Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Global Secure Access

This commit is contained in:
moti-ba 2024-08-08 14:25:04 +03:00
Родитель 5ab8f2cb62
Коммит 8a089f376b
59 изменённых файлов: 6995 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

197
.script/tests/KqlvalidationsTests/CustomTables/EnrichedMicrosoft365AuditLogs.json Normal file
Просмотреть файл

@ -0,0 +1,197 @@
{
"Name": "EnrichedMicrosoft365AuditLogs",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Id",
"Type": "string"
},
{
"Name": "RecordType",
"Type": "int"
},
{
"Name": "Operation",
"Type": "string"
},
{
"Name": "OrganizationId",
"Type": "string"
},
{
"Name": "UserType",
"Type": "string"
},
{
"Name": "ActorUserType",
"Type": "string"
},
{
"Name": "UserKey",
"Type": "string"
},
{
"Name": "Workload",
"Type": "string"
},
{
"Name": "ResultStatus",
"Type": "string"
},
{
"Name": "ObjectId",
"Type": "string"
},
{
"Name": "UserId",
"Type": "string"
},
{
"Name": "ClientIp",
"Type": "string"
},
{
"Name": "UniqueTokenId",
"Type": "string"
},
{
"Name": "DeviceId",
"Type": "string"
},
{
"Name": "DeviceOperatingSystem",
"Type": "string"
},
{
"Name": "DeviceOperatingSystemVersion",
"Type": "string"
},
{
"Name": "SourceIp",
"Type": "string"
},
{
"Name": "AdditionalProperties",
"Type": "dynamic"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "antId",
"Type": "string"
},
{
"Name": "Action",
"Type": "string"
},
{
"Name": "PolicyRuleId",
"Type": "string"
},
{
"Name": "PolicyId",
"Type": "string"
},
{
"Name": "SentBytes",
"Type": "long"
},
{
"Name": "ReceivedBytes",
"Type": "long"
},
{
"Name": "ReferrerHeader",
"Type": "string"
},
{
"Name": "OriginHeader",
"Type": "string"
},
{
"Name": "XForwardedFor",
"Type": "string"
},
{
"Name": "DestinationWebCategories",
"Type": "string"
},
{
"Name": "FilteringProfileId",
"Type": "string"
},
{
"Name": "FilteringProfileName",
"Type": "string"
},
{
"Name": "PolicyName",
"Type": "string"
},
{
"Name": "RuleName",
"Type": "string"
},
{
"Name": "InitiatingProcessName",
"Type": "string"
},
{
"Name": "ResourceTenantId",
"Type": "string"
},
{
"Name": "ThreatType",
"Type": "string"
},
{
"Name": "DestinationUrl",
"Type": "string"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "AppId",
"Type": "string"
},
{
"Name": "ConnectorId",
"Type": "string"
},
{
"Name": "ConnectorName",
"Type": "string"
},
{
"Name": "ConnectorIp",
"Type": "string"
},
{
"Name": "ConnectionStatus",
"Type": "string"
},
{
"Name": "AccessType",
"Type": "string"
},
{
"Name": "ProcessingRegion",
"Type": "string"
}
]
}

61
.script/tests/KqlvalidationsTests/CustomTables/RemoteNetworkHealthLogs.json Normal file
Просмотреть файл

@ -0,0 +1,61 @@
{
"Name": "RemoteNetworkHealthLogs",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "CreatedDateTime",
"Type": "datetime"
},
{
"Name": "Id",
"Type": "string"
},
{
"Name": "RemoteNetworkId",
"Type": "string"
},
{
"Name": "SourceIp",
"Type": "string"
},
{
"Name": "DestinationIp",
"Type": "string"
},
{
"Name": "Description",
"Type": "string"
},
{
"Name": "BgpRoutesAdvertisedCount",
"Type": "int"
},
{
"Name": "SentBytes",
"Type": "long"
},
{
"Name": "ReceivedBytes",
"Type": "long"
},
{
"Name": "Status",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
}
]
}

5
Logos/gsa.svg Normal file
Просмотреть файл

@ -0,0 +1,5 @@
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20">
<path d="M20 10c0 5.523-4.477 10-10 10S0 15.523 0 10 4.477 0 10 0s10 4.477 10 10Zm0 0" fill="#6df" fill-rule="nonzero" fill-opacity="1"/>
<path d="M10 0c5.523 0 10 4.477 10 10s-4.477 10-10 10S0 15.523 0 10 4.477 0 10 0Zm2.938 14.5H7.061c.653 2.414 1.786 4 2.938 4 1.156 0 2.29-1.586 2.941-4Zm-7.43 0H2.785a8.566 8.566 0 0 0 4.094 3.41c-.52-.82-.953-1.848-1.27-3.015Zm11.707 0h-2.723c-.324 1.332-.793 2.496-1.375 3.41a8.543 8.543 0 0 0 3.91-3.129ZM5.094 8H1.738l-.008.02A8.483 8.483 0 0 0 1.5 10c0 1.059.191 2.066.543 3h3.172C5.075 12.05 5 11.043 5 10c0-.684.031-1.352.094-2Zm8.304 0H6.602a19.41 19.41 0 0 0 .136 5h6.524a19.41 19.41 0 0 0 .137-5Zm4.864 0h-3.356c.063.648.094 1.316.094 2 0 1.043-.074 2.05-.219 3h3.172a8.398 8.398 0 0 0 .547-3c0-.688-.082-1.36-.238-2ZM6.882 2.09l-.023.008A8.547 8.547 0 0 0 2.25 6.5h3.047c.312-1.754.86-3.277 1.582-4.41ZM10 1.5l-.117.004C8.617 1.62 7.398 3.62 6.828 6.5h6.344c-.57-2.871-1.785-4.867-3.047-4.996Zm3.121.59.106.176c.668 1.109 1.175 2.57 1.472 4.234h3.051a8.555 8.555 0 0 0-4.34-4.29Zm0 0" fill="#225086" fill-rule="nonzero" fill-opacity="1"/>
<path d="M10 0a30.898 30.898 0 0 1 1.66 10c0 4.293-.89 7.754-1.66 10 5.484 0 10-4.516 10-10 0-5.523-4.477-10-10-10Zm0 0" fill="#0294e4" fill-rule="nonzero" fill-opacity="1"/>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 1.3 KiB

40
Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml Normal file
Просмотреть файл

@ -0,0 +1,40 @@
id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
name: Detect Connections Outside Operational Hours
description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
severity: High
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1h
queryPeriod: 24h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
- T1133
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let operational_start_hour = 8; // Start of operational hours (8 AM)
let operational_end_hour = 18; // End of operational hours (6 PM)
NetworkAccessTraffic
| where TimeGenerated between(starttime .. endtime)
| extend HourOfDay = datetime_part('hour', TimeGenerated)
| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

47
Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml Normal file
Просмотреть файл

@ -0,0 +1,47 @@
id: 57abf863-1c1e-46c6-85b2-35370b712c1e
name: Detect IP Address Changes and Overlapping Sessions
description: |
This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
severity: High
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1h
queryPeriod: 24h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
- T1133
query: |
// Identify sessions
let sessions =
NetworkAccessTraffic
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId
| sort by StartTime asc;
// Check for changed IP addresses and overlapping session times
sessions
| extend PreviousSourceIps = prev(SourceIps, 1)
| extend PreviousEndTime = prev(EndTime, 1)
| extend PreviousDeviceId = prev(DeviceId, 1)
| extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
| where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName
| where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ
| where PreviousEndTime > StartTime // Check for overlapping session times
| project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime
| extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

86
Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml Normal file
Просмотреть файл

@ -0,0 +1,86 @@
id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b
name: Accessed files shared by temporary external user
description: |
'This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let fileAccessThreshold = 10;
EnrichedMicrosoft365AuditLogs
| where Workload =~ "MicrosoftTeams"
| where Operation =~ "MemberAdded"
| extend MemberAdded = tostring(parse_json(tostring(AdditionalProperties)).Members[0].UPN)
| where MemberAdded contains "#EXT#"
| project TimeAdded = TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
| join kind=inner (
EnrichedMicrosoft365AuditLogs
| where Workload =~ "MicrosoftTeams"
| where Operation =~ "MemberRemoved"
| extend MemberAdded = tostring(parse_json(tostring(AdditionalProperties)).Members[0].UPN)
| where MemberAdded contains "#EXT#"
| project TimeDeleted = TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
) on MemberAdded, TeamName
| where TimeDeleted > TimeAdded
| join kind=inner (
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where Operation == "FileUploaded"
| extend MemberAdded = UserId, SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl), TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| join kind=inner (
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where Operation == "FileAccessed"
| extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl), TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
| where SourceRelativeUrl has "Microsoft Teams Chat Files"
| summarize FileAccessCount = count() by ObjectId, TeamName
| where FileAccessCount > fileAccessThreshold
) on ObjectId, TeamName
) on MemberAdded, TeamName
| project-away MemberAdded1, MemberAdded2, ObjectId1, Operation1, Operation2
| extend MemberAddedAccountName = tostring(split(MemberAdded, "@")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, "@")[1])
| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, "@")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, "@")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: MemberAdded
- identifier: Name
columnName: MemberAddedAccountName
- identifier: UPNSuffix
columnName: MemberAddedAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserWhoAdded
- identifier: Name
columnName: UserWhoAddedAccountName
- identifier: UPNSuffix
columnName: UserWhoAddedAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserWhoDeleted
- identifier: Name
columnName: UserWhoDeletedAccountName
- identifier: UPNSuffix
columnName: UserWhoDeletedAccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 2.1.1
kind: Scheduled

71
Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml Normal file
Просмотреть файл

@ -0,0 +1,71 @@
id: bff093b2-500e-4ae5-bb49-a5b1423cbd5b
name: External User Added and Removed in Short Timeframe
description: |
This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.
severity: Low
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1136
query: |
let TeamsAddDel = (Op:string){
EnrichedMicrosoft365AuditLogs
| where Workload =~ "MicrosoftTeams"
| where Operation == Op
| where tostring(AdditionalProperties.Members) has ("#EXT#")
| mv-expand Members = parse_json(tostring(AdditionalProperties.Members))
| extend UPN = tostring(Members.UPN)
| where UPN has ("#EXT#")
| project TimeGenerated, Operation, UPN, UserId, TeamName = tostring(AdditionalProperties.TeamName), ClientIP = SourceIp
};
let TeamsAdd = TeamsAddDel("MemberAdded")
| project TimeAdded = TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;
let TeamsDel = TeamsAddDel("MemberRemoved")
| project TimeDeleted = TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;
TeamsAdd
| join kind = inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved
| where TimeDeleted > TimeAdded
| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName
| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, "@")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded_Removed, "@")[1])
| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, "@")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, "@")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: MemberAdded_Removed
- identifier: Name
columnName: MemberAdded_RemovedAccountName
- identifier: UPNSuffix
columnName: MemberAddedAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserWhoAdded
- identifier: Name
columnName: UserWhoAddedAccountName
- identifier: UPNSuffix
columnName: UserWhoAddedAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserWhoDeleted
- identifier: Name
columnName: UserWhoDeletedAccountName
- identifier: UPNSuffix
columnName: UserWhoDeletedAccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
version: 2.1.2
kind: Scheduled

55
Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml Normal file
Просмотреть файл

@ -0,0 +1,55 @@
id: 500415fb-bba7-4227-a08a-9857fb61b6a7
name: Mail redirect via ExO transport rule
description: |
'Identifies when Exchange Online transport rule configured to forward emails.
This could be an adversary mailbox configured to collect mail from multiple user accounts.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
EnrichedMicrosoft365AuditLogs
| where Workload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| mv-apply DynamicParameters = todynamic(tostring(AdditionalProperties.Parameters)) on (
summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))
)
| extend RuleName = case(
Operation =~ "Set-TransportRule", ObjectId, // Assuming ObjectId maps to what was previously OfficeObjectId
Operation =~ "New-TransportRule", ParsedParameters.Name,
"Unknown"
)
| mv-expand ExpandedParameters = todynamic(tostring(AdditionalProperties.Parameters))
| where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
| extend RedirectTo = ExpandedParameters.Value
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0]
| extend From = ParsedParameters.From
| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProperties.Parameters)
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 2.0.4
kind: Scheduled

