From 8de55132778f3868d7772ff071bb1154804dddc7 Mon Sep 17 00:00:00 2001
From: ivukovic
Date: Fri, 16 Apr 2021 11:29:55 +0200
Subject: [PATCH] Add ReversingLabs playbook to Solutions
---
 .../azuredeploy.json | 1206 +++++++++++++++++
 .../readme.md | 60 +
 2 files changed, 1266 insertions(+)
 create mode 100644 Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json
 create mode 100644 Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/readme.md
diff --git a/Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json b/Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json
new file mode 100644
index 0000000000..54164beb03
--- /dev/null
+++ b/Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/azuredeploy.json
@@ -0,0 +1,1206 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "PlaybookName": { + "defaultValue": "ReversingLabsFileInfo", + "type": "string" + }, + "UserName": { + "defaultValue": "@", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "ConnectorConnectionName": "[concat('connector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('UserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('ConnectorConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[parameters('UserName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsintelligence')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('ConnectorConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Alert_-_Get_incident": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Entities_-_Get_FileHashes": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "For_each_-_File_Reputation": { + "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", + "actions": { + "Add_comment_to_incident_(V3)_-_file_reputation": { + "runAfter": { + "Parse_JSON_-_file_reputation": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

ReversingLabs File Hash Reputation:
\nFile name: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['threat_name']}
\nFile status: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['status']}
\nReason: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['reason']}
\nScanner count: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_count']}
\nScanner percent: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_percent']}
\nScanner match: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['scanner_match']}
\nFirst seen: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['first_seen']}
\nLast seen: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['last_seen']}
\nThreat level: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['threat_level']}
\nTrust factor: @{body('Parse_JSON_-_file_reputation')?['rl']?['malware_presence']?['trust_factor']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_File_Hash_Reputation": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "headers": { + "User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']" + } + }, + "method": "get", + "path": "/api/databrowser/malware_presence/query/@{encodeURIComponent(items('For_each_-_File_Reputation')?['Algorithm'])}/@{encodeURIComponent(items('For_each_-_File_Reputation')?['Value'])}", + "queries": { + "extended": true, + "format": "json", + "show_hashes": true + } + } + }, + "Parse_JSON_-_file_reputation": { + "runAfter": { + "Get_File_Hash_Reputation": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_File_Hash_Reputation')", + "schema": { + "properties": { + "rl": { + "properties": { + "malware_presence": { + "properties": { + "classification": { + "properties": { + "family_name": { + "type": "string" + }, + "is_generic": { + "type": "boolean" + }, + "platform": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "first_seen": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "query_hash": { + "properties": { + "sha1": { + "type": "string" + } + }, + "type": "object" + }, + "reason": { + "type": "string" + }, + "scanner_count": { + "type": "integer" + }, + "scanner_match": { + "type": "integer" + }, + "scanner_percent": { + "type": "number" + }, + "status": { + "type": "string" + }, + "threat_level": { + "type": "integer" + }, + "threat_name": { + "type": "string" + }, + "trust_factor": { + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Initialize_variable": [ + 
"Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_hash_-_Details": { + "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", + "actions": { + "For_each_-_entry": { + "foreach": "@body('Parse_JSON_-_details')?['rl']?['sample']?['analysis']?['entries']", + "actions": { + "Add_comment_to_incident_(V3)_-_details": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

ReversingLabs File Hash Details:
\n@{items('For_each_-_entry')?['tc_report']?['story']}
\nSha1: @{body('Parse_JSON_-_details')?['rl']?['sample']?['sha1']}
\nSd5: @{body('Parse_JSON_-_details')?['rl']?['sample']?['md5']}
\nSha256: @{body('Parse_JSON_-_details')?['rl']?['sample']?['sha256']}
\nSha384: @{body('Parse_JSON_-_details')?['rl']?['sample']?['sha384']}
\nSha512: @{body('Parse_JSON_-_details')?['rl']?['sample']?['sha512']}
\nSample size: @{body('Parse_JSON_-_details')?['rl']?['sample']?['sample_size']}KB

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Parse_JSON_-_details": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_File_Hash_Analysis_Detail": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "headers": { + "User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']" + } + }, + "method": "get", + "path": "/api/databrowser/rldata/query/@{encodeURIComponent(items('For_each_hash_-_Details')?['Algorithm'])}/@{encodeURIComponent(items('For_each_hash_-_Details')?['Value'])}", + "queries": { + "format": "json" + } + } + }, + "Parse_JSON_-_details": { + "runAfter": { + "Get_File_Hash_Analysis_Detail": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_File_Hash_Analysis_Detail')", + "schema": { + "properties": { + "rl": { + "properties": { + "sample": { + "properties": { + "analysis": { + "properties": { + "entries": { + "items": { + "properties": { + "analysis_type": { + "type": "string" + }, + "analysis_version": { + "type": "string" + }, + "record_time": { + "type": "string" + }, + "tc_report": { + "properties": { + "info": { + "properties": { + "file": { + "properties": { + "file_subtype": { + "type": "string" + }, + "file_type": { + "type": "string" + } + }, + "type": "object" + }, + "identification": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "validation": { + "properties": { + "valid": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "interesting_strings": { + "items": { + "properties": { + "category": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "category", + 
"values" + ], + "type": "object" + }, + "type": "array" + }, + "metadata": { + "properties": { + "application": { + "properties": { + "pe": { + "properties": { + "dos_header": { + "properties": { + "e_cblp": { + "type": "integer" + }, + "e_cp": { + "type": "integer" + }, + "e_cparhdr": { + "type": "integer" + }, + "e_crlc": { + "type": "integer" + }, + "e_cs": { + "type": "integer" + }, + "e_csum": { + "type": "integer" + }, + "e_ip": { + "type": "integer" + }, + "e_lfanew": { + "type": "integer" + }, + "e_lfarlc": { + "type": "integer" + }, + "e_maxalloc": { + "type": "integer" + }, + "e_minalloc": { + "type": "integer" + }, + "e_oemid": { + "type": "integer" + }, + "e_oeminfo": { + "type": "integer" + }, + "e_ovno": { + "type": "integer" + }, + "e_res": { + "type": "string" + }, + "e_res2": { + "type": "string" + }, + "e_sp": { + "type": "integer" + }, + "e_ss": { + "type": "integer" + }, + "has_rich_header": { + "type": "boolean" + } + }, + "type": "object" + }, + "file_header": { + "properties": { + "characteristics": { + "type": "integer" + }, + "machine": { + "type": "integer" + }, + "number_of_sections": { + "type": "integer" + }, + "number_of_symbols": { + "type": "integer" + }, + "pointer_to_symbol_table": { + "type": "integer" + }, + "size_of_optional_headers": { + "type": "integer" + }, + "time_date_stamp": { + "type": "integer" + }, + "time_date_stamp_decoded": { + "type": "string" + } + }, + "type": "object" + }, + "imports": { + "items": { + "properties": { + "apis": { + "items": { + "type": "string" + }, + "type": "array" + }, + "name": { + "type": "string" + } + }, + "required": [ + "name", + "apis" + ], + "type": "object" + }, + "type": "array" + }, + "optional_header": { + "properties": { + "address_of_entry_point": { + "type": "integer" + }, + "base_of_code": { + "type": "integer" + }, + "base_of_data": { + "type": "integer" + }, + "checksum": { + "type": "integer" + }, + "data_directories": { + "items": { + "properties": { + "address": { + 
"type": "integer" + }, + "size": { + "type": "integer" + } + }, + "required": [ + "address", + "size" + ], + "type": "object" + }, + "type": "array" + }, + "dll_characteristics": { + "type": "integer" + }, + "file_alignment": { + "type": "integer" + }, + "image_base": { + "type": "integer" + }, + "is_checksum_valid": { + "type": "boolean" + }, + "loader_flags": { + "type": "integer" + }, + "major_image_version": { + "type": "integer" + }, + "major_linker_version": { + "type": "integer" + }, + "major_os_version": { + "type": "integer" + }, + "major_subsystem_version": { + "type": "integer" + }, + "minor_image_version": { + "type": "integer" + }, + "minor_linker_version": { + "type": "integer" + }, + "minor_os_version": { + "type": "integer" + }, + "minor_subsystem_version": { + "type": "integer" + }, + "number_of_rva_and_sizes": { + "type": "integer" + }, + "section_alignment": { + "type": "integer" + }, + "size_of_code": { + "type": "integer" + }, + "size_of_headers": { + "type": "integer" + }, + "size_of_heap_commit": { + "type": "integer" + }, + "size_of_heap_reserve": { + "type": "integer" + }, + "size_of_image": { + "type": "integer" + }, + "size_of_initialized_data": { + "type": "integer" + }, + "size_of_stack_commit": { + "type": "integer" + }, + "size_of_stack_reserve": { + "type": "integer" + }, + "size_of_uninitialized_data": { + "type": "integer" + }, + "subsystem": { + "type": "integer" + }, + "win32_version_value": { + "type": "integer" + } + }, + "type": "object" + }, + "resources": { + "items": { + "properties": { + "code_page": { + "type": "integer" + }, + "language_id": { + "type": "integer" + }, + "language_id_name": { + "type": "string" + }, + "name": { + "type": "string" + }, + "offset": { + "type": "integer" + }, + "size": { + "type": "integer" + }, + "type": { + "type": "string" + } + }, + "required": [ + "type", + "name", + "language_id_name", + "language_id", + "code_page", + "offset", + "size" + ], + "type": "object" + }, + "type": "array" + 
}, + "sections": { + "items": { + "properties": { + "address": { + "type": "integer" + }, + "flags": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "offset": { + "type": "integer" + }, + "size": { + "type": "integer" + } + }, + "required": [ + "name", + "flags", + "size", + "address", + "offset" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "story": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "record_time", + "analysis_type", + "analysis_version", + "tc_report" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "crc32": { + "type": "string" + }, + "dynamic_analysis": { + "properties": { + "entries": { + "items": { + "properties": { + "dynamic_analysis_report": { + "properties": { + "analysed_on": { + "type": "string" + }, + "cuckoo_version": { + "type": "string" + }, + "network": { + "properties": { + "udp_destinations": { + "items": { + "properties": { + "address": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + "required": [ + "port", + "address" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "summary": { + "properties": { + "mutexes": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "dynamic_analysis_report_joe_sandbox": { + "properties": { + "analysed_on": { + "type": "string" + }, + "joe_sandbox_version": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "imphash": { + "type": "string" + }, + "md5": { + "type": "string" + }, + "relationships": { + "properties": { + "container_sample_sha1": { + "items": { + "type": "string" + }, + "type": "array" + }, + "parent_sample_sha1": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + 
"ripemd160": { + "type": "string" + }, + "sample_size": { + "type": "integer" + }, + "sha1": { + "type": "string" + }, + "sha256": { + "type": "string" + }, + "sha384": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "sources": { + "properties": { + "entries": { + "items": { + "properties": { + "properties": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "record_time": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "record_time", + "tag" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "ssdeep": { + "type": "string" + }, + "xref": { + "properties": { + "entries": { + "items": { + "properties": { + "info": { + "properties": { + "scanners": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "timestamp": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "required": [ + "name", + "version", + "timestamp" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "record_time": { + "type": "string" + }, + "scanners": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "result": { + "type": "string" + } + }, + "required": [ + "name", + "result" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "record_time", + "scanners", + "info" + ], + "type": "object" + }, + "type": "array" + }, + "first_seen": { + "type": "string" + }, + "last_seen": { + "type": "string" + }, + "sample_type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_hash_-_Multi-AV": { + "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", + "actions": { + 
"Add_comment_to_incident_(V3)": { + "runAfter": { + "For_each_-_xref": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

ReversingLabs Multi-AV Scan Records:
\n
@{variables('Scanner results')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "For_each_-_xref": { + "foreach": "@body('Parse_JSON_-_multi-AV_scan')?['rl']?['sample']?['xref']", + "actions": { + "For_each_-_result": { + "foreach": "@items('For_each_-_xref')?['results']", + "actions": { + "Append_to_string_variable": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "Scanner results", + "value": "@{items('For_each_-_result')?['scanner']} : @{items('For_each_-_result')?['result']}" + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Parse_JSON_-_multi-AV_scan": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Historic_Multi-AV_Scan_Records": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "headers": { + "User-Agent": "SentinelPartner-ReversingLabs-ReversingLabs Intelligence/v1.0.0" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['reversinglabsintelligence']['connectionId']" + } + }, + "method": "get", + "path": "/api/xref/v2/query/@{encodeURIComponent(items('For_each_hash_-_Multi-AV')?['Algorithm'])}/@{encodeURIComponent(items('For_each_hash_-_Multi-AV')?['Value'])}", + "queries": { + "format": "json", + "history": false + } + } + }, + "Parse_JSON_-_multi-AV_scan": { + "runAfter": { + "Get_Historic_Multi-AV_Scan_Records": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Historic_Multi-AV_Scan_Records')", + "schema": { + "properties": { + "rl": { + "properties": { + "sample": { + "properties": { + "first_scanned_on": { + "type": "string" + }, + "first_seen_on": { + "type": "string" + }, + "last_scanned_on": { + "type": "string" + }, + "last_seen_on": { + "type": "string" + }, + "md5": { + "type": "string" + }, + "ripemd160": { + "type": "string" + }, + "sample_size": { + "type": "integer" + }, + "sample_type": { + "type": 
"string" + }, + "sha1": { + "type": "string" + }, + "sha256": { + "type": "string" + }, + "sha384": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "single_scan": { + "type": "boolean" + }, + "xref": { + "items": { + "properties": { + "results": { + "items": { + "properties": { + "result": { + "type": "string" + }, + "scanner": { + "type": "string" + } + }, + "required": [ + "scanner", + "result" + ], + "type": "object" + }, + "type": "array" + }, + "scanned_on": { + "type": "string" + }, + "scanner_count": { + "type": "integer" + }, + "scanner_match": { + "type": "integer" + }, + "scanners": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "timestamp": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "required": [ + "timestamp", + "version", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "scanner_match", + "scanner_count", + "scanners", + "scanned_on", + "results" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "runAfter": { + "Entities_-_Get_FileHashes": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Scanner results", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[variables('AzureSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + }, + "reversinglabsintelligence": { + "connectionId": "[resourceId('Microsoft.Web/connections', 
variables('ConnectorConnectionName'))]", + "connectionName": "[variables('ConnectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/reversinglabsintelligence')]" + } + } + } + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/readme.md b/Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/readme.md new file mode 100644 index 0000000000..02316c8219 --- /dev/null +++ b/Solutions/ReversingLabs/Playbooks/Enrich-SentinelIncident-ReversingLabs-File-Information/readme.md 
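Review bot: The `Scanner results` string variable is initialized once (`Initialize_variable`, right after `Entities_-_Get_FileHashes`) and is only ever appended to inside `For_each_hash_-_Multi-AV`, so when an alert carries several file hashes the comment posted for each later hash also repeats every earlier hash's scanner lines; a `SetVariable` action at the top of that loop that resets `Scanner results` to an empty string, with `For_each_-_xref` running after it, keeps each comment scoped to its own hash. The appended value also carries no separator, which is why the readme sample shows results run together (`...detectedavast : Win32:Malware-genbitdefender...`); `"value": "@{items('For_each_-_result')?['scanner']} : @{items('For_each_-_result')?['result']}\n"` fixes that. Because `Foreach` iterations run concurrently unless `runtimeConfiguration.concurrency.repetitions` is set to 1, appends from parallel hash iterations can interleave in the shared variable, so `For_each_hash_-_Multi-AV` and its nested loops should be made sequential. Minor: the details comment label `Sd5:` should read `Md5:`, and the `message` strings contain literal line breaks, which the deployment parser presumably tolerates since the template was exported this way but strict JSON tooling (`jq`, Python `json`) will reject.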
@@ -0,0 +1,60 @@ +# Enrich-SentinelIncident-ReversingLabs-File-Information +This playbook utilizes the ReversingLabs Intelligence connector to automatically enrich incident comments section with file information. + +Learn more about the integration via the [connector documentation](https://docs.microsoft.com/connectors/reversinglabsintelligence/). + +In order to successfully run this playbook you will need a valid ReversingLabs TitaniumCloud subscription with the XREF(Historic Multi-AV Scan Records), File Reputation and File Hash Analysis Detail APIs enabled. You can obtain your subscription at support@reversinglabs.com. + +Playbook extracts hashes (SHA-1, SHA-256 or MD5) by utilizing Azure Sentinel-recognized entity FileHashCustomEntity. In your custom rule, map your hash field to this entity: +``` + YourLog_CL + | extend FileHashCustomEntity = +``` + +Sample comment output: +``` +ReversingLabs Multi-AV Scan Records: + +ahnlab_online : antivir : detectedavast : Win32:Malware-genbitdefender : carbonblack_online : clamav : PUA.Win.Packer.Exe-6crowdstrike : crowdstrike_online : drweb : Trojan.DownLoader33.21319ensilo_online : esetnod32 : f_prot : fireeye_online : fortinet : gdata : ikarus : invincea_online : k7computing : kaspersky_online : mcafee_online : Artemis!08490DB63F89 (trojan)microsoft_online : panda_online : quickheal : rising_online : Trojan.MalCert!1.C446sentinelone_online : sophos_online : sunbelt : symantec_beta : trendmicro_consumer : vba32 : Trojan.Downloaderwatchguard_online : + + +ReversingLabs File Hash Details: + +This file (SHA1: db2363303dfa061ae92c8e2c114277174c5f5e38) is a 32-bit portable executable application. Additionally, it was identified as InnoSetup installer, and unpacking was successful. The application uses the Windows graphical user interface (GUI) subsystem, while the languages used are Dutch from Netherlands and English from United States. 
According to version information, this is CoronaVirus Status [Plugin for Google Chrome] from CENTR MBR LLC. Appended data was detected at the file's end. Its length is greater than the size of the image. Cryptography related data was found in the file. This application has access to device configuration, monitoring, networking and running processes and has security related capabilities. The application is digitally signed, and its certificate is valid. There are 874 extracted files. + +Sha1: db2363303dfa061ae92c8e2c114277174c5f5e38 + +Sd5: 08490db63f89b78bdfbc3dd3ae17c706 + +Sha256: 33cc2944588599a4c70215483e3a59c957c6e7be091a230f9ab9297d12f00933 + +Sha384: deb41647a35986dff1b82faf8f957a7ab78b98109ca3c7bdb67dd27ec42a9cd26d6f4e5a26e63b716703bd497db70032 + +Sha512: b015c0ff6efc24a35b954021d8fdb9ab3b7d69cb1314b629607aae197642ab3999a5aa32388708586058ade19d91ec558e6170e42f92c46cafceed54a829dd0e + +Sample size: 11135784KB + + +ReversingLabs File Hash Reputation: + +File name: Win32.Trojan.Generic + +File status: MALICIOUS + +Reason: analyst_sample_override + +Scanner count: 31 + +Scanner percent: 22.5806446075439 + +Scanner match: 7 + +First seen: 2020-04-03T06:41:18 + +Last seen: 2021-02-07T09:45:35 + +Threat level: 5 + +Trust factor: 5 +``` +