Solution Metadata and package update

NikTripathi 2021-10-22 13:52:50 +05:30
Родитель f693359939
Коммит 8cb3e3a192
45 изменённых файлов: 12636 добавлений и 0 удалений


@ -0,0 +1,12 @@
{
"Name": "CiscoStealthwatch",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">",
"Description": "[Cisco Secure Network Analytics (Stealthwatch)](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) is the most comprehensive visibility and network traffic analysis (NTA)/ network detection and response (NDR) solution that uses enterprise telemetry from the existing network infrastructure. It provides advanced threat detection, accelerated threat response, and simplified network segmentation using multilayer machine learning and entity modeling.",
"Parsers": ["Parsers/StealthwatchEvent.txt"],
"Data Connectors": ["Data Connectors/Cisco_Stealthwatch_syslog.json"],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\CiscoStealthwatch",
"Version": "1.1.0"
}
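Review bot: `BasePath` on L20 is an absolute path on the author's workstation (`C:\\GitHub\\azure\\Solutions\\CiscoStealthwatch`), while every other path in this file is repository-relative, so the packaging step only reproduces from that one machine and the committed file leaks local directory layout for no benefit. If the packaging tool can take a repository-relative root, `"BasePath": "Solutions/CiscoStealthwatch"` keeps the file portable; if it genuinely requires a local absolute path, that expectation should be stated in the solution README rather than left implicit. The `Author` field also embeds a personal mailbox that will outlive the vendor engagement; the solution metadata already carries the Microsoft support contact, which is the durable one.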

Solutions/CiscoStealthwatch/Package/1.1.0.zip Normal file



@ -0,0 +1,102 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/cisco-logo-72px.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Cisco Secure Network Analytics (Stealthwatch)](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) is the most comprehensive visibility and network traffic analysis (NTA)/ network detection and response (NDR) solution that uses enterprise telemetry from the existing network infrastructure. It provides advanced threat detection, accelerated threat response, and simplified network segmentation using multilayer machine learning and entity modeling.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for CiscoStealthwatch. You can get CiscoStealthwatch Syslog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the Syslog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
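Review bot: The workspace dropdown filter on L78, `contains(filter.id, toLower(resourceGroup().name))`, is a substring match against the whole resource ID, so a workspace in any resource group whose name merely contains the selected group's name (for example `soc-rg-old` when `soc-rg` is selected) is also offered, and the deployment can then be pointed at a workspace outside the chosen group. Matching the full resource-group path segment closes that: `contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))`. Whether `contains` compares case-insensitively in this handler is not evident from the file, so lowering both sides is the safer form. Separately, the hidden `location` element is annotated "we get it from the log analytics workspace" (L51) but `outputs.workspace-location` on L128 is `resourceGroup().location`, not the selected workspace's region; worth confirming that is intended, since a workspace can live in a different region from its resource group.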


@ -0,0 +1,272 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for CiscoStealthwatch"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "b6e720ba-f74e-4e02-81fc-f5b2f4269e2e"
}
},
"variables": {
"workspace-dependency": "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspace'))]",
"StealthwatchEvent_Parser": "StealthwatchEvent_Parser",
"_StealthwatchEvent_Parser": "[variables('StealthwatchEvent_Parser')]",
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"StealthwatchConnector": "StealthwatchConnector",
"_StealthwatchConnector": "[variables('StealthwatchConnector')]",
"sourceId": "azuresentinel.azure-sentinel-solution-ciscostealthwatch",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2020-08-01",
"name": "[parameters('workspace')]",
"location": "[parameters('workspace-location')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "CiscoStealthwatch Data Parser",
"dependsOn": [
"[variables('workspace-dependency')]"
],
"properties": {
"eTag": "*",
"displayName": "CiscoStealthwatch Data Parser",
"category": "Samples",
"functionAlias": "StealthwatchEvent",
"query": "\nSyslog\r\n| where SyslogMessage has 'Stealthwatch'\r\n| extend EventVendor = 'Cisco'\r\n| extend EventProduct = 'Stealthwatch'\r\n| extend EventProductVersion = extract(@'Stealthwatch\\|([0-9\\.]+)\\|', 1, SyslogMessage)\r\n| mv-apply ExtractedFields = extract_all(@'\\|(?P<key>[a-zA-Z0-9-_]+)=(?P<value>[a-zA-Z0-9-_:/@.,#{}>< ]+)', dynamic([\"key\",\"value\"]), SyslogMessage) on (\r\n project packed = pack(tostring(ExtractedFields[0]), tostring(ExtractedFields[1]))\r\n | summarize bag = make_bag(packed)\r\n)\r\n| evaluate bag_unpack(bag)\r\n| extend EventStartTime=todatetime(start)\r\n| extend EventEndTime=todatetime(end)\r\n| project-rename EventOriginalUid=alarmID\r\n , EventSeverity=alarmSev\r\n , EventStatus=alarmStatus\r\n , EventType=cat\r\n , SrcDvcDomain=domain\r\n , DstIpAddr=dst\r\n , DstPortNumber=dstPort\r\n , EventMessage=msg\r\n , Protocol=proto\r\n , SrcGeoCountry=sourceHG\r\n , SrcHostSnapshot=sourceHostSnapshot\r\n , SrcIpAddr=src\r\n , DvcIpAddr=flowCollectorIP\r\n , DvcHostname=flowCollectorName\r\n , SrcUserName=sourceUser\r\n , DstUserName=targetUser\r\n , DstGeoCountry=targetHG\r\n , DstDvcHostname=targetHostname\r\n , DstHostSnapshot=targetHostSnapshot\r\n| project-away start\r\n , end\r\n , SyslogMessage\r\n",
"version": 1
}
}
]
},
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Cisco Stealthwatch",
"publisher": "Cisco",
"descriptionMarkdown": "The [Cisco Stealthwatch](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Stealthwatch events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/SW_7_2_1_Security_Events_and_Alarm_Categories_DV_1_0.pdf) into Azure Sentinel. Refer to [Cisco Stealthwatch documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_0.pdf) for more information.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Stealthwatch",
"baseQuery": "StealthwatchEvent"
}
],
"sampleQueries": [
{
"description": "Top 10 Sources",
"query": "StealthwatchEvent\n | summarize count() by tostring(DvcHostname)\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "Syslog (StealthwatchEvent)",
"lastDataReceivedQuery": "StealthwatchEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"StealthwatchEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Azure Sentinel Solution."
},
{
"description": ">**NOTE:** This data connector has been developed using Cisco Stealthwatch version 7.3.2"
},
{
"description": "Install the agent on the Server where the Cisco Stealthwatch logs are forwarded.\n\n> Logs from Cisco Stealthwatch Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents.",
"instructions": [
{
"parameters": {
"title": "Choose where to install the Linux agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Linux Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Linux Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnLinuxNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
],
"title": "1. Install and onboard the agent for Linux or Windows"
},
{
"instructions": [
{
"parameters": {
"title": "Choose where to install the Windows agent:",
"instructionSteps": [
{
"title": "Install agent on Azure Windows Virtual Machine",
"description": "Select the machine to install the agent on and then click **Connect**.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnVirtualMachine"
},
"type": "InstallAgent"
}
]
},
{
"title": "Install agent on a non-Azure Windows Machine",
"description": "Download the agent on the relevant machine and follow the instructions.",
"instructions": [
{
"parameters": {
"linkType": "InstallAgentOnNonAzure"
},
"type": "InstallAgent"
}
]
}
]
},
"type": "InstructionStepsGroup"
}
]
},
{
"description": "Follow the configuration steps below to get Cisco Stealthwatch logs into Azure Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|argetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.",
"title": "2. Configure Cisco Stealthwatch event forwarding"
}
],
"additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Azure Sentinel Solution."
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.1.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "CiscoStealthwatch",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "Parser",
"contentId": "[variables('_StealthwatchEvent_Parser')]",
"version": "1.1.0"
},
{
"kind": "DataConnector",
"contentId": "[variables('_StealthwatchConnector')]",
"version": "1.1.0"
}
]
},
"firstPublishDate": "2021-10-20",
"providers": [
"Cisco"
],
"categories": {
"domains": [
"Security – Network"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}
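Review bot: The parser query on L204 hands `bag_unpack` key names taken verbatim from the syslog payload, so one message carrying a field such as `|Computer=x` or `|TimeGenerated=x` collides with an existing `Syslog` column and, under the plugin's default conflict handling, errors the whole `StealthwatchEvent` function and every query built on it — if anything upstream can influence the syslog stream, that is a one-line denial of the connector. Use `evaluate bag_unpack(bag, columnsConflict='keep_source')` where supported, or filter colliding keys inside the `mv-apply` before `make_bag`, and read optional fields via `column_ifexists('start', '')` so `todatetime(start)` and the long `project-rename` list do not fail when a key is absent from every row in the time window. Separately, the custom format the instructions tell customers to paste on L349 contains `|argetHG={target_host_group_names}|`, a typo for `targetHG` — the exact key the parser renames to `DstGeoCountry` — so anyone following the steps as written never gets that column. Note also that `sourceHG`/`targetHG` carry host-group names, not countries, so renaming them to `SrcGeoCountry`/`DstGeoCountry` mislabels the data; a host-group field name would be more accurate.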


@ -0,0 +1,16 @@
{
"publisherId": "azuresentinel",
"planId": "azure-sentinel-solution-ciscostealthwatch",
"firstPublishDate": "2021-10-20",
"providers": ["Cisco"],
"categories": {
"domains" : ["Security – Network"],
"verticals": []
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}


@ -0,0 +1,21 @@
{
"Name": "Contrast Security",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/contrastsecurity_logo.svg\"width=\"75px\"height=\"75px\">",
"Description": "Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Azure Sentinel to blend with security information from other systems.",
"Data Connectors": [
"Data Connectors/ContrastProtect.json"
],
"Analytic Rules": [
"Analytic Rules/ContrastBlocks.yaml",
"Analytic Rules/ContrastExploits.yaml",
"Analytic Rules/ContrastProbes.yaml",
"Analytic Rules/ContrastSuspicious.yaml"
],
"Workbook": [
"Workbooks/ContrastProtect.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Contrast Security",
"Version": "1.1.0"
}
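Review bot: The `Logo` markup on L437 has no whitespace between attributes (`...svg\"width=\"75px\"height=\"75px\">`), so `src`, `width` and `height` run together; browsers usually recover, but the same string is copied into the generated createUiDefinition description, so fix it at the source: `<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/contrastsecurity_logo.svg\" width=\"75px\" height=\"75px\">`. `BasePath` on L452 is an absolute path on the author's machine (with a space in it), unlike every other path here; if the packaging tool accepts a repository-relative root, `"BasePath": "Solutions/Contrast Security"` keeps the file reproducible for other contributors.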

Solutions/Contrast Security/Package/1.1.0.zip Normal file



@ -0,0 +1,173 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/contrastsecurity_logo.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nContrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Azure Sentinel to blend with security information from other systems.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Analytic Rules:** 4\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Contrast Security. You can get Contrast Security CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Contrast Security that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Contrast Blocks",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates Incidents for Blocked events sourced from the Contrast Protect agent."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Contrast Exploits",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates Incidents for Exploit events sourced from the Contrast Protect agent."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Contrast Probes",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates Incidents for Probed events sourced from the Contrast Protect agent."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Contrast Suspicious",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Creates Incidents for Suspicious events sourced from the Contrast Protect agent."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
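Review bot: The solution data file for this solution lists a workbook (`Workbooks/ContrastProtect.json`), but the description on L472 reports only `**Data Connectors:** 1, **Analytic Rules:** 4` and the wizard has no Workbooks step, so either the installer deploys a resource the user is never told about or the workbook is not packaged at all — the main template is cut off in this view, so I cannot tell which; either add `, **Workbooks:** 1` plus a workbooks step, or drop the entry from the solution data. The workspace filter on L510 is the same whole-ID substring match as in the other createUiDefinition (`contains(filter.id, toLower(resourceGroup().name))`) and can list workspaces from similarly named resource groups; match the full `/resourcegroups/<name>/` segment instead. The `<img>` in the L472 description also lacks spaces between its attributes, inherited from the solution data file.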


@ -0,0 +1,376 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for Contrast Security"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "c8eefcf9-0799-481c-8605-1973011fa703"
},
"analytic1-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic2-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic3-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
},
"analytic4-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
}
},
"variables": {
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"ContrastProtectConnector": "ContrastProtectConnector",
"_ContrastProtectConnector": "[variables('ContrastProtectConnector')]",
"ContrastBlocks_AnalyticalRules": "ContrastBlocks_AnalyticalRules",
"_ContrastBlocks_AnalyticalRules": "[variables('ContrastBlocks_AnalyticalRules')]",
"ContrastExploits_AnalyticalRules": "ContrastExploits_AnalyticalRules",
"_ContrastExploits_AnalyticalRules": "[variables('ContrastExploits_AnalyticalRules')]",
"ContrastProbes_AnalyticalRules": "ContrastProbes_AnalyticalRules",
"_ContrastProbes_AnalyticalRules": "[variables('ContrastProbes_AnalyticalRules')]",
"ContrastSuspicious_AnalyticalRules": "ContrastSuspicious_AnalyticalRules",
"_ContrastSuspicious_AnalyticalRules": "[variables('ContrastSuspicious_AnalyticalRules')]",
"sourceId": "contrast_security.contrast_protect_azure_sentinel_solution",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Contrast Protect",
"publisher": "Contrast Security",
"descriptionMarkdown": "Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Azure Sentinel to blend with security information from other systems.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "ContrastProtect",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Contrast Security\""
}
],
"sampleQueries": [
{
"description": "All attacks",
"query": "let extract_data=(a:string, k:string) {\n parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == 'Contrast Security'\n| extend Outcome = replace(@'INEFFECTIVE', @'PROBED', tostring(extract_data(AdditionalExtensions, 'outcome')))\n| where Outcome != 'success'\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n| project TimeGenerated, ApplicationProtocol, Rule, Activity, Outcome, RequestURL, SourceIP\n| order by TimeGenerated desc\n"
},
{
"description": "Effective attacks",
"query": "let extract_data=(a:string, k:string) {\n parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == 'Contrast Security'\n| extend Outcome = extract_data(AdditionalExtensions, 'outcome')\n| where Outcome in ('EXPLOITED','BLOCKED','SUSPICIOUS')\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n| project TimeGenerated, ApplicationProtocol, Rule, Activity, Outcome, RequestURL, SourceIP\n| order by TimeGenerated desc\n"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (ContrastProtect)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Contrast Security\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"Contrast Security\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Configure the Contrast Protect agent to forward events to syslog as described here: https://docs.contrastsecurity.com/en/output-to-syslog.html. Generate some attack events for your application.",
"title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Creates Incidents for Blocked events sourced from the Contrast Protect agent.",
"displayName": "Contrast Blocks",
"enabled": false,
"query": "let extract_data=(a:string, k:string) {\n parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"BLOCKED\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"tactics": [
"InitialAccess",
"Exfiltration"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Creates Incidents for Exploit events sourced from the Contrast Protect agent.",
"displayName": "Contrast Exploits",
"enabled": false,
"query": "let extract_data=(a:string, k:string) {\n parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"EXPLOITED\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"tactics": [
"InitialAccess",
"Exfiltration"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Creates Incidents for Probed events sourced from the Contrast Protect agent.",
"displayName": "Contrast Probes",
"enabled": false,
"query": "let extract_data=(a:string, k:string) {\n parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"PROBED\" or AdditionalExtensions contains \"INEFFECTIVE\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Informational",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 10,
"tactics": [
"InitialAccess",
"Exfiltration"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Creates Incidents for Suspicious events sourced from the Contrast Protect agent.",
"displayName": "Contrast Suspicious",
"enabled": false,
"query": "let extract_data=(a:string, k:string) {\n parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"SUSPICIOUS\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"tactics": [
"InitialAccess",
"Exfiltration"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.1.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "Contrast Security",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "Contrast Security",
"email": "support@contrastsecurity.com",
"tier": "Partner",
"link": "https://docs.contrastsecurity.com/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_ContrastProtectConnector')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_ContrastBlocks_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_ContrastExploits_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_ContrastProbes_AnalyticalRules')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_ContrastSuspicious_AnalyticalRules')]",
"version": "1.1.0"
}
]
},
"firstPublishDate": "2021-10-20",
"providers": [
"Contrast Security"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}


@ -0,0 +1,16 @@
{
"publisherId": "contrast_security",
"planId": "contrast_protect_azure_sentinel_solution",
"firstPublishDate": "2021-10-20",
"providers": ["Contrast Security"],
"categories": {
"domains" : ["Security - Threat Protection"],
"verticals": []
},
"support": {
"name": "Contrast Security",
"email": "support@contrastsecurity.com",
"tier": "Partner",
"link": "https://docs.contrastsecurity.com/"
}
}


@ -0,0 +1,43 @@
{
"Name": "Corelight",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Corelight/Data Connectors/Logo/corelight.svg\" width=\"75px\" height=\"75px\">",
"WorkbookDescription": "Gain insights into Corelight audit logs",
"Description": "Corelight Zeek helps you find the problem—faster for an alert. It complements signature-based tools to help you rapidly trace complex events across multiple flows and protocols with ease, to quickly pinpoint and resolve security issues.",
"Workbooks": [
"Workbooks/Corelight.json"
],
"Analytic Rules": [
"Analytic Rules/CorelightC2RepetitiveFailures.yaml",
"Analytic Rules/CorelightExternalProxyDetected.yaml",
"Analytic Rules/CorelightForcedExternalOutboundSMB.yaml",
"Analytic Rules/CorelightMultipleCompressedFilesTransferredOverHTTP.yaml",
"Analytic Rules/CorelightMultipleFilesSentOverHTTPAbnormalRequests.yaml",
"Analytic Rules/CorelightNetworkServiceScanning.yaml",
"Analytic Rules/CorelightPossibleWebshell.yaml",
"Analytic Rules/CorelightPossibleWebshellRarePOST.yaml",
"Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml",
"Analytic Rules/CorelightTypoSquattingOrPunycodePhishingHTTPRequest.yaml"
],
"Data Connectors": [
"Data Connectors/Connector_LogAnalytics_agent_Corelight.json"
],
"Parsers": [
"Parsers/Corelight.txt"
],
"Hunting Queries": [
"Hunting Queries/CorelightAbnormalEmailSubject.yaml",
"Hunting Queries/CorelightCompressedFilesTransferredOverHTTP.yaml",
"Hunting Queries/CorelightDataTransferedByIp.yaml",
"Hunting Queries/CorelightExternalServices.yaml",
"Hunting Queries/CorelightFilesSeen.yaml",
"Hunting Queries/CorelightFilesTransferedByIp.yaml",
"Hunting Queries/CorelightMultipleRemoteSMBConnectionsFromSingleIP.yaml",
"Hunting Queries/CorelightObfuscatedBinary.yaml",
"Hunting Queries/CorelightRarePOST.yaml",
"Hunting Queries/CorelightRepetitiveDnsFailures.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Corelight",
"Version": "1.1.0"
}
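Review bot: `"BasePath": "C:\\GitHub\\azure\\Solutions\\Corelight"` is an absolute path from one developer's workstation, so anyone else running the packaging tool must edit this committed input file before it works; a repo-relative value such as `"BasePath": "Solutions/Corelight"` (if the tool accepts one) or a value supplied at run time would be portable, and the FlareSystemsFirework solution file in this same commit has the same hard-coded `C:\GitHub\azure` prefix. The `Logo` URL also embeds an unencoded space in `Data Connectors/Logo/corelight.svg`, whereas the FlareSystemsFirework entry uses `Data%20Connectors`; since this HTML is pasted verbatim into the createUiDefinition description, the percent-encoded form is the safer one.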

Solutions/Corelight/Package/1.1.0.zip Normal file



@ -0,0 +1,471 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Corelight/Data Connectors/Logo/corelight.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nCorelight Zeek helps you find the problem—faster for an alert. It complements signature-based tools to help you rapidly trace complex events across multiple flows and protocols with ease, to quickly pinpoint and resolve security issues.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Corelight. You can get Corelight custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Corelight_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Corelight",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Gain insights into Corelight audit logs"
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "Corelight",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Corelight that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Corelight - C2 DGA Detected Via Repetitive Failures",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects large amounts of DNS resolution failures."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Corelight - External Proxy Detected",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects external proxy usage."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Corelight - Forced External Outbound SMB",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects SMB requests that originate internally and communicate with an external IP address."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Corelight - Multiple Compressed Files Transferred over HTTP",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects compressed archives transferre over HTTP."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Corelight - Multiple files sent over HTTP with abnormal requests",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects sources sending multiple compressed files greater than 10MBs sent over HTTP in a short amount of time."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Corelight - Network Service Scanning Multiple IP Addresses",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Identify scanning of services that may be available on the internal network."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Corelight - Possible Webshell",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects post requests to unusual extensions."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Corelight - Possible Webshell (Rare PUT or POST)",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects rare post requests to a single webserver location."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Corelight - SMTP Email containing NON Ascii Characters within the Subject",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects where an emails contain non ascii characters within the Subject."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Corelight - Possible Typo Squatting or Punycode Phishing HTTP Request",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when an HTTP request was made to a domain that was using unicode/punycode."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for Corelight that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Corelight - Abnormal Email Subject",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for emails with NON-Ascii characters within the Subject . It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Corelight - Compressed Files Transferred over HTTP",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for top sources which transferred compressed archives over HTTP. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Corelight - Top sources of data transferred",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for top sources by transferred data over period of time. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Corelight - External Facing Services",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for external facing services. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Corelight - Files in logs",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for files which where seen in logs over period of time. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "Corelight - File transferred by source",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for files transferred over period of time by each source. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "Corelight - Multiple Remote SMB Connections from single client",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when a single source is connecting to many different SMB or file shares. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "Corelight - Obfuscated binary filenames",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for downloaded obfuscated binary file names. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "Corelight - Rare PUT or POST",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for rare post requests to a single location. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "Corelight - Repetitive DNS Failures",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Query searches for repetitive DNS resolution failures from single host. It depends on the Corelight data connector and Corelight data type and Corelight parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
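Review bot: The workbook display-name constraint `"regex": "[a-z0-9A-Z]{1,256}$"` is anchored only at the end, so any input whose last character is alphanumeric passes — including names containing quotes, angle brackets or spaces, and names far longer than 256 characters — which defeats the intent of the check; anchor both ends, `"regex": "^[a-z0-9A-Z]{1,256}$"`, and make the message say what is allowed, e.g. `"validationMessage": "Use 1-256 letters or digits only"`. This matters a little more than usual because the value leaves the UI through `outputs.workbook1-name` and becomes a resource display name in the deployment template. Separately, `subscription.resourceProviders` asks to register `Microsoft.Logic/workflows` although this solution ships no playbooks; requesting registration of providers the solution never deploys is unnecessary privilege and the entry can be dropped. The workspace dropdown filter `contains(filter.id, toLower(resourceGroup().name))` is a substring match on the full resource id, so a resource group whose name is a prefix of another group's name will list both groups' workspaces — presumably the intent is an exact match on the resource-group segment of the id, worth confirming.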



@ -0,0 +1,15 @@
{
"publisherId": "corelightinc1584998267292",
"planId": "corelight-for-azure-sentinel",
"firstPublishDate": "2021-10-20",
"providers": [""],
"categories": {
"domains" : ["IT Operations", "Security – Network"],
"verticals": []
},
"support": {
"name": "Corelight",
"tier": "Partner",
"link": "https://support.corelight.com/"
}
}
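Review bot: `"providers": [""]` publishes an empty-string provider for this solution, whereas the Contrast Security metadata in this same commit names the vendor; unless the packaging tool treats an empty string as "no provider", this should presumably be `"providers": ["Corelight"]`. The `domains` entry `"Security – Network"` uses a Unicode en dash while the other metadata in this commit uses an ASCII hyphen (`"Security - Threat Protection"`); if the gallery matches category names literally, the en-dash spelling may fail to map to the intended category, so it is worth checking against the allowed domain list. The `support` block also omits `email`, which is fine only if that field is optional in the metadata schema.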


@ -0,0 +1,15 @@
{
"Name": "FlareSystemsFirework",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/FlareSystemsFirework/Data%20Connectors/Logo/FlareSystems.svg\"width=\"75px\"height=\"75px\">",
"Description": "The Flare Systems [Firework](https://flare.systems/firework/) connector allows you to receive data and intelligence from Firework on Azure Sentinel.\n\rAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.",
"Data Connectors": [
"Data Connectors/Connector_REST_API_FlareSystemsFirework.json"
],
"Workbook": [
"Workbooks/FlareSystemsFireworkOverview.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\FlareSystemsFirework",
"Version": "1.1.0"
}
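Review bot: The workbook is listed under the key `"Workbook"` while the Corelight solution file in this commit uses `"Workbooks"`; the generated FlareSystemsFirework createUiDefinition in this same commit advertises only `**Data Connectors:** 1` and has no workbooks step, which strongly suggests the packaging tool did not recognise the singular key and silently dropped `Workbooks/FlareSystemsFireworkOverview.json` from the package — rename the key to `"Workbooks": [ ... ]` and regenerate. The `Logo` markup is also missing the whitespace between attributes (`...svg\"width=\"75px\"height=\"75px\"`), a parse error that HTML parsers recover from but should not be relied on; write `\" width=\"75px\" height=\"75px\"`. Finally, the `Description` already contains the "Azure Sentinel Solutions provide a consolidated way…" sentence that the generator appends on its own, so it appears twice in the generated UI text; keep only the product sentence here, and replace the stray `\n\r` with `\n\n`.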

Solutions/FlareSystemsFirework/Package/1.1.0.zip Normal file



@ -0,0 +1,95 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/FlareSystemsFirework/Data%20Connectors/Logo/FlareSystems.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Flare Systems [Firework](https://flare.systems/firework/) connector allows you to receive data and intelligence from Firework on Azure Sentinel.\n\rAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for FlareSystemsFirework. You can get FlareSystemsFirework custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) Firework_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
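Review bot: `subscription.resourceProviders` requests registration of `Microsoft.OperationalInsights/workspaces/providers/alertRules`, `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows`, yet the only content this solution installs is a data connector (`**Data Connectors:** 1`); a solution should ask for registration of only the providers it actually deploys, so the list should be trimmed to what the connector resource needs. The basics description repeats "Azure Sentinel Solutions provide a consolidated way to acquire…" twice in a row — once carried in from the solution `Description` and once appended by the generator — which is customer-facing text and should be fixed in the source description and regenerated. The `dataconnectors-link1` block points to the normalized-format documentation even though this solution installs no parser (unlike the Corelight UI, which pairs that link with a parser text block); drop it here so the page does not imply normalization that does not happen.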


@ -0,0 +1,193 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for FlareSystemsFirework"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "6467968c-c78d-4972-98e2-83585731997e"
}
},
"variables": {
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"FlareSystemsFireworkConnector": "FlareSystemsFireworkConnector",
"_FlareSystemsFireworkConnector": "[variables('FlareSystemsFireworkConnector')]",
"sourceId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Flare Systems Firework",
"publisher": "Flare Systems",
"descriptionMarkdown": "The Flare Systems [Firework](https://flare.systems/firework/) connector allows you to receive data and intelligence from Firework on Azure Sentinel.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Firework_CL",
"baseQuery": "Firework_CL"
}
],
"sampleQueries": [
{
"description": "Firework Activities -- All",
"query": "Firework_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "Firework_CL",
"lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Required Firework permissions",
"description": "only Firework organization administrators may configure the Azure Sentinel integration."
}
]
},
"instructionSteps": [
{
"innerSteps": [
{
"description": "As an organization administrator, authenticate on [Firework](https://firework.flared.io/) and access the [team page](https://firework.flared.io/#/team) to create a new alert channel."
},
{
"description": "Click on 'Create a new alert channel' and select 'Azure Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel."
}
],
"title": "1. Creating an Alert Channel for Azure Sentinel"
},
{
"innerSteps": [
{
"description": "At this point, you may configure alerts to be sent to Azure Sentinel the same way that you would configure regular email alerts."
},
{
"description": "For a more detailed guide, refer to the Firework documentation."
}
],
"title": "2. Associating your alert channel to an alert feed"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.1.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "FlareSystemsFirework",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "Flare Systems Inc.",
"email": "contact@flare.systems",
"tier": "Partner",
"link": "https://flare.systems/company/contact/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_FlareSystemsFireworkConnector')]",
"version": "1.1.0"
}
]
},
"firstPublishDate": "2021-10-20",
"providers": [
"Flare Systems"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}
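Review bot: The workspace entry under `"requiredPermissions"` declares `"delete": true` while its own `permissionsDisplayText` says only read and write permissions are required; nothing in this connector (a GenericUI definition whose instructions hand out a workspace key for ingestion) shows a need to delete workspace resources, so drop the `"delete": true` line, or set it to `false` if the schema insists on the key, so the displayed requirement and the least-privilege intent agree. The instruction step `"Enter your Shared Key And WorkspaceID"` sends the workspace primary/secondary key to the vendor's SaaS, and that key authorizes writes to any custom table in the workspace, not only `Firework_CL` (presumably via the HTTP Data Collector API, which this file does not name); the step should say so and add that the key must be rotated if the alert channel is decommissioned or suspected of compromise, since rotation is the only revocation available. The `IsConnectedQuery` treats anything received in the last 30 days as connected, which is a generous window for an alerting feed; a shorter window is a product choice but worth stating in the description.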


@ -0,0 +1,16 @@
{
"publisherId": "flaresystmesinc1617114736428",
"planId": "flare-systems-firework-sentinel",
"firstPublishDate": "2021-10-20",
"providers": ["Flare Systems"],
"categories": {
"domains" : ["Security - Threat Protection"],
"verticals": []
},
"support": {
"name": "Flare Systems Inc.",
"email": "contact@flare.systems",
"tier": "Partner",
"link": "https://flare.systems/company/contact/"
}
}


@ -0,0 +1,22 @@
{
"Name": "HYAS",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Playbooks": [
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo/azuredeploy.json",
"Playbooks/Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS/azuredeploy.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\HYAS",
"Version": "1.1.0"
}

Solutions/HYAS/Package/1.1.0.zip Normal file



@ -0,0 +1,603 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Playbooks:** 13\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with current WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Current-WHOIS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook1-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook2",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS",
"elements": [
{
"name": "playbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook2-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Historic-WHOIS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook2-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook3",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS",
"elements": [
{
"name": "playbook3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with recent passive DNS records. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook3-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Domain-Passive-DNS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook3-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook4",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS",
"elements": [
{
"name": "playbook4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with Dynamic DNS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook4-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Email-Dynamic-DNS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook4-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook5",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS",
"elements": [
{
"name": "playbook5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook5-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Email-Historic-WHOIS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook5-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook6",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS",
"elements": [
{
"name": "playbook6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with recent Dynamic DNS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook6-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Dynamic-DNS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook6-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook7",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS",
"elements": [
{
"name": "playbook7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with recent Passive DNS records. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook7-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-DNS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook7-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook8",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash",
"elements": [
{
"name": "playbook8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with Passive Hash information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook8-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Passive-Hash",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook8-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook9",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate",
"elements": [
{
"name": "playbook9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with SSL certificate information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook9-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-SSL-Certificate",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook9-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook10",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole",
"elements": [
{
"name": "playbook10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with Sinkhole information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook10-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IP-Sinkhole",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook10-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook11",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo",
"elements": [
{
"name": "playbook11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with geolocation information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook11-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IPv4-Device-Geo",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook11-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook12",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo",
"elements": [
{
"name": "playbook12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with geolocation information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook12-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-IPv6-Device-Geo",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook12-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
},
{
"name": "playbook13",
"type": "Microsoft.Common.Section",
"label": "Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS",
"elements": [
{
"name": "playbook13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook uses the HYAS Insight connector to automatically enrich incidents generated by Sentinel with historic WHOIS information. You need a valid subscription in order to use the connector and playbook. Learn more about the integration via the https://docs.microsoft.com/connectors/hyasinsight/ or visit https://www.hyas.com/contact to request a trial key."
}
},
{
"name": "playbook13-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "Enrich-Sentinel-Incident-HYAS-Insight-Phone-Number-Historic-WHOIS",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook13-UserName",
"type": "Microsoft.Common.TextBox",
"label": "HYAS Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to HYAS API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook1-UserName": "[steps('playbooks').playbook1.playbook1-UserName]",
"playbook2-PlaybookName": "[steps('playbooks').playbook2.playbook2-PlaybookName]",
"playbook2-UserName": "[steps('playbooks').playbook2.playbook2-UserName]",
"playbook3-PlaybookName": "[steps('playbooks').playbook3.playbook3-PlaybookName]",
"playbook3-UserName": "[steps('playbooks').playbook3.playbook3-UserName]",
"playbook4-PlaybookName": "[steps('playbooks').playbook4.playbook4-PlaybookName]",
"playbook4-UserName": "[steps('playbooks').playbook4.playbook4-UserName]",
"playbook5-PlaybookName": "[steps('playbooks').playbook5.playbook5-PlaybookName]",
"playbook5-UserName": "[steps('playbooks').playbook5.playbook5-UserName]",
"playbook6-PlaybookName": "[steps('playbooks').playbook6.playbook6-PlaybookName]",
"playbook6-UserName": "[steps('playbooks').playbook6.playbook6-UserName]",
"playbook7-PlaybookName": "[steps('playbooks').playbook7.playbook7-PlaybookName]",
"playbook7-UserName": "[steps('playbooks').playbook7.playbook7-UserName]",
"playbook8-PlaybookName": "[steps('playbooks').playbook8.playbook8-PlaybookName]",
"playbook8-UserName": "[steps('playbooks').playbook8.playbook8-UserName]",
"playbook9-PlaybookName": "[steps('playbooks').playbook9.playbook9-PlaybookName]",
"playbook9-UserName": "[steps('playbooks').playbook9.playbook9-UserName]",
"playbook10-PlaybookName": "[steps('playbooks').playbook10.playbook10-PlaybookName]",
"playbook10-UserName": "[steps('playbooks').playbook10.playbook10-UserName]",
"playbook11-PlaybookName": "[steps('playbooks').playbook11.playbook11-PlaybookName]",
"playbook11-UserName": "[steps('playbooks').playbook11.playbook11-UserName]",
"playbook12-PlaybookName": "[steps('playbooks').playbook12.playbook12-PlaybookName]",
"playbook12-UserName": "[steps('playbooks').playbook12.playbook12-UserName]",
"playbook13-PlaybookName": "[steps('playbooks').playbook13.playbook13-PlaybookName]",
"playbook13-UserName": "[steps('playbooks').playbook13.playbook13-UserName]"
}
}
}
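Review bot: Every `"regex"` in the playbook sections (`"[a-z0-9A-Z]{1,256}$"`, first on the playbook1 Playbook Name and HYAS Username boxes and repeated identically for all 13 playbooks) is anchored only at the end, so it accepts any input whose last character is alphanumeric — including the spaces the tooltip says are not allowed — while the same pattern, once anchored at both ends, would reject the hyphenated default playbook names, and the `<username>@<domain>` default already fails the unanchored pattern because it ends in `>`. Anchor both ends and admit the characters the defaults actually use: `"regex": "^[A-Za-z0-9-]{1,256}$"` for the playbook names and something like `"regex": "^[^\\s@]+@[^\\s@]+$"` for the username, with each `validationMessage` updated to say what is accepted. The username is the only credential-related field collected here and this file does not show where the HYAS API key is supplied, so confirm it is carried by the Logic App connection rather than a template parameter.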



@ -0,0 +1,15 @@
{
"publisherId": "hyas",
"planId": "a-hyas-insight-azure-sentinel-solutions-gallery",
"firstPublishDate": "2021-10-20",
"providers": ["HYAS"],
"categories": {
"domains" : ["Security - Threat Intelligence", "Security – Automation (SOAR)"],
"verticals": []
},
"support": {
"name": "HYAS",
"tier": "Partner",
"link": "https://www.hyas.com/contact"
}
}
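Review bot: The two `"domains"` entries use different dash characters — `"Security - Threat Intelligence"` has an ASCII hyphen while `"Security – Automation (SOAR)"` has a U+2013 en dash — and the difference is invisible in most editors; if the catalog matches domain names by exact string, the second entry will not map to its category. Use the same ASCII form for both, `"Security - Automation (SOAR)"`, unless the en-dash spelling has been verified against the published domain list. The `"support"` object here has no `"email"` whereas the Flare Systems metadata in this commit supplies one; that may be intentional, but it is worth confirming the field is optional.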


@ -0,0 +1,19 @@
{
"Name": "Infoblox Cloud Data Connector",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).",
"WorkbookDescription": "Get a closer look at your BloxOne Threat Defense security event data. This workbook is intended to help visualize BloxOne Threat Defense data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time.",
"Workbooks": ["Workbooks/InfobloxCDCB1TDWorkbook.json"],
"Analytic Rules": [
"Analytic Rules/HighNumberOfHighThreatLevelDetected.yaml",
"Analytic Rules/HighNumberofNXDOMAINDNSQueriesDetected.yaml"
],
"Data Connectors": [
"Data Connectors/InfobloxCloudDataConnector.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Infoblox Cloud Data Connector",
"Version": "1.1.0"
}

Solutions/Infoblox Cloud Data Connector/Package/1.1.0.zip Normal file



@ -0,0 +1,194 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/infoblox_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Infoblox](https://www.infoblox.com/) cloud managed Data Connector (DC) is a utility designed to collect DNS query and response data and security logs and transfer the data to defined destinations such as the BloxOne Threat Defense Cloud, Infoblox NIOS reporting server, and syslog servers such as a SIEM (Security Information and Event Manager).\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Infoblox Cloud Data Connector. You can get Infoblox Cloud Data Connector CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Infoblox Cloud Data Connector",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Get a closer look at your BloxOne Threat Defense security event data. This workbook is intended to help visualize BloxOne Threat Defense data as part of the Infoblox Cloud Data Connector. Drilldown your data and visualize events, trends, and anomalous changes over time."
}
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "Infoblox Cloud Data Connector",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for Infoblox Cloud Data Connector that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "High Number of High Threat Level Detected",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This creates an incident in the event a host generates a high number of high threat level queries."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "High Number of NXDOMAIN DNS Queries Detected",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This creates an incident in the event a host generates a high number of DNS queries for non-existent domains."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]"
}
}
}
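Review bot: The workspace dropdown's `allowedValues` expression selects workspaces with `contains(filter.id, toLower(resourceGroup().name))`, a plain substring test on the full resource ID, so a resource group named `rg` would also list workspaces from `rg-prod` or `myrg`, and because `filter.id` itself is not lowercased a workspace whose ID preserves upper-case letters in the group segment could be missed. Anchoring the match to the resource-group path segment avoids both: `(filter) => contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))`. Separately, the `regex` on `workbook1-name` is `[a-z0-9A-Z]{1,256}$` with no leading `^`, so it only checks that the last character is alphanumeric (the default `Infoblox Cloud Data Connector`, with spaces, passes only for that reason); if a free-form display name is intended, `"regex": "^.{1,256}$"` states that honestly. The solution ships no playbooks, yet `resourceProviders` still registers `Microsoft.Logic/workflows`; that is presumably packaging-tool boilerplate, but it widens the provider registration the installer asks for.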



@ -0,0 +1,15 @@
{
"publisherId": "infoblox",
"planId": "infoblox-cdc-solution",
"firstPublishDate": "2021-10-20",
"providers": ["InfoBlox"],
"categories": {
"domains" : ["Security - Threat Protection"],
"verticals": []
},
"support": {
"name": "InfoBlox",
"tier": "Partner",
"link": "https://support.infoblox.com/"
}
}
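Review bot: `providers` and `support.name` spell the vendor `InfoBlox`, while the solution name, its description and the support URL in the same commit use `Infoblox`; if the gallery's provider filter compares strings exactly, this entry will presumably show up as a provider separate from any other Infoblox content. Suggest `"providers": ["Infoblox"],` and `"name": "Infoblox",`.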


@ -0,0 +1,12 @@
{
"Name": "ReversingLabs",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Description": "[ReversingLabs](https://www.reversinglabs.com/) provides explainable threat intelligence into malware infected files and objects, for any file, any location, and any threat.",
"Playbooks": [
"Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\ReversingLabs",
"Version": "1.1.0"
}
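Review bot: This Solution file defines no `Logo` key, unlike the Infoblox and SenservaPro solution files in the same commit, and the generated ReversingLabs createUiDefinition accordingly starts its `description` at `**Important:**` with no `<img>` tag, so the gallery tile will presumably render without a logo. If a ReversingLabs logo exists under `Logos/`, add a line of the form `"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/<file>.svg\" width=\"75px\" height=\"75px\">",` and regenerate the package. The `Description` also says nothing about what the single playbook does, even though `Enrich-SentinelIncident-ReversingLabs-File-Information` is the only content the solution ships; one sentence such as "Includes a playbook that enriches Azure Sentinel incidents with ReversingLabs file information." would tell the installer what they are deploying.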

Solutions/ReversingLabs/Package/1.1.0.zip Normal file



@ -0,0 +1,123 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[ReversingLabs](https://www.reversinglabs.com/) provides explainable threat intelligence into malware infected files and objects, for any file, any location, and any threat.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Playbooks:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs playbook resources. A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. A security playbook can help automate and orchestrate your response, and can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose, but when you look at the Playbooks page, you will see all the playbooks across any selected subscriptions.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "playbook1",
"type": "Microsoft.Common.Section",
"label": "ReversingLabsFileInfo",
"elements": [
{
"name": "playbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This playbook ingests events from ReversingLabs into Log Analytics using the API."
}
},
{
"name": "playbook1-PlaybookName",
"type": "Microsoft.Common.TextBox",
"label": "Playbook Name",
"defaultValue": "ReversingLabsFileInfo",
"toolTip": "Resource name for the logic app playbook. No spaces are allowed",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook resource name"
}
},
{
"name": "playbook1-UserName",
"type": "Microsoft.Common.TextBox",
"label": "ReversingLabs Username",
"defaultValue": "<username>@<domain>",
"toolTip": "Username to connect to ReversingLabs API",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a playbook username"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"playbook1-PlaybookName": "[steps('playbooks').playbook1.playbook1-PlaybookName]",
"playbook1-UserName": "[steps('playbooks').playbook1.playbook1-UserName]"
}
}
}
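Review bot: The `playbook1-UserName` text box ships `defaultValue` `<username>@<domain>` together with `regex` `[a-z0-9A-Z]{1,256}$`, and that default cannot pass its own validation because it ends in `>`, so the blade opens in an invalid state; a hint belongs in `placeholder`, not `defaultValue`, i.e. `"placeholder": "<username>@<domain>"` with no `defaultValue`. The regex also has no leading `^`, so it only checks that the final character is alphanumeric — the same unanchored pattern on `playbook1-PlaybookName` does not enforce the tooltip's `No spaces are allowed` — and if ReversingLabs usernames are e-mail style, `"regex": "^[a-zA-Z0-9._@-]{1,256}$"` states the rule explicitly (confirm the permitted character set against the API). The `playbook1-text` block says the playbook `ingests events from ReversingLabs into Log Analytics`, while the only playbook this solution lists is `Enrich-SentinelIncident-ReversingLabs-File-Information`, which by its name enriches incidents rather than ingesting events; suggest `"text": "This playbook enriches an Azure Sentinel incident with ReversingLabs file information."`. Only the username is collected here; presumably the credential is prompted for by the playbook's own template, which is not visible in this commit.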



@ -0,0 +1,15 @@
{
"publisherId": "reversinglabs1597673283347",
"planId": "reversinglabsticloudenrichment",
"firstPublishDate": "2021-10-20",
"providers": ["ReversingLabs"],
"categories": {
"domains" : ["Security - Threat Intelligence"],
"verticals": []
},
"support": {
"name": "ReversingLabs",
"tier": "Partner",
"link": "https://support.reversinglabs.com/hc/en-us"
}
}


@ -0,0 +1,52 @@
{
"Name": "SenservaPro",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SenservaPro/Data Connectors/Logo/SenservaPro_logo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The SenservaPro data connector provides a viewing experience for your SenservaPro scanning logs. View dashboards of your data, use queries to hunt & explore, and create custom alerts for your needs. Start your security journey today.",
"WorkbookDescription": "",
"Workbooks": [
"Workbooks/SenservaProAnalyticsWorkbook.json",
"Workbooks/SenservaProMultipleWorkspaceWorkbook.json",
"Workbooks/SenservaProSecureScoreMultiTenantWorkbook.json"
],
"Analytic Rules": [
"Analytic Rules/AdminMFA.yaml",
"Analytic Rules/AppsNoClientCredentials.yaml",
"Analytic Rules/BlockLegacyAuthentication.yaml",
"Analytic Rules/GlobaAdminRoleOverlap.yaml",
"Analytic Rules/MFARegistration.yaml",
"Analytic Rules/NonAdminGuest.yaml",
"Analytic Rules/NotUsingClientCredentials.yaml",
"Analytic Rules/OneGlobalAdmin.yaml",
"Analytic Rules/PasswordAgePolicyNew.yaml",
"Analytic Rules/SearchStaleLastPasswordChange.yaml",
"Analytic Rules/SelfServicePasswordReset.yaml",
"Analytic Rules/SignInRiskPolicy.yaml",
"Analytic Rules/ThirdPartyIntegratedApps.yaml",
"Analytic Rules/UserAccountDisabled.yaml",
"Analytic Rules/UserRiskPolicy.yaml"
],
"Hunting Queries": [
"Hunting Queries/ApplicationNotUsingClientCredentials.yaml",
"Hunting Queries/AzureSecureScoreAdminMFAV2.yaml",
"Hunting Queries/AzureSecureScoreBlockLegacyAuthentication.yaml",
"Hunting Queries/AzureSecureScoreIntegratedApps.yaml",
"Hunting Queries/AzureSecureScoreMFARegistrationV2.yaml",
"Hunting Queries/AzureSecureScoreOneAdmin.yaml",
"Hunting Queries/AzureSecureScorePWAgePolicyNew.yaml",
"Hunting Queries/AzureSecureScoreRoleOverlap.yaml",
"Hunting Queries/AzureSecureScoreSelfServicePasswordReset.yaml",
"Hunting Queries/AzureSecureScoreSigninRiskPolicy.yaml",
"Hunting Queries/AzureSecureScoreUserRiskPolicy.yaml",
"Hunting Queries/NonAdminGuest.yaml",
"Hunting Queries/ServicePrincipalNotUsingClientCredentials.yaml",
"Hunting Queries/StaleLastPasswordChange.yaml",
"Hunting Queries/UserAccountDisabled.yaml"
],
"Data Connectors": [
"Data Connectors/SenservaPro.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\SenservaPro",
"Version": "1.1.0"
}
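Review bot: `WorkbookDescription` is an empty string and there is only one such key for three workbooks, so the packaging tool has no text to describe any of them; the generated createUiDefinition later in this commit shows the result — three sections all labelled `SenservaPro`, each with a `TextBlock` that has no `options.text`, and the same default display name `SenservaPro` for all three — which leaves the installer unable to tell the Analytics, Multiple-Workspace and Secure-Score workbooks apart and may be rejected by the portal if a `TextBlock` without `text` is invalid. Give the workbooks distinct descriptions (if the tool only takes a single string, at least fill `WorkbookDescription` with a sentence naming all three) and regenerate the package. The `Logo` URL also contains an unencoded space in `Data Connectors/Logo/SenservaPro_logo.svg`; browsers generally tolerate it inside an `src` attribute, but `Data%20Connectors` is the safe form.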

Solutions/SenservaPro/Package/1.1.0.zip Normal file



@ -0,0 +1,649 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SenservaPro/Data Connectors/Logo/SenservaPro_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe SenservaPro data connector provides a viewing experience for your SenservaPro scanning logs. View dashboards of your data, use queries to hunt & explore, and create custom alerts for your needs. Start your security journey today.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 15, **Hunting Queries:** 15\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for SenservaPro. You can get SenservaPro custom log data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. This data connector creates custom log table(s) SenservaPro_CL in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Azure Sentinel and combine them into unified interactive experiences.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "SenservaPro",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook1-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "SenservaPro",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
},
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
"label": "SenservaPro",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook2-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "SenservaPro",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
},
{
"name": "workbook3",
"type": "Microsoft.Common.Section",
"label": "SenservaPro",
"elements": [
{
"name": "workbook3-text",
"type": "Microsoft.Common.TextBlock"
},
{
"name": "workbook3-name",
"type": "Microsoft.Common.TextBox",
"label": "Display Name",
"defaultValue": "SenservaPro",
"toolTip": "Display name for the workbook.",
"constraints": {
"required": true,
"regex": "[a-z0-9A-Z]{1,256}$",
"validationMessage": "Please enter a workbook name"
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for SenservaPro that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Azure secure score admin MFA",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder\n for attackers to access accounts. Administrative roles have higher permissions than typical users.\n If any of those accounts are compromised, critical devices and data is open to attack."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "SenservaPro AD Applications Not Using Client Credentials",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Searches for logs of AD Applications without Client Credentials (Key or Secret)"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Azure secure score block legacy authentication",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for most compromising sign-in attempts come from legacy authentication. \n Older office clients such as Office 2010 do not support modern authentication \n and use legacy protocols such as IMAP, SMTP, and POP3. \n Legacy authentication does not support multi-factor authentication (MFA).\n Even if an MFA policy is configured in your environment, bad actors can \n bypass these enforcements through legacy protocols."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Azure secure score role overlap",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for accounts that have been assigned Global Administrator do not need other roles assigned. \n Global Administrators have access to all aspects of Azure"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Azure secure score MFA registration V2",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for multi-factor authentication (MFA) helps protect devices and data \n that are accessible to these users. Adding more authentication methods,\n such as the Microsoft Authenticator app or a phone number, increases the level of protection \n if one factor is compromised."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Non-admin guest",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for guest is not an admin in Azure"
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Service principal not using client credentials",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for an service principal is not using a client certificate or secret is not secure. \n It is recommended that you review your needs and use an Authentication method \n for sign-in."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Azure secure score one admin",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for having 1 Global Administrator reduces the surface area of attack for your Azure tenant, \n but sets up a single point of failure for the whole tenant. Global Administrators have access\n to all aspects of Azure"
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "Azure secure score PW age policy new",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for having found that when periodic password resets are enforced,\n passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. \n If a user creates a strong password (long, complex and without any pragmatic words present)\n it should remain just as strong in the future as it is today. It is Microsoft's official security position\n to not expire passwords periodically without a specific reason, and recommends \n that cloud-only tenants set the password policy to never expire."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "Stale last password change",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for stale last password change"
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "Azure Secure Score Self Service Password Reset",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for requires you to setup Azure AD Connect. \n Azure AD Connect is free with all Azure Subscriptions"
}
}
]
},
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "Azure secure score sign in risk policy",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for an active Azure Premium P2 license is required to use and edit this policy. \n You will be required to have setup the MFA Policy before activating this policy"
}
}
]
},
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
"label": "Third party integrated apps",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for your services by regulating the access of third-party integrated apps. \n Only allow access to necessary apps that support robust security controls. \n Third-party applications are not created by Microsoft, \n so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy.\n Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts."
}
}
]
},
{
"name": "analytic14",
"type": "Microsoft.Common.Section",
"label": "UserAccountDisabled",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for account is Disabled. Does not effect score as its easily enabled."
}
}
]
},
{
"name": "analytic15",
"type": "Microsoft.Common.Section",
"label": "Azure secure score user risk policy",
"elements": [
{
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for an active Azure Premium P2 license is required to use and edit this policy. \n You will be required to have setup the MFA Policy before activating this policy"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs hunting queries for SenservaPro that you can run in Azure Sentinel. These hunting queries will be deployed in the Hunting gallery of your Azure Sentinel workspace. Run these hunting queries to hunt for threats in the Hunting gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Application not using client credentials",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for application not using a client certificate or secret is not secure.' It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Azure secure score admin MFA V2",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for requiring multi-factor authentication (MFA) for all administrative roles makes it harder\n for attackers to access accounts. Administrative roles have higher permissions than typical users. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Azure secure score block legacy authentication",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for most compromising sign-in attempts come from legacy authentication. \n Older office clients such as Office 2010 do not support modern authentication \n and use legacy protocols such as IMAP, SMTP, and POP3. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Azure secure score integrated apps",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for your services by regulating the access of third-party integrated apps. \nOnly allow access to necessary apps that support robust security controls. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Azure secure score MFA registration V2",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for multi-factor authentication (MFA) helps protect devices and data \n that are accessible to these users. Adding more authentication methods, increases the level of protection \n if one factor is compromised. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery6",
"type": "Microsoft.Common.Section",
"label": "Azure secure score one admin",
"elements": [
{
"name": "huntingquery6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for having 1 Global Administrator reduces the surface area of attack for your Azure tenant, \n but sets up a single point of failure for the whole tenant. Global Administrators have access\n to all aspects of Azure It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery7",
"type": "Microsoft.Common.Section",
"label": "Azure secure score PW age policy new",
"elements": [
{
"name": "huntingquery7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for having found that when periodic password resets are enforced,\n passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery8",
"type": "Microsoft.Common.Section",
"label": "Azure secure score role overlap",
"elements": [
{
"name": "huntingquery8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for accounts that have been assigned Global Administrator do not need other roles assigned. \n Global Administrators have access to all aspects of Azure It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery9",
"type": "Microsoft.Common.Section",
"label": "Azure Secure Score Self Service Password Reset",
"elements": [
{
"name": "huntingquery9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for requires you to setup Azure AD Connect. \n Azure AD Connect is free with all Azure Subscriptions It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery10",
"type": "Microsoft.Common.Section",
"label": "Azure secure score sign in risk policy",
"elements": [
{
"name": "huntingquery10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for an active Azure Premium P2 license is required to use and edit this policy. \n You will be required to have setup the MFA Policy before activating this policy It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery11",
"type": "Microsoft.Common.Section",
"label": "Azure secure score user risk policy",
"elements": [
{
"name": "huntingquery11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for an active Azure Premium P2 license is required to use and edit this policy. \n You will be required to have setup the MFA Policy before activating this policy It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery12",
"type": "Microsoft.Common.Section",
"label": "Non-admin guest",
"elements": [
{
"name": "huntingquery12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for guest is not an admin in Azure It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery13",
"type": "Microsoft.Common.Section",
"label": "Service principal not using client credentials",
"elements": [
{
"name": "huntingquery13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for an service principal is not using a client certificate or secret is not secure. \n It is recommended that you review your needs and use an Authentication method \n for sign-in. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery14",
"type": "Microsoft.Common.Section",
"label": "Stale last password change",
"elements": [
{
"name": "huntingquery14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for stale last password change It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
},
{
"name": "huntingquery15",
"type": "Microsoft.Common.Section",
"label": "UserAccountDisabled",
"elements": [
{
"name": "huntingquery15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query searches for account is Disabled. Does not effect score as its easily enabled. It depends on the SenservaPro data connector and SenservaPro_CL data type and SenservaPro parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]",
"workbook1-name": "[steps('workbooks').workbook1.workbook1-name]",
"workbook2-name": "[steps('workbooks').workbook2.workbook2-name]",
"workbook3-name": "[steps('workbooks').workbook3.workbook3-name]"
}
}
}



@ -0,0 +1,16 @@
{
"publisherId": "senservallc",
"planId": "senservapro4sentinel",
"firstPublishDate": "2021-10-20",
"providers": ["Senserva Pro"],
"categories": {
"domains" : ["Compliance"],
"verticals": []
},
"support": {
"name": "Senserva",
"email": "support@senserva.com",
"tier": "Partner",
"link": "https://www.senserva.com/contact/"
}
}


@ -0,0 +1,18 @@
{
"Name": "vArmour",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/vArmour/Data%20Connectors/Logo/varmour-logo.svg\"width=\"75px\"height=\"75px\">",
"Description": "[vArmour Application Controller](https://www.varmour.com/product/) reduces risk through the visibility and control of relationships, the interconnections between applications and users, across heterogeneous environments by leveraging the infrastructure you already own.",
"Data Connectors": [
"Data Connectors/Connector_vArmour_AppController_CEF.json"
],
"Analytic Rules": [
"Analytic Rules/vArmourApplicationControllerSMBRealmTraversal.yaml"
],
"Workbook": [
"Workbooks/vArmour_AppContoller_Workbook.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\vArmour",
"Version": "1.1.0"
}
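Review bot: The `"Workbook"` key pointing at `Workbooks/vArmour_AppContoller_Workbook.json` appears not to be consumed by the packager: the createUiDefinition generated in this same commit advertises only `**Data Connectors:** 1, **Analytic Rules:** 1`, its `outputs` carry no `workbook1-name`, and the mainTemplate deploys no `Microsoft.Insights/workbooks` resource, so the workbook is silently missing from the 1.1.0 package. The other content keys in this file are plural (`"Data Connectors"`, `"Analytic Rules"`), so `"Workbooks"` is the likely expected key; the `AppContoller` spelling in the path should also be checked against the file that actually exists. The `"Logo"` markup is missing the spaces between attributes (`.svg\"width=\"75px\"height=\"75px\"`), which is malformed HTML that is copied verbatim into the generated createUiDefinition description; it should read `...varmour-logo.svg\" width=\"75px\" height=\"75px\">`.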

Двоичные данные
Solutions/vArmour/Package/1.1.0.zip Normal file



@ -0,0 +1,131 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/vArmour/Data%20Connectors/Logo/varmour-logo.svg\"width=\"75px\"height=\"75px\">\n\n**Important:** _This Azure Sentinel Solution is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)._\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[vArmour Application Controller](https://www.varmour.com/product/) reduces risk through the visibility and control of relationships, the interconnections between applications and users, across heterogeneous environments by leveraging the infrastructure you already own.\n\nAzure Sentinel Solutions provide a consolidated way to acquire Azure Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Azure Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(filter.id, toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for vArmour. You can get vArmour CommonSecurityLog data in your Azure Sentinel workspace. Configure and enable this data connector in the Data Connector gallery after this Solution deploys. The logs will be received in the CommonSecurityLog table in your Azure Sentinel / Azure Log Analytics workspace."
}
},
{
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about normalized format",
"uri": "https://docs.microsoft.com/azure/sentinel/normalization-schema"
}
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Azure Sentinel Solution installs analytic rules for vArmour that you can enable for custom alert generation in Azure Sentinel. These analytic rules will be deployed in disabled mode in the analytics rules gallery of your Azure Sentinel workspace. Configure and enable these rules in the analytic rules gallery after this Solution deploys.",
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "vArmour AppController - SMB Realm Traversal",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[resourceGroup().location]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
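Review bot: The workspace dropdown's `allowedValues` filters with `contains(filter.id, toLower(resourceGroup().name))`, a substring test over the whole resource ID, so a workspace in any other resource group whose name merely contains the selected group's name (or a workspace whose own name contains it) is offered as well, which contradicts the tooltip that only workspaces in the selected resource group are listed. Testing the path segment instead, e.g. `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`, keeps the match exact and also removes the case mismatch between the lower-cased name and the un-lowered ID. `subscription.resourceProviders` additionally registers `Microsoft.Insights/workbooks` and `Microsoft.Logic/workflows` although this solution's mainTemplate creates neither a workbook nor a playbook, so that list can be trimmed to the providers actually deployed. The logo `<img>` in the basics description lacks spaces between its attributes (`.svg\"width=\"75px\"height=\"75px\"`) and should read `.svg\" width=\"75px\" height=\"75px\"`.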


@ -0,0 +1,280 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"comments": "Solution template for vArmour"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"minLength": 1,
"defaultValue": "[parameters('location')]",
"metadata": {
"description": "Region to deploy solution resources"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Sentinel is setup"
}
},
"connector1-name": {
"type": "string",
"defaultValue": "f1d2e8c9-b52d-47c9-abf6-bf48f073a3a5"
},
"analytic1-id": {
"type": "string",
"defaultValue": "[newGuid()]",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
}
},
"variables": {
"connector1-source": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',parameters('connector1-name'))]",
"_connector1-source": "[variables('connector1-source')]",
"vArmourACConnector": "vArmourACConnector",
"_vArmourACConnector": "[variables('vArmourACConnector')]",
"vArmourApplicationControllerSMBRealmTraversal_AnalyticalRules": "vArmourApplicationControllerSMBRealmTraversal_AnalyticalRules",
"_vArmourApplicationControllerSMBRealmTraversal_AnalyticalRules": "[variables('vArmourApplicationControllerSMBRealmTraversal_AnalyticalRules')]",
"sourceId": "62025650.varmour_sentinel",
"_sourceId": "[variables('sourceId')]"
},
"resources": [
{
"id": "[variables('_connector1-source')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('connector1-name'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": " vArmour Application Controller",
"publisher": "vArmour",
"descriptionMarkdown": "vArmour reduces operational risk and increases cyber resiliency by visualizing and controlling application relationships across the enterprise. This vArmour connector enables streaming of Application Controller Violation Alerts into Azure Sentinel, so you can take advantage of search & correlation, alerting, & threat intelligence enrichment for each log.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "vArmour",
"baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\""
}
],
"sampleQueries": [
{
"description": "Top 10 App to App violations",
"query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| extend AppNameSrcDstPair = extract_all(\"AppName=;(\\\\w+)\", AdditionalExtensions)\n| summarize count() by tostring(AppNameSrcDstPair)\n| top 10 by count_\n"
},
{
"description": "Top 10 Policy names matching violations",
"query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| summarize count() by DeviceCustomString1\n| top 10 by count_ desc\n"
},
{
"description": "Top 10 Source IPs generating violations",
"query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| summarize count() by SourceIP\n| top 10 by count_\n"
},
{
"description": "Top 10 Destination IPs generating violations",
"query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| summarize count() by DestinationIP\n| top 10 by count_\n"
},
{
"description": "Top 10 Application Protocols matching violations",
"query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| summarize count() by ApplicationProtocol\n| top 10 by count_\n"
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (vArmour)",
"lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
"innerSteps": [
{
"title": "1.1 Select or create a Linux machine",
"description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
{
"title": "1.2 Install the CEF collector on the Linux machine",
"description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId",
"PrimaryKey"
],
"label": "Run the following command to install and apply the CEF collector:",
"value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
},
"type": "CopyableLabel"
}
]
}
],
"title": "1. Linux Syslog agent configuration"
},
{
"description": "Send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.",
"innerSteps": [
{
"title": "2.1 Download the vArmour Application Controller user guide",
"description": "Download the user guide from https://support.varmour.com/hc/en-us/articles/360057444831-vArmour-Application-Controller-6-0-User-Guide."
},
{
"title": "2.2 Configure the Application Controller to Send Policy Violations",
"description": "In the user guide - refer to \"Configuring Syslog for Monitoring and Violations\" and follow steps 1 to 3."
}
],
"title": "2. Configure the vArmour Application Controller to forward Common Event Format (CEF) logs to the Syslog agent"
},
{
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
},
"type": "CopyableLabel"
}
],
"title": "3. Validate connection"
},
{
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
"title": "4. Secure your machine "
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
"description": "Detects when SMB traffic crosses Production and Non-Production Realms. Possible network share discovery or lateral tool transfer across realms",
"displayName": "vArmour AppController - SMB Realm Traversal",
"enabled": false,
"query": "CommonSecurityLog\n| where DeviceVendor == \"vArmour\"\n| where DeviceProduct == \"AC\"\n| where Activity == \"POLICY_VIOLATION\"\n| extend PolicyName = extract(\"(SMB_REALM_TRAVERSAL\\\\w+{.*})\", 1, DeviceCustomString1)\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"tactics": [
"Discovery",
"LateralMovement"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2021-03-01-preview",
"properties": {
"version": "1.1.0",
"kind": "Solution",
"contentId": "[variables('_sourceId')]",
"parentId": "[variables('_sourceId')]",
"source": {
"kind": "Solution",
"name": "vArmour",
"sourceId": "[variables('_sourceId')]"
},
"author": {
"name": "Nikhil Tripathi",
"email": "v-ntripathi@microsoft.com"
},
"support": {
"name": "vArmour Networks",
"tier": "Partner",
"link": "https://www.varmour.com/contact-us/"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_vArmourACConnector')]",
"version": "1.1.0"
},
{
"kind": "AnalyticsRule",
"contentId": "[variables('_vArmourApplicationControllerSMBRealmTraversal_AnalyticalRules')]",
"version": "1.1.0"
}
]
},
"firstPublishDate": "2021-10-20",
"providers": [
"vArmour"
],
"categories": {
"domains": [
"IT Operations"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
}
],
"outputs": {}
}
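Review bot: The scheduled rule's `"query"` in the `alertRules` resource extracts `PolicyName` from `DeviceCustomString1` but never filters on it, so the rule titled `vArmour AppController - SMB Realm Traversal` fires on every `POLICY_VIOLATION` event the connector ingests, not only SMB realm-traversal violations; append `| where isnotempty(PolicyName)` so the extract actually gates the alert before the rule is enabled. The pattern `(SMB_REALM_TRAVERSAL\\w+{.*})` also relies on `{` being read as a literal brace after `\\w+` (RE2 appears to accept it, but escaping it as `\\{` makes the intent explicit), and the rule carries no entity mappings for `SourceIP`/`DestinationIP`, so incidents will not be enriched with the hosts involved. Separately, the CopyableLabel commands in `instructionSteps` fetch `cef_installer.py` and `cef_troubleshoot.py` from the `master` branch and run them under `sudo`, with the workspace primary key passed as a command-line argument; pinning those URLs to a tagged revision would make the code that runs as root reviewable, and the argument form leaves the key in shell history on the collector. Finally, the workspace entry in `requiredPermissions` asks for `"delete": true` while its `permissionsDisplayText` tells the user only read and write are required — one of the two should change.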


@ -0,0 +1,15 @@
{
"publisherId": "62025650",
"planId": "varmour_sentinel",
"firstPublishDate": "2021-10-20",
"providers": ["vArmour"],
"categories": {
"domains" : ["IT Operations"],
"verticals": []
},
"support": {
"name": "vArmour Networks",
"tier": "Partner",
"link": "https://www.varmour.com/contact-us/"
}
}