56
Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml Normal file
Просмотреть файл

@ -0,0 +1,56 @@
id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a
name: Malicious Inbox Rule
description: |
'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1098
- T1078
query: |
let Keywords = dynamic(["helpdesk", "alert", "suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
EnrichedMicrosoft365AuditLogs
| where Workload =~ "Exchange"
| where Operation =~ "New-InboxRule" and (ResultStatus =~ "True" or ResultStatus =~ "Succeeded")
| where tostring(parse_json(tostring(AdditionalProperties)).Parameters) has "Deleted Items" or tostring(parse_json(tostring(AdditionalProperties)).Parameters) has "Junk Email" or tostring(parse_json(tostring(AdditionalProperties)).Parameters) has "DeleteMessage"
| extend Events = parse_json(tostring(AdditionalProperties)).Parameters
| extend SubjectContainsWords = tostring(Events.SubjectContainsWords), BodyContainsWords = tostring(Events.BodyContainsWords), SubjectOrBodyContainsWords = tostring(Events.SubjectOrBodyContainsWords)
| where SubjectContainsWords has_any (Keywords) or BodyContainsWords has_any (Keywords) or SubjectOrBodyContainsWords has_any (Keywords)
| extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]',tostring(split(ClientIp, "]")[0]))), ClientIp)
| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords), BodyContainsWords, SubjectOrBodyContainsWords)))
| extend RuleDetail = case(ObjectId contains '/', tostring(split(ObjectId, '/')[-1]), tostring(split(ObjectId, '\\')[-1]))
| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, ObjectId, RuleDetail
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: OriginatingServer
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIPAddress
version: 2.0.4
kind: Scheduled

39
Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml Normal file
Просмотреть файл

@ -0,0 +1,39 @@
id: 173f8699-6af5-484a-8b06-8c47ba89b380
name: Multiple Teams deleted by a single user
description: |
'This detection flags the occurrences of deleting multiple teams within an hour.
This data is a part of Office 365 Connector in Microsoft Sentinel.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T1485
- T1489
query: |
let max_delete_count = 3;
EnrichedMicrosoft365AuditLogs
| where Workload =~ "MicrosoftTeams"
| where Operation =~ "TeamDeleted"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(tostring(AdditionalProperties.TeamName), 1000) by UserId
| where array_length(DeletedTeams) > max_delete_count
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.4
kind: Scheduled

61
Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_MailForwarding.yaml Normal file
Просмотреть файл

@ -0,0 +1,61 @@
id: 871ba14c-88ef-48aa-ad38-810f26760ca3
name: Multiple Users Email Forwarded to Same Destination
description: |
Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination.
This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
let queryfrequency = 1d;
let queryperiod = 7d;
EnrichedMicrosoft365AuditLogs
| where TimeGenerated > ago(queryperiod)
| where Workload =~ "Exchange"
//| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") // Uncomment or adjust based on actual field usage
| where tostring(AdditionalProperties.Parameters) has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| mv-apply DynamicParameters = todynamic(tostring(AdditionalProperties.Parameters)) on (
summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value))
)
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| extend DestinationMailAddress = tolower(case(
isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
""))
| where isnotempty(DestinationMailAddress)
| mv-expand split(DestinationMailAddress, ";")
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0]
| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
| mv-expand UserId to typeof(string)
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 2.0.3
kind: Scheduled

80
Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml Normal file
Просмотреть файл

@ -0,0 +1,80 @@
id: d722831e-88f5-4e25-b106-4ef6e29f8c13
name: New Executable via Office FileUploaded Operation
description: |
Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.
List currently includes exe, inf, gzip, cmd, bat file extensions.
Additionally, identifies when a given user is uploading these files to another user's workspace.
This may be an indication of a staging location for malware or other malicious activity.
severity: Low
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 8d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
- LateralMovement
relevantTechniques:
- T1105
- T1570
query: |
let threshold = 2;
let uploadOp = 'FileUploaded';
let execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);
let starttime = 8d;
let endtime = 1d;
EnrichedMicrosoft365AuditLogs
| where TimeGenerated >= ago(endtime)
| where Operation == uploadOp
| extend SourceFileExtension = extract(@"\.([^\./]+)$", 1, tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)) // Extract file extension
| where SourceFileExtension in (execExt)
| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl)
| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| project TimeGenerated, Id, Workload, RecordType, Operation, UserType, UserKey, UserId, ClientIp, UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent), Site_Url, SourceRelativeUrl, SourceFileName
| join kind=leftanti (
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where Operation == uploadOp
| extend SourceFileExtension = extract(@"\.([^\./]+)$", 1, tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)) // Extract file extension
| where SourceFileExtension in (execExt)
| extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl)
| summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000), PrevSeenCount = count() by SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
// Uncomment the line below to enforce the threshold
// | where PrevSeenCount > threshold
| mvexpand SourceRelativeUrl, UserId
| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)
) on SourceFileName, SourceRelativeUrl, UserId
| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])
| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_'))
| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false)
| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), UserAgents = make_list(UserAgent, 100000), Ids = make_list(Id, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000)
by Workload, RecordType, Operation, UserType, UserKey, UserId, ClientIp, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Site_Url
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileNames
version: 2.0.5
kind: Scheduled

45
Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml Normal file
Просмотреть файл

@ -0,0 +1,45 @@
id: 957cb240-f45d-4491-9ba5-93430a3c08be
name: Rare and Potentially High-Risk Office Operations
description: |
Identifies Office operations that are typically rare and can provide capabilities useful to attackers.
severity: Low
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- Collection
relevantTechniques:
- T1098
- T1114
query: |
EnrichedMicrosoft365AuditLogs
| where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
| extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIp)[0])
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIPOnly
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: AppId
version: 2.0.5
kind: Scheduled

72
Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml Normal file
Просмотреть файл

@ -0,0 +1,72 @@
id: 4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7
name: SharePoint File Operation via Previously Unseen IPs
description: |
Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
let threshold = 0.25;
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
let starttime = 14d;
let endtime = 1d;
// Define a baseline of normal user behavior
let userBaseline = EnrichedMicrosoft365AuditLogs
| where TimeGenerated between(ago(starttime)..ago(endtime))
| where RecordType == szSharePointFileOperation
| where Operation in (szOperations)
| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(UserAgent)
| summarize Count = count() by UserId, Operation, Site_Url, ClientIp
| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIp;
// Get recent user activity
let recentUserActivity = EnrichedMicrosoft365AuditLogs
| where TimeGenerated > ago(endtime)
| where RecordType == szSharePointFileOperation
| where Operation in (szOperations)
| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(UserAgent)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by UserId, UserType, Operation, Site_Url, ClientIp, ObjectId, Workload, UserAgent;
// Join the baseline and recent activity, and calculate the deviation
let UserBehaviorAnalysis = userBaseline
| join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIp
| extend Deviation = abs(RecentCount - AvgCount) / AvgCount;
// Filter for significant deviations
UserBehaviorAnalysis
| where Deviation > threshold
| project StartTimeUtc, EndTimeUtc, UserId, UserType, Operation, ClientIp, Site_Url, ObjectId, Workload, UserAgent, Deviation, Count=RecentCount
| order by Count desc, ClientIp asc, Operation asc, UserId asc
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Site_Url
version: 2.0.4
kind: Scheduled

85
Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml Normal file
Просмотреть файл

@ -0,0 +1,85 @@
id: 5dd76a87-9f87-4576-bab3-268b0e2b338b
name: SharePointFileOperation via devices with previously unseen user agents
description: |
Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%).
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
// Set threshold for the number of downloads/uploads from a new user agent
let threshold = 5;
// Define constants for SharePoint file operations
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
// Define the historical activity for analysis
let starttime = 14d; // Define the start time for historical data (14 days ago)
let endtime = 1d; // Define the end time for historical data (1 day ago)
// Extract the base events for analysis
let Baseevents =
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where RecordType == szSharePointFileOperation
| where Operation in (szOperations)
| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(UserAgent);
// Identify frequently occurring user agents
let FrequentUA = Baseevents
| summarize FUACount = count() by UserAgent, RecordType, Operation
| where FUACount >= threshold
| distinct UserAgent;
// Calculate a user baseline for further analysis
let UserBaseLine = Baseevents
| summarize Count = count() by UserId, Operation, Site_Url
| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url;
// Extract recent activity for analysis
let RecentActivity = EnrichedMicrosoft365AuditLogs
| where TimeGenerated > ago(endtime)
| where RecordType == szSharePointFileOperation
| where Operation in (szOperations)
| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(UserAgent)
| where UserAgent in (FrequentUA)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ObjectIdCount = dcount(ObjectId), ObjectIdList = make_set(ObjectId), UserAgentSeenCount = count()
by RecordType, Operation, UserAgent, UserId, ClientIp, Site_Url;
// Analyze user behavior based on baseline and recent activity
let UserBehaviorAnalysis = UserBaseLine
| join kind=inner (RecentActivity) on UserId, Operation, Site_Url
| extend Deviation = abs(UserAgentSeenCount - AvgCount) / AvgCount;
// Filter and format results for specific user behavior analysis
UserBehaviorAnalysis
| where Deviation > 0.25
| extend UserIdName = tostring(split(UserId, '@')[0]), UserIdUPNSuffix = tostring(split(UserId, '@')[1])
| project-reorder StartTime, EndTime, UserAgent, UserAgentSeenCount, UserId, ClientIp, Site_Url
| order by UserAgentSeenCount desc, UserAgent asc, UserId asc, Site_Url asc
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: UserIdName
- identifier: UPNSuffix
columnName: UserIdUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Site_Url
version: 2.2.4
kind: Scheduled

49
Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml Normal file
Просмотреть файл

@ -0,0 +1,49 @@
id: 194dd92e-d6e7-4249-85a5-273350a7f5ce
name: Exchange AuditLog Disabled
description: |
'Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
EnrichedMicrosoft365AuditLogs
| where Workload =~ "Exchange"
| where UserType in~ ("Admin", "DcAdmin")
| where Operation =~ "Set-AdminAuditLogConfig"
| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(tostring(AdditionalProperties.Parameters)), 3, 3)))[0])).Value)
| where AdminAuditLogEnabledValue =~ "False"
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = SourceIp, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters), AdminAuditLogEnabledValue
| extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId)
| extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
| extend AccountName = iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), AccountName)
| extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '')
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountNTDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 2.0.6
kind: Scheduled

59
Solutions/Global Secure Access/Analytic Rules/Office 365 - office_policytampering.yaml Normal file
Просмотреть файл

@ -0,0 +1,59 @@
id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3
name: Office Policy Tampering
description: |
Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy.
An adversary may use this technique to evade detection or avoid other policy-based defenses.
References: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1098
- T1562
query: |
let opList = EnrichedMicrosoft365AuditLogs
| summarize by Operation
| where Operation has_any ("Remove", "Disable")
| where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit"
| summarize make_set(Operation, 500);
EnrichedMicrosoft365AuditLogs
| where RecordType == "ExchangeAdmin"
| where UserType in~ ("Admin", "DcAdmin")
| where Operation in~ (opList)
| extend ClientIPOnly = case(
ClientIp has ".", tostring(split(ClientIp, ":")[0]),
ClientIp has "[", tostring(trim_start(@'[[]', tostring(split(ClientIp, "]")[0]))),
ClientIp
)
| extend Port = case(
ClientIp has ".", tostring(split(ClientIp, ":")[1]),
ClientIp has "[", tostring(split(ClientIp, "]:")[1]),
""
)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters)
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
version: 2.0.3
kind: Scheduled

