or updated Profiles to download",
"60083", "Set", "Success", "INFO", "Informational", "Syslog Server", "Syslog Server configuration change", "Syslog Server configuration change has occurred",
"60084", "Set", "Success", "INFO", "Informational", "ADEOS CLI user", "ADEOS CLI user configuration change", "Configuration change occurred for ADEOS CLI user",
"60085", "Set", "Success", "INFO", "Informational", "ADEOS Repository", "ADEOS Repository configuration change", "Configuration change occurred for ADEOS repository",
"60086", "Set", "Success", "INFO", "Informational", "ADEOS SSH Service", "ADEOS SSH Service configuration change", "Configuration change occurred for ADEOS SSH Service",
"60087", "Set", "Success", "INFO", "Informational", "ADEOS Maximum SSH CLI sessions", "ADEOS Maximum SSH CLI sessions configuration change", "Configuration change occurred for ADEOS Maximum CLI sessions",
"60088", "Set", "Success", "INFO", "Informational", "ADEOS SNMP agent", "ADEOS SNMP agent configuration change", "Configuration change occurred for ADEOS SNMP agent",
"60089", "Set", "Success", "INFO", "Informational", "ADEOS CLI kron scheduler", "ADEOS CLI kron scheduler policy configuration change", "Configuration change occurred for ADEOS CLI kron scheduler policy",
"60090", "Set", "Success", "INFO", "Informational", "ADEOS CLI kron scheduler", "ADEOS CLI kron scheduler occurence configuration change", "Configuration change occurred for ADEOS CLI kron scheduler occurence",
"60091", "Set", "Success", "INFO", "Informational", "ADEOS CLI pre-login banner", "ADEOS CLI pre-login banner configuration change", "Configuration change occurred for ADEOS CLI pre-login banner",
"60092", "Set", "Success", "INFO", "Informational", "ADEOS CLI post-login banner", "ADEOS CLI post-login banner configuration change", "Configuration change occurred for ADEOS CLI post-login banner",
"60094", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE Backup has completed successfully", "ISE Backup has completed successfully",
"60095", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE Backup has failed", "ISE Backup has failed",
"60097", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE Log Backup has completed successfully", "ISE Log Backup has completed successfully",
"60098", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE Log Backup has failed", "ISE Log Backup has failed",
"60100", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE Restore has completed successfully", "ISE Restore has completed successfully",
"60101", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE Restore has failed", "ISE Restore has failed",
"60102", "Install", "Success", "INFO", "Informational", "ISE instance", "Application installation completed successfully", "Application installation completed successfully",
"60103", "Install", "Failure", "ERROR", "Low", "ISE instance", "Application installation failed", "Application installation failed",
"60105", "Delete", "Success", "INFO", "Informational", "ISE instance", "Application remove completed successfully", "Application remove completed successfully",
"60106", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Application remove failed", "Application remove failed",
"60107", "Other", "Failure", "ERROR", "Low", "ISE instance", "Application upgrade failed", "Application upgrade failed",
"60111", "Delete", "Success", "INFO", "Informational", "ISE instance", "Application patch remove has completed successfully", "Application patch remove has completed successfully",
"60112", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Application patch remove has failed", "Application patch remove has failed",
"60113", "Other", "Success", "WARN", "Informational", "ISE server", "ISE server reload has been initiated", "ISE server reload has been initiated",
"60114", "Other", "Success", "WARN", "Informational", "ISE server", "ISE server shutdown has been initiated", "ISE server shutdown has been initiated",
"60118", "Delete", "Success", "INFO", "Informational", "File", "ADEOS CLI user has used delete CLI to delete file", "ADEOS CLI user has used delete CLI to delete file",
"60119", "Execute", "Success", "INFO", "Informational", "File", "ADEOS CLI user has used copy CLI to copy file", "ADEOS CLI user has used copy CLI to copy file",
"60120", "Execute", "Success", "INFO", "Informational", "Directory", "ADEOS CLI user has used mkdir CLI to create a directory", "ADEOS CLI user has used mkdir CLI to create a directory",
"60121", "Other", "Success", "INFO", "Informational", "System Config", "ADEOS CLI user has copied out running system configuration", "ADEOS CLI user has copied out running system configuration",
"60122", "Other", "Success", "INFO", "Informational", "System Config", "ADEOS CLI user has copied in system configuration", "ADEOS CLI user has copied in system configuration",
"60123", "Other", "Success", "INFO", "Informational", "System Config", "ADEOS CLI user has saved running system configuration", "ADEOS CLI user has saved running system configuration",
"60126", "Install", "Failure", "ERROR", "Low", "ISE instance", "Application patch installation failed", "Application patch installation failed",
"60128", "Other", "Failure", "ERROR", "Low", "File", "Failure occurred trying to copy file in from ADEOS CLI", "Failure occurred trying to copy file in from ADEOS CLI",
"60129", "Other", "Failure", "ERROR", "Low", "File", "Failure occurred trying to copy file out from ADEOS CLI", "Failure occurred trying to copy file out from ADEOS CLI",
"60130", "Set", "Success", "INFO", "Informational", "ISE Backup", "ISE Scheduled Backup has been configured", "ISE Scheduled Backup has been configured",
"60131", "Create", "Success", "INFO", "Informational", "ISE Support bundle", "ISE Support bundle has been created from web UI", "ISE Support bundle has been created from web UI",
"60132", "Delete", "Success", "INFO", "Informational", "ISE Support bundle", "ISE Support bundle has been deleted from web UI", "ISE Support bundle has been deleted from web UI",
"60133", "Other", "Failure", "ERROR", "Low", "ISE Support bundle", "ISE Support bundle generation from web UI has failed", "ISE Support bundle generation from web UI has failed",
"60153", "Other", "Success", "INFO", "Informational", "Certificate", "Certificate has been exported", "Certificate has been exported",
"60166", "Other", "", "WARN", "Informational", "Certificate", "Certificate will expire soon", "Certificate Expiration warning",
"60167", "Other", "", "WARN", "Informational", "Certificate", "Certificate has expired", "Certificate has expired",
"60172", "Other", "Success", "INFO", "Informational", "ISE instance", "Alarm(s) has/have been acknowledged", "These alarms are acknowledged and will not be displayed on the Dashboard",
"60173", "Other", "Success", "INFO", "Informational", "ISE instance", "Outdated alarms are purged", "Only latest 15000 alarms would be retained and rest of them are purged",
"60187", "Other", "Success", "INFO", "Informational", "ISE instance", "Application upgrade succeeded", "Application upgrade succeeded",
"60189", "Set", "Success", "INFO", "Informational", "ISE instance", "Terminal Session timeout has been modified", "Configuration change occurred for ADEOS CLI Terminal Session timeout",
"60193", "Set", "Success", "INFO", "Informational", "ISE instance", "RSA key configuration has been modified", "Configuration change occurred for ADEOS CLI RSA key",
"60194", "Set", "Success", "INFO", "Informational", "ISE instance", "Host key configuration has been modified", "Configuration change occurred for ADEOS CLI host key",
"60197", "Disable", "Success", "NOTICE", "Informational", "Certificate", "Revoked ISE CA issued Certificate.", "Certificate issued to Endpoint by ISE CA is revoked by Administrator",
"60198", "Delete", "Success", "INFO", "Informational", "MnT", "MnT purge event occurred", "MnT purge event occurred",
"60199", "Other", "Success", "INFO", "Informational", "ISE instance", "An IP-SGT mapping was deployed successfully", "An IP-SGT mapping was deployed successfully to a TrustSec device",
"60200", "Other", "Failure", "INFO", "Low", "ISE instance", "An IP-SGT mapping has failed deploying", "An IP-SGT mapping has failed deploying to a TrustSec device",
"60201", "Other", "Success", "INFO", "Informational", "ISE instance", "IP-SGT deployment to TrustSec device was successful", "IP-SGT deployment to TrustSec device was successful",
"60202", "Other", "Failure", "INFO", "Low", "ISE instance", "IP-SGT deployment to TrustSec device failed", "IP-SGT deployment to TrustSec device failed",
"60207", "Set", "Success", "INFO", "Informational", "ISE instance", "Logging loglevel configuration has been modified", "Configuration change occurred for ADEOS CLI logging loglevel",
"60208", "Other", "Success", "INFO", "Informational", "ISE instance", "Root CA certificate has been replaced", "Root CA certificate has been replaced",
"60209", "Enable", "Success", "INFO", "Informational", "CA service", "CA service enabled", "CA service enabled",
"60210", "Disable", "Success", "INFO", "Informational", "CA service", "CA service disabled", "CA service disabled",
"60213", "Other", "Success", "INFO", "Informational", "ISE instance", "CA keys were replaced by import operation", "CA keys were replaced by import operation",
"60214", "Other", "Success", "INFO", "Informational", "ISE instance", "CA keys were exported", "CA keys were exported",
"60215", "Other", "Success", "INFO", "Informational", "ISE instance", "Endpoint certs were marked expired", "Endpoint certs were marked expired by daily scheduled job",
"60216", "Delete", "Success", "INFO", "Informational", "ISE instance", "Endpoint certs were purged", "Endpoint certs were purged by daily scheduled job",
"60451", "Enable", "Success", "INFO", "Informational", "ISE instance", "Telemetry is enabled on this deployment", "Telemetry is enabled on this deployment",
"60452", "Disable", "Success", "INFO", "Informational", "ISE instance", "Telemetry is disabled on this deployment", "Telemetry is disabled on this deployment",
"61002", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new SGT from IEPG", "ISE has learned a new SGT from IEPG",
"61003", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has propagated a new EEPG to APIC", "ISE has propagated a new EEPG to APIC.",
"61004", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new SXP mapping from APIC endpoint", "ISE has learned a new SXP mapping from APIC endpoint",
"61005", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has propagated a new endpoint(SXP mapping) to APIC", "ISE has propagated a new endpoint(SXP mapping) to APIC",
"61006", "Delete", "Success", "INFO", "Informational", "SGT", "ISE has removed an SGT due to deleted IEPG", "ISE has removed an SGT due to deleted IEPG",
"61007", "Delete", "Success", "INFO", "Informational", "APIC", "ISE has removed EEPG from APIC due to SGT deletion", "ISE has removed EEPG from APIC due to SGT deletion",
"61008", "Delete", "Success", "INFO", "Informational", "APIC", "ISE has removed an SXP mapping due to endpoint deletion on APIC", "ISE has removed an SXP mapping due to endpoint deletion on APIC",
"61009", "Delete", "Success", "INFO", "Informational", "APIC", "ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC", "ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC",
"61016", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh EPG subscriber against APIC", "ISE failed to refresh EPG subscriber against APIC",
"61017", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh endpoint subscriber against APIC", "ISE failed to refresh endpoint subscriber against APIC",
"61018", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh EEPG subscriber against APIC", "ISE failed to refresh EEPG subscriber against APIC",
"61020", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh L3EXTOUT subscriber against APIC", "ISE failed to refresh L3EXTOUT subscriber against APIC",
"61022", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE has failed to propagate SGT to EEPG", "ISE has failed to propagate SGT to EEPG",
"61023", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE has failed to learn IEPG from APIC", "ISE has failed to learn IEPG from APIC",
"61024", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE has failed to parse VRF for EPG", "ISE has failed to parse VRF for EPG",
"61030", "Other", "Failure", "INFO", "Low", "ISE instance", "TrustSec deploy verification was canceled.", "TrustSec deployment verification process was canceled as a new TrustSec deploy started.",
"61033", "Other", "Success", "INFO", "Informational", "ISE instance", "TrustSec deployment verification process succeeded.", "ISE trustsec configuration was successfully deployed to all network access devices.",
"61034", "Other", "", "INFO", "Low", "ISE instance", "Maximum resource limit reached.", "Maximum resource limit reached.",
"61051", "Set", "Success", "INFO", "Informational", "ISE instance", "Synflood-limit configured", "Synflood-limit configured",
"61052", "Set", "Success", "INFO", "Informational", "ISE instance", "Rate-limit configured", "Rate-limit configured",
"61100", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new tenant from ACI", "ISE has learned a new tenant from ACI",
"61101", "Delete", "Success", "INFO", "Informational", "ACI tenant", "ISE has removed ACI tenant", "ISE has removed ACI tenant",
"61102", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to learn new tenant from ACI in ISE", "Failed to learn new tenant from ACI in ISE",
"61103", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Failed to remove ACI tenant in ISE", "Failed to remove ACI tenant in ISE",
"61104", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new tenant from SDA", "ISE has learned a new tenant from SDA",
"61105", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new VN info", "IISE has learned a new VN info",
"61106", "Create", "Failure", "ERROR", "Low", "ISE instance", "Failed to create VN info in ISE", "Failed to create VN info in ISE",
"61107", "Other", "Success", "INFO", "Informational", "ISE instance", "VN info is updated in ISE", "VN info is updated in ISE",
"61108", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to update VN info in ISE", "Failed to update VN info in ISE",
"61109", "Delete", "Success", "INFO", "Informational", "ACI tenant", "VN info is deleted in ISE", "VN info is deleted in ISE",
"61110", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Failed to deleted VN info in ISE", "Failed to deleted VN info in ISE",
"61111", "Other", "Failure", "ERROR", "Low", "ISE instance", "Domain registration process failed", "Domain registration process failed",
"61114", "Other", "Success", "INFO", "Informational", "ISE instance", "Domain registration completed successfully", "Domain registration completed successfully",
"61115", "Other", "Failure", "ERROR", "Low", "ISE instance", "Domain registration failed", "Domain registration failed",
"61116", "Other", "Failure", "ERROR", "Low", "ACI certificate", "Unable to store ACI certificate", "Unable to store ACI certificate",
"61117", "Other", "Success", "INFO", "Informational", "ACI connector", "ACI connector started successfully", "ACI connector started successfully",
"61118", "Other", "Failure", "ERROR", "Low", "ACI connector", "Failed to start ACI connector", "Failed to start ACI connector",
"61120", "Delete", "Success", "INFO", "Informational", "ACI certificate", "Successfully deleted ACI certificate from ISE", "Successfully deleted ACI certificate from ISE",
"61121", "Delete", "Failure", "ERROR", "Low", "ACI certificate", "Failed to delete ACI certificate from ISE", "Failed to delete ACI certificate from ISE",
"61122", "Delete", "Failure", "ERROR", "Low", "ACI keystore", "Failed to delete ACI keystore", "Failed to delete ACI keystore",
"61123", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new ACI domain", "ISE has learned a new ACI domain",
"61124", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to learn a new ACI domain", "Failed to learn a new ACI domain",
"61125", "Delete", "Success", "INFO", "Informational", "ACI domain", "ISE has removed ACI domain", "ISE has removed ACI domain",
"61126", "Delete", "Failure", "ERROR", "Low", "ACI domain", "Failed to remove ACI domain", "Failed to remove ACI domain",
"61127", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new SDA domain", "ISE has learned a new SDA domain",
"61128", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to learn a new SDA domain", "Failed to learn a new SDA domain",
"61129", "Delete", "Success", "INFO", "Informational", "SDA domain", "ISE has removed SDA domain", "ISE has removed SDA domain",
"61130", "Delete", "Failure", "ERROR", "Low", "SDA domain", "Failed to remove SDA domain", "Failed to remove SDA domain",
"61158", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE failed in receiving SDA SXP configuration", "ISE failed in receiving SDA SXP configuration",
"61160", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE failed to publish Gateway advertisement message to ACI", "ISE failed to publish Gateway advertisement message to ACI",
"61161", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE learned new SXP Listener", "ISE learned new SXP Listener",
"61162", "Other", "Success", "INFO", "Informational", "SXP Listener", "ISE updates VN defined for SXP Listener", "ISE updates VN defined for SXP Listener",
"61163", "Other", "Success", "INFO", "Informational", "SXP Listener", "ISE learned new VN defined for SXP Listener", "ISE learned new VN defined for SXP Listener",
"61164", "Other", "Success", "INFO", "Informational", "SXP Listener", "ISE updates SXP Listener", "ISE updates SXP Listener",
"61165", "Delete", "Success", "INFO", "Informational", "SXP Listener", "ISE removed all SXP connections related to SXP Listener", "ISE removed all SXP connections related to SXP Listener",
"61166", "Other", "Success", "INFO", "Informational", "ACI", "ACI published Gateway advertisement message to SDA", "ACI published Gateway advertisement message to SDA",
"61167", "Other", "Success", "INFO", "Informational", "ISE instance", "Send ACI Gateway advertisement message to ISE", "Send ACI Gateway advertisement message to ISE",
"61168", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to send ACI Gateway advertisement message to ISE", "Failed to send ACI Gateway advertisement message to ISE/SDA",
"61169", "Other", "Success", "INFO", "Informational", "ISE instance", "Successfully Send ACI Gateway advertisement message", "Successfully Send ACI Gateway advertisement message",
"61234", "Other", "Success", "WARN", "Informational", "ISE instance", "Got event with unknown properties", "Got event with unknown properties",
"62000", "Execute", "Success", "INFO", "Informational", "ISE instance", "Agentless script execute completed", "Agentless script execute completed",
"62001", "Execute", "Failure", "WARN", "Low", "ISE instance", "Agentless script execute failed", "Agentless script execute failed",
"62002", "Other", "Success", "INFO", "Informational", "ISE instance", "Agentless script upload completed", "Agentless script upload completed",
"62003", "Other", "Failure", "WARN", "Low", "ISE instance", "Agentless script upload failed", "Agentless script upload failed",
"61300", "Other", "Success", "INFO", "Informational", "ISE instance", "Network Access policy request", "Network Access policy request",
"61301", "Other", "Success", "INFO", "Informational", "ISE instance", "Device Admin policy request", "Device Admin policy request",
"61302", "Other", "Success", "INFO", "Informational", "ISE instance", "Policy component request", "Policy component request",
"60467", "Other", "Failure", "ERROR", "Low", "ISE instance", "OCSP Certificate renewal failed", "OCSP Certificate renewal failed.",
"60468", "Other", "Failure", "ERROR", "Low", "ISE instance", "Root CA Regeneration failed", "Regeneration of Root CA failed.",
"62008", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync service starts", "Meraki connector sync service starts",
"62009", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync service stops", "Meraki connector sync service stops",
"62010", "Other", "Failure", "WARN", "Low", "Meraki connector", "Meraki connector sync service failure", "Meraki connector sync service failure",
"62011", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync cycle starts", "Meraki connector sync cycle starts",
"62012", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync cycle stops", "Meraki connector sync cycle stops",
"62013", "Other", "Failure", "WARN", "Low", "Meraki connector", "Meraki connector sync cycle failure", "Meraki connector sync cycle failure",
"62014", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync operation success", "Meraki connector sync operation success",
"62015", "Other", "Failure", "WARN", "Low", "Meraki connector", "Meraki connector sync operation failure", "Meraki connector sync operation failure",
"62016", "Other", "Success", "INFO", "Informational", "ISE instance", "Port 2484 opened for Data Connect", "Port 2484 opened for Data Connect",
"62017", "Other", "Success", "INFO", "Informational", "ISE instance", "Data Connect port 2484 closed", "Data Connect port 2484 closed"];
let EventOriginalTypeList = toscalar(EventFieldsLookup
| summarize make_set(EventOriginalType));
let CiscoISEAuditParser=(disabled: bool=false) {
Syslog
| where not(disabled)
| where ProcessName has_any ("CISE", "CSCO")
| parse SyslogMessage with * " " longvalue:long " " EventOriginalType:int " " *
| where EventOriginalType in (EventOriginalTypeList)
| lookup EventFieldsLookup on EventOriginalType
| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')
| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']
| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)
| extend ActorUsername = coalesce(['User-Name'], UserName, User)
| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
| extend
DvcIpAddr = iif(isnotempty(HostIP) and HostIP != "Unknown IP", HostIP, extract(@"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", 1, Computer))
, EventStartTime = coalesce(EventTime, TimeGenerated)
, EventEndTime = coalesce(EventTime, TimeGenerated)
, EventVendor = "Cisco"
, EventProduct = "ISE"
, EventProductVersion = "3.2"
, EventCount = int(1)
, EventSchema = "AuditEvent"
, EventSchemaVersion = "0.1.0"
, ObjectType = "Configuration Atom"
, TargetAppName = "ISE"
, TargetAppType = "Service"
// ***************** <Aliases> ********************
| extend
Dvc = coalesce(DvcIpAddr, DvcHostname)
, Application = TargetAppName
, IpAddr = coalesce(SrcIpAddr, TargetIpAddr)
, Dst = TargetIpAddr
, Src = SrcIpAddr
, User = ActorUsername
// ***************** </Aliases> *******************
| project-away
TenantId,
SourceSystem,
MG,
Computer,
EventTime,
Facility,
HostName,
SeverityLevel,
SyslogMessage,
HostIP,
ProcessName,
ProcessID,
_ResourceId,
NetworkDeviceName,
['User-Name'],
UserName
};
CiscoISEAuditParser(disabled=disabled)


@ -0,0 +1,231 @@
Parser:
Title: Audit Event ASIM parser for Cisco Meraki
Version: '0.1'
LastUpdated: Jun 20 2023
Product:
Name: Cisco Meraki
Normalization:
Schema: AuditEvent
Version: '0.1'
References:
- Title: ASIM Audit Event Schema
Link: https://aka.ms/ASimAuditEventDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: Cisco Meraki Documentation
Link: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples
Description: |
This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Audit Event normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
ParserName: ASimAuditEventCiscoMeraki
EquivalentBuiltInParser: _ASim_AuditEvent_CiscoMeraki
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)
[
"vpn_connectivity_change", "VPN connectivity change","Success", "Set",
"purging ISAKMP-SA", "Purging ISAKMP-SA","Partial", "Delete",
"purged ISAKMP-SA", "Purged ISAKMP-SA","Success", "Delete",
"ISAKMP-SA deleted", "ISAKMP-SA deleted","Success", "Delete",
"IPsec-SA request", "IPsec-SA request queued","Failure", "Other",
"failed to get sainfo", "Failed to get sainfo","Failure", "Other",
"failed to pre-process ph2 packet", "Failed to pre-process ph2 packet","Failure", "Other",
"phase2 negotiation failed", "Phase2 negotiation failed","Failure", "Other",
"initiate new phase 1 negotiation", "Initiate new phase 1 negotiation","Success", "Initialize",
"ISAKMP-SA established", "ISAKMP-SA established","Success", "Create",
"initiate new phase 2 negotiation", "Initiate new phase 2 negotiation","Partial", "Initialize",
"IPsec-SA established", "IPsec-SA established","Success", "Create",
"STP role", "Spanning-tree interface role change","Success", "Set",
"STP BPDU", "Spanning-tree guard state change", "", "",
"VRRP transition", "VRRP transition","Success", "Set",
"port status change", "Port status change", "", ""
];
let EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[
"Success", "Informational",
"Partial", "Informational",
"Failure", "Low"
];
let parser=(disabled: bool=false) {
let allData = union isfuzzy=true
(
meraki_CL
| project-rename LogMessage = Message
),
(
Syslog
| where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))
| project-rename LogMessage = SyslogMessage
);
let PreFilteredData = allData
| where not(disabled)
and LogMessage has "events"
and (LogMessage has_any ("vpn_connectivity_change", "status changed", "VRRP active", "VRRP passive") or LogMessage has_cs "Site-to-site" or LogMessage has_cs "Port")
| extend Parser = extract_all(@"(\d+.\d+)\s([\w\-\_]+)\s([\w\-\_]+)\s([\S\s]+)$", dynamic([1, 2, 3, 4]), LogMessage)[0]
| extend
LogType = tostring(Parser[2]),
Substring = tostring(Parser[3])
| where LogType == "events";
let SiteToSiteData = PreFilteredData
| where Substring has_cs "Site-to-site";
let SiteToSite_deleted = SiteToSiteData
| where Substring has "ISAKMP-SA deleted"
| extend TempOperation = "ISAKMP-SA deleted"
| parse Substring with * " deleted " temp_deletedSrcIp:string "-" temp_deletedTargetIp:string " " temp_restmessage:string
| extend temp_srcipport = temp_deletedSrcIp,
temp_targetipport = temp_deletedTargetIp;
let SiteToSite_negotiation = SiteToSiteData
| where Substring has_any("initiate new phase 1 negotiation", "initiate new phase 2 negotiation")
| parse Substring with * "Site-to-site VPN: " TempOperation:string ": " temp_negotiationSrcIp:string "<=>" temp_negotiationTargetIp:string
| extend temp_srcipport = temp_negotiationSrcIp,
temp_targetipport = temp_negotiationTargetIp;
let SiteToSite_ESP = SiteToSiteData
| where Substring has "phase2 negotiation failed due to time up waiting for phase1"
| parse Substring with * "Site-to-site VPN: " TempOperation:string " due to " EventResultDetails " ESP " temp_espSrcIp:string "->" temp_espTargetIp:string
| extend temp_srcipport = temp_espSrcIp,
temp_targetipport = temp_espTargetIp;
let SiteToSite_tunnel = SiteToSiteData
| where Substring has "IPsec-SA established"
| parse Substring with * "Site-to-site VPN: " TempOperation:string ":" * "Tunnel " temp_tunnelSrcIp:string "->" temp_tunnelTargetIp:string " " temp_restmessage:string
| extend temp_srcipport = temp_tunnelSrcIp,
temp_targetipport = temp_tunnelTargetIp;
let SiteToSite_ISAKMPestablished = SiteToSiteData
| where Substring has "ISAKMP-SA established"
| parse Substring with * "Site-to-site VPN: " TempOperation:string " established " temp_estSrcIp:string "-" temp_estTargetIp:string " " temp_restmessage:string
| extend TempOperation = strcat(TempOperation, ' ', 'established'),
temp_srcipport = temp_estSrcIp,
temp_targetipport = temp_estTargetIp;
let SiteToSite_IPsecSArequest = SiteToSiteData
| where Substring has "IPsec-SA request"
| parse Substring with * "Site-to-site VPN: " TempOperation:string " for " temp_forTaregtSrcIp:string " " * " due to" EventResultDetails:string
| extend temp_targetipport = temp_forTaregtSrcIp;
let SiteToSite_purging = SiteToSiteData
| where Substring has_any("purging ISAKMP-SA", "purged ISAKMP-SA")
| parse Substring with * "Site-to-site VPN: " TempOperation:string " spi=" temp_restmessage:string;
let SiteToSite_failed = SiteToSiteData
| where Substring has_any ("failed to get sainfo", "failed to pre-process ph2 packet")
| parse Substring with * "Site-to-site VPN: " TempOperation:string
| extend TempOperation = tostring(split(TempOperation, ' (')[0]);
let VPNConnectivityChangeData = PreFilteredData
| where Substring has "vpn_connectivity_change"
| parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
| extend type = trim('"', type),
connectivity = trim('"', connectivity)
| extend TempOperation = type,
temp_srcipport = peer_contact;
let StatusChangedData = PreFilteredData
| where Substring has "status changed"
| parse Substring with * "port " port:string " " portnextpart:string
| extend TempOperation = "port status change";
let PortData = PreFilteredData
| where Substring has_cs "Port"
| parse Substring with * "Port " Port1:string " received an " TempOperation1:string " from " STPMac:string " " temp_restmessage:string
| parse Substring with * "Port " Port2:string " changed " TempOperation2:string " from " PortNextPart:string
| extend Port = coalesce(Port1,Port2)
| extend TempOperation = coalesce(TempOperation1, TempOperation2);
let VRRPData = PreFilteredData
| where Substring has_any("VRRP active", "VRRP passive")
| extend TempOperation = "VRRP transition";
union VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel
| extend Epoch = tostring(Parser[0]),
Device = tostring(Parser[1])
| extend EpochTimestamp = split(Epoch, ".")
| extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))
| lookup EventFieldsLookup on TempOperation
| extend
temp_srcipport = iff(temp_srcipport has "]" and temp_srcipport !has ":", trim(']', temp_srcipport), temp_srcipport),
temp_targetipport = iff(temp_targetipport has "]" and temp_targetipport !has ":", trim(']', temp_targetipport), temp_targetipport)
| extend
temp_srcipport = iff(temp_srcipport has "[" and temp_srcipport !has ":", replace_string(temp_srcipport,'[',':'), temp_srcipport),
temp_targetipport = iff(temp_targetipport has "[" and temp_targetipport !has ":", replace_string(temp_targetipport,'[',':'), temp_targetipport),
DvcMacAddr = iff(Operation == "Spanning-tree guard state change" and isnotempty(STPMac) and STPMac matches regex "([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\.[0-9a-fA-F]{4}\\.[0-9a-fA-F]{4})\'*", STPMac, "")
| extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == "Spanning-tree guard state change", STPMac, temp_srcipport)
| extend
temp_srcipport = trim("'", temp_srcipport),
temp_targetipport = trim("'", temp_targetipport)
| extend
temp_srcipport = trim('"', temp_srcipport),
temp_targetipport = trim('"', temp_targetipport)
| parse temp_srcipport with * "[" temp_srcip "]:" temp_srcport
| extend SrcIpAddr = iff(temp_srcipport has ".", split(temp_srcipport, ":")[0], coalesce(temp_srcip, temp_srcipport))
| parse temp_targetipport with * "[" temp_targetip "]:" temp_targetport
| extend TargetIpAddr = iff(temp_targetipport has ".", split(temp_targetipport, ":")[0], coalesce(temp_targetip, temp_targetipport))
| extend TargetPortNumber = iff(TargetIpAddr has ".", toint(split(temp_targetipport, ":")[1]), toint(coalesce(temp_targetport, "")))
| extend SrcPortNumber = case(
isnotempty(temp_srcipport),
iff(SrcIpAddr has ".", toint(split(temp_srcipport, ":")[1]), toint(coalesce(temp_srcport, ""))),
Substring has_cs "Port",
toint(Port),
Operation == "Port status change",
toint(port),
int(null)
)
| extend EventResult = case(
(Operation == "Port status change" and Substring has "from Down") or (Operation has_cs "Spanning-tree guard state change" and Substring has_any ("connected", "forwarding")),
"Success",
(Operation == "Port status change" and Substring has "to Down") or (Operation has_cs "Spanning-tree guard state change" and Substring has_any ("disconnected", "error disabled", "blocked", "disabled", "not configured")),
"Failure",
Operation has_cs "Spanning-tree guard state change" and Substring has "learning",
"Partial",
EventResult
)
| extend EventType = case(Operation in("Port status change", "Spanning-tree guard state change") and EventResult == "Success", "Enable",
(Operation == "Port status change" and EventResult == "Failure") or (Operation == "Spanning-tree guard state change" and EventResult in ("Partial", "Failure")), "Disable",
EventType
)
| lookup EventSeverityLookup on EventResult
| extend
EventResultDetails = case(
Operation == "VPN connectivity change" and isnotempty(connectivity), strcat("connectivity=", connectivity),
Operation == "IPsec-SA request queued" or Operation == "Phase2 negotiation failed", split(Substring, 'due to')[1],
Substring has "Site-to-site", split(Substring, 'Site-to-site ')[1],
Substring
),
EventMessage = Substring,
EventOriginalType = LogType,
EventUid = _ResourceId
| invoke _ASIM_ResolveDvcFQDN('Device')
| extend
Dvc = DvcHostname,
IpAddr = SrcIpAddr,
Src = SrcIpAddr,
EventEndTime = EventStartTime,
EventCount = int(1),
EventProduct = "Meraki",
EventVendor = "Cisco",
EventSchema = "AuditEvent",
EventSchemaVersion = "0.1"
| project-away
LogMessage,
Parser,
Epoch,
EpochTimestamp,
Device,
Substring,
TempOperation*,
temp*,
STPMac,
peer_contact,
connectivity,
Port*,
port,
portnextpart,
LogType,
type,
TenantId,
SourceSystem,
Computer,
_ResourceId,
MG,
ManagementGroupName,
RawData,
EventTime,
Facility,
HostName,
SeverityLevel,
ProcessID,
HostIP,
ProcessName
};
parser(disabled=disabled)
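Review bot: `EventUid = _ResourceId`, set in the extend just before `invoke _ASIM_ResolveDvcFQDN('Device')`, does not give each event a unique identifier: `_ResourceId` identifies the resource that forwarded the log, so every record from the same collector shares one EventUid, and the `meraki_CL` side of the `union isfuzzy=true` may not carry that column at all, leaving it empty. Any dedup, alert grouping or incident correlation keyed on EventUid would then collapse distinct audit events into one. A per-record identifier should be used instead, e.g. `EventUid = _ItemId` if that column is present on both source tables, or a value derived from the raw record such as `EventUid = hash_sha256(strcat(TimeGenerated, LogMessage))`. Separately, rows whose lookup `EventResult` is empty (`STP BPDU`, `port status change`) only receive an `EventSeverity` when the later `case` resolves the result, so a port message that is neither `from Down` nor `to Down` ends with a blank severity; a trailing default such as `EventSeverity = coalesce(EventSeverity, "Informational")` after the `lookup EventSeverityLookup` would close that gap.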


@ -21,8 +21,8 @@ Parsers:
- _Im_AuditEvent_MicrosoftExchangeAdmin365
- _Im_AuditEvent_AzureActivity
- _Im_AuditEvent_MicrosoftWindowsEvents
- _Im_AuditEvent_CiscoISE
- _Im_AuditEvent_CiscoMeraki
ParserParams:
- Name: starttime
Type: datetime
@ -62,4 +62,6 @@ ParserQuery: |
vimAuditEventEmpty,
ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),
ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers))),
ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),
ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))
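Review bot: The exclusion key for the new ISE entry, `ExcludeASimAuditEventCiscoISE`, breaks the `Excludevim…` naming that every other entry in this union uses, including the Meraki line added right below it, so a caller that follows that convention and passes `ExcludevimAuditEventCiscoISE` in DisabledParsers will silently keep the ISE parser enabled. The line should read `ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers))),`. The union's ParserQuery begins before this hunk, so the DisabledParsers declaration itself is not visible here.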


@ -0,0 +1,360 @@
Parser:
Title: Audit Event ASIM filtering parser for Cisco ISE
Version: '0.1'
LastUpdated: July 13, 2023
Product:
Name: Cisco ISE
Normalization:
Schema: AuditEvent
Version: '0.1.0'
References:
- Title: ASIM Audit Event Schema
Link: https://aka.ms/ASimAuditEventDoc
- Title: ASIM
Link: https:/aka.ms/AboutASIM
- Title: Cisco ISE Security Events
Link: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_maintain_monitor.html#ID58
Description: |
This ASIM parser supports normalizing administrative activity in the Cisco ISE events to the ASIM Audit Event schema.
ParserName: vimAuditEventCiscoISE
EquivalentBuiltInParser: _Im_AuditEvent_CiscoISE
ParserParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: actorusername_has_any
Type: dynamic
Default: dynamic([])
- Name: operation_has_any
Type: dynamic
Default: dynamic([])
- Name: eventtype_in
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: '*'
- Name: object_has_any
Type: dynamic
Default: dynamic([])
- Name: newvalue_has_any
Type: dynamic
Default: dynamic([])
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventFieldsLookup=datatable(
EventOriginalType: int,
EventType: string,
EventResult: string,
EventOriginalSeverity: string,
EventSeverity: string,
Object: string,
Operation: string,
EventMessage: string
)[
"52000", "Create", "Success", "NOTICE", "Informational", "ISE instance", "Added configuration", "Added configuration",
"52001", "Set", "Success", "NOTICE", "Informational", "ISE instance", "Changed configuration", "Changed configuration",
"52002", "Delete", "Success", "NOTICE", "Informational", "ISE instance", "Deleted configuration", "Deleted configuration",
"52003", "Other", "Success", "NOTICE", "Informational", "Node", "Deregister Node", "One of the ISE instances in the deployment has been de-registered.",
"52004", "Other", "Success", "NOTICE", "Informational", "Node", "Register Node", "A new ISE instance has been registered and has joined the deployment.",
"52005", "Enable", "Success", "NOTICE", "Informational", "Node", "Activate Node", "An ISE instance has been activated to receive updates from the Primary node.",
"52006", "Disable", "Success", "NOTICE", "Informational", "Node", "Deactivate ISE Node", "An ISE instance has been deactivated and will no longer receive updates from the Primary node.",
"52007", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Force Full replication", "A Force Full replication has been issued for an ISE instance.",
"52008", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Replacement Register Handler", "A new ISE instance has joined the deployment through hardware replacement.",
"52009", "Other", "Success", "NOTICE", "Informational", "Node", "Promote Node", "A Secondary node has been promoted to be the Primary node of the deployment.",
"52013", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Hardware Replacement", "A new ISE instance has joined the deployment through hardware replacement.",
"52015", "Enable", "Success", "NOTICE", "Informational", "LogCollector Target", "Enable LogCollector Target", "Enable the deployment Log Collector target.",
"52016", "Other", "Success", "NOTICE", "Informational", "LogCollector Node", "Select LogCollector Node", "The Log Collector node for the deployment has been selected.",
"52017", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Apply software update", "Apply a software update to the selected ISE instances.",
"52030", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Full replication succeeded", "Full replication was completed successfully",
"52031", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Full replication failed", "Failed to complete full replication",
"52033", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Registration succeeded", "Registration with the primary node was completed successfully",
"52035", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Registration failed", "Failed to perform the full replication requested by the primary instance",
"52038", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Registration succeeded", "The ISE instance was successfully joined to a distributed ISE deployment",
"52039", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Registration failed", "The ISE instance was unable to join a distributed deployment",
"52042", "Other", "Success", "NOTICE", "Informational", "Primary instance", "Demotion succeeded", "Demotion of the existing primary instance was completed successfully",
"52043", "Other", "Failure", "NOTICE", "Low", "Primary instance", "Demotion failed", "Demotion of the existing primary instance failed",
"52045", "Other", "Success", "NOTICE", "Informational", "Secondary instance", "Promotion succeeded", "Promotion of the secondary instance was completed successfully",
"52046", "Other", "Failure", "NOTICE", "Low", "Secondary instance", "Promotion failed", "Promotion of a secondary instance failed",
"52072", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Deregister succeeded", "Deregistration was completed successfully",
"52073", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Deregister failed", "Deregistration failed",
"52078", "Delete", "Failure", "NOTICE", "Low", "ISE secondary instance", "Delete node failed", "Failed to delete the ISE secondary instance in inactive mode from the deployment",
"52079", "Delete", "Success", "NOTICE", "Informational", "ISE secondary instance", "Delete node succeeded", "The ISE primary instance successfully deleted the secondary instance in inactive mode",
"52080", "Delete", "Failure", "NOTICE", "Low", "ISE secondary instance", "Delete node failed", "Failed to delete the ISE secondary instance in inactive mode from the primary instance",
"52082", "Other", "Failure", "NOTICE", "Low", "ISE secondary instance", "Backup failed", "An immediate backup for the secondary instance failed",
"52084", "Other", "Success", "NOTICE", "Informational", "ISE primary instance", "Backup succeeded", "An immediate backup for the primary instance was completed successfully",
"52085", "Other", "Failure", "NOTICE", "Low", "ISE primary instance", "Backup failed", "An immediate backup for the primary failed",
"52091", "Other", "Failure", "NOTICE", "Low", "Update bundle", "Software update failed", "Software update download of update bundle failed",
"52092", "Other", "Success", "NOTICE", "Informational", "ISE instance", "Software update succeeded", "The software update was completed successfully",
"52093", "Other", "Failure", "NOTICE", "Low", "ISE instance", "Software update failed", "The software update failed",
"57000", "Other", "Success", "NOTICE", "Informational", "Log file(s)", "Deleted rolled-over local log file(s)", "Deleted rolled-over local log file(s)",
"58001", "Other", "Success", "NOTICE", "Informational", "ISE process", "ISE process started", "An ISE process has started",
"58002", "Other", "Success", "NOTICE", "Informational", "ISE process", "ISE process stopped", "An ISE process has stopped",
"58003", "Other", "Success", "NOTICE", "Informational", "ISE processes", "ISE processes started", "All ISE processes have started",
"58004", "Other", "Success", "NOTICE", "Informational", "ISE processes", "ISE processes stopped", "All ISE processes have stopped",
"58005", "Other", "Success", "NOTICE", "Informational", "ISE process", "ISE process was restarted by watchdog service", "The watchdog service has restarted an ISE process",
"60000", "Install", "Success", "NOTICE", "Informational", "Node", "Patch installation completed successfully on the node", "Patch installation completed successfully on the node",
"60001", "Install", "Failure", "NOTICE", "Low", "Node", "Patch installation failed on the node", "Patch installation failed on the node",
"60002", "Other", "Success", "NOTICE", "Informational", "Node", "Patch rollback completed successfully on the node", "Patch rollback completed successfully on the node",
"60003", "Other", "Failure", "NOTICE", "Low", "Node", "Patch rollback failed on the node", "Patch rollback failed on the node",
"60050", "Create", "Success", "NOTICE", "Informational", "Node", "Node added to deployment successfully", "Node added to deployment successfully",
"60051", "Create", "Failure", "NOTICE", "Low", "Node", "Failed to add node to deployment", "Failed to add node to deployment",
"60052", "Delete", "Success", "NOTICE", "Informational", "Node", "Node removed from deployment", "Node removed from deployment",
"60053", "Delete", "Failure", "NOTICE", "Low", "Node", "Failed to remove node from deployment", "Failed to remove node from deployment",
"60054", "Other", "Success", "NOTICE", "Informational", "Node", "Node updated successfully", "Node updated successfully",
"60055", "Other", "Failure", "NOTICE", "Low", "Node", "Failed to update node", "Failed to update node",
"60056", "Other", "Success", "NOTICE", "Informational", "Cluster", "The runtime status of the node group has changed", "There is a change in the cluster state",
"60057", "Other", "Success", "NOTICE", "Informational", "PSN node", "A PSN node went down", "One of the PSN nodes in the node group has gone down",
"60058", "Other", "Success", "NOTICE", "Informational", "Heartbeat System", "The initial status of the heartbeat system", "The initial status of the heartbeat system",
"60059", "Other", "Success", "NOTICE", "Informational", "Node", "Node has successfully registered with MnT", "Node has successfully registered with MnT",
"60060", "Other", "Success", "NOTICE", "Informational", "Policy Service nodes", "Administrator invoked OCSP Clear Cache operation for all Policy Service nodes", "The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes",
"60061", "Other", "Success", "NOTICE", "Informational", "Policy Service nodes", "OCSP Clear Cache operation completed successfully", "OCSP Clear Cache operation completed successfully on all Policy Service nodes",
"60062", "Other", "Failure", "NOTICE", "Low", "Policy Service nodes", "OCSP Clear Cache operation terminated with error", "OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes",
"60063", "Other", "Success", "NOTICE", "Informational", "ISE secondary node", "Replication to node completed successfully", "Replication of data to secondary node completed successfully",
"60064", "Other", "Failure", "NOTICE", "Low", "ISE secondary node", "Replication to node failed", "Replication of data to secondary node failed",
"60068", "Other", "Success", "INFO", "Informational", "Profiler Feed Service", "Profiler Feed Service - manual download initiated", "The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request",
"60069", "Other", "Success", "INFO", "Informational", "Profiler Feed Service", "Profiler Feed Service - Profiles Downloaded", "The Profiler Feed Service has downloaded new and/or updated Profiles",
"60070", "Other", "Success", "INFO", "Informational", "Profiler Feed Service", "Profiler Feed Service - No Profiles Downloaded", "The Profiler Feed Service found no new and/or updated Profiles to download",
"60083", "Set", "Success", "INFO", "Informational", "Syslog Server", "Syslog Server configuration change", "Syslog Server configuration change has occurred",
"60084", "Set", "Success", "INFO", "Informational", "ADEOS CLI user", "ADEOS CLI user configuration change", "Configuration change occurred for ADEOS CLI user",
"60085", "Set", "Success", "INFO", "Informational", "ADEOS Repository", "ADEOS Repository configuration change", "Configuration change occurred for ADEOS repository",
"60086", "Set", "Success", "INFO", "Informational", "ADEOS SSH Service", "ADEOS SSH Service configuration change", "Configuration change occurred for ADEOS SSH Service",
"60087", "Set", "Success", "INFO", "Informational", "ADEOS Maximum SSH CLI sessions", "ADEOS Maximum SSH CLI sessions configuration change", "Configuration change occurred for ADEOS Maximum CLI sessions",
"60088", "Set", "Success", "INFO", "Informational", "ADEOS SNMP agent", "ADEOS SNMP agent configuration change", "Configuration change occurred for ADEOS SNMP agent",
"60089", "Set", "Success", "INFO", "Informational", "ADEOS CLI kron scheduler", "ADEOS CLI kron scheduler policy configuration change", "Configuration change occurred for ADEOS CLI kron scheduler policy",
"60090", "Set", "Success", "INFO", "Informational", "ADEOS CLI kron scheduler", "ADEOS CLI kron scheduler occurence configuration change", "Configuration change occurred for ADEOS CLI kron scheduler occurence",
"60091", "Set", "Success", "INFO", "Informational", "ADEOS CLI pre-login banner", "ADEOS CLI pre-login banner configuration change", "Configuration change occurred for ADEOS CLI pre-login banner",
"60092", "Set", "Success", "INFO", "Informational", "ADEOS CLI post-login banner", "ADEOS CLI post-login banner configuration change", "Configuration change occurred for ADEOS CLI post-login banner",
"60094", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE Backup has completed successfully", "ISE Backup has completed successfully",
"60095", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE Backup has failed", "ISE Backup has failed",
"60097", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE Log Backup has completed successfully", "ISE Log Backup has completed successfully",
"60098", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE Log Backup has failed", "ISE Log Backup has failed",
"60100", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE Restore has completed successfully", "ISE Restore has completed successfully",
"60101", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE Restore has failed", "ISE Restore has failed",
"60102", "Install", "Success", "INFO", "Informational", "ISE instance", "Application installation completed successfully", "Application installation completed successfully",
"60103", "Install", "Failure", "ERROR", "Low", "ISE instance", "Application installation failed", "Application installation failed",
"60105", "Delete", "Success", "INFO", "Informational", "ISE instance", "Application remove completed successfully", "Application remove completed successfully",
"60106", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Application remove failed", "Application remove failed",
"60107", "Other", "Failure", "ERROR", "Low", "ISE instance", "Application upgrade failed", "Application upgrade failed",
"60111", "Delete", "Success", "INFO", "Informational", "ISE instance", "Application patch remove has completed successfully", "Application patch remove has completed successfully",
"60112", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Application patch remove has failed", "Application patch remove has failed",
"60113", "Other", "Success", "WARN", "Informational", "ISE server", "ISE server reload has been initiated", "ISE server reload has been initiated",
"60114", "Other", "Success", "WARN", "Informational", "ISE server", "ISE server shutdown has been initiated", "ISE server shutdown has been initiated",
"60118", "Delete", "Success", "INFO", "Informational", "File", "ADEOS CLI user has used delete CLI to delete file", "ADEOS CLI user has used delete CLI to delete file",
"60119", "Execute", "Success", "INFO", "Informational", "File", "ADEOS CLI user has used copy CLI to copy file", "ADEOS CLI user has used copy CLI to copy file",
"60120", "Execute", "Success", "INFO", "Informational", "Directory", "ADEOS CLI user has used mkdir CLI to create a directory", "ADEOS CLI user has used mkdir CLI to create a directory",
"60121", "Other", "Success", "INFO", "Informational", "System Config", "ADEOS CLI user has copied out running system configuration", "ADEOS CLI user has copied out running system configuration",
"60122", "Other", "Success", "INFO", "Informational", "System Config", "ADEOS CLI user has copied in system configuration", "ADEOS CLI user has copied in system configuration",
"60123", "Other", "Success", "INFO", "Informational", "System Config", "ADEOS CLI user has saved running system configuration", "ADEOS CLI user has saved running system configuration",
"60126", "Install", "Failure", "ERROR", "Low", "ISE instance", "Application patch installation failed", "Application patch installation failed",
"60128", "Other", "Failure", "ERROR", "Low", "File", "Failure occurred trying to copy file in from ADEOS CLI", "Failure occurred trying to copy file in from ADEOS CLI",
"60129", "Other", "Failure", "ERROR", "Low", "File", "Failure occurred trying to copy file out from ADEOS CLI", "Failure occurred trying to copy file out from ADEOS CLI",
"60130", "Set", "Success", "INFO", "Informational", "ISE Backup", "ISE Scheduled Backup has been configured", "ISE Scheduled Backup has been configured",
"60131", "Create", "Success", "INFO", "Informational", "ISE Support bundle", "ISE Support bundle has been created from web UI", "ISE Support bundle has been created from web UI",
"60132", "Delete", "Success", "INFO", "Informational", "ISE Support bundle", "ISE Support bundle has been deleted from web UI", "ISE Support bundle has been deleted from web UI",
"60133", "Other", "Failure", "ERROR", "Low", "ISE Support bundle", "ISE Support bundle generation from web UI has failed", "ISE Support bundle generation from web UI has failed",
"60153", "Other", "Success", "INFO", "Informational", "Certificate", "Certificate has been exported", "Certificate has been exported",
"60166", "Other", "", "WARN", "Informational", "Certificate", "Certificate will expire soon", "Certificate Expiration warning",
"60167", "Other", "", "WARN", "Informational", "Certificate", "Certificate has expired", "Certificate has expired",
"60172", "Other", "Success", "INFO", "Informational", "ISE instance", "Alarm(s) has/have been acknowledged", "These alarms are acknowledged and will not be displayed on the Dashboard",
"60173", "Other", "Success", "INFO", "Informational", "ISE instance", "Outdated alarms are purged", "Only latest 15000 alarms would be retained and rest of them are purged",
"60187", "Other", "Success", "INFO", "Informational", "ISE instance", "Application upgrade succeeded", "Application upgrade succeeded",
"60189", "Set", "Success", "INFO", "Informational", "ISE instance", "Terminal Session timeout has been modified", "Configuration change occurred for ADEOS CLI Terminal Session timeout",
"60193", "Set", "Success", "INFO", "Informational", "ISE instance", "RSA key configuration has been modified", "Configuration change occurred for ADEOS CLI RSA key",
"60194", "Set", "Success", "INFO", "Informational", "ISE instance", "Host key configuration has been modified", "Configuration change occurred for ADEOS CLI host key",
"60197", "Disable", "Success", "NOTICE", "Informational", "Certificate", "Revoked ISE CA issued Certificate.", "Certificate issued to Endpoint by ISE CA is revoked by Administrator",
"60198", "Delete", "Success", "INFO", "Informational", "MnT", "MnT purge event occurred", "MnT purge event occurred",
"60199", "Other", "Success", "INFO", "Informational", "ISE instance", "An IP-SGT mapping was deployed successfully", "An IP-SGT mapping was deployed successfully to a TrustSec device",
"60200", "Other", "Failure", "INFO", "Low", "ISE instance", "An IP-SGT mapping has failed deploying", "An IP-SGT mapping has failed deploying to a TrustSec device",
"60201", "Other", "Success", "INFO", "Informational", "ISE instance", "IP-SGT deployment to TrustSec device was successful", "IP-SGT deployment to TrustSec device was successful",
"60202", "Other", "Failure", "INFO", "Low", "ISE instance", "IP-SGT deployment to TrustSec device failed", "IP-SGT deployment to TrustSec device failed",
"60207", "Set", "Success", "INFO", "Informational", "ISE instance", "Logging loglevel configuration has been modified", "Configuration change occurred for ADEOS CLI logging loglevel",
"60208", "Other", "Success", "INFO", "Informational", "ISE instance", "Root CA certificate has been replaced", "Root CA certificate has been replaced",
"60209", "Enable", "Success", "INFO", "Informational", "CA service", "CA service enabled", "CA service enabled",
"60210", "Disable", "Success", "INFO", "Informational", "CA service", "CA service disabled", "CA service disabled",
"60213", "Other", "Success", "INFO", "Informational", "ISE instance", "CA keys were replaced by import operation", "CA keys were replaced by import operation",
"60214", "Other", "Success", "INFO", "Informational", "ISE instance", "CA keys were exported", "CA keys were exported",
"60215", "Other", "Success", "INFO", "Informational", "ISE instance", "Endpoint certs were marked expired", "Endpoint certs were marked expired by daily scheduled job",
"60216", "Delete", "Success", "INFO", "Informational", "ISE instance", "Endpoint certs were purged", "Endpoint certs were purged by daily scheduled job",
"60451", "Enable", "Success", "INFO", "Informational", "ISE instance", "Telemetry is enabled on this deployment", "Telemetry is enabled on this deployment",
"60452", "Disable", "Success", "INFO", "Informational", "ISE instance", "Telemetry is disabled on this deployment", "Telemetry is disabled on this deployment",
"61002", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new SGT from IEPG", "ISE has learned a new SGT from IEPG",
"61003", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has propagated a new EEPG to APIC", "ISE has propagated a new EEPG to APIC.",
"61004", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new SXP mapping from APIC endpoint", "ISE has learned a new SXP mapping from APIC endpoint",
"61005", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has propagated a new endpoint(SXP mapping) to APIC", "ISE has propagated a new endpoint(SXP mapping) to APIC",
"61006", "Delete", "Success", "INFO", "Informational", "SGT", "ISE has removed an SGT due to deleted IEPG", "ISE has removed an SGT due to deleted IEPG",
"61007", "Delete", "Success", "INFO", "Informational", "APIC", "ISE has removed EEPG from APIC due to SGT deletion", "ISE has removed EEPG from APIC due to SGT deletion",
"61008", "Delete", "Success", "INFO", "Informational", "APIC", "ISE has removed an SXP mapping due to endpoint deletion on APIC", "ISE has removed an SXP mapping due to endpoint deletion on APIC",
"61009", "Delete", "Success", "INFO", "Informational", "APIC", "ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC", "ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC",
"61016", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh EPG subscriber against APIC", "ISE failed to refresh EPG subscriber against APIC",
"61017", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh endpoint subscriber against APIC", "ISE failed to refresh endpoint subscriber against APIC",
"61018", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh EEPG subscriber against APIC", "ISE failed to refresh EEPG subscriber against APIC",
"61020", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE failed to refresh L3EXTOUT subscriber against APIC", "ISE failed to refresh L3EXTOUT subscriber against APIC",
"61022", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE has failed to propagate SGT to EEPG", "ISE has failed to propagate SGT to EEPG",
"61023", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE has failed to learn IEPG from APIC", "ISE has failed to learn IEPG from APIC",
"61024", "Other", "Failure", "INFO", "Low", "ISE instance", "ISE has failed to parse VRF for EPG", "ISE has failed to parse VRF for EPG",
"61030", "Other", "Failure", "INFO", "Low", "ISE instance", "TrustSec deploy verification was canceled.", "TrustSec deployment verification process was canceled as a new TrustSec deploy started.",
"61033", "Other", "Success", "INFO", "Informational", "ISE instance", "TrustSec deployment verification process succeeded.", "ISE trustsec configuration was successfully deployed to all network access devices.",
"61034", "Other", "", "INFO", "Low", "ISE instance", "Maximum resource limit reached.", "Maximum resource limit reached.",
"61051", "Set", "Success", "INFO", "Informational", "ISE instance", "Synflood-limit configured", "Synflood-limit configured",
"61052", "Set", "Success", "INFO", "Informational", "ISE instance", "Rate-limit configured", "Rate-limit configured",
"61100", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new tenant from ACI", "ISE has learned a new tenant from ACI",
"61101", "Delete", "Success", "INFO", "Informational", "ACI tenant", "ISE has removed ACI tenant", "ISE has removed ACI tenant",
"61102", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to learn new tenant from ACI in ISE", "Failed to learn new tenant from ACI in ISE",
"61103", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Failed to remove ACI tenant in ISE", "Failed to remove ACI tenant in ISE",
"61104", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new tenant from SDA", "ISE has learned a new tenant from SDA",
"61105", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new VN info", "IISE has learned a new VN info",
"61106", "Create", "Failure", "ERROR", "Low", "ISE instance", "Failed to create VN info in ISE", "Failed to create VN info in ISE",
"61107", "Other", "Success", "INFO", "Informational", "ISE instance", "VN info is updated in ISE", "VN info is updated in ISE",
"61108", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to update VN info in ISE", "Failed to update VN info in ISE",
"61109", "Delete", "Success", "INFO", "Informational", "ACI tenant", "VN info is deleted in ISE", "VN info is deleted in ISE",
"61110", "Delete", "Failure", "ERROR", "Low", "ISE instance", "Failed to deleted VN info in ISE", "Failed to deleted VN info in ISE",
"61111", "Other", "Failure", "ERROR", "Low", "ISE instance", "Domain registration process failed", "Domain registration process failed",
"61114", "Other", "Success", "INFO", "Informational", "ISE instance", "Domain registration completed successfully", "Domain registration completed successfully",
"61115", "Other", "Failure", "ERROR", "Low", "ISE instance", "Domain registration failed", "Domain registration failed",
"61116", "Other", "Failure", "ERROR", "Low", "ACI certificate", "Unable to store ACI certificate", "Unable to store ACI certificate",
"61117", "Other", "Success", "INFO", "Informational", "ACI connector", "ACI connector started successfully", "ACI connector started successfully",
"61118", "Other", "Failure", "ERROR", "Low", "ACI connector", "Failed to start ACI connector", "Failed to start ACI connector",
"61120", "Delete", "Success", "INFO", "Informational", "ACI certificate", "Successfully deleted ACI certificate from ISE", "Successfully deleted ACI certificate from ISE",
"61121", "Delete", "Failure", "ERROR", "Low", "ACI certificate", "Failed to delete ACI certificate from ISE", "Failed to delete ACI certificate from ISE",
"61122", "Delete", "Failure", "ERROR", "Low", "ACI keystore", "Failed to delete ACI keystore", "Failed to delete ACI keystore",
"61123", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new ACI domain", "ISE has learned a new ACI domain",
"61124", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to learn a new ACI domain", "Failed to learn a new ACI domain",
"61125", "Delete", "Success", "INFO", "Informational", "ACI domain", "ISE has removed ACI domain", "ISE has removed ACI domain",
"61126", "Delete", "Failure", "ERROR", "Low", "ACI domain", "Failed to remove ACI domain", "Failed to remove ACI domain",
"61127", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE has learned a new SDA domain", "ISE has learned a new SDA domain",
"61128", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to learn a new SDA domain", "Failed to learn a new SDA domain",
"61129", "Delete", "Success", "INFO", "Informational", "SDA domain", "ISE has removed SDA domain", "ISE has removed SDA domain",
"61130", "Delete", "Failure", "ERROR", "Low", "SDA domain", "Failed to remove SDA domain", "Failed to remove SDA domain",
"61158", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE failed in receiving SDA SXP configuration", "ISE failed in receiving SDA SXP configuration",
"61160", "Other", "Failure", "ERROR", "Low", "ISE instance", "ISE failed to publish Gateway advertisement message to ACI", "ISE failed to publish Gateway advertisement message to ACI",
"61161", "Other", "Success", "INFO", "Informational", "ISE instance", "ISE learned new SXP Listener", "ISE learned new SXP Listener",
"61162", "Other", "Success", "INFO", "Informational", "SXP Listener", "ISE updates VN defined for SXP Listener", "ISE updates VN defined for SXP Listener",
"61163", "Other", "Success", "INFO", "Informational", "SXP Listener", "ISE learned new VN defined for SXP Listener", "ISE learned new VN defined for SXP Listener",
"61164", "Other", "Success", "INFO", "Informational", "SXP Listener", "ISE updates SXP Listener", "ISE updates SXP Listener",
"61165", "Delete", "Success", "INFO", "Informational", "SXP Listener", "ISE removed all SXP connections related to SXP Listener", "ISE removed all SXP connections related to SXP Listener",
"61166", "Other", "Success", "INFO", "Informational", "ACI", "ACI published Gateway advertisement message to SDA", "ACI published Gateway advertisement message to SDA",
"61167", "Other", "Success", "INFO", "Informational", "ISE instance", "Send ACI Gateway advertisement message to ISE", "Send ACI Gateway advertisement message to ISE",
"61168", "Other", "Failure", "ERROR", "Low", "ISE instance", "Failed to send ACI Gateway advertisement message to ISE", "Failed to send ACI Gateway advertisement message to ISE/SDA",
"61169", "Other", "Success", "INFO", "Informational", "ISE instance", "Successfully Send ACI Gateway advertisement message", "Successfully Send ACI Gateway advertisement message",
"61234", "Other", "Success", "WARN", "Informational", "ISE instance", "Got event with unknown properties", "Got event with unknown properties",
"62000", "Execute", "Success", "INFO", "Informational", "ISE instance", "Agentless script execute completed", "Agentless script execute completed",
"62001", "Execute", "Failure", "WARN", "Low", "ISE instance", "Agentless script execute failed", "Agentless script execute failed",
"62002", "Other", "Success", "INFO", "Informational", "ISE instance", "Agentless script upload completed", "Agentless script upload completed",
"62003", "Other", "Failure", "WARN", "Low", "ISE instance", "Agentless script upload failed", "Agentless script upload failed",
"61300", "Other", "Success", "INFO", "Informational", "ISE instance", "Network Access policy request", "Network Access policy request",
"61301", "Other", "Success", "INFO", "Informational", "ISE instance", "Device Admin policy request", "Device Admin policy request",
"61302", "Other", "Success", "INFO", "Informational", "ISE instance", "Policy component request", "Policy component request",
"60467", "Other", "Failure", "ERROR", "Low", "ISE instance", "OCSP Certificate renewal failed", "OCSP Certificate renewal failed.",
"60468", "Other", "Failure", "ERROR", "Low", "ISE instance", "Root CA Regeneration failed", "Regeneration of Root CA failed.",
"62008", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync service starts", "Meraki connector sync service starts",
"62009", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync service stops", "Meraki connector sync service stops",
"62010", "Other", "Failure", "WARN", "Low", "Meraki connector", "Meraki connector sync service failure", "Meraki connector sync service failure",
"62011", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync cycle starts", "Meraki connector sync cycle starts",
"62012", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync cycle stops", "Meraki connector sync cycle stops",
"62013", "Other", "Failure", "WARN", "Low", "Meraki connector", "Meraki connector sync cycle failure", "Meraki connector sync cycle failure",
"62014", "Other", "Success", "INFO", "Informational", "Meraki connector", "Meraki connector sync operation success", "Meraki connector sync operation success",
"62015", "Other", "Failure", "WARN", "Low", "Meraki connector", "Meraki connector sync operation failure", "Meraki connector sync operation failure",
"62016", "Other", "Success", "INFO", "Informational", "ISE instance", "Port 2484 opened for Data Connect", "Port 2484 opened for Data Connect",
"62017", "Other", "Success", "INFO", "Informational", "ISE instance", "Data Connect port 2484 closed", "Data Connect port 2484 closed"
];
let CiscoISEAuditParser=(
starttime: datetime=datetime(null),
endtime: datetime=datetime(null),
srcipaddr_has_any_prefix: dynamic=dynamic([]),
eventresult: string='*',
actorusername_has_any: dynamic=dynamic([]),
eventtype_in: dynamic=dynamic([]),
operation_has_any: dynamic=dynamic([]),
object_has_any: dynamic=dynamic([]),
newvalue_has_any: dynamic=dynamic([]),
disabled: bool = false
) {
let EventOriginalTypeList = toscalar(EventFieldsLookup
| where (eventresult == "*" or eventresult == EventResult)
and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
| summarize make_set(EventOriginalType));
Syslog
| where not(disabled)
//***************************** <Prefiltering> **************************
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
//***************************** </Prefiltering> *************************
| where ProcessName has_any ("CISE", "CSCO")
| parse SyslogMessage with * " " longvalue:long " " EventOriginalType:int " " *
| where EventOriginalType in (EventOriginalTypeList)
| where
(array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))
and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))
and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))
and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))
| project
TimeGenerated,
EventTime,
EventOriginalType,
Computer,
HostName,
HostIP,
SyslogMessage
| lookup EventFieldsLookup on EventOriginalType
| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')
| project-rename
SrcIpAddr=['Remote-Address']
, TargetIpAddr =['Device IP Address']
| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))
| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)
| extend ActorUsername = coalesce(['User-Name'], UserName, User)
| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)
| where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))
| extend
DvcIpAddr = iif(isnotempty(HostIP) and HostIP != "Unknown IP", HostIP, extract(@"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", 1, Computer))
, EventStartTime = coalesce(EventTime, TimeGenerated)
, EventEndTime = coalesce(EventTime, TimeGenerated)
, EventVendor = "Cisco"
, EventProduct = "ISE"
, EventProductVersion = "3.2"
, EventCount = int(1)
, EventSchema = "AuditEvent"
, EventSchemaVersion = "0.1.0"
, ObjectType = "Configuration Atom"
, TargetAppName = "ISE"
, TargetAppType = "Service"
// ***************** <Aliases> ********************
| extend
Dvc = coalesce(DvcIpAddr, DvcHostname)
, Application = TargetAppName
, IpAddr = coalesce(SrcIpAddr, TargetIpAddr)
, Dst = TargetIpAddr
, Src = SrcIpAddr
, User = ActorUsername
// ***************** </Aliases> *******************
| project-away
EventTime,
Computer,
HostName,
SyslogMessage,
NetworkDeviceName,
['User-Name'],
UserName
};
CiscoISEAuditParser(
starttime = starttime,
endtime = endtime,
srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
actorusername_has_any = actorusername_has_any,
eventtype_in = eventtype_in,
eventresult = eventresult,
operation_has_any = operation_has_any,
object_has_any=object_has_any,
newvalue_has_any=newvalue_has_any,
disabled=disabled
)