59
Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml Normal file
Просмотреть файл

@ -0,0 +1,59 @@
id: 299e96a8-5524-41b2-ac72-4527742590f1
name: Office365 Sharepoint File Transfer Above Threshold
description: |
Identifies Office365 Sharepoint File Transfers above a certain threshold in a 15-minute time period.
Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let threshold = 5000;
EnrichedMicrosoft365AuditLogs
| where Workload has_any("SharePoint", "OneDrive") and Operation has_any("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| summarize count_distinct_ObjectId=dcount(ObjectId), fileslist=make_set(ObjectId, 10000) by UserId, ClientIp, bin(TimeGenerated, 15m)
| where count_distinct_ObjectId >= threshold
| extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileSample
customDetails:
TransferCount: count_distinct_ObjectId
FilesList: fileslist
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: Selected
groupByEntities:
- Account
groupByAlertDetails: []
groupByCustomDetails: []
version: 1.0.4
kind: Scheduled

61
Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml Normal file
Просмотреть файл

@ -0,0 +1,61 @@
id: bfe81463-814b-4fa5-9885-c95a579f1957
name: Office365 Sharepoint File Transfer Above Threshold
description: |
Identifies Office365 Sharepoint File Transfers with a distinct folder count above a certain threshold in a 15-minute time period.
Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
relevantTechniques:
- T1020
query: |
let threshold = 500;
EnrichedMicrosoft365AuditLogs
| where Workload has_any("SharePoint", "OneDrive") and Operation has_any("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded")
| extend EventSource = tostring(parse_json(tostring(AdditionalProperties)).EventSource)
| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
| summarize count_distinct_ObjectId = dcount(ObjectId), dirlist = make_set(ObjectId, 10000) by UserId, ClientIp, UserAgent, bin(TimeGenerated, 15m)
| where count_distinct_ObjectId >= threshold
| extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist)))))
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UserId
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: File
fieldMappings:
- identifier: Name
columnName: DirSample
customDetails:
TransferCount: count_distinct_ObjectId
FilesList: dirlist
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: Selected
groupByEntities:
- Account
groupByAlertDetails: []
groupByCustomDetails: []
version: 1.0.4
kind: Scheduled

58
Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml Normal file
Просмотреть файл

@ -0,0 +1,58 @@
id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b
name: Detect Abnormal Deny Rate for Source to Destination IP
description: |
Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.
configurableParameters:
- minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
- learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
- binTime: Learning buckets time in hours. Default is set to 1 hour.
- minimumThreshold: Minimum threshold for alert. Default is set to 5.
- minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- NetworkAccessTrafficLogs
queryFrequency: 1h
queryPeriod: 25h
triggerOperator: gt
triggerThreshold: 1
tactics:
- InitialAccess
- Exfiltration
- CommandAndControl
relevantTechniques: []
query: |
let NumOfStdsThreshold = 3;
let LearningPeriod = 5d;
let BinTime = 1h;
let MinThreshold = 5.0;
let MinLearningBuckets = 5;
let TrafficLogs = NetworkAccessTraffic
| where Action == 'Denied'
| where isnotempty(DestinationIp) and isnotempty(SourceIp);
let LearningSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
| summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
| summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
| where LearningTimeBuckets > MinLearningBuckets;
let AlertTimeSrcIpDenyRate = TrafficLogs
| where TimeGenerated between (ago(1h) .. now())
| summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;
AlertTimeSrcIpDenyRate
| join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
| extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
| where AlertTimeSrcIpDenyRateCount > LearningThreshold
| project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: DestinationIp
version: 1.0.0
kind: Scheduled

54
Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml Normal file
Просмотреть файл

@ -0,0 +1,54 @@
id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a
name: Detect Protocol Changes for Destination Ports
description: |
Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.
Configurable Parameters:
- Learning period - the time range to establish the baseline. Default is set to 7 days.
- Run time - the time range for current analysis. Default is set to 1 day.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1h
queryPeriod: 8d
triggerOperator: gt
triggerThreshold: 1
tactics:
- DefenseEvasion
- Exfiltration
- CommandAndControl
relevantTechniques: []
query: |
let LearningPeriod = 7d;
let RunTime = 1d;
let StartLearningPeriod = ago(LearningPeriod + RunTime);
let EndRunTime = ago(RunTime);
let LearningPortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (StartLearningPeriod .. EndRunTime)
| where isnotempty(DestinationPort)
| summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
let AlertTimePortToProtocol =
NetworkAccessTraffic
| where TimeGenerated between (EndRunTime .. now())
| where isnotempty(DestinationPort)
| summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;
AlertTimePortToProtocol
| join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn
| where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol
| project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn
| extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: FqdnCustomEntity
version: 1.0.0
kind: Scheduled

41
Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml Normal file
Просмотреть файл

@ -0,0 +1,41 @@
id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
name: Detect Source IP Scanning Multiple Open Ports
description: |
Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
Configurable Parameters:
- Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
- Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 1
tactics:
- Discovery
relevantTechniques:
- T1046
query: |
let port_scan_time = 30s;
let min_ports_threshold = 100;
NetworkAccessTraffic
| where TimeGenerated > ago(1d)
| where Action == 'Allowed'
| summarize PortsScanned = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, port_scan_time)
| where PortsScanned > min_ports_threshold
| project SourceIp, PortsScanned, TimeGenerated
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIp
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Fqdn
version: 1.0.0
kind: Scheduled

66
Solutions/Global Secure Access/Data/Solution_GlobalSecureAccess.json Normal file
Просмотреть файл

@ -0,0 +1,66 @@
{
"Name": "Global Secure Access",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/gsa.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions to unlock the value provided by this solution.\n 1. Microsoft Entra Id \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n",
"WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
"AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view.",
"HuntingQueryBladeDescription": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view.",
"Workbooks": [
"Workbooks/GSAM365EnrichedEvents.json",
"Workbooks/GSANetworkTraffic.json"
],
"Analytic Rules": [
"Analytic Rules/Identity - AfterHoursActivity.yaml",
"Analytic Rules/Identity - NewCountry.yaml",
"Analytic Rules/Identity - SharedSessions.yaml",
"Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml",
"Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml",
"Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml",
"Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml",
"Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml",
"Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml",
"Analytic Rules/Office 365 - Office_MailForwarding.yaml",
"Analytic Rules/Office 365 - office_policytampering.yaml",
"Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml",
"Analytic Rules/Office 365 - RareOfficeOperations.yaml",
"Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml",
"Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml",
"Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml",
"Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml",
"Analytic Rules/SWG - Abnormal Deny Rate.yaml",
"Analytic Rules/SWG - Abnormal Port to Protocol.yaml",
"Analytic Rules/SWG - Source IP Port Scan.yaml"
],
"Playbooks": [],
"Hunting Queries": [
"Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml",
"Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml",
"Hunting Queries/ExternalUserFromNewOrgAddedToTeams.yaml",
"Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml",
"Hunting Queries/MultiTeamBot.yaml",
"Hunting Queries/MultiTeamOwner.yaml",
"Hunting Queries/MultipleTeamsDeletes.yaml",
"Hunting Queries/NewBotAddedToTeams.yaml",
"Hunting Queries/New_WindowsReservedFileNamesOnOfficeFileServices.yaml",
"Hunting Queries/OfficeMailForwarding_hunting.yaml",
"Hunting Queries/TeamsFilesUploaded.yaml",
"Hunting Queries/UserAddToTeamsAndUploadsFile.yaml",
"Hunting Queries/WindowsReservedFileNamesOnOfficeFileServices.yaml",
"Hunting Queries/double_file_ext_exes.yaml",
"Hunting Queries/new_adminaccountactivity.yaml",
"Hunting Queries/new_sharepoint_downloads_by_IP.yaml",
"Hunting Queries/new_sharepoint_downloads_by_UserAgent.yaml",
"Hunting Queries/nonowner_MailboxLogin.yaml",
"Hunting Queries/powershell_or_nonbrowser_MailboxLogin.yaml",
"Hunting Queries/sharepoint_downloads.yaml",
"Hunting Queries/MultipleUsersEmailForwardedToSameDestination.yaml"
],
"Watchlists": [],
"WatchlistDescription": "",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Global Secure Access",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true
}

62
Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml Normal file
Просмотреть файл

@ -0,0 +1,62 @@
id: 271e8881-3044-4332-a5f4-42264c2e0315
name: Anomalous access to other users' mailboxes
description: |
'Looks for users accessing multiple other users' mailboxes or accessing multiple folders in another users mailbox.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Collection
relevantTechniques:
- T1114.002
tags:
- Solorigate
- NOBELIUM
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime - starttime) * 2);
// Adjust this value to alter how many mailbox (other than their own) a user needs to access before being included in results
let user_threshold = 1;
// Adjust this value to alter how many mailbox folders in other's email accounts a users needs to access before being included in results.
let folder_threshold = 5;
// Exclude historical as known good (set lookback and timeframe to same value to skip this)
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (ago(lookback)..starttime)
| where Operation =~ "MailItemsAccessed"
| where ResultStatus =~ "Succeeded"
| extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)
| where tolower(MailboxOwnerUPN) != tolower(UserId)
| join kind=rightanti (
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime..endtime)
| where Operation =~ "MailItemsAccessed"
| where ResultStatus =~ "Succeeded"
| extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)
| where tolower(MailboxOwnerUPN) != tolower(UserId)
) on MailboxOwnerUPN, UserId
| where isnotempty(tostring(parse_json(AdditionalProperties).Folders))
| mv-expand Folders = parse_json(AdditionalProperties).Folders
| extend folders = tostring(Folders.Path)
| extend ClientIP = iif(ClientIp startswith "[", extract("\\[([^\\]]*)", 1, ClientIp), ClientIp)
| extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString)
| extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid)
| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId
| extend folder_count = array_length(set_folders)
| extend user_count = array_length(set_MailboxGuid)
| where user_count > user_threshold or folder_count > folder_threshold
| extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded", "User Threshold Exceeded")
| sort by user_count desc
| project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1

42
Solutions/Global Secure Access/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml Normal file
Просмотреть файл

@ -0,0 +1,42 @@
id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
name: External User Added and Removed in a Short Timeframe
description: |
This hunting query identifies external user accounts that are added to a Team and then removed within one hour.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Persistence
relevantTechniques:
- T1136
query: |
// If you want to look at user added further than 7 days ago adjust this value
// If you want to change the timeframe of how quickly accounts need to be added and removed change this value
let time_delta = 1h;
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberAdded"
| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties
| where UPN contains "#EXT#"
| project TimeAdded = TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)
| join kind=innerunique (
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberRemoved"
| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties
| where UPN contains "#EXT#"
| project TimeDeleted = TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)
) on UPN, TeamGuid
| where TimeDeleted < (TimeAdded + time_delta)
| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid
| extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1
kind: Scheduled

48
Solutions/Global Secure Access/Hunting Queries/ExternalUserFromNewOrgAddedToTeams.yaml Normal file
Просмотреть файл

@ -0,0 +1,48 @@
id: 6fce5baf-bfc2-4c56-a6b7-9c4733fc5a45
name: External user from a new organisation added to Teams
description: |
'This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Persistence
relevantTechniques:
- T1136
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime - starttime) * 7);
let known_orgs = (
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (ago(lookback) .. starttime)
| where Workload == "MicrosoftTeams"
| where Operation in ("MemberAdded", "TeamsSessionStarted")
// Extract the correct UPN and parse our external organization domain
| extend Members = parse_json(tostring(AdditionalProperties.Members))
| extend UPN = iif(Operation == "MemberAdded", tostring(Members[0].UPN), UserId)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| summarize by Organization
);
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where Workload == "MicrosoftTeams"
| where Operation == "MemberAdded"
| extend Members = parse_json(tostring(AdditionalProperties.Members))
| extend UPN = tostring(Members[0].UPN)
| extend Organization = tostring(split(split(UPN, "_")[1], "#")[0])
| where isnotempty(Organization)
| where Organization !in (known_orgs)
| extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1

42
Solutions/Global Secure Access/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml Normal file
Просмотреть файл

@ -0,0 +1,42 @@
id: 9891684a-1e3a-4546-9403-3439513cbc70
name: Mail Redirect via ExO Transport Rule
description: |
Identifies when Exchange Online transport rule is configured to forward emails.
This could be an adversary mailbox configured to collect mail from multiple user accounts.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
EnrichedMicrosoft365AuditLogs
| where Workload == "Exchange"
| where Operation in ("New-TransportRule", "Set-TransportRule")
| mv-apply DynamicParameters = todynamic(AdditionalProperties.Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| extend RuleName = case(
Operation == "Set-TransportRule", ObjectId,
Operation == "New-TransportRule", ParsedParameters.Name,
"Unknown")
| mv-expand ExpandedParameters = todynamic(AdditionalProperties.Parameters)
| where ExpandedParameters.Name in ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
| extend RedirectTo = ExpandedParameters.Value
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0]
| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, AdditionalProperties
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 2.0.1

39
Solutions/Global Secure Access/Hunting Queries/MultiTeamBot.yaml Normal file
Просмотреть файл

@ -0,0 +1,39 @@
id: 9eb64924-ec8d-44d0-b1f2-10665150fb74
name: Bots added to multiple teams
description: |
'This hunting query helps identify bots added to multiple Teams in a short space of time.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Persistence
- Collection
relevantTechniques:
- T1176
- T1119
query: |
// Adjust these thresholds to suit your environment.
let threshold = 2;
let time_threshold = timespan(5m);
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "BotAddedToTeam"
| extend TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
| summarize Start = max(TimeGenerated), End = min(TimeGenerated), Teams = make_set(TeamName, 10000) by UserId
| extend CountOfTeams = array_length(Teams)
| extend TimeDelta = End - Start
| where CountOfTeams > threshold
| where TimeDelta <= time_threshold
| project Start, End, Teams, CountOfTeams, UserId
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1

44
Solutions/Global Secure Access/Hunting Queries/MultiTeamOwner.yaml Normal file
Просмотреть файл

@ -0,0 +1,44 @@
id: 558f15dd-3171-4b11-bf24-31c0610a20e0
name: User made Owner of multiple teams
description: |
This hunting query identifies users who have been made Owner of multiple Teams.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
// Adjust this value to change how many teams a user is made owner of before detecting
let max_owner_count = 3;
// Identify users who have been made owner of multiple Teams
let high_owner_count = (
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberRoleChanged"
| extend Member = tostring(UserId)
| extend NewRole = toint(parse_json(tostring(AdditionalProperties)).Role)
| where NewRole == 2
| summarize TeamCount = dcount(ObjectId) by Member
| where TeamCount > max_owner_count
| project Member
);
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberRoleChanged"
| extend Member = tostring(UserId)
| extend NewRole = toint(parse_json(tostring(AdditionalProperties)).Role)
| where NewRole == 2
| where Member in (high_owner_count)
| extend AccountName = tostring(split(Member, "@")[0]), AccountUPNSuffix = tostring(split(Member, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1
kind: Scheduled

39
Solutions/Global Secure Access/Hunting Queries/MultipleTeamsDeletes.yaml Normal file
Просмотреть файл

@ -0,0 +1,39 @@
id: 64990414-b015-4edf-bef0-343b741e68c5
name: Multiple Teams deleted by a single user
description: |
'This hunting query identifies where multiple Teams have been deleted by a single user in a short timeframe.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Impact
relevantTechniques:
- T1485
- T1489
query: |
// Adjust this value to change how many Teams should be deleted before including
let max_delete = 3;
let deleting_users = (
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "TeamDeleted"
| summarize count_ = count() by UserId
| where count_ > max_delete
| project UserId
);
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "TeamDeleted"
| where UserId in (deleting_users)
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1

56
Solutions/Global Secure Access/Hunting Queries/MultipleUsersEmailForwardedToSameDestination.yaml Normal file
Просмотреть файл

@ -0,0 +1,56 @@
id: a1551ae4-f61c-4bca-9c57-4d0d681db2e9
name: Multiple Users Email Forwarded to Same Destination
description: |
Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination.
This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
let queryfrequency = 1d;
let queryperiod = 7d;
EnrichedMicrosoft365AuditLogs
| where TimeGenerated > ago(queryperiod)
| where Workload == "Exchange"
| where AdditionalProperties has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| mv-apply DynamicParameters = todynamic(AdditionalProperties) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| extend DestinationMailAddress = tolower(case(
isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
""))
| where isnotempty(DestinationMailAddress)
| mv-expand split(DestinationMailAddress, ";")
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0]
| extend ClientIp = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIp
| where DistinctUserCount > 1 and EndTime > ago(queryfrequency)
| mv-expand UserId to typeof(string)
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
version: 2.0.1
kind: Scheduled

39
Solutions/Global Secure Access/Hunting Queries/NewBotAddedToTeams.yaml Normal file
Просмотреть файл

@ -0,0 +1,39 @@
id: bf76e508-9282-4cf1-9cc1-5c20c3dea2ee
name: Previously Unseen Bot or Application Added to Teams
description: |
This hunting query helps identify new, and potentially unapproved applications or bots being added to Teams.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Persistence
- Collection
relevantTechniques:
- T1176
- T1119
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let historical_bots =
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (lookback .. starttime)
| where Workload == "MicrosoftTeams"
| extend AddonName = tostring(parse_json(tostring(AdditionalProperties)).AddonName)
| where isnotempty(AddonName)
| distinct AddonName;
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where Workload == "MicrosoftTeams"
| extend AddonName = tostring(parse_json(tostring(AdditionalProperties)).AddonName)
| where AddonName !in (historical_bots)
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1

74
Solutions/Global Secure Access/Hunting Queries/New_WindowsReservedFileNamesOnOfficeFileServices.yaml Normal file
Просмотреть файл

@ -0,0 +1,74 @@
id: 641ecd2d-27c9-4f05-8433-8205096b09fc
name: New Windows Reserved Filenames staged on Office file services
description: |
'This identifies new Windows Reserved Filenames on Office services like SharePoint and OneDrive in the past 7 days. It also detects when a user uploads these files to another user's workspace, which may indicate malicious activity.'
description-detailed: |
'Identifies when new Windows Reserved Filenames show up on Office services such as SharePoint and OneDrive in relation to the previous 7 days.
List currently includes ''CON'', ''PRN'', ''AUX'', ''NUL'', ''COM1'', ''COM2'', ''COM3'', ''COM4'', ''COM5'', ''COM6'',
''COM7'', ''COM8'', ''COM9'', ''LPT1'', ''LPT2'', ''LPT3'', ''LPT4'', ''LPT5'', ''LPT6'', ''LPT7'', ''LPT8'', ''LPT9'' file extensions.
Additionally, identifies when a given user is uploading these files to another users workspace.
This may be indication of a staging location for malware or other malicious activity.
References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- CommandAndControl
relevantTechniques:
- T1105
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = totimespan((endtime - starttime) * 7);
let Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| extend FileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| extend ClientUserAgent = tostring(parse_json(tostring(AdditionalProperties)).ClientUserAgent)
| extend SiteUrl = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(ObjectId)
| where ObjectId !~ FileName
| where ObjectId in (Reserved) or FileName in (Reserved)
| where ClientUserAgent !has "Mac OS"
| project TimeGenerated, Id, Workload, RecordType, Operation, UserType, UserKey, UserId, ClientIp, ClientUserAgent, SiteUrl, ObjectId, FileName
| join kind=leftanti (
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (ago(lookback) .. starttime)
| extend FileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| extend ClientUserAgent = tostring(parse_json(tostring(AdditionalProperties)).ClientUserAgent)
| extend SiteUrl = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(ObjectId)
| where ObjectId !~ FileName
| where ObjectId in (Reserved) or FileName in (Reserved)
| where ClientUserAgent !has "Mac OS"
| summarize PrevSeenCount = count() by ObjectId, UserId, FileName
) on ObjectId
| extend SiteUrlUserFolder = tolower(split(SiteUrl, '/')[-2])
| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_'))
| extend UserIdDiffThanUserFolder = iff(SiteUrl has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false)
| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation, 100000), UserAgents = make_list(ClientUserAgent, 100000),
Ids = make_list(Id, 100000), SourceRelativeUrls = make_list(ObjectId, 100000), FileNames = make_list(FileName, 100000)
by Workload, RecordType, UserType, UserKey, UserId, ClientIp, SiteUrl, ObjectId, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend IP_0_Address = ClientIp
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
| extend URL_0_Url = SiteUrl
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_0_Address
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL_0_Url
version: 2.0.1
kind: Scheduled

83
Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml Normal file
Просмотреть файл

@ -0,0 +1,83 @@
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
name: Office Mail Forwarding - Hunting Version
description: |
Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.
description-detailed: |
Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
victim or victim's organization. This query over Office Activity data highlights cases where user mail is being forwarded and shows if
it is being forwarded to external domains as well.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
EnrichedMicrosoft365AuditLogs
| where Workload == "Exchange"
| where (Operation == "Set-Mailbox" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress')
or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))
| extend parsed = parse_json(tostring(AdditionalProperties))
| extend fwdingDestination_initial = iif(Operation == "Set-Mailbox", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))
| where isnotempty(fwdingDestination_initial)
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial, ":")[1]), fwdingDestination_initial)
| parse fwdingDestination with * '@' ForwardedtoDomain
| parse UserId with *'@' UserDomain
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])
| where ForwardedtoDomain !contains subDomain
| extend Result = iff(ForwardedtoDomain != UserDomain, "Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
| extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]', tostring(split(ClientIp, "]")[0]))), ClientIp)
| extend Port = case(
ClientIp has ".",
(split(ClientIp, ":")[1]),
ClientIp has "[",
tostring(split(ClientIp, "]:")[1]),
ClientIp
)
| project
TimeGenerated,
UserId,
UserDomain,
subDomain,
Operation,
ForwardedtoDomain,
ClientIPAddress,
Result,
Port,
ObjectId,
fwdingDestination,
AdditionalProperties
| extend
AccountName = tostring(split(UserId, "@")[0]),
AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)
| extend HostName = tostring(split(Host, ".")[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
| extend IP_0_Address = ClientIPAddress
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIPAddress
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Host_0_HostName
- identifier: DnsDomain
columnName: Host_0_DnsDomain
version: 2.0.1
kind: Scheduled

47
Solutions/Global Secure Access/Hunting Queries/TeamsFilesUploaded.yaml Normal file
Просмотреть файл

@ -0,0 +1,47 @@
id: 90e198a9-efb6-4719-ad89-81b8e93633a7
name: Files uploaded to teams and access summary
description: |
'This hunting query identifies files uploaded to SharePoint via a Teams chat and
summarizes users and IP addresses that have accessed these files. This allows for
identification of anomalous file sharing patterns.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- InitialAccess
- Exfiltration
relevantTechniques:
- T1199
- T1102
- T1078
query: |
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where Operation == "FileUploaded"
| where UserId != "app@sharepoint"
| where ObjectId has "Microsoft Teams Chat Files"
| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| join kind=leftouter (
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where Operation == "FileDownloaded" or Operation == "FileAccessed"
| where UserId != "app@sharepoint"
| where ObjectId has "Microsoft Teams Chat Files"
| extend UserId1 = UserId, ClientIp1 = ClientIp
) on ObjectId
| extend userBag = bag_pack("UserId1", UserId1, "ClientIp1", ClientIp1)
| summarize AccessedBy = make_bag(userBag), make_set(UserId1, 10000) by bin(TimeGenerated, 1h), UserId, ObjectId, SourceFileName
| extend NumberOfUsersAccessed = array_length(bag_keys(AccessedBy))
| project timestamp = TimeGenerated, UserId, FileLocation = ObjectId, FileName = SourceFileName, AccessedBy, NumberOfUsersAccessed
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
version: 2.0.1

37
Solutions/Global Secure Access/Hunting Queries/UserAddToTeamsAndUploadsFile.yaml Normal file
Просмотреть файл

@ -0,0 +1,37 @@
id: 3d6d0c04-7337-40cf-ace6-c471d442356d
name: User added to Teams and immediately uploads file
description: |
'This hunting query identifies users who are added to a Teams Channel or Teams chat
and within 1 minute of being added upload a file via the chat. This might be
an indicator of suspicious activity.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let threshold = 1m;
let MemberAddedEvents = EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberAdded"
| extend TeamName = tostring(parse_json(AdditionalProperties).TeamName)
| project TimeGenerated, UploaderID = UserId, TeamName;
let FileUploadEvents = EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where ObjectId has "Microsoft Teams Chat Files"
| where Operation == "FileUploaded"
| extend SourceFileName = tostring(parse_json(AdditionalProperties).SourceFileName)
| project UploadTime = TimeGenerated, UploaderID = UserId, FileLocation = ObjectId, SourceFileName;
MemberAddedEvents
| join kind=inner (FileUploadEvents) on UploaderID
| where UploadTime > TimeGenerated and UploadTime < TimeGenerated + threshold
| extend timestamp = TimeGenerated, AccountCustomEntity = UploaderID
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
version: 2.0.1

57
Solutions/Global Secure Access/Hunting Queries/WindowsReservedFileNamesOnOfficeFileServices.yaml Normal file
Просмотреть файл

@ -0,0 +1,57 @@
id: 61c28cd7-3139-4731-8ea7-2cbbeabb4684
name: Windows Reserved Filenames Staged on Office File Services
description: |
'This identifies Windows Reserved Filenames on Office services like SharePoint and OneDrive. It also detects when a user uploads these files to another user's workspace, which may indicate malicious activity.'
description-detailed: |
'Identifies when Windows Reserved Filenames show up on Office services such as SharePoint and OneDrive.
List currently includes CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6,
COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9 file extensions.
Additionally, identifies when a given user is uploading these files to another user's workspace.
This may be an indication of a staging location for malware or other malicious activity.
References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- CommandAndControl
relevantTechniques:
- T1105
query: |
// Reserved FileNames/Extension for Windows
let Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']);
EnrichedMicrosoft365AuditLogs
| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)
| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)
| where isnotempty(ObjectId)
| where ObjectId in (Reserved) or SourceFileName in (Reserved)
| where UserAgent !has "Mac OS"
| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])
| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_'))
// identify when UserId is not a match to the specific site url personal folder reference
| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false)
| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation, 100000), UserAgents = make_list(UserAgent, 100000), ObjectIds = make_list(Id, 100000), SourceRelativeUrls = make_list(ObjectId, 100000), FileNames = make_list(SourceFileName, 100000)
by Workload, RecordType, UserType, UserKey, UserId, ClientIp, Site_Url, ObjectId, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder
// Use mvexpand on any list items and you can expand out the exact time and other metadata about the hit
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend IP_0_Address = ClientIp
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
| extend URL_0_Url = Site_Url
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Site_Url
version: 2.0.1

52
Solutions/Global Secure Access/Hunting Queries/double_file_ext_exes.yaml Normal file
Просмотреть файл

@ -0,0 +1,52 @@
id: d12580c2-1474-4125-a8a3-553f50d91215
name: Exes with double file extension and access summary
description: |
'Provides a summary of executable files with double file extensions in SharePoint
and the users and IP addresses that have accessed them.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- DefenseEvasion
relevantTechniques:
- T1036
query: |
let known_ext = dynamic(["lnk", "log", "option", "config", "manifest", "partial"]);
let excluded_users = dynamic(["app@sharepoint"]);
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation" and isnotempty(ObjectId)
| where ObjectId has ".exe."
and not(ObjectId endswith ".lnk")
and not(ObjectId endswith ".log")
and not(ObjectId endswith ".option")
and not(ObjectId endswith ".config")
and not(ObjectId endswith ".manifest")
and not(ObjectId endswith ".partial")
| extend Extension = extract("[^.]*\\.[^.]*$", 0, ObjectId)
| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)
| join kind=leftouter (
EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation" and (Operation == "FileDownloaded" or Operation == "FileAccessed")
| where not(ObjectId endswith ".lnk")
and not(ObjectId endswith ".log")
and not(ObjectId endswith ".option")
and not(ObjectId endswith ".config")
and not(ObjectId endswith ".manifest")
and not(ObjectId endswith ".partial")
) on ObjectId
| where UserId1 !in (excluded_users)
| extend userBag = bag_pack("UserId", UserId1, "ClientIp", ClientIp1)
| summarize make_set(UserId1, 10000), userBag = make_bag(userBag), UploadTime = max(TimeGenerated) by UserId, ObjectId, SourceFileName, Extension
| extend NumberOfUsers = array_length(bag_keys(userBag))
| project UploadTime, Uploader = UserId, FileLocation = ObjectId, FileName = SourceFileName, AccessedBy = userBag, Extension, NumberOfUsers
| extend UploaderName = tostring(split(Uploader, "@")[0]), UploaderUPNSuffix = tostring(split(Uploader, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: UploaderName
- identifier: UPNSuffix
columnName: UploaderUPNSuffix
version: 2.0.1
kind: Scheduled

53
Solutions/Global Secure Access/Hunting Queries/new_adminaccountactivity.yaml Normal file
Просмотреть файл

@ -0,0 +1,53 @@
id: 723c5f46-133f-4f1e-ada6-5c138f811d75
name: New Admin Account Activity Seen Which Was Not Seen Historically
description: |
This will help you discover any new admin account activity which was seen and were not seen historically.
Any new accounts seen in the results can be validated and investigated for any suspicious activities.
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- PrivilegeEscalation
- Collection
relevantTechniques:
- T1078
- T1114
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let historicalActivity =
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (lookback .. starttime)
| where RecordType == "ExchangeAdmin" and UserType in ("Admin", "DcAdmin")
| summarize historicalCount = count() by UserId;
let recentActivity = EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where UserType in ("Admin", "DcAdmin")
| summarize recentCount = count() by UserId;
recentActivity
| join kind=leftanti (historicalActivity) on UserId
| project UserId, recentCount
| join kind=rightsemi (
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where RecordType == "ExchangeAdmin"
| where UserType in ("Admin", "DcAdmin")
) on UserId
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by RecordType, Operation, UserType, UserId, ResultStatus
| extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId)
| extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
| extend AccountName = iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), AccountName)
| extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '')
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: NTDomain
columnName: AccountNTDomain
version: 2.0.1

50
Solutions/Global Secure Access/Hunting Queries/new_sharepoint_downloads_by_IP.yaml Normal file
Просмотреть файл

@ -0,0 +1,50 @@
id: e3d24cfd-b2a1-4ba7-8f80-0360892f9d57
name: SharePointFileOperation via previously unseen IPs
description: |
'Shows SharePoint upload/download volume by IPs with high-risk ASNs. New IPs with volume spikes may be unauthorized and exfiltrating documents.'
description-detailed: |
'Shows volume of documents uploaded to or downloaded from SharePoint by IPs with ASNs associated with high user lockout or malicious activity.
In stable environments such connections by new IPs may be unauthorized, especially if associated with
spikes in volume which could be associated with large-scale document exfiltration.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let BLOCK_THRESHOLD = 1.0;
let HighBlockRateASNs =
SigninLogs
| where TimeGenerated > lookback
| where isnotempty(AutonomousSystemNumber)
| summarize make_set(IPAddress), TotalIps = dcount(IPAddress), BlockedSignins = countif(ResultType == "50053"), TotalSignins = count() by AutonomousSystemNumber
| extend BlockRatio = 1.00 * BlockedSignins / TotalSignins
| where BlockRatio >= BLOCK_THRESHOLD
| distinct AutonomousSystemNumber;
let ASNIPs =
SigninLogs
| where TimeGenerated > lookback
| where AutonomousSystemNumber in (HighBlockRateASNs)
| distinct IPAddress, AutonomousSystemNumber;
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where ClientIp in (ASNIPs)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities = count() by ClientIp
| extend IP_0_Address = ClientIp
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_0_Address
version: 2.0.1

61
Solutions/Global Secure Access/Hunting Queries/new_sharepoint_downloads_by_UserAgent.yaml Normal file
Просмотреть файл

@ -0,0 +1,61 @@
id: f2367171-1514-4c67-88ef-27434b6a1093
name: SharePointFileOperation via devices with previously unseen user agents
description: |
'Tracking via user agent is one way to differentiate between types of connecting device.
In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let MINIMUM_BLOCKS = 10;
let SUCCESS_THRESHOLD = 0.2;
let HistoricalActivity =
SigninLogs
| where TimeGenerated > lookback
| where isnotempty(ClientAppUsed)
| summarize SuccessfulSignins = countif(ResultType == "0"), BlockedSignins = countif(ResultType == "50053") by ClientAppUsed
| extend SuccessBlockRatio = 1.00 * SuccessfulSignins / BlockedSignins
| where SuccessBlockRatio < SUCCESS_THRESHOLD
| where BlockedSignins > MINIMUM_BLOCKS;
EnrichedMicrosoft365AuditLogs
| where TimeGenerated between (starttime .. endtime)
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| extend ClientAppUsed = tostring(parse_json(AdditionalProperties).UserAgent)
| extend SiteUrl = tostring(parse_json(AdditionalProperties).SiteUrl)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities = count() by ClientAppUsed, UserId, ClientIp, SiteUrl
| join kind=innerunique (HistoricalActivity) on ClientAppUsed
| project-away ClientAppUsed1
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend IP_0_Address = ClientIp
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
| extend URL_0_Url = SiteUrl
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_0_Address
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL_0_Url
version: 2.0.1
kind: Scheduled

47
Solutions/Global Secure Access/Hunting Queries/nonowner_MailboxLogin.yaml Normal file
Просмотреть файл

@ -0,0 +1,47 @@
id: 0a8f410d-38b5-4d75-90da-32b472b97230
name: Non-owner mailbox login activity
description: |
'Finds non-owner mailbox access by admin/delegate permissions. Whitelist valid users and check others for unauthorized access.'
description-detailed: |
'This will help you determine if mailbox access observed with Admin/Delegate Logontype.
The logon type indicates mailbox accessed from non-owner user. Exchange allows Admin
and delegate permissions to access other user's inbox.
If your organization has valid admin, delegate access given to users, you can whitelist those and investigate other results.
References: https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-schema#logontype'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
tags:
- Solorigate
- NOBELIUM
query: |
EnrichedMicrosoft365AuditLogs
| where Workload == "Exchange"
| where Operation == "MailboxLogin"
| extend Logon_Type = tostring(parse_json(tostring(AdditionalProperties)).LogonType)
| extend MailboxOwnerUPN = tostring(parse_json(tostring(AdditionalProperties)).MailboxOwnerUPN)
| where Logon_Type != "Owner"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Operation, UserType, UserId, MailboxOwnerUPN, Logon_Type, ClientIp
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend IP_0_Address = ClientIp
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_0_Address
version: 2.0.1

46
Solutions/Global Secure Access/Hunting Queries/powershell_or_nonbrowser_MailboxLogin.yaml Normal file
Просмотреть файл

@ -0,0 +1,46 @@
id: 49a4f65a-fe18-408e-afec-042fde93d3ce
name: PowerShell or non-browser mailbox login activity
description: |
'Detects mailbox login from Exchange PowerShell. All accounts can use it by default, but admins can change it. Whitelist benign activities.'
description-detailed: |
'This will help you determine if mailbox login was done from Exchange PowerShell session.
By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell.
Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell.
Whitelist any benign scheduled activities using exchange PowerShell if applicable in your environment.
References: https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Execution
- Persistence
- Collection
relevantTechniques:
- T1059
- T1098
- T1114
query: |
EnrichedMicrosoft365AuditLogs
| where Workload == "Exchange" and Operation == "MailboxLogin"
| extend ClientApplication = tostring(parse_json(AdditionalProperties).ClientInfoString)
| where ClientApplication == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"
| extend TenantName = tostring(parse_json(AdditionalProperties).TenantName)
| extend MailboxOwner = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)
| extend LogonType = tostring(parse_json(AdditionalProperties).LogonType)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Operation, TenantName, UserType, UserId, MailboxOwner, LogonType, ClientApplication
| extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId)
| extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
| extend AccountName = iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), AccountName)
| extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '')
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: NTDomain
columnName: AccountNTDomain
version: 2.0.1
kind: Scheduled

40
Solutions/Global Secure Access/Hunting Queries/sharepoint_downloads.yaml Normal file
Просмотреть файл

@ -0,0 +1,40 @@
id: e8ae1375-4640-430c-ae8e-2514d09c71eb
name: SharePoint File Operation via Client IP with Previously Unseen User Agents
description: |
New user agents associated with a client IP for SharePoint file uploads/downloads.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
tactics:
- Exfiltration
relevantTechniques:
- T1030
query: |
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let lookback = starttime - 14d;
let historicalUA = EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(lookback..starttime)
| extend ClientApplication = tostring(parse_json(AdditionalProperties).UserAgent)
| summarize by ClientIp, ClientApplication;
let recentUA = EnrichedMicrosoft365AuditLogs
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(starttime..endtime)
| extend ClientApplication = tostring(parse_json(AdditionalProperties).UserAgent)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ClientIp, ClientApplication;
recentUA | join kind=leftanti (
historicalUA
) on ClientIp, ClientApplication
// Some EnrichedMicrosoft365AuditLogs records do not contain ClientIp information - exclude these for fewer results
| where not(isempty(ClientIp))
| extend IP_0_Address = ClientIp
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_0_Address
version: 2.0.1

Двоичные данные
Solutions/Global Secure Access/Package/3.0.0.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

435
Solutions/Global Secure Access/Package/createUiDefinition.json Normal file
Просмотреть файл

@ -0,0 +1,435 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/gsa.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Global%20Secure%20Access/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Global Secure Access](https://aka.ms/GlobalSecureAccess) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below.\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions to unlock the value provided by this solution.\n 1. Microsoft Entra Id \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n\n\n**Workbooks:** 2, **Hunting Queries:** 21\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "TextBlock",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "TextBlock"
}
}
]
},
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
"label": "TextBlock",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "TextBlock"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Anomalous access to other users' mailboxes",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Looks for users accessing multiple other users' mailboxes or accessing multiple folders in another users mailbox. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "External User Added and Removed in a Short Timeframe",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies external user accounts that are added to a Team and then removed within one hour. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "External user from a new organisation added to Teams",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Mail Redirect via ExO Transport Rule",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies when Exchange Online transport rule is configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Bots added to multiple teams",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query helps identify bots added to multiple Teams in a short space of time. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "User made Owner of multiple teams",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies users who have been made Owner of multiple Teams. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "Multiple Teams deleted by a single user",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies where multiple Teams have been deleted by a single user in a short timeframe. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "Previously Unseen Bot or Application Added to Teams",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query helps identify new, and potentially unapproved applications or bots being added to Teams. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "New Windows Reserved Filenames staged on Office file services",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This identifies new Windows Reserved Filenames on Office services like SharePoint and OneDrive in the past 7 days. It also detects when a user uploads these files to another user's workspace, which may indicate malicious activity. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "Office Mail Forwarding - Hunting Version",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery11",
"type": "Microsoft.Common.Section",
"label": "Files uploaded to teams and access summary",
"elements": [
{
"name": "huntingquery11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies files uploaded to SharePoint via a Teams chat and\nsummarizes users and IP addresses that have accessed these files. This allows for \nidentification of anomalous file sharing patterns. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery12",
"type": "Microsoft.Common.Section",
"label": "User added to Teams and immediately uploads file",
"elements": [
{
"name": "huntingquery12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query identifies users who are added to a Teams Channel or Teams chat\nand within 1 minute of being added upload a file via the chat. This might be\nan indicator of suspicious activity. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery13",
"type": "Microsoft.Common.Section",
"label": "Windows Reserved Filenames Staged on Office File Services",
"elements": [
{
"name": "huntingquery13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This identifies Windows Reserved Filenames on Office services like SharePoint and OneDrive. It also detects when a user uploads these files to another user's workspace, which may indicate malicious activity. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery14",
"type": "Microsoft.Common.Section",
"label": "Exes with double file extension and access summary",
"elements": [
{
"name": "huntingquery14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Provides a summary of executable files with double file extensions in SharePoint \n and the users and IP addresses that have accessed them. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery15",
"type": "Microsoft.Common.Section",
"label": "New Admin Account Activity Seen Which Was Not Seen Historically",
"elements": [
{
"name": "huntingquery15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will help you discover any new admin account activity which was seen and were not seen historically.\nAny new accounts seen in the results can be validated and investigated for any suspicious activities. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery16",
"type": "Microsoft.Common.Section",
"label": "SharePointFileOperation via previously unseen IPs",
"elements": [
{
"name": "huntingquery16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Shows SharePoint upload/download volume by IPs with high-risk ASNs. New IPs with volume spikes may be unauthorized and exfiltrating documents. This hunting query depends on AzureActiveDirectory AzureActiveDirectory data connector (SigninLogs EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery17",
"type": "Microsoft.Common.Section",
"label": "SharePointFileOperation via devices with previously unseen user agents",
"elements": [
{
"name": "huntingquery17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Tracking via user agent is one way to differentiate between types of connecting device.\nIn homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual. This hunting query depends on AzureActiveDirectory AzureActiveDirectory data connector (SigninLogs EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery18",
"type": "Microsoft.Common.Section",
"label": "Non-owner mailbox login activity",
"elements": [
{
"name": "huntingquery18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Finds non-owner mailbox access by admin/delegate permissions. Whitelist valid users and check others for unauthorized access. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery19",
"type": "Microsoft.Common.Section",
"label": "PowerShell or non-browser mailbox login activity",
"elements": [
{
"name": "huntingquery19-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects mailbox login from Exchange PowerShell. All accounts can use it by default, but admins can change it. Whitelist benign activities. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery20",
"type": "Microsoft.Common.Section",
"label": "SharePoint File Operation via Client IP with Previously Unseen User Agents",
"elements": [
{
"name": "huntingquery20-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "New user agents associated with a client IP for SharePoint file uploads/downloads. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
},
{
"name": "huntingquery21",
"type": "Microsoft.Common.Section",
"label": "Multiple Users Email Forwarded to Same Destination",
"elements": [
{
"name": "huntingquery21-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts. This hunting query depends on AzureActiveDirectory data connector (EnrichedMicrosoft365AuditLogs Parser or Table)"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}

2277
Solutions/Global Secure Access/Package/mainTemplate.json Normal file
Просмотреть файл

Различия файлов скрыты, потому что одна или несколько строк слишком длинны

40
Solutions/Global Secure Access/Package/testParameters.json Normal file
Просмотреть файл

@ -0,0 +1,40 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": null,
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
},
"workbook2-name": {
"type": "string",
"defaultValue": null,
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}

15
Solutions/Global Secure Access/SolutionMetadata.json Normal file
Просмотреть файл

@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-globalsecureaccess",
"firstPublishDate": "2024-04-08",
"providers": [ "Microsoft" ],
"categories": {
"domains": [ "Identity"]
},
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
}
}

418
Solutions/Global Secure Access/Workbooks/GSAM365EnrichedEvents.json Normal file
Просмотреть файл

@ -0,0 +1,418 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Traffic Logs workbook\n---\n\nLog information in the dashboard is limited to 30 days."
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [],
"parameters": [
{
"id": "ff8b2a55-1849-4848-acf8-eab5452e9f10",
"version": "KqlParameterItem/1.0",
"name": "LogAnalyticWorkspace",
"label": "Log Analytic Workspace",
"type": 5,
"description": "The log analytic workspace in which to execute the queries",
"isRequired": true,
"query": "resources\r\n| where type == \"microsoft.operationalinsights/workspaces\"\r\n| project id",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"defaultValue": "value::1",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "f15f34d8-8e2d-4c39-8dee-be2f979c86a8",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "8bab511b-53b3-4220-9d1c-372345b06728",
"version": "KqlParameterItem/1.0",
"name": "Users",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EnrichedMicrosoft365AuditLogsDemos_CL\r\n| summarize Count = count() by UserId_s\r\n| order by Count desc, UserId_s asc\r\n| project Value = UserId_s, Label = strcat(UserId_s, ' - ', Count, ' Logs'), Selected = false",
"typeSettings": {
"limitSelectTo": 20,
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 15"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2b2cd1be-9d25-412c-8444-f005c4789b55",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "cc3e67f2-f20f-4430-8dee-d0773b90d9ce",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "All Traffic",
"subTarget": "AllTraffic",
"style": "link"
}
]
},
"name": "links - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| project \r\n Timestamp = createdDateTime_t,\r\n User = userPrincipalName_s,\r\n SourceIP = SourceIP,\r\n DestinationIP = destinationIp_s,\r\n DestinationPort = destinationPort_d,\r\n Action = action_s,\r\n PolicyName = policyName_s,\r\n TransportProtocol = transportProtocol_s,\r\n TrafficType = trafficType_s,\r\n DestinationURL = destinationUrl_s,\r\n ReceivedBytes = receivedBytes_d,\r\n SentBytes = sentBytes_d,\r\n DeviceOS = deviceOperatingSystem_s,\r\n PolicyRuleID = policyRuleId_s\r\n| order by Timestamp desc",
"size": 3,
"showAnalytics": true,
"title": "Log",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "AllTraffic"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// Unique Users\nNetworkAccessDemo_CL\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\n| project SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\n| summarize UniqueUsers=dcount(Country)\n| extend snapshot = \"Total Locations\"\n| project col1 = UniqueUsers, snapshot\n\n// Union with Unique Devices\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\n | summarize TotalBytesGB = sum(BytesInGB)\n | extend snapshot = \"Total Bytes (GB)\"\n | project col1 = tolong(TotalBytesGB), snapshot\n)\n\n// Union with Total Internet Access\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | summarize TotalTransactions = count()\n | extend snapshot = \"Total Transactions\"\n | project col1 = TotalTransactions, snapshot\n)\n\n// Union with Total Private Access\n// Order by Snapshot for consistent tile ordering on dashboard\n| order by snapshot",
"size": 4,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "snapshot",
"formatter": 1
},
"leftContent": {
"columnMatch": "col1",
"formatter": 12,
"formatOptions": {
"palette": "auto"
}
},
"showBorder": true,
"size": "auto"
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "ExistingClients",
"sizeAggregation": "Sum",
"legendMetric": "ExistingClients",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "ExistingClients",
"heatmapPalette": "greenRed"
}
},
"textSettings": {
"style": "bignumber"
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\r\n| summarize TotalBytesGB = sum(BytesInGB) by bin(createdDateTime_t, 1h), trafficType_s\r\n| order by bin(createdDateTime_t, 1h) asc, trafficType_s asc\r\n| project createdDateTime_t, trafficType_s, TotalBytesGB\r\n",
"size": 2,
"title": "Usage over Time (GB)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 0"
}
]
},
"name": "group - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\r\n| project createdDateTime_t, SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\r\n| where Country != \"\"\r\n| summarize Count = count() by City, State, Country\r\n",
"size": 0,
"title": "Locations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "Country",
"latitude": "Latitude",
"longitude": "Longitude",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"labelSettings": "Country",
"legendMetric": "Country",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "Count",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "turquoise"
}
}
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"allow\" and destinationWebCategory_displayName_s != '' // Filter for allowed traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Top Allowed Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationFQDN_s != '' // Filter for allowed traffic\r\n| summarize Count = count() by destinationFQDN_s\r\n| top 100 by Count",
"size": 0,
"title": "Top Blocked Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationWebCategory_displayName_s != '' // Filter for blocked traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 3,
"title": "Top Blocked Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where sentBytes_d > 0\r\n| where tolower(action_s) != \"block\" \r\n| summarize Count = count() , Sent = sum(sentBytes_d), Recived = sum(receivedBytes_d), Total = sum(receivedBytes_d+ sentBytes_d) by destinationFQDN_s\r\n| order by Count desc\r\n",
"size": 0,
"title": "Top Allowed Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "magenta"
}
},
{
"columnMatch": "Recived",
"formatter": 4,
"formatOptions": {
"palette": "turquoise"
}
},
{
"columnMatch": "Total",
"formatter": 4,
"formatOptions": {
"palette": "pink"
}
},
{
"columnMatch": "Sent",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where transportProtocol_s != ''\r\n| summarize Count = count() by toupper(transportProtocol_s)\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Protocol Distburion",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 4"
}
],
"fallbackResourceIds": [],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

421
Solutions/Global Secure Access/Workbooks/GSANetworkTraffic.json Normal file
Просмотреть файл

@ -0,0 +1,421 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Traffic Logs workbook\n---\n\nLog information in the dashboard is limited to 30 days."
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
""
],
"parameters": [
{
"id": "ff8b2a55-1849-4848-acf8-eab5452e9f10",
"version": "KqlParameterItem/1.0",
"name": "LogAnalyticWorkspace",
"label": "Log Analytic Workspace",
"type": 5,
"description": "The log analytic workspace in which to execute the queries",
"isRequired": true,
"query": "resources\r\n| where type == \"microsoft.operationalinsights/workspaces\"\r\n| project id",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"defaultValue": "value::1",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "f15f34d8-8e2d-4c39-8dee-be2f979c86a8",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "8bab511b-53b3-4220-9d1c-372345b06728",
"version": "KqlParameterItem/1.0",
"name": "Users",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EnrichedMicrosoft365AuditLogsDemos_CL\r\n| summarize Count = count() by UserId_s\r\n| order by Count desc, UserId_s asc\r\n| project Value = UserId_s, Label = strcat(UserId_s, ' - ', Count, ' Logs'), Selected = false",
"typeSettings": {
"limitSelectTo": 20,
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 15"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2b2cd1be-9d25-412c-8444-f005c4789b55",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "cc3e67f2-f20f-4430-8dee-d0773b90d9ce",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "All Traffic",
"subTarget": "AllTraffic",
"style": "link"
}
]
},
"name": "links - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| project \r\n Timestamp = createdDateTime_t,\r\n User = userPrincipalName_s,\r\n SourceIP = SourceIP,\r\n DestinationIP = destinationIp_s,\r\n DestinationPort = destinationPort_d,\r\n Action = action_s,\r\n PolicyName = policyName_s,\r\n TransportProtocol = transportProtocol_s,\r\n TrafficType = trafficType_s,\r\n DestinationURL = destinationUrl_s,\r\n ReceivedBytes = receivedBytes_d,\r\n SentBytes = sentBytes_d,\r\n DeviceOS = deviceOperatingSystem_s,\r\n PolicyRuleID = policyRuleId_s\r\n| order by Timestamp desc",
"size": 3,
"showAnalytics": true,
"title": "Log",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "AllTraffic"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// Unique Users\nNetworkAccessDemo_CL\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\n| project SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\n| summarize UniqueUsers=dcount(Country)\n| extend snapshot = \"Total Locations\"\n| project col1 = UniqueUsers, snapshot\n\n// Union with Unique Devices\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\n | summarize TotalBytesGB = sum(BytesInGB)\n | extend snapshot = \"Total Bytes (GB)\"\n | project col1 = tolong(TotalBytesGB), snapshot\n)\n\n// Union with Total Internet Access\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | summarize TotalTransactions = count()\n | extend snapshot = \"Total Trasnacations\"\n | project col1 = TotalTransactions, snapshot\n)\n\n// Union with Total Private Access\n// Order by Snapshot for consistent tile ordering on dashboard\n| order by snapshot",
"size": 4,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "snapshot",
"formatter": 1
},
"leftContent": {
"columnMatch": "col1",
"formatter": 12,
"formatOptions": {
"palette": "auto"
}
},
"showBorder": true,
"size": "auto"
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "ExistingClients",
"sizeAggregation": "Sum",
"legendMetric": "ExistingClients",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "ExistingClients",
"heatmapPalette": "greenRed"
}
},
"textSettings": {
"style": "bignumber"
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\r\n| summarize TotalBytesGB = sum(BytesInGB) by bin(createdDateTime_t, 1h), trafficType_s\r\n| order by bin(createdDateTime_t, 1h) asc, trafficType_s asc\r\n| project createdDateTime_t, trafficType_s, TotalBytesGB\r\n",
"size": 2,
"title": "Usage over Time (GB)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 0"
}
]
},
"name": "group - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\r\n| project createdDateTime_t, SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\r\n| where Country != \"\"\r\n| summarize Count = count() by City, State, Country\r\n\r\n",
"size": 0,
"title": "Locations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "Country",
"latitude": "Latitude",
"longitude": "Longitude",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"labelSettings": "Country",
"legendMetric": "Country",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "Count",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "turquoise"
}
}
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"allow\" and destinationWebCategory_displayName_s != '' // Filter for allowed traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Top Allowed Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationFQDN_s != '' // Filter for allowed traffic\r\n| summarize Count = count() by destinationFQDN_s\r\n| top 100 by Count",
"size": 0,
"title": "Top Blocked Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationWebCategory_displayName_s != '' // Filter for blocked traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 3,
"title": "Top Blocked Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where sentBytes_d > 0\r\n| where tolower(action_s) != \"block\" \r\n| summarize Count = count() , Sent = sum(sentBytes_d), Recived = sum(receivedBytes_d), Total = sum(receivedBytes_d+ sentBytes_d) by destinationFQDN_s\r\n| order by Count desc\r\n",
"size": 0,
"title": "Top Allowed Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "magenta"
}
},
{
"columnMatch": "Recived",
"formatter": 4,
"formatOptions": {
"palette": "turquoise"
}
},
{
"columnMatch": "Total",
"formatter": 4,
"formatOptions": {
"palette": "pink"
}
},
{
"columnMatch": "Sent",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where transportProtocol_s != ''\r\n| summarize Count = count() by toupper(transportProtocol_s)\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Protocol Distburion",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 4"
}
],
"fallbackResourceIds": [
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

418
Workbooks/GSAM365EnrichedEvents.json Normal file
Просмотреть файл

@ -0,0 +1,418 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Traffic Logs workbook\n---\n\nLog information in the dashboard is limited to 30 days."
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [],
"parameters": [
{
"id": "ff8b2a55-1849-4848-acf8-eab5452e9f10",
"version": "KqlParameterItem/1.0",
"name": "LogAnalyticWorkspace",
"label": "Log Analytic Workspace",
"type": 5,
"description": "The log analytic workspace in which to execute the queries",
"isRequired": true,
"query": "resources\r\n| where type == \"microsoft.operationalinsights/workspaces\"\r\n| project id",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"defaultValue": "value::1",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "f15f34d8-8e2d-4c39-8dee-be2f979c86a8",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "8bab511b-53b3-4220-9d1c-372345b06728",
"version": "KqlParameterItem/1.0",
"name": "Users",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EnrichedMicrosoft365AuditLogsDemos_CL\r\n| summarize Count = count() by UserId_s\r\n| order by Count desc, UserId_s asc\r\n| project Value = UserId_s, Label = strcat(UserId_s, ' - ', Count, ' Logs'), Selected = false",
"typeSettings": {
"limitSelectTo": 20,
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 15"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2b2cd1be-9d25-412c-8444-f005c4789b55",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "cc3e67f2-f20f-4430-8dee-d0773b90d9ce",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "All Traffic",
"subTarget": "AllTraffic",
"style": "link"
}
]
},
"name": "links - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| project \r\n Timestamp = createdDateTime_t,\r\n User = userPrincipalName_s,\r\n SourceIP = SourceIP,\r\n DestinationIP = destinationIp_s,\r\n DestinationPort = destinationPort_d,\r\n Action = action_s,\r\n PolicyName = policyName_s,\r\n TransportProtocol = transportProtocol_s,\r\n TrafficType = trafficType_s,\r\n DestinationURL = destinationUrl_s,\r\n ReceivedBytes = receivedBytes_d,\r\n SentBytes = sentBytes_d,\r\n DeviceOS = deviceOperatingSystem_s,\r\n PolicyRuleID = policyRuleId_s\r\n| order by Timestamp desc",
"size": 3,
"showAnalytics": true,
"title": "Log",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "AllTraffic"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// Unique Users\nNetworkAccessDemo_CL\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\n| project SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\n| summarize UniqueUsers=dcount(Country)\n| extend snapshot = \"Total Locations\"\n| project col1 = UniqueUsers, snapshot\n\n// Union with Unique Devices\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\n | summarize TotalBytesGB = sum(BytesInGB)\n | extend snapshot = \"Total Bytes (GB)\"\n | project col1 = tolong(TotalBytesGB), snapshot\n)\n\n// Union with Total Internet Access\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | summarize TotalTransactions = count()\n | extend snapshot = \"Total Transactions\"\n | project col1 = TotalTransactions, snapshot\n)\n\n// Union with Total Private Access\n// Order by Snapshot for consistent tile ordering on dashboard\n| order by snapshot",
"size": 4,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "snapshot",
"formatter": 1
},
"leftContent": {
"columnMatch": "col1",
"formatter": 12,
"formatOptions": {
"palette": "auto"
}
},
"showBorder": true,
"size": "auto"
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "ExistingClients",
"sizeAggregation": "Sum",
"legendMetric": "ExistingClients",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "ExistingClients",
"heatmapPalette": "greenRed"
}
},
"textSettings": {
"style": "bignumber"
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\r\n| summarize TotalBytesGB = sum(BytesInGB) by bin(createdDateTime_t, 1h), trafficType_s\r\n| order by bin(createdDateTime_t, 1h) asc, trafficType_s asc\r\n| project createdDateTime_t, trafficType_s, TotalBytesGB\r\n",
"size": 2,
"title": "Usage over Time (GB)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 0"
}
]
},
"name": "group - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\r\n| project createdDateTime_t, SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\r\n| where Country != \"\"\r\n| summarize Count = count() by City, State, Country\r\n",
"size": 0,
"title": "Locations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "Country",
"latitude": "Latitude",
"longitude": "Longitude",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"labelSettings": "Country",
"legendMetric": "Country",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "Count",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "turquoise"
}
}
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"allow\" and destinationWebCategory_displayName_s != '' // Filter for allowed traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Top Allowed Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationFQDN_s != '' // Filter for allowed traffic\r\n| summarize Count = count() by destinationFQDN_s\r\n| top 100 by Count",
"size": 0,
"title": "Top Blocked Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationWebCategory_displayName_s != '' // Filter for blocked traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 3,
"title": "Top Blocked Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where sentBytes_d > 0\r\n| where tolower(action_s) != \"block\" \r\n| summarize Count = count() , Sent = sum(sentBytes_d), Recived = sum(receivedBytes_d), Total = sum(receivedBytes_d+ sentBytes_d) by destinationFQDN_s\r\n| order by Count desc\r\n",
"size": 0,
"title": "Top Allowed Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "magenta"
}
},
{
"columnMatch": "Recived",
"formatter": 4,
"formatOptions": {
"palette": "turquoise"
}
},
{
"columnMatch": "Total",
"formatter": 4,
"formatOptions": {
"palette": "pink"
}
},
{
"columnMatch": "Sent",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where transportProtocol_s != ''\r\n| summarize Count = count() by toupper(transportProtocol_s)\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Protocol Distburion",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 4"
}
],
"fallbackResourceIds": [],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

421
Workbooks/GSANetworkTraffic.json Normal file
Просмотреть файл

@ -0,0 +1,421 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Traffic Logs workbook\n---\n\nLog information in the dashboard is limited to 30 days."
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
""
],
"parameters": [
{
"id": "ff8b2a55-1849-4848-acf8-eab5452e9f10",
"version": "KqlParameterItem/1.0",
"name": "LogAnalyticWorkspace",
"label": "Log Analytic Workspace",
"type": 5,
"description": "The log analytic workspace in which to execute the queries",
"isRequired": true,
"query": "resources\r\n| where type == \"microsoft.operationalinsights/workspaces\"\r\n| project id",
"typeSettings": {
"resourceTypeFilter": {
"microsoft.operationalinsights/workspaces": true
},
"additionalResourceOptions": [
"value::1"
],
"showDefault": false
},
"timeContext": {
"durationMs": 86400000
},
"defaultValue": "value::1",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "f15f34d8-8e2d-4c39-8dee-be2f979c86a8",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 2592000000
}
},
{
"id": "8bab511b-53b3-4220-9d1c-372345b06728",
"version": "KqlParameterItem/1.0",
"name": "Users",
"type": 2,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "EnrichedMicrosoft365AuditLogsDemos_CL\r\n| summarize Count = count() by UserId_s\r\n| order by Count desc, UserId_s asc\r\n| project Value = UserId_s, Label = strcat(UserId_s, ' - ', Count, ' Logs'), Selected = false",
"typeSettings": {
"limitSelectTo": 20,
"additionalResourceOptions": [
"value::all"
],
"selectAllValue": "*",
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 15"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "2b2cd1be-9d25-412c-8444-f005c4789b55",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "Overview",
"subTarget": "Overview",
"style": "link"
},
{
"id": "cc3e67f2-f20f-4430-8dee-d0773b90d9ce",
"cellValue": "tabSel",
"linkTarget": "parameter",
"linkLabel": "All Traffic",
"subTarget": "AllTraffic",
"style": "link"
}
]
},
"name": "links - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| project \r\n Timestamp = createdDateTime_t,\r\n User = userPrincipalName_s,\r\n SourceIP = SourceIP,\r\n DestinationIP = destinationIp_s,\r\n DestinationPort = destinationPort_d,\r\n Action = action_s,\r\n PolicyName = policyName_s,\r\n TransportProtocol = transportProtocol_s,\r\n TrafficType = trafficType_s,\r\n DestinationURL = destinationUrl_s,\r\n ReceivedBytes = receivedBytes_d,\r\n SentBytes = sentBytes_d,\r\n DeviceOS = deviceOperatingSystem_s,\r\n PolicyRuleID = policyRuleId_s\r\n| order by Timestamp desc",
"size": 3,
"showAnalytics": true,
"title": "Log",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"rowLimit": 1000,
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "AllTraffic"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "// Unique Users\nNetworkAccessDemo_CL\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\n| project SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\n| summarize UniqueUsers=dcount(Country)\n| extend snapshot = \"Total Locations\"\n| project col1 = UniqueUsers, snapshot\n\n// Union with Unique Devices\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\n | summarize TotalBytesGB = sum(BytesInGB)\n | extend snapshot = \"Total Bytes (GB)\"\n | project col1 = tolong(TotalBytesGB), snapshot\n)\n\n// Union with Total Internet Access\n| union (\n NetworkAccessDemo_CL\n | where userPrincipalName_s in ({Users}) or '*' in ({Users})\n | summarize TotalTransactions = count()\n | extend snapshot = \"Total Trasnacations\"\n | project col1 = TotalTransactions, snapshot\n)\n\n// Union with Total Private Access\n// Order by Snapshot for consistent tile ordering on dashboard\n| order by snapshot",
"size": 4,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "snapshot",
"formatter": 1
},
"leftContent": {
"columnMatch": "col1",
"formatter": 12,
"formatOptions": {
"palette": "auto"
}
},
"showBorder": true,
"size": "auto"
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "ExistingClients",
"sizeAggregation": "Sum",
"legendMetric": "ExistingClients",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "ExistingClients",
"heatmapPalette": "greenRed"
}
},
"textSettings": {
"style": "bignumber"
}
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend BytesInGB = todouble(sentBytes_d + receivedBytes_d) / (1024 * 1024 * 1024) // Convert bytes to gigabytes\r\n| summarize TotalBytesGB = sum(BytesInGB) by bin(createdDateTime_t, 1h), trafficType_s\r\n| order by bin(createdDateTime_t, 1h) asc, trafficType_s asc\r\n| project createdDateTime_t, trafficType_s, TotalBytesGB\r\n",
"size": 2,
"title": "Usage over Time (GB)",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "query - 0"
}
]
},
"name": "group - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| extend GeoInfo = geo_info_from_ip_address(SourceIP) // Extend each row with geolocation info\r\n| project createdDateTime_t, SourceIP, Country = tostring(GeoInfo.country), State = tostring(GeoInfo.state), City = tostring(GeoInfo.city), Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)\r\n| where Country != \"\"\r\n| summarize Count = count() by City, State, Country\r\n\r\n",
"size": 0,
"title": "Locations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "map",
"mapSettings": {
"locInfo": "CountryRegion",
"locInfoColumn": "Country",
"latitude": "Latitude",
"longitude": "Longitude",
"sizeSettings": "Count",
"sizeAggregation": "Sum",
"labelSettings": "Country",
"legendMetric": "Country",
"legendAggregation": "Count",
"itemColorSettings": {
"nodeColorField": "Count",
"colorAggregation": "Sum",
"type": "heatmap",
"heatmapPalette": "turquoise"
}
}
},
"customWidth": "50",
"name": "query - 0"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"allow\" and destinationWebCategory_displayName_s != '' // Filter for allowed traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Top Allowed Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationFQDN_s != '' // Filter for allowed traffic\r\n| summarize Count = count() by destinationFQDN_s\r\n| top 100 by Count",
"size": 0,
"title": "Top Blocked Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where tolower(action_s) == \"block\" and destinationWebCategory_displayName_s != '' // Filter for blocked traffic\r\n| extend firstCategory = tostring(split(destinationWebCategory_displayName_s, ',')[0]) // Split and get the first category\r\n| summarize Count = count() by firstCategory\r\n| top 10 by Count\r\n",
"size": 3,
"title": "Top Blocked Web Categories",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where sentBytes_d > 0\r\n| where tolower(action_s) != \"block\" \r\n| summarize Count = count() , Sent = sum(sentBytes_d), Recived = sum(receivedBytes_d), Total = sum(receivedBytes_d+ sentBytes_d) by destinationFQDN_s\r\n| order by Count desc\r\n",
"size": 0,
"title": "Top Allowed Destinations",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"palette": "magenta"
}
},
{
"columnMatch": "Recived",
"formatter": 4,
"formatOptions": {
"palette": "turquoise"
}
},
{
"columnMatch": "Total",
"formatter": 4,
"formatOptions": {
"palette": "pink"
}
},
{
"columnMatch": "Sent",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "NetworkAccessDemo_CL\r\n| where userPrincipalName_s in ({Users}) or '*' in ({Users})\r\n| where transportProtocol_s != ''\r\n| summarize Count = count() by toupper(transportProtocol_s)\r\n| top 10 by Count\r\n",
"size": 2,
"title": "Protocol Distburion",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart"
},
"customWidth": "50",
"name": "query - 3"
}
]
},
"conditionalVisibility": {
"parameterName": "tabSel",
"comparison": "isEqualTo",
"value": "Overview"
},
"name": "group - 4"
}
],
"fallbackResourceIds": [
],
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

5
Workbooks/Images/Logos/gsa.svg Normal file
Просмотреть файл

@ -0,0 +1,5 @@
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20">
<path d="M20 10c0 5.523-4.477 10-10 10S0 15.523 0 10 4.477 0 10 0s10 4.477 10 10Zm0 0" fill="#6df" fill-rule="nonzero" fill-opacity="1"/>
<path d="M10 0c5.523 0 10 4.477 10 10s-4.477 10-10 10S0 15.523 0 10 4.477 0 10 0Zm2.938 14.5H7.061c.653 2.414 1.786 4 2.938 4 1.156 0 2.29-1.586 2.941-4Zm-7.43 0H2.785a8.566 8.566 0 0 0 4.094 3.41c-.52-.82-.953-1.848-1.27-3.015Zm11.707 0h-2.723c-.324 1.332-.793 2.496-1.375 3.41a8.543 8.543 0 0 0 3.91-3.129ZM5.094 8H1.738l-.008.02A8.483 8.483 0 0 0 1.5 10c0 1.059.191 2.066.543 3h3.172C5.075 12.05 5 11.043 5 10c0-.684.031-1.352.094-2Zm8.304 0H6.602a19.41 19.41 0 0 0 .136 5h6.524a19.41 19.41 0 0 0 .137-5Zm4.864 0h-3.356c.063.648.094 1.316.094 2 0 1.043-.074 2.05-.219 3h3.172a8.398 8.398 0 0 0 .547-3c0-.688-.082-1.36-.238-2ZM6.882 2.09l-.023.008A8.547 8.547 0 0 0 2.25 6.5h3.047c.312-1.754.86-3.277 1.582-4.41ZM10 1.5l-.117.004C8.617 1.62 7.398 3.62 6.828 6.5h6.344c-.57-2.871-1.785-4.867-3.047-4.996Zm3.121.59.106.176c.668 1.109 1.175 2.57 1.472 4.234h3.051a8.555 8.555 0 0 0-4.34-4.29Zm0 0" fill="#225086" fill-rule="nonzero" fill-opacity="1"/>
<path d="M10 0a30.898 30.898 0 0 1 1.66 10c0 4.293-.89 7.754-1.66 10 5.484 0 10-4.516 10-10 0-5.523-4.477-10-10-10Zm0 0" fill="#0294e4" fill-rule="nonzero" fill-opacity="1"/>
</svg>
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 1.3 KiB

Двоичные данные
Workbooks/Images/Preview/GSAEnrichedLogsBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 188 KiB

Двоичные данные
Workbooks/Images/Preview/GSAEnrichedLogsWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 177 KiB

Двоичные данные
Workbooks/Images/Preview/GSATrafficLogsBlack.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 150 KiB

Двоичные данные
Workbooks/Images/Preview/GSATrafficLogsWhite.png Normal file
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

После

Ширина:  |  Высота:  |  Размер: 136 KiB

40
Workbooks/WorkbooksMetadata.json
Просмотреть файл

@ -7622,5 +7622,45 @@
"templateRelativePath": "SyslogConnectorsOverviewWorkbook.json",
"subtitle": "",
"provider": "-------"
},
{
"workbookKey": "GSAM365EnrichedEvents",
"logoFileName": "gsa.svg",
"description": "This Workbook gives an overview of ingestion of logs in the CommonSecurityLog table.",
"dataTypesDependencies": [],
"dataConnectorsDependencies": [
"AzureActiveDirectory"
],
"previewImagesFileNames": [
"GSAEnrichedLogsWhite.png",
"GSAEnrichedLogsBlack.png"
],
"version": "1.0.0",
"title": "Microsoft Global Secure Access Enriched M365 Logs",
"templateRelativePath": "GSAM365EnrichedEvents.json",
"provider": "Microsoft",
"author": {
"name": "Microsoft"
}
},
{
"workbookKey": "GSANetworkTraffic",
"logoFileName": "gsa.svg",
"description": "Microsoft Global Secure Access Traffic Logs",
"dataConnectorsDependencies": [
"AzureActiveDirectory"
],
"dataConnectorsDependencies": [],
"previewImagesFileNames": [
"GSATrafficLogsWhite.png",
"GSATrafficLogsBlack.png"
],
"version": "1.0.0",
"title": "Microsoft Global Secure Access Traffic Logs",
"templateRelativePath": "GSANetworkTraffic.json",
"provider": "Microsoft",
"author": {
"name": "Microsoft"
}
}
